PBIS可以很方便的加域然后使用域认证,比起winbind+samba方便多了。这东西原来叫LikeWise,现在换了这个名字,有开源版本,功能上也够用了。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
#1:下载
https:
//github
.com
/BeyondTrust/pbis-open/releases
#2:安装,默认设置即可
sh pbis-
open
-8.5.4.334.linux.x86_64.deb.sh
#3:加域
domainjoin-cli
join
test
.net admin
#4:可能用得到的自定义设置
/opt/pbis/bin/config
HomeDirTemplate
'%H/%D/%U'
/opt/pbis/bin/config
LoginShellTemplate
/bin/bash
/opt/pbis/bin/config
HomeDirUmask 077
/opt/pbis/bin/config
UserDomainPrefix
test
.net
/opt/pbis/bin/config
AssumeDefaultDomain
true
#/opt/pbis/bin/config Requiremembershipof test\\LinuxUser test\\new # 允许LinuxUser用户组 及 new用户登录
#允许用户组为sudoer
%
test
\\LinuxAdmins ALL=(ALL:ALL) ALL
|
如果用来使用的是winbind+samba认证
1:先退出域
|
1
|
net ads leave -U
test
.net administrator
|
2:把原来/etc/pam.d/ 下面的winbind相关项删除,还有/etc/nsswitch.conf 里面的winbind删除
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
cat
/etc/pam
.d
/common-account
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=
done
default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=
done
default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
#--------------------------------------------------
cat
/etc/pam
.d
/common-auth
auth [success=2 default=ignore] pam_lsass.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
#--------------------------------------------------
cat
/etc/pam
.d
/common-password
password [success=2 default=ignore] pam_lsass.so
password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
#--------------------------------------------------
cat
/etc/pam
.d
/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_lsass.so
session required pam_unix.so
session optional pam_systemd.so
#--------------------------------------------------
cat
/etc/pam
.d
/common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_lsass.so
session required pam_unix.so
#--------------------------------------------------
cat
/etc/nsswitch
.conf
passwd
: compat lsass
group: compat lsass
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
|
3:如果还要使用samba,可以删除winbind(用不到了)。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
net cache flush
#不执行此操作,samba还是使用原来winbind的UID
#--------------------------------------------------
cat
/etc/samba/smb
.conf
[global]
server string = %h server (Samba, Ubuntu)
security = ads
workgroup = TEST
realm = TEST.NET
client ntlmv2 auth =
yes
encrypt passwords =
yes
log
file
=
/var/log/samba/log
.%m
max log size = 1000
panic action =
/usr/share/samba/panic-action
%d
machine password timeout = 0
[homes]
comment = Home Directories
browseable = no
read
only = no
create mask = 0700
directory mask = 0700
|
|
1
|
/opt/pbis/bin/samba-interop-install
--
install
#这样就可以使用pbis认证samba了
|
另外bash提示符是 test\username 这样的格式,然后为了美观把格式改为 username 这样
|
1
|
sed
-i
"58s#^.*\$#&\nmodify_username()\n{\n echo \$USER | awk -F\\\\\\\\ '{print \$NF}'\n}\n#;s#\\\\u#\$(modify_username)#g"
/etc/skel/
.bashrc
|
centos
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
#!/bin/bash
for
i
in
`
ls
/home
`
do
grep
TESTDOMAIN
/home/
$i/.bashrc ||
cat
>>
/home/
$i/.bashrc << EOF
modify_username()
{
echo
\$USER |
awk
-F\\\\\\\\
'{print \$NF}'
}
if
[[ \$USER =~
"TESTDOMAIN"
]];
then
PS1=
'[\$(modify_username)@\H:\w]\\$ '
fi
EOF
done
grep
TESTDOMAIN
/etc/skel/
.bashrc ||
cat
>>
/etc/skel/
.bashrc << EOF
modify_username()
{
echo
\$USER |
awk
-F\\\\\\\\
'{print \$NF}'
}
if
[[ \$USER =~
"TESTDOMAIN"
]];
then
PS1=
'[\$(modify_username)@\H:\w]\\$ '
fi
EOF
|
#samba出现这样的错误
|
1
2
|
#Bad talloc magic value - access after free
apt-get
install
libtalloc2
|
#加域时出现
|
1
2
|
#Error: ERROR_GEN_FAILURE [code 0x0000001f]
apt-get remove avahi-daemon
|
本文转自 nonono11 51CTO博客,原文链接:http://blog.51cto.com/abian/1947099,如需转载请自行联系原作者
