Joining Ubuntu to a Windows AD domain (using Samba and Winbind)

Joining Ubuntu to a Windows AD domain

Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

Step 1: Initial Configurations to Join Ubuntu to Samba4 AD

1. First, set the machine's hostname correctly, either with the hostnamectl command or by editing the /etc/hostname file directly.

# hostnamectl set-hostname your_machine_short_name

$ cat /etc/hostname
mamh-PC

$ hostnamectl
   Static hostname: mamh-PC
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: 4165ee77f3a840b880478065c5624a98
           Boot ID: 0b179497ee0a4ffdb5d5a1a288693fa9
  Operating System: Ubuntu 16.04.6 LTS
            Kernel: Linux 4.18.0-15-generic
      Architecture: x86-64


2. The next important step is to configure the IP settings correctly, especially DNS.


3. Then restart the network service, or reboot the machine.

systemctl restart networking.service

ping -c2 your_domain_name

4. The last preparatory step is to install the ntpdate time synchronization utility and sync the clock with the domain.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name

5. Install the required packages

$ sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

When the Kerberos packages are installed you will be prompted for the default realm; enter company.com here in all uppercase (COMPANY.COM).

6. Test Kerberos authentication

# kinit ad_admin_user
# klist

Step 2: Join Ubuntu to Samba4 AD DC

7. The first step in integrating the Ubuntu machine into the Samba4 Active Directory domain is to edit the Samba configuration file.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
# nano /etc/samba/smb.conf

[global]
        workgroup = TECMINT
        realm = TECMINT.LAN
        netbios name = ubuntu
        security = ADS
        dns forwarder = 192.168.1.1

        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000

        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Replace the workgroup, realm, netbios name and dns forwarder values with your own settings.
The winbind use default domain parameter makes the winbind service treat any unqualified username as an AD user. Omit this parameter if you have local system account names that overlap AD account names.

8. Now restart all Samba daemons, stop the unneeded samba-ad-dc service, and enable the Samba services system-wide by issuing the commands below.

$ sudo systemctl restart smbd nmbd winbind
$ sudo systemctl stop samba-ad-dc
$ sudo systemctl enable smbd nmbd winbind

9. Join the Ubuntu machine to the Samba4 AD DC with the following command. Use the name of an AD account with administrator privileges so that the binding to the realm works as expected.

$ sudo net ads join -U ad_admin_user

10. On the Windows domain controller we can now see that the computer mamh-pc is listed under Computers.


Step 3: Configure AD Accounts Authentication

11. To be able to log in to this machine with a domain account, a few things need to be configured.
The first is the Name Service Switch (NSS).

$ sudo nano /etc/nsswitch.conf


$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind  # modified here: winbind appended at the end of the line
group:          compat winbind  # modified here: winbind appended at the end of the line
shadow:         compat winbind  # modified here: winbind appended at the end of the line
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

12. Test whether the domain join succeeded and whether users and groups can be retrieved

$ wbinfo -u
$ wbinfo -g

wbinfo - Query information from winbind daemon. This command queries the information held by winbind;
if the join succeeded it lists all user names and groups, that is, the users and groups from the domain controller.

13. The same needs to be tested through getent as well

$ sudo getent passwd | grep your_domain_user
$ sudo getent group | grep 'domain admins'
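The smb.conf settings from step 7 and the nsswitch.conf changes from step 11 are easy to get subtly wrong (an idmap range that collides with local UIDs, a missing winbind entry), so it is worth checking them mechanically before trusting the join. The script below is an added example, not part of the original post or of Samba: the function names (smb_param, audit_smb, audit_nss) and the sample files it writes are constructed here, and the real /etc files can be passed in instead.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the smb.conf and
# nsswitch.conf settings from steps 7 and 11. Samples are constructed below;
# pass /etc/samba/smb.conf and /etc/nsswitch.conf to audit a real host.
# smb_param FILE KEY: print the [global] value of KEY lower-cased; key matching
# ignores case and whitespace ('idmap config * : backend' == 'idmap config *:backend').
smb_param() {
    awk -F= -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[[:space:]]/, "", key) }
        /^[[:space:]]*\[/ { ing = ($0 ~ /\[global\]/); next }
        ing && !/^[[:space:]]*[#;]/ {
            k = tolower($1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v); exit }
        }' "$1"
}
# audit_smb FILE: 0 when the join-critical settings look sane, else 1
audit_smb() {
    f=$1; rc=0
    [ "$(smb_param "$f" security)" = ads ] || { echo "security must be ADS for a domain member"; rc=1; }
    [ -n "$(smb_param "$f" realm)" ] || { echo "realm is missing"; rc=1; }
    range=$(smb_param "$f" 'idmap config *:range')
    case $range in
        [0-9]*-[0-9]*) [ "${range%-*}" -ge 1000 ] || { echo "idmap range $range overlaps local UIDs"; rc=1; } ;;
        *) echo "idmap config *:range is missing or malformed"; rc=1 ;;
    esac
    [ "$(smb_param "$f" 'winbind use default domain')" = true ] &&
        echo "note: unqualified names resolve to AD; no local account may share an AD name"
    return $rc
}
# nss_has_winbind FILE DB: 0 when the uncommented DB line lists winbind
nss_has_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}
# audit_nss FILE: 0 when passwd, group and shadow all consult winbind
audit_nss() {
    rc=0
    for db in passwd group shadow; do
        nss_has_winbind "$1" "$db" || { echo "nsswitch: $db does not list winbind"; rc=1; }
    done
    return $rc
}
# Constructed samples: a good smb.conf mirroring step 7, a broken one, two nsswitch fragments
TMP=$(mktemp -d)
GOOD_SMB=$TMP/smb.conf BAD_SMB=$TMP/smb-bad.conf NSS_OK=$TMP/nss-ok NSS_BAD=$TMP/nss-bad
printf '[global]\n  workgroup = TECMINT\n  realm = TECMINT.LAN\n  security = ADS\n  idmap config * : backend = tdb\n  idmap config *:range = 50000-1000000\n  winbind use default domain = true\n' >"$GOOD_SMB"
printf '[global]\n  workgroup = TECMINT\n  security = user\n  idmap config *:range = 0-1000000\n' >"$BAD_SMB"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat winbind\n' >"$NSS_OK"
printf 'passwd: compat winbind\n# group: compat winbind\ngroup: compat\nshadow: compat\n' >"$NSS_BAD"
audit_smb "$GOOD_SMB" && audit_nss "$NSS_OK" && echo "sample config passes"
```

Run with `audit_smb /etc/samba/smb.conf; audit_nss /etc/nsswitch.conf` on the joined machine; a non-zero exit from either means the corresponding step still needs attention.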

14. To authenticate on the Ubuntu machine with domain accounts, run the pam-auth-update command with root privileges and add all the entries required by the winbind service, including the one that creates a home directory for each domain account at first login.
This is where automatic home directory creation at login is configured.

$ sudo pam-auth-update

  │  Pluggable Authentication Modules (PAM) determine how authentication,         │  
  │ authorization, and password changing are handled on the system, as well as    │  
  │ allowing configuration of additional actions to take when starting user       │  
  │ sessions.                                                                     │  
  │                                                                               │  
  │ Some PAM module packages provide profiles that can be used to automatically   │  
  │ adjust the behavior of all PAM-using applications on the system.  Please      │  
  │ indicate which of these behaviors you wish to enable.                         │  
  │                                                                               │  
  │ PAM profiles to enable:                                                       │  
  │                                                                               │  
  │    [*] Unix authentication                                                    │  
  │    [*] Winbind NT/Active Directory authentication                             │  
  │    [*] Register user sessions in the systemd control group hierarchy          │  
  │    [*] Create home directory on login  (tick this; tick all of them, then press OK) │  
  │    [*] GNOME Keyring Daemon - Login keyring management                        │  
  │                                                                               │  
  │                                                                               │  
  │                     <確定>                       <取消>     

15. On Ubuntu you also need to edit the /etc/pam.d/common-account file by hand and add the line below; only then are home directories created automatically at login.
Comment out the line containing use_authtok and add the following line.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

16. To allow domain users to change their passwords, edit the /etc/pam.d/common-password file as follows (the original line is kept commented out above the replacement):

# password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
password       [success=1 default=ignore]      pam_winbind.so try_first_pass

17. Log in to Ubuntu with a domain account and verify the ID.

$ su - your_ad_user

# log in to Ubuntu with my own domain account
$ su - mamh.ma
密碼: 
mamh.ma@mamh-PC:~$ id
uid=50224(mamh.ma) 
gid=50004(domain users) 
組=50004(domain users),27(sudo),50000(BUILTIN\administrators),50001(BUILTIN\users),50005(denied rodc password replication group),50006(pptp client),50007(vpn-oa),50008(產品中心),50009(admin_scm),50010(vpn-all),50011(vpn-qbyy),50012(軟件部),50013(數據中心),50014(domain admins),50015(pptp client長期),50016(server開發部),50017(company)

mamh.ma@mamh-PC:~$ pwd
/home/mamh.ma

# log in with a colleague's account
$ su - mage  
密碼: 
正在創建文件夾 “/home/mage”。
mage@mamh-PC:~$ id
uid=50225(mage) gid=50004(domain users) 組=50004(domain users),50000(BUILTIN\administrators),50001(BUILTIN\users),50005(denied rodc password replication group),50006(pptp client),50007(vpn-oa),50008(產品中心),50009(admin_scm),50010(vpn-all),50011(vpn-qbyy),50012(軟件部),50013(數據中心),50014(domain admins),50015(pptp client長期),50016(server開發部),50017(company)
mage@mamh-PC:~$ 
mage@mamh-PC:~$ pwd
/home/mage
mage@mamh-PC:~$ exit
註銷

18. Give a domain account root (sudo) privileges.

$ sudo usermod -aG sudo your_domain_user

19. Give a domain group root privileges by adding a line of the following form to the sudoers file.

%YOUR_DOMAIN\\your_domain\ group    ALL=(ALL:ALL) ALL

%company\\domain\ admins ALL=(ALL:ALL) ALL

"domain admins" is the name of the group in the domain; the space in the name is escaped with a backslash.


20. If the machine has a graphical desktop, configure LightDM by adding the following two lines to the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, then reboot.

greeter-show-manual-login=true
greeter-hide-users=true

It should now be possible to log in to Ubuntu Desktop with a domain account using any of the formats your_domain_username, your_domain_username@your_domain.tld or your_domain\your_domain_username.
