  • SUSE FAQ series -- Authenticating with Windows Active Directory

    Published: 2007-07-04
    A good article, reposted from http://www.timkennedy.net/docs/Linux+Active_Directory.html

    The original uses Red Hat as its example, but the same method applies to SuSE as well.
    Using Windows Active Directory to authenticate SUSE Linux Enterprise Server 9

    Linux integration with Active Directory Authentication
        with Winbind and PAM (Pluggable Authentication Modules)



    Q. What separates this effort from all the other Samba + Active Directory
       + User Authentication documents that are already available?

    A. We don't use shares; we use ADS only as the authoritative repository
       for authentication data, and we needed a way to restrict the ability
       to log in to hosts to specific users or groups, or combinations thereof.



    This document assumes you have a basic familiarity with PAM and Fedora Core
    Linux, and the ability to install RPM based packages using YUM.  Other than
    the installation of the packages, and possibly the location of some files, most
    of the information contained herein should be portable to other flavors of
    Linux.


    A large portion of the data presented here is taken directly from Chapter
    21 of the Samba Documentation, "Winbind: Use of Domain Accounts", under Part 3,
    Advanced Configuration.

    The winbindd daemon is part of the Samba installation.  It listens on a
    UNIX domain socket for requests generated by NSS (nss_winbind) or PAM
    (pam_winbind).  Winbindd lets a *nix system turn those requests into
    MSRPC calls that query a Windows domain controller directly for user and
    group information.  Winbind then maps the NT accounts and groups onto
    UNIX uids/gids.


    INSTALLATION

        To install Winbind on SLES9, if you have YaST working:
        as root: 'yast -i samba-winbind'


    CONFIGURATION

        change in /etc/nsswitch.conf:
        -------------------------------------------------------------
        passwd:    files
        shadow: files
        group:  files
        -------------------------------------------------------------

        to:
        -------------------------------------------------------------
        passwd: files winbind
        shadow: files winbind
        group:  files winbind
        -------------------------------------------------------------


        create the file /etc/samba/smb.conf:
        replace: DOMAIN         with your NetBIOS domain (workgroup) name
                 CONTROLLER1    with the ip address (or DNS name) of your 1st DC
                 CONTROLLER2    with the ip address (or DNS name) of your 2nd DC
                 DOMAIN.TLD     with your Kerberos realm (the AD DNS domain, upper case)
        -------------------------------------------------------------
        [global]
           winbind separator = +
           winbind cache time = 10
           workgroup = DOMAIN
           password server = CONTROLLER1 CONTROLLER2
           winbind use default domain = yes
           realm = DOMAIN.TLD
           security = ads
           encrypt passwords = yes
           idmap uid = 10000-20000
           idmap gid = 10000-20000
           winbind enum users = yes
           winbind enum groups = yes
           template shell = /bin/bash
           template homedir = /home/%D/%U
        -------------------------------------------------------------


        join the linux server to the domain:
        -------------------------------------------------------------
        root# net ads join -U 

        the account you name with -U must have the right to create the
        computer account in the domain (a domain administrator in the
        simplest case); you will be prompted for its password.  If
        successful you will see a message like:
          Joined 'LINUXSERVER1' to realm 'DOMAIN.TLD'
        -------------------------------------------------------------
       
       
        start winbindd:
        -------------------------------------------------------------
        root# /etc/init.d/winbind start

        winbind by default runs as two processes.  One answers client
        queries, and the other updates the winbind cache with the
        most current answer for the query the first process just
        answered for.
        -------------------------------------------------------------
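        The following is an added example and not part of the original
        article: a pre-flight check for the smb.conf [global] fragment
        above, followed by the Samba commands that prove the join and
        winbindd actually work.  Both configuration strings are
        constructed for the example (the first carries the slips a hasty
        copy of the template tends to produce, the second is the
        corrected version); CONTROLLER1, CONTROLLER2 and DOMAIN.TLD are
        the article's placeholders, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original article: lint the smb.conf [global]
# fragment for the mistakes that break "security = ads" joins, then verify
# the join with Samba's own tools. The two configuration strings below are
# constructed for this example; CONTROLLER1/CONTROLLER2 and DOMAIN.TLD are
# placeholders.

WEAK_SMB_CONF='[global]
   workgroup = DOMAIN
   password server = CONTROLLER1 CONTROLLER1
   realm = DOMAIN.TLD
   security = user
   idmap uid = 500-20000
   idmap gid = 10000-20000
   winbind enum users = yes'

FIXED_SMB_CONF='[global]
   workgroup = DOMAIN
   password server = CONTROLLER1 CONTROLLER2
   realm = DOMAIN.TLD
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes'

# smb_value CONF KEY: print the value of KEY from the [global] section of the
# smb.conf text CONF (the text, not a path, so it also works on a string).
smb_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }'
}

# lint_smb_conf CONF: print one line per problem; return 1 if any is fatal.
lint_smb_conf() {
    conf="$1"; rc=0

    sec=$(smb_value "$conf" security)
    [ "$sec" = ads ] || { echo "FAIL: security = '$sec'; must be 'ads' to join AD with Kerberos"; rc=1; }

    [ -n "$(smb_value "$conf" realm)" ] || { echo "FAIL: realm is not set"; rc=1; }

    # A DC listed twice is not a second DC: if it is down there is no failover.
    dups=$(smb_value "$conf" "password server" | tr -s ' ' '\n' | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: password server lists the same DC twice: $dups"; rc=1; }

    # idmap ranges must read low-high and start above local accounts (SLES
    # allocates local users from 1000, Fedora from 500), otherwise winbind can
    # hand an AD user the uid of an existing local account.
    for key in "idmap uid" "idmap gid"; do
        set -- $(smb_value "$conf" "$key" | tr '-' ' ')
        if [ $# -ne 2 ] || [ "$1" -ge "$2" ]; then
            echo "FAIL: $key must be 'low-high' with low < high"; rc=1
        elif [ "$1" -lt 1000 ]; then
            echo "FAIL: $key starts at $1, overlapping local accounts"; rc=1
        fi
    done

    # Enumeration is only needed for 'getent passwd/group' with no name; it
    # walks the whole directory, which is slow on large domains. Not fatal.
    [ "$(smb_value "$conf" "winbind enum users")" = yes ] &&
        echo "WARN: winbind enum users = yes enumerates every account in the domain"

    return $rc
}

# verify_join USER: runtime checks once 'net ads join' has succeeded and
# winbindd is running. Each command exercises one link in the chain, so the
# first failure names the link to look at. Needs Samba on the host.
verify_join() {
    testparm -s >/dev/null 2>&1  || { echo "smb.conf does not parse (run testparm)"; return 1; }
    net ads testjoin              || { echo "machine account not valid on the DC"; return 1; }
    wbinfo -t                     || { echo "winbindd cannot check the trust secret with a DC"; return 1; }
    getent passwd "$1" >/dev/null || { echo "NSS does not resolve $1 through winbind"; return 1; }
    echo "AD integration looks healthy for $1"
}

echo "== weak fragment";  lint_smb_conf "$WEAK_SMB_CONF"  || echo "(fix the FAIL lines before 'net ads join')"
echo "== fixed fragment"; lint_smb_conf "$FIXED_SMB_CONF" && echo "OK: no fatal problems"
# On the joined host, also run:  verify_join tkennedy
```

        Run the linter against /etc/samba/smb.conf with
        `lint_smb_conf "$(cat /etc/samba/smb.conf)"` before the join; the
        idmap check matters because the default tdb idmap backend
        allocates ids from the configured range on first sight, and a
        range that reaches into the local uid space lets a domain user
        collide with a local account.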
       
       
        make sure you have a backup of /etc/pam.d directory:   
        -------------------------------------------------------------
        root# cp -a /etc/pam.d /etc/pam.d.bak
        -------------------------------------------------------------

       
        These are the relevant lines for the various pam controlled
        methods: account, auth, password, and session.
        Just place these lines into the pam.d file of any service
        for which you'd like to control authorization by ADS.
        -------------------------------------------------------------
        auth        sufficient    pam_winbind.so
        account     sufficient    pam_winbind.so
        password    sufficient    pam_winbind.so use_authtok
        -------------------------------------------------------------


        And this goes into /etc/pam.d/system-auth:
        -------------------------------------------------------------
         session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
        -------------------------------------------------------------


        All of that sets up your linux box to allow Active Directory
        domain users to log in, with a bash shell, into a homedir in
        /home/DOMAIN/user.  It will even create the home directory for
        any user that doesn't already have one, provided the session
        portion of the service's file contains the call to system-auth.

        Now let's say you want to limit access to the server to users
        from certain groups only.  That turns out to be quite simple:
        as we know, all users and groups from active directory are
        mapped to unix uids and gids, and we can make that work for us.

        first, let's see what groups I'm in (tkennedy):
        -------------------------------------------------------------
        root# getent group | grep tkennedy
        Domain Users:x:10000:tkennedy,mmouse,ckent,gbush,bclinton,cpowell
        Domain Admins:x:10001:tkennedy,cpowell,ckent
        Enterprise Admins:x:10002:tkennedy,ckent
        Unix Admins:x:10003:tkennedy,bschmidt,eroberts
        -------------------------------------------------------------

        by replacing the account entries in /etc/pam.d/sshd with:
        -------------------------------------------------------------
        account      sufficient    pam_succeed_if.so gid = 10003
        -------------------------------------------------------------

        you can limit ssh access to the server to members of the
        Unix Admins group.

        Two cautions about that line.  pam_succeed_if's "gid" condition
        tests the user's primary group id (pw_gid), which for a domain
        user is normally Domain Users, not a supplementary group such as
        Unix Admins; the "user ingroup <group>" condition tests real
        membership, so use that for a group check.  And the numeric gid
        is only stable on this host: the default tdb idmap allocates ids
        in first-seen order, so Unix Admins may be 10003 here and
        something else on the next server.  Prefer the group name.


        By using lines like that in other per-service pam.d files, you
        can set up quite complex authorization rules to control logins
        on a per service/per group basis.
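        The following is an added example, not code from the original
        article, serving both the PAM stack above and the group
        restriction just described.  It runs the two pam_succeed_if
        conditions, "gid = N" and "user ingroup G", against a constructed
        snapshot of the passwd and group maps winbind would publish (with
        winbind use default domain = yes, so names carry no DOMAIN+
        prefix) and prints the account stack the ingroup rule belongs in.
        The uids, the svc_backup service account and the memberships are
        invented for the example.

```shell
#!/bin/sh
# Added example, not from the original article: what the two pam_succeed_if
# conditions actually test, evaluated against a constructed passwd/group
# snapshot. uids, svc_backup and the memberships are invented here.

PASSWD_DB='tkennedy:x:10010:10000:Tim Kennedy:/home/DOMAIN/tkennedy:/bin/bash
bschmidt:x:10011:10000:B Schmidt:/home/DOMAIN/bschmidt:/bin/bash
mmouse:x:10012:10000:M Mouse:/home/DOMAIN/mmouse:/bin/bash
svc_backup:x:10013:10003:Backup Service:/home/DOMAIN/svc_backup:/bin/bash'

# A user whose primary group is the group itself is not repeated in the
# member list, as /etc/group usually presents it.
GROUP_DB='Domain Users:x:10000:tkennedy,bschmidt,mmouse
Domain Admins:x:10001:tkennedy
Unix Admins:x:10003:tkennedy,bschmidt'

# primary_gid USER: pw_gid from the passwd map, which is all "gid = N" looks at.
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# in_group USER GROUP: succeeds if USER's primary gid is GROUP's gid or USER
# appears in GROUP's member list, which is what "user ingroup GROUP" tests.
in_group() {
    user="$1"; group="$2"
    gid=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$group" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 1                     # unknown group never matches
    [ "$(primary_gid "$user")" = "$gid" ] && return 0
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# The article's rule and the hardened one, each answering allow/deny.
gid_rule()     { if [ "$(primary_gid "$1")" = "$2" ]; then echo allow; else echo deny; fi; }
ingroup_rule() { if in_group "$1" "$2"; then echo allow; else echo deny; fi; }

# hardened_sshd_account: the account stack the ingroup rule belongs in. The
# group check is "required" so a miss cannot be rescued by a later module,
# and the pam_winbind / pam_unix account checks still run. pam.conf(5)
# square-bracket quoting lets the group name carry a space.
hardened_sshd_account() {
    cat <<'EOF'
account required   pam_succeed_if.so user ingroup [Unix Admins]
account sufficient pam_winbind.so
account required   pam_unix.so
EOF
}

for u in tkennedy bschmidt mmouse svc_backup; do
    printf '%-10s primary gid %s  gid=10003: %-5s  ingroup "Unix Admins": %s\n' \
        "$u" "$(primary_gid "$u")" "$(gid_rule "$u" 10003)" "$(ingroup_rule "$u" "Unix Admins")"
done
hardened_sshd_account
```

        The output shows the inversion: tkennedy, the intended admin, is
        denied by "gid = 10003" because his primary group is Domain Users,
        while svc_backup, whose primary group happens to be Unix Admins,
        is allowed; "user ingroup" admits exactly the members.  If local
        accounts must keep logging in, put `account [success=1
        default=ignore] pam_succeed_if.so uid < 1000 quiet` in front of
        the required line to skip the group check for them.  With Samba's
        pam_winbind the same restriction can be pushed into the module
        itself via require_membership_of=, given the group's SID from
        `wbinfo -n "Unix Admins"`, which avoids the PAM quoting question
        entirely.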



        Any questions?  You can reach me at tim@timkennedy.net


    Original article reposted from: http://www.kjueaiud.com
