Linux、Python爱好者,推广者。
分类: 系统运维
2015-12-13 16:41:00
服务器环境:三台服务器,分别是LDAP+Kerberos服务器、NFS Secure服务器、客户机。
本文档重点是如何配置以上这些服务,理论知识另需补脑。
硬件环境:VMware Workstation 上运行2个KVM,vmware作为LDAP服务器,2个KVM分别作为NFS和客户机。主机名分别为kerberos.example.com、server0.example.com、desktop0.example.com。
软件环境:三台机器的OS版本是RHEL7.0,kerberos关闭slinux和firewalld,server0和desktop0上开启selinux和firewalld。
一、在kerberos机器上配置Kerberos服务
1. 安装软件:
yum install -y krb5-libs krb5-server krb5-workstation pam_krb5
2. 修改配置文件/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88
[realms] EXAMPLE.COM = { master_key_type = aes256-cts default_principal_flags = +preauth acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }
|
/var/kerberos/krb5kdc/kadm5.acl这个文件里的域要和上面文件[realms]中定义的要一致。
3. 在kerberos、server0、desktop0上修改Kerberos配置文件/etc/krb5.conf
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] dns_lookup_realm = false ticket_lifetime = 12h renew_lifetime = 7d forwardable = true rdns = false default_realm = EXAMPLE.COM default_ccache_name = KEYRING:persistent:%{uid}
[realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com }
[domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM |
4. 创建 Kerberos 数据库。
kdb5_util create -s -r EXAMPLE.COM
提示输入密码为:kerberos
注意EXAMPLE.COM与kdc.conf定义的要一致。
这个过程时间比较长。
5. 启动服务
systemctl status krb5kdc.service
systemctl enable krb5kdc.service
systemctl start kadmin.service
systemctl enable kadmin.service
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
6. 创建认证的唯一ID
Kerberos认证的唯一ID叫principal,由primary、instance、realm三部分组成,格式为 primary/instance@realm 。
principal有3种类型:user、service、host。
1)给root用户创建一个user类型的、带管理权限的principal,密码为root:
kadmin.local Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: addprinc root/admin WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy Enter password for principal "root/admin@EXAMPLE.COM": Re-enter password for principal "root/admin@EXAMPLE.COM": Principal "root/admin@EXAMPLE.COM" created. kadmin.local: listprincs K/M@EXAMPLE.COM kadmin/admin@EXAMPLE.COM kadmin/changepw@EXAMPLE.COM kadmin/kerberos.example.com@EXAMPLE.COM krbtgt/EXAMPLE.COM@EXAMPLE.COM root/admin@EXAMPLE.COM kadmin.local: quit |
2)创建host和service类型的principal
kadmin Authenticating as principal root/admin@EXAMPLE.COM with password. Password for root/admin@EXAMPLE.COM: kadmin: addprinc -randkey host/server0.example.com WARNING: no policy specified for host/server0.example.com@EXAMPLE.COM; defaulting to no policy Principal "host/server0.example.com@EXAMPLE.COM" created. kadmin: addprinc -randkey host/desktop0.example.com WARNING: no policy specified for host/desktop0.example.com@EXAMPLE.COM; defaulting to no policy Principal "host/desktop0.example.com@EXAMPLE.COM" created. kadmin: addprinc -randkey nfs/server0.example.com WARNING: no policy specified for nfs/server0.example.com@EXAMPLE.COM; defaulting to no policy Principal "nfs/server0.example.com@EXAMPLE.COM" created. kadmin: addprinc tim WARNING: no policy specified for tim@EXAMPLE.COM; defaulting to no policy Enter password for principal "tim@EXAMPLE.COM": Re-enter password for principal "tim@EXAMPLE.COM": Principal "tim@EXAMPLE.COM" created. kadmin: q |
给tim用户的kerberos认证密码,密码为:tim。
useradd -u 1001 tim
7. 把key从KDC里导出来
创建了principal之后,KDC知道所有principal的key,通常导出为.keytab密钥串文件。
1)把desktop0的key导出到秘钥串:
kadmin: ktadd -k /root/nfs_client.keytab host/desktop0.example.com kadmin: q |
2)查看秘钥串
klist -k /root/nfs_client.keytab Keytab name: FILE:/root/nfs_client.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM 2 host/desktop0.example.com@EXAMPLE.COM |
3)同样方法导出server0的秘钥
kadmin: ktadd -k /root/nfs_server.keytab host/server0.example.com kadmin: ktadd -k /root/nfs_server.keytab nfs/server0.example.com kadmin: q |
8. 把秘钥串放到web上,提供给kerberos的客户端(server0和desktop0)
cp nfs_client.keytab nfs_server.keytab /var/www/html/
二、在server0上配置nfs-server
为了测试kerberos,配置两个nfs共享,分别是/public作为标准共享给example.com域,只读方式,另一个/protected作为安全共享,读写方式。访问 /protected 需要通过Kerberos安全加密,使用KDC服务器提供的密钥。目录 /protected 里面有子目录名为secret ,所有人为 tim,用户tim 能以读写方式访问/protected/secret目录。用户tim在三台服务器里存在。
1. 安装软件,分别在server0和desktop0上
首先把kerberos服务器上的serve0和desktop0上:
scp /etc/krb5.conf server0:/etc
scp /etc/krb5.conf desktop0:/etc
yum install krb5-workstation
yum install nfs-utils
2. 配置nfs
mkdir -p /protected/secret
mkdir /public
cat /etc/exports
/public 192.168.3.0/24(ro)
/protected 192.168.3.0/24(rw,sec=krb5p,no_root_squash)
注意:以上共享给客户端一定要写成ip地址的形式,写成域名(*.example.com)挂载不上 安全的nfs,报错信息:mount.nfs: Operation not permitted。没找到原因。
编辑 /etc/sysconfig/nfs 配置文件,修改 RPCNFSDARGS 变量的值:
RPCNFSDARGS="-V 4.2"
3. 启动nfs
1)启动标准NFS服务
systemctl start nfs-server
systemctl enable nfs-server
2)下载秘钥串
wget -O /etc/krb5.keytab
3)启动NFS Secure服务
systemctl start nfs-secure-server.service
showmount -e
Export list for server0.example.com:
/protected 192.168.3.0/24
/public 192.168.3.0/24
4)设置防火墙
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload
5)创建用户tim,与kerberos服务器上uid一致
useradd -u 1001 tim
chown tim.tim /protected/secret
三、客户机desktop0上配置
1. 创建挂载点
mkdir /mnt/nfsmount
mkdir /mnt/nfssecure
showmout -e 192.168.3.31
2. 普通挂载
1)标准挂载
mount 192.168.3.31:/public /mnt/nfsmount/
这个是可以挂载的。
2)安装NFS挂载
mount -o sec=krb5p,v4.2 192.168.3.31:/protected /mnt/nfssecure/
mount.nfs: an incorrect mount option was specified
这个时候挂载不上,需要下载秘钥串。
wget -O /etc/krb5.keytab
查看秘钥串:klist -k /etc/krb5.keytab
3)启动nfs-secure
systemctl restart nfs-secure
再挂载mount -o sec=krb5p,v4.2 192.168.3.31:/protected /mnt/nfssecure就可以了。
[root@desktop0 ~]# su - tim
[tim@desktop0 ~]$ df
df: ‘/mnt/nfssecure’: Permission denied
用户tim需要通过kinit获取Kerberos票据才能看到/mnt/nfssecure/这个目录的内容。
[tim@desktop0 ~]$ kinit
Password for tim@EXAMPLE.COM:
执行df命令查看已经显示了/mnt/nfssecure/这个挂载点
如果文件权限显示的是4294967294,需要在服务器端和客户端启动rpcidmapd服务:
systemctl start rpcidmapd
systemctl enable nfs-idmap.service
用户tim在/mnt/nfssecure/secret可以创建文件,文件所有者为tim。
klist查看票据。
以上环境每个主机的/etc/hosts和/etc/krb5.conf文件一致。
四、在kerberos服务器上安装LDAP
环境说明:所有主机对应的FQDN域为abc.com,kerberos域(realm)为ABC.COM。
kerberos+ldap服务器:kerberos.abc.com
nfs服务器:station1.abc.com
client:station2.abc.com
涉及到的文件内容分别如下:
kdc.conf
cat /var/kerberos/krb5kdc/kdc.conf [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88
[realms] ABC.COM = { master_key_type = aes256-cts default_principal_flags = +preauth acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal } |
kadm5.acl
cat /var/kerberos/krb5kdc/kadm5.acl */admin@ABC.COM * |
krb5.conf
cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] dns_lookup_realm = false ticket_lifetime = 12h renew_lifetime = 7d forwardable = true rdns = false default_realm = ABC.COM default_ccache_name = KEYRING:persistent:%{uid}
[realms] ABC.COM = { kdc = kerberos.abc.com admin_server = kerberos.abc.com }
[domain_realm] .abc.com = ABC.COM abc.com = ABC.COM |
hosts
cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.3.176 kerberos.abc.com 192.168.3.156 station1.abc.com 192.168.3.166 station2.abc.com |
1. 安装软件
yum install openldap-servers openldap-clients
2. 修改配置文件模板
cp /usr/share/openldap-servers/slapd.ldif .
1)证书文件位置
olcTLSCACertificatePath: /etc/openldap/certs //服务器证书存放的位置
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt //服务器证书文件
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key //服务器私钥文件
2)添加schema
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
3)数据类型为bdb格式
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
4)设置RootDN及RootPW
olcSuffix: dc=abc,dc=com
olcRootDN: cn=Manager,dc=abc,dc=com
olcRootPW: 123
3. 生成配置文件
rm -rfv /etc/openldap/slapd.d/*
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif
测试配置文件是否正确:
slaptest -u -F /etc/openldap/slapd.d
4. 启动slapd服务
chown ldap.ldap slapd.d/* -R
cp /usr/share/openldap-servers/DB_CONFIG.example
/var/lib/ldap/DB_CONFIG
chown ldap.ldap /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
5. 迁移用户信息到ldap
yum install migrationtools
1)生成基准DN的ldif文件
cd /usr/share/migrationtools/
修改vim migrate_common.ph,改成abc.com域
71 $DEFAULT_MAIL_DOMAIN = "abc.com";
74 $DEFAULT_BASE = "dc=abc,dc=com";
然后生成ldif文件
./migrate_base.pl > /root/abc.ldif
保留文件/root/abc.ldif文件如下内容
dn: dc=abc,dc=com dc: abc objectClass: top objectClass: domain
dn: ou=People,dc=abc,dc=com ou: People objectClass: top objectClass: organizationalUnit
dn: ou=Group,dc=abc,dc=com ou: Group objectClass: top objectClass: organizationalUnit |
2)创建用户
mkdir /rhome
useradd -d /rhome/ldap1 ldap1
useradd -d /rhome/ldap2 ldap2
echo 123 | passwd --stdin ldap1
echo 123 | passwd --stdin ldap2
tail -2 /etc/passwd > /root/users.txt
tail -2 /etc/group > /root/groups.txt
./migrate_passwd.pl /root/users.txt > /root/users.ldif
./migrate_group.pl /root/groups.txt > /root/groups.ldif
最终有了abc.ldif、users.ldif、group.ldif三个ldif格式的文件,我们要把它们导入到ldap 数据库里。
3)创建DN
导入abc.ldif
systemctl stop slapd
slapadd -vl abc.ldif
4)安装ldap管理工具
安装ldap管理工具:phpldapadmin
tar zxf phpldapadmin-1.2.0.4.tgz -C /var/www/html/
cd /var/www/html/
mv phpldapadmin-1.2.0.4/ ldap
yum install php
yum install php-ldap
systemctl restart httpd
cd ldap/config
cp config.php.example config.php
chown ldap.ldap /var/lib/ldap/ -R
systemctl restart slapd
5)导入用户users.ldif和组gruops.ldif
通过页面或者ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f groups.ldif来导入。
6. TLS加密
1)创建CA,在kerberos主机上执行
vim /etc/pki/tls/openssl.cnf
172 basicConstraints=CA:TRUE //改成TRUE
[root@kerberos CA]# pwd
/etc/pki/CA
/etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
执行如下脚本 :
[root@kerberos CA]# /etc/pki/tls/misc/CA -newca
生成自己的证书,生成自己的私钥。
生成如下两个文件:
/etc/CA/cacert.pem 证书
/etc/CA/private/cakey.pem 私钥
2)创建服务器(ldap服务器)证书
产生一对密钥,并找CA做数字签名,生成证书
生成服务器的RSA私钥:
openssl genrsa -out ldap.key 1024
导出公钥,做成证书请求文件(csr)给CA做签名:
openssl req -new -key ldap.key -out ldap.csr
把证书请求文件拷给CA,去做数字签名:
在CA上执行:
openssl ca -in ldap.csr -out ldap.crt
把ldap.crt、ldap.key放到ldap服务器的正确位置:
cp ldap.crt ldap.key /etc/openldap/certs/
chown -R ldap.ldap /etc/openldap/certs/
chmod 700 /etc/openldap/certs/
五、LDAP客户端配置(在station1和station2上)
1. 安装软件
yum install openldap-clients
yum install sssd-ldap nss-pam-ldapd
2. 不使用TLS,使用ldap密码
authconfig-tui
User Information Authentication
[ ] Cache Information [ ] Use MD5 Passwords
[*] Use LDAP [*] Use Shadow Passwords
[ ] Use NIS [*] Use LDAP Authentication
[ ] Use IPAv2 [ ] Use Kerberos
[ ] Use Winbind [ ] Use Fingerprint reader
[ ] Use Winbind Authentication
[*] Local authorization is sufficient
[ ] Use TLS
Server: ldap://kerberos.abc.com
Base DN: dc=abc,dc=com
3. ssh station1.abc.com
ldap1/123
4. 不使用TLS,使用kerberos密码
1)把ldap1添加到kerberos数据库
addprinc ldap1 //密码为ldap1
addprinc ldap2 //密码为ldap2
5. authconfig-tui
User Information Authentication
[ ] Cache Information [ ] Use MD5 Passwords
[*] Use LDAP [*] Use Shadow Passwords
[ ] Use NIS [ ] Use LDAP Authentication
[ ] Use IPAv2 [*] Use Kerberos
[ ] Use Winbind [ ] Use Fingerprint reader
[ ] Use Winbind Authentication
[*] Local authorization is sufficient
Kerberos Settings
Realm: ABC.COM
KDC: kerberos.abc.com
Admin Server: kerberos.abc.com
[ ] Use DNS to resolve hosts to realms
[ ] Use DNS to locate KDCs for realms
ssh station1.abc.com
ldap1/ldap1
注:需要启动nslcd服务:systemctl restart nslcd,/etc/pam.d/password-auth里有 pam_ldap.so模块,如果是kerberos密码认证,会有pam_krb5.so模块
6)使用TLS加密,在ldap服务端操作:
生成自签名的证书:
生成服务器的RSA私钥:
openssl genrsa -out ldap.key 1024
生成签名请求:
openssl req -new -key ldap.key -out ldap.csr
生成自签名的证书:
openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt
把 ldap.key 和 ldap.crt 复制到 /etc/openldap/certs 目录。
7)使用TLS加密,ldap客户端配置
把nslcd服务停掉,卸载相应软件。
yum install sssd
由于使用了自签名证书,所以客户端并没有下载CA证书,所以
编辑 /etc/openldap/ldap.conf 文件,在TLS_CACERTDIR那一行上方添加一行:
TLS_REQCERT allow
grep -v '^#' /etc/openldap/ldap.conf |uniq
TLS_REQCERT allow TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on URI ldap://kerberos.abc.com BASE dc=abc,dc=com |
然后执行LDAP查询命令:
ldapsearch -x -b "dc=abc,dc=com"
"objectclass=*" -ZZ
就可以显示LDAP的数据,注意最后的 -ZZ 是强制使用TLS加密。
编辑 /etc/sssd/sssd.conf 文件,在ldap_uri那一行下方添加一行:
ldap_tls_reqcert = allow
重启sssd服务:
systemctl restart sssd
cat /etc/sssd/sssd.conf [domain/default]
autofs_provider = ldap cache_credentials = True ldap_search_base = dc=abc,dc=com krb5_server = kerberos.abc.com id_provider = ldap auth_provider = krb5 chpass_provider = krb5 ldap_uri = ldap://kerberos.abc.com ldap_tls_reqcert = allow krb5_realm = ABC.COM ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts krb5_store_password_if_offline = True krb5_kpasswd = kerberos.abc.com [sssd] services = nss, pam, autofs config_file_version = 2
domains = default [nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac] |
选择了TLS后/etc/pam.d/password-auth里有pam_sss.so模块
在ldap客户端测试:
id ldap1 uid=1001(ldap1) gid=1001(ldap1) groups=1001(ldap1) |
使用ssh登录测试。
注意:ldap客户端只需安装sssd:yum install sssd
使用authconfig-tui配置完,自动会产生/etc/sssd/sssd.conf文件。
使用authconfig-tui配置时,ldap的server一定要写主机名。
8)使用CA签名的证书
把ca的证书拷贝到ldap客户端的/etc/openldap/cacerts目录下
[root@kerberos CA]# scp cacert.pem station2.abc.com: /etc/openldap/cacerts
[root@station2 ~]# cacertdir_rehash /etc/openldap/cacerts/
并且去掉第7)步骤的两个allow。
六、配置autofs
LDAP用户的HOME目录,是通过autofs从服务器端的NFS服务挂载到本地的。如果 没有挂载,则LDAP用户就没有HOME目录。
[root@station2 auto.master.d]# yum install autofs
[root@station2 auto.master.d]# grep rhome /etc/auto.master
/rhome /etc/auto.misc
[root@station2 auto.master.d]# grep kerberos /etc/auto.misc
* -fstab=nfs kerberos.abc.com:/rhome/&
[root@station2 auto.master.d]# systemctl start autofs
[root@station2 auto.master.d]# systemctl enable autofs
[root@station2 ~]# tail -2 /etc/fstab station1.abc.com:/public /mnt/nfsmount nfs defaults 0 0 station1.abc.com:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0 |
mount -a
[root@station2 ~]# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda3 8913920 1011600 7902320 12% / devtmpfs 503384 0 503384 0% /dev tmpfs 508996 0 508996 0% /dev/shm tmpfs 508996 6696 502300 2% /run tmpfs 508996 0 508996 0% /sys/fs/cgroup /dev/vda1 508588 91600 416988 19% /boot kerberos.abc.com:/rhome/ldap2 30210048 5526016 24684032 19% /rhome/ldap2 station1.abc.com:/public 8913920 982272 7931648 12% /mnt/nfsmount station1.abc.com:/protected 8913920 982272 7931648 12% /mnt/nfssecure |
使用ldap1登录station2.abc.com进行测试:
[c:\~]$ ssh 192.168.3.166
Connecting to 192.168.3.166:22... Connection established. To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request. Last login: Sun Sep 6 17:26:01 2015 from 192.168.3.93 [ldap1@station2 ~]$ df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda3 8913920 1011660 7902260 12% / devtmpfs 503384 0 503384 0% /dev tmpfs 508996 0 508996 0% /dev/shm tmpfs 508996 6728 502268 2% /run tmpfs 508996 0 508996 0% /sys/fs/cgroup /dev/vda1 508588 91600 416988 19% /boot kerberos.abc.com:/rhome/ldap2 30210048 5526016 24684032 19% /rhome/ldap2 station1.abc.com:/public 8913920 982144 7931776 12% /mnt/nfsmount station1.abc.com:/protected 8913920 982144 7931776 12% /mnt/nfssecure |
写文件测试:
[ldap1@station2 ~]$ cd /mnt/nfssecure/ [ldap1@station2 nfssecure]$ cd abc [ldap1@station2 abc]$ touch abc [ldap1@station2 abc]$ cp /etc/passwd . [ldap1@station2 abc]$ ll total 4 -rw-rw-r-- 1 ldap1 ldap1 0 Sep 6 17:37 abc -rw-r--r-- 1 ldap1 ldap1 1156 Sep 6 2015 passwd |
文件权限是ldap1用户的。
文件/etc/nsswitch.conf内容:
33 passwd: files sss 34 shadow: files sss 35 group: files sss |
文件/etc/sysconfig/authconfig内容:
cat /etc/sysconfig/authconfig IPADOMAINJOINED=no USEMKHOMEDIR=no USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=no USESHADOW=yes USEWINBIND=no PASSWDALGORITHM=sha512 FORCELEGACY=no USEFPRINTD=no USEHESIOD=no FORCESMARTCARD=no USEDB=no USELDAPAUTH=no IPAV2NONTP=no WINBINDKRB5=no USELOCAUTHORIZE=yes USEECRYPTFS=no USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELDAP=yes USENIS=no USEKERBEROS=yes USESYSNETAUTH=no USESSSD=yes USEPWQUALITY=yes USEPASSWDQC=no |
至此,所有配置已完成。