說明:Linux通過
Samba(smbd,nmbd,winbind)+Kerberos,加入至Windows AD域後,與AD域連接並共享資料信息。
以上述實驗為基礎,安裝Postfix +
Cyrus-SASL+Cyrus-IMAP+WebMail客戶端。Postfix通過Cyrus-SASL來進行認證。所有User信息及
Password都存放於Windows 2003 AD上。
基於實驗一,所有Windows 2003 AD上的User都能通過 SSH & FTP、smbclient連接於Linux
Server.
未完成實驗有:
1)Openwebmail未能通過User認證收發電郵 ;
2)在Windows 2003 AD的User屬性中Home 目錄設置於Linux Server上時出現錯誤,User由XP登入域後,
Home目錄不能自動連接於Linux 的User目錄。
===================================================================================
原理:
Linux通過Samba(smbd,nmbd,winbind)+Kerberos加入至Windows AD域後,與AD域連接並共享資料信息。
Server Information :
Windows 2003 AD
Hostname: winserver.centos.winserver.com
IP: 172.16.10.100 / 16
DNS: 172.16.100.100
GW: 172.16.100.100
Domain: centos
Password: centos
CentOS 5.3 Linux
Hostname: filesrv01.centos.winserver.com
Password: centos
IP: 172.16.10.200 / 16
DNS: 172.16.100.100
GW: 172.16.100.100
WebMail: SquirrelMail 1.4.8-4.0.1.el5.centos.2
===================================================================================
# Turn off services this host will not use at every runlevel (sendmail is
# superseded by the postfix package installed below) and enable the two the
# tutorial relies on.
# NOTE(review): switching iptables/ip6tables off leaves the host without a
# packet filter, so the SMTP/POP3/IMAP/FTP/VNC listeners configured later are
# reachable from every network this machine is attached to.
for svc in sendmail smartd pcscd bluetooth iptables ip6tables; do
  chkconfig --level 0123456 "$svc" off
done
for svc in vsftpd vncserver; do
  chkconfig --level 0123456 "$svc" on
done
==================================================================
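# Install the build tools, web stack, Postfix, Cyrus IMAP/SASL and Samba in
# one transaction. The second line is a continuation of the same command:
# without the trailing backslash, "cyrus-sasl-* samba-*" would be executed as a
# separate command and the SASL and Samba packages would never be installed.
yum install gcc-* perl-* httpd-* php-* postfix-* cyrus-imapd-* \
  cyrus-sasl-* samba-*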
###### Setting for Cyrus-Imapd Service ######
[root@filesrv01 ~]# passwd cyrus
Changing password for user cyrus.
New UNIX password: ---------->password
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: ---------->password
passwd: all authentication tokens updated successfully.
# Make the IMAP server and the SASL authentication daemon start at every
# runlevel; both are started by hand further down.
for svc in cyrus-imapd saslauthd; do
  chkconfig --level 0123456 "$svc" on
done
==================================
vi /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
==================================
vi /etc/imap.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
==================================
vi /etc/cyrus.conf
# imaps cmd="imapd -s" listen="imaps" prefork=1
# pop3s cmd="pop3d -s" listen="pops3" prefork=1
# NOTE: with the imaps/pop3s listeners left commented out only the plain imap
# and pop3 services are offered, and the PLAIN mechanism chosen in imap.conf
# sends the AD password unencrypted; enable these listeners (with a server
# certificate) or restrict the clients to a trusted network.
# Start the IMAP server first, then saslauthd, which smtpd.conf and imap.conf
# above name as their pwcheck_method.
for svc in cyrus-imapd saslauthd; do
  service "$svc" start
done
[root@filesrv01 ~]# testsaslauthd -u jeffrey_leung -p shenzheng123456/
0: OK "Success."
===================================================================================
# Keep pristine copies of the three files edited below so the changes can be
# rolled back.
backup_dir=/bak_conf
mkdir "$backup_dir"
for cfg in /etc/krb5.conf /etc/samba/smb.conf /etc/postfix/main.cf; do
  cp "$cfg" "$backup_dir/"
done
===================================================================================
vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CENTOS.WINSERVER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
CENTOS.WINSERVER.COM = {
kdc = 172.16.10.100:88
admin_server = 172.16.10.100:749
default_domain = CENTOS.WINSERVER.COM
}
[domain_realm]
.centos.winserver.com = CENTOS.WINSERVER.COM
centos.winserver.com = CENTOS.WINSERVER.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
===================================================================================
vi /etc/samba/smb.conf
[global]
workgroup = centos
netbios name = filesrv01
server string = Samba Server Version %v
password server = 172.16.10.100
realm = CENTOS.WINSERVER.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = /
template shell = /sbin/nologin
winbind use default domain = true
winbind offline logon = false
client use spnego = no
server signing = auto
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
log file = /var/log/samba/%m.log
max log size = 50
encrypt passwords = yes
os level = 20
preferred master = no
dns proxy = no
winbind enum users = yes
winbind enum groups = yes
template homedir= /home/%U
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
valid users = %U
; valid users = MYDOMAIN\%S
===================================================================================
######### Add Linux Server to Windows 2003 AD #########
authconfig
User Information
Cache Information
Use Winbind
User Information
Use MD5 Passwords
Use Shadow Passwords
Use Kerberos
Use SMB Authentication
Use Winbind Authentication
[Next]
Realm: CENTOS.WINSERVER.COM
KDC: 172.16.10.100:88,172.16.10.100
Admin Server: 172.16.10.100:749
[] Use DNS to resolve hosts to realms
[] use DNS to locate KDCs for realms
[Next]
Security Model(*) ads
() domain
Domain: centos
Domain Controllers: 172.16.10.100
ADS Realm: CENTOS.WINSERVER.COM
Template Shell: () /sbin/nologin
() /bin/sh
(*) /bin/bash
() /bin/tcsh
() /bin/ksh
[ Join Domain ]
User: Administrator
Password: centos
[ OK ]
[ OK ]
===================================================================================
less /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
===================================================================================
######### 測試加入至 Windows 2003 AD #########
[root@filesrv01 ~]# kinit
Password for
administrator@CENTOS.WINSERVER.COM:
[root@filesrv01 ~]#
######### 把 SMB Server 加入至 AD Domain Server #########
[root@filesrv01 ~]# net ads join -U
's password:
Using short domain name -- CENTOS
Joined 'FILESRV01' to realm 'CENTOS.WINSERVER.COM'
######### Check Domain User Information #########
[root@filesrv01 soft]# wbinfo --user-info=ja_li
ja_li:*:16777216:10000:Jack Li:/home/CENTOS/ja_li:/sbin/nologin
[root@filesrv01 soft]# wbinfo --user-info=cl_ye
cl_ye:*:16777217:10000:Crolson Ye:/home/CENTOS/cl_ye:/sbin/nologin
######### Check Domain Group Information #########
[root@filesrv01 soft]# wbinfo --group-info=SZIT
szit:*:10001
[root@filesrv01 soft]# wbinfo --group-info=SZQC
szqc:*:10002
[root@filesrv01 soft]# wbinfo --group-info=SZHR
szhr:*:10003
[root@filesrv01 soft]# wbinfo --group-info=SZFinance
szfinance:*:10004
[root@filesrv01 soft]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
szit
szhr
szqc
szfinance
==================================
[root@filesrv01 centos]# net getdomainsid
SID for domain FILESRV01 is: S-1-5-21-579886517-2040302620-1869373772
SID for domain CENTOS is: S-1-5-21-2075900954-1661521954-1233162749
###### Testing Connection from Samba to Localhost & AD Server ######
[root@filesrv01 Department]# smbclient -L localhost -U ja_li
Password:
Domain=[CENTOS] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 3.0.33-3.7.el5)
ja_li Disk Home Directories
Domain=[CENTOS] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
Server Comment
--------- -------
FILESRV01 Samba Server Version 3.0.33-3.7.el5
WINSERVER
Workgroup Master
--------- -------
CENTOS WINSERVER
============================================
[root@filesrv01 soft]# smbclient -L winserver -U ja_li
Password:
Domain=[CENTOS] OS=[Windows Server 2003 3790] Server=[Windows Server
2003 5.2]
Sharename Type Comment
--------- ---- -------
IPC$ IPC 遠程 IPC
NETLOGON Disk Logon server share
ADMIN$ Disk 遠程管理
SYSVOL Disk Logon server share
C$ Disk 默認共享
Domain=[CENTOS] OS=[Windows Server 2003 3790] Server=[Windows Server
2003 5.2]
Server Comment
--------- ------------
FILESRV01 Samba Server Version 3.0.33-3.7.el5
WINSERVER
Workgroup Master
--------- ---------
CENTOS WINSERVER
==================================
###### Create Folder for Windows AD User ######
[root@filesrv01 Department]# mkdir /home/centos
[root@filesrv01 Department]# mkdir /home/centos/ja_li
[root@filesrv01 Department]# mkdir /home/centos/cl_ye
[root@filesrv01 Department]# ll /home/centos
total 12
drwxr-xr-x 2 root root 4096 Apr 29 11:29 cl_ye
drwxr-xr-x 2 root root 4096 Apr 29 11:29 ja_li
[root@filesrv01 centos]# chown cl_ye. cl_ye
[root@filesrv01 centos]# chown ja_li. ja_li
[root@filesrv01 centos]# ll
total 8
drwxr-xr-x 2 cl_ye domain users 4096 Apr 29 11:29 cl_ye
drwxr-xr-x 2 ja_li domain users 4096 Apr 29 11:29 ja_li
[root@filesrv01 centos]# chmod 700 -R cl_ye
[root@filesrv01 centos]# chmod 700 -R ja_li
[root@filesrv01 centos]# ll
total 8
drwx------ 2 cl_ye domain users 4096 Apr 29 11:29 cl_ye
drwx------ 2 ja_li domain users 4096 Apr 29 11:29 ja_li
===================================================================================
vi /etc/postfix/main.cf
#soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
#default_privs = nobody
myhostname = filesrv01.centos.winserver.com
mydomain = centos.winserver.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
    mail.$mydomain, ftp.$mydomain
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 550
mynetworks_style = class
mynetworks = 172.16.0.0/16, 127.0.0.0/8
relay_domains = $mydestination
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#in_flow_delay = 1s
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#recipient_delimiter = +
#home_mailbox = Mailbox
#home_mailbox = Maildir/
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = cyrus
# NOTE: main.cf keeps the last assignment, so the lmtp line above is ignored
# and local delivery goes through the "cyrus" transport, which must exist as a
# service in master.cf (verify); keep only the one that is actually wanted.
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
#header_checks = regexp:/etc/postfix/header_checks
#fast_flush_domains = $relay_domains
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = winserver.$mydomain
smtpd_sasl_security_options=noanonymous
# NOTE: no smtpd_tls_* settings are configured, so AUTH PLAIN/LOGIN (offered
# in the EHLO reply below) carries the AD password in the clear on port 25;
# add a certificate and smtpd_tls_security_level = may before exposing this
# beyond the LAN.
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination, permit_mynetworks check_relay_domains
# order matters: reject_unauth_destination is evaluated before permit_mynetworks,
# so unauthenticated LAN hosts can only deliver to $mydestination/$relay_domains;
# check_relay_domains is deprecated in favour of reject_unauth_destination.
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes
==================================================================
# Start Postfix; with inet_interfaces = all in main.cf it listens on every
# interface, which the telnet checks below confirm on 172.16.10.200.
service postfix start
[root@filesrv01 ~]# telnet 172.16.10.200 25
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
220 filesrv01.centos.winserver.com ESMTP Postfix
ehlo filesrv01.centos.winserver.com
250-filesrv01.centos.winserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^]
telnet> q
Connection closed.
==================================
[root@filesrv01 ~]# telnet 172.16.10.200 110
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
+OK filesrv01.centos.winserver.com Cyrus POP3
v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
<>
^]
telnet> q
Connection closed.
==================================
[root@filesrv01 ~]# telnet 172.16.10.200 143
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID]
filesrv01.centos.winserver.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-2.el5
server
ready
^]
telnet> q
Connection closed.