2010-01-14 14:36:52

說明:Linux通過 Samba(smbd,nmbd,winbind)+Kerberos,加入至Windows AD域後,與AD域連接並共享資料信息。

以上述實驗為基礎,安裝Postfix + Cyrus-SASL+Cyrus-IMAP+WebMail客戶端。Postfix通過Cyrus-SASL來進行認證。所有User信息及 Password都存放於Windows 2003 AD上。

基於實驗一,所有Windows 2003 AD上的User都能通過 SSH & FTP、smbclient連接於Linux Server.

未完成實驗有:
1) Openwebmail未能通過User認證收發電郵;
2) 在Windows 2003 AD的User屬性中,將Home目錄設置於Linux Server上時出現錯誤: User由XP登入域後,Home目錄不能自動連接於Linux的User目錄。

===================================================================================
原理:
Linux通過Samba(smbd,nmbd,winbind)+Kerberos加入至Windows AD域後,與AD域連接並共享資料信息。


Server Information :

Windows 2003 AD
Hostname: winserver.centos.winserver.com
IP: 172.16.10.100 / 16
DNS: 172.16.100.100
GW: 172.16.100.100
Domain: centos
Password: centos


CentOS 5.3 Linux
Hostname: filesrv01.centos.winserver.com
Password: centos
IP: 172.16.10.200 / 16
DNS: 172.16.100.100
GW: 172.16.100.100
WebMail: SquirrelMail 1.4.8-4.0.1.el5.centos.2

===================================================================================

# Trim the boot-time service set: drop the stock MTA (Postfix replaces it
# below) and unused daemons, enable the FTP and VNC servers at every runlevel.
# Turning iptables/ip6tables off leaves the host with no local packet filter,
# so the Samba, SMTP, POP3 and IMAP listeners configured later are reachable
# from any host that can route to 172.16.10.200.
for svc in sendmail smartd pcscd bluetooth iptables ip6tables; do
  chkconfig --level 0123456 "$svc" off
done
for svc in vsftpd vncserver; do
  chkconfig --level 0123456 "$svc" on
done

==================================================================
yum install gcc-* perl-* httpd-* php-* postfix-* cyrus-imapd-* cyrus-sasl-* samba-*


###### Setting for Cyrus-Imapd Service ######
[root@filesrv01 ~]# passwd cyrus
Changing password for user cyrus.
New UNIX password: ---------->password
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: ---------->password
passwd: all authentication tokens updated successfully.
# Start the Cyrus IMAP server and the SASL authentication daemon at boot.
for svc in cyrus-imapd saslauthd; do
  chkconfig --level 0123456 "$svc" on
done

==================================

vi /usr/lib/sasl2/smtpd.conf
# SASL settings for Postfix's smtpd: password checks are delegated to
# saslauthd, and only PLAIN and LOGIN are offered, which is exactly what the
# EHLO reply later advertises (AUTH PLAIN LOGIN). Both mechanisms carry the
# password in clear, and main.cf below configures no smtpd_tls_* settings,
# so credentials cross the network unencrypted.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

==================================

vi /etc/imap.conf
# Cyrus IMAP server settings. NOTE(review): on CentOS the cyrus-imapd package
# reads /etc/imapd.conf; confirm the file name being edited is the one the
# daemon actually loads.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
# The "cyrus" account (password set with passwd above) administers mailboxes.
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
# Logins are verified by saslauthd, not by a local sasldb.
sasl_pwcheck_method: saslauthd
# PLAIN sends the password in clear. The imaps/pop3s listeners are disabled in
# cyrus.conf below, so the cleartext 110/143 services exercised by the telnet
# checks are the only ones clients can use.
sasl_mech_list: PLAIN

==================================

vi /etc/cyrus.conf
# Both TLS listeners are left commented out, so only the cleartext imap/pop3
# services (from the stock file, not shown here) answer -- see the telnet
# checks on ports 110 and 143 at the end.
# imaps cmd="imapd -s" listen="imaps" prefork=1
# pop3s cmd="pop3d -s" listen="pop3s" prefork=1


# Bring up the IMAP server and saslauthd now (they are also enabled at boot).
for svc in cyrus-imapd saslauthd; do
  service "$svc" start
done

[root@filesrv01 ~]# testsaslauthd -u jeffrey_leung -p shenzheng123456/
0: OK "Success."


===================================================================================

# Keep pristine copies of the three files edited below so they can be restored.
mkdir /bak_conf
for cfg in /etc/krb5.conf /etc/samba/smb.conf /etc/postfix/main.cf; do
  cp -- "$cfg" /bak_conf/
done

===================================================================================

vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CENTOS.WINSERVER.COM
# DNS discovery is disabled, so the KDC address comes solely from [realms]
# below; if the domain controller changes address, this file must be edited.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
CENTOS.WINSERVER.COM = {
# The Windows 2003 DC (172.16.10.100) acts as both KDC and admin server.
kdc = 172.16.10.100:88
admin_server = 172.16.10.100:749
default_domain = CENTOS.WINSERVER.COM
}

[domain_realm]
# Map the bare domain and every host under it to the realm.
.centos.winserver.com = CENTOS.WINSERVER.COM
centos.winserver.com = CENTOS.WINSERVER.COM

[appdefaults]
# Settings read by pam_krb5; the lifetimes are presumably seconds (10 hours).
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

===================================================================================
vi /etc/samba/smb.conf

# Domain-member configuration: this host authenticates against the AD realm
# (security = ads) and resolves AD users and groups through winbind.
[global]
workgroup = centos
netbios name = filesrv01
server string = Samba Server Version %v
# The DC is pinned by IP here and again in /etc/krb5.conf; update both if it
# moves.
password server = 172.16.10.100
realm = CENTOS.WINSERVER.COM
security = ads
# Local uid/gid range winbind allocates for AD SIDs. The wbinfo output later
# shows uids from 16777216 but gids 10000-10004, which lie outside this range;
# NOTE(review): confirm which mapping produced those gids.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Default separator is '\'; with "winbind use default domain" the prefix is
# dropped for this domain anyway, so this mainly affects other trusted domains.
winbind separator = /
# Shell given to AD users. NOTE(review): authconfig below selects /bin/bash,
# yet wbinfo later reports /sbin/nologin, so whichever tool wrote the file last
# wins; a real login shell is required for the SSH/FTP access described at
# the top.
template shell = /sbin/nologin
winbind use default domain = true
winbind offline logon = false
# Disables SPNEGO (and therefore Kerberos) on outgoing SMB connections from
# this host, e.g. smbclient; presumably a workaround -- confirm it is needed.
client use spnego = no
server signing = auto
# Both left disabled: Samba binds every interface and accepts any client.
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
log file = /var/log/samba/%m.log
max log size = 50
encrypt passwords = yes
os level = 20
preferred master = no
dns proxy = no

# Allow enumerating all domain users/groups (getent, wbinfo -u/-g).
winbind enum users = yes
winbind enum groups = yes
# NOTE(review): wbinfo later reports /home/CENTOS/<user> and the directories
# are created under /home/centos, neither of which matches /home/%U; confirm
# which template is really in effect.
template homedir= /home/%U



# Per-user home share: each AD user sees a share named after themselves.
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
# Restricts the share to the user whose home it is.
valid users = %U
; valid users = MYDOMAIN\%S


===================================================================================

######### Add Linux Server to Windows 2003 AD #########

authconfig
User Information

Cache Information

Use Winbind

User Information

Use MD5 Passwords

Use Shadow Passwords

Use Kerberos

Use SMB Authentication

Use Winbind Authentication
[Next]
Realm: CENTOS.WINSERVER.COM
KDC: 172.16.10.100:88,172.16.10.100
Admin Server: 172.16.10.100:749
[] Use DNS to resolve hosts to realms
[] use DNS to locate KDCs for realms
[Next]
Security Model(*) ads
() domain
Domain: centos
Domain Controllers: 172.16.10.100
ADS Realm: CENTOS.WINSERVER.COM
Template Shell: () /sbin/nologin
() /bin/sh
(*) /bin/bash
() /bin/tcsh
() /bin/ksh
[ Join Domain ]
User: Administrator
Password: centos
[ OK ]
[ OK ]

===================================================================================
less /etc/nsswitch.conf

# Local files are consulted before winbind, so AD accounts never shadow local
# ones; these are the lines authconfig writes when winbind is selected.
passwd: files winbind
shadow: files winbind
group: files winbind

===================================================================================

######### 測試加入至 Windows 2003 AD #########
[root@filesrv01 ~]# kinit

Password for administrator@CENTOS.WINSERVER.COM:
[root@filesrv01 ~]#



######### 把 SMB Server 加入至 AD Domain Server #########
[root@filesrv01 ~]# net ads join -U

's password:
Using short domain name -- CENTOS
Joined 'FILESRV01' to realm 'CENTOS.WINSERVER.COM'


######### Check Domain User Information #########
[root@filesrv01 soft]# wbinfo --user-info=ja_li
ja_li:*:16777216:10000:Jack Li:/home/CENTOS/ja_li:/sbin/nologin
[root@filesrv01 soft]# wbinfo --user-info=cl_ye
cl_ye:*:16777217:10000:Crolson Ye:/home/CENTOS/cl_ye:/sbin/nologin


######### Check Domain Group Information #########
[root@filesrv01 soft]# wbinfo --group-info=SZIT
szit:*:10001
[root@filesrv01 soft]# wbinfo --group-info=SZQC
szqc:*:10002
[root@filesrv01 soft]# wbinfo --group-info=SZHR
szhr:*:10003
[root@filesrv01 soft]# wbinfo --group-info=SZFinance
szfinance:*:10004

[root@filesrv01 soft]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
szit
szhr
szqc
szfinance

==================================

[root@filesrv01 centos]# net getdomainsid
SID for domain FILESRV01 is: S-1-5-21-579886517-2040302620-1869373772
SID for domain CENTOS is: S-1-5-21-2075900954-1661521954-1233162749


###### Testing Connection from Samba to Localhost & AD Server ######

[root@filesrv01 Department]# smbclient -L localhost -U ja_li
Password:
Domain=[CENTOS] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 3.0.33-3.7.el5)
ja_li Disk Home Directories
Domain=[CENTOS] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

Server Comment
--------- -------
FILESRV01 Samba Server Version 3.0.33-3.7.el5
WINSERVER

Workgroup Master
--------- -------
CENTOS WINSERVER


============================================

[root@filesrv01 soft]# smbclient -L winserver -U ja_li
Password:
Domain=[CENTOS] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

Sharename Type Comment
---------   ----   -------
IPC$   IPC  遠程 IPC
NETLOGON Disk  Logon server share
ADMIN$  Disk  遠程管理
SYSVOL    Disk  Logon server share
C$    Disk   默認共享
Domain=[CENTOS] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

Server Comment
---------  ------------
FILESRV01 Samba Server Version 3.0.33-3.7.el5
WINSERVER

Workgroup Master
---------  ---------
CENTOS WINSERVER

==================================

###### Create Folder for Windows AD User ######

[root@filesrv01 Department]# mkdir /home/centos
[root@filesrv01 Department]# mkdir /home/centos/ja_li
[root@filesrv01 Department]# mkdir /home/centos/cl_ye
[root@filesrv01 Department]# ll /home/centos
total 12
drwxr-xr-x 2 root root 4096 Apr 29 11:29 cl_ye
drwxr-xr-x 2 root root 4096 Apr 29 11:29 ja_li

[root@filesrv01 centos]# chown cl_ye. cl_ye
[root@filesrv01 centos]# chown ja_li. ja_li

[root@filesrv01 centos]# ll
total 8
drwxr-xr-x 2 cl_ye domain users 4096 Apr 29 11:29 cl_ye
drwxr-xr-x 2 ja_li domain users 4096 Apr 29 11:29 ja_li

[root@filesrv01 centos]# chmod 700 -R cl_ye
[root@filesrv01 centos]# chmod 700 -R ja_li
[root@filesrv01 centos]# ll
total 8
drwx------ 2 cl_ye domain users 4096 Apr 29 11:29 cl_ye
drwx------ 2 ja_li domain users 4096 Apr 29 11:29 ja_li

===================================================================================

vi /etc/postfix/main.cf
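# Postfix main.cf for filesrv01: local delivery is handed to Cyrus and SMTP
# AUTH is verified through saslauthd (see /usr/lib/sasl2/smtpd.conf).
# A line that starts with whitespace continues the parameter above it.
#soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
#default_privs = nobody
myhostname = filesrv01.centos.winserver.com
mydomain = centos.winserver.com
myorigin = $mydomain
inet_interfaces = all
# Domains this host accepts as final destination (continuation line indented
# so Postfix joins it to the parameter).
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
    mail.$mydomain, ftp.$mydomain
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 550
# An explicit mynetworks overrides mynetworks_style; every host in the /16 is
# trusted to relay without authentication by permit_mynetworks below.
mynetworks_style = class
mynetworks = 172.16.0.0/16, 127.0.0.0/8
relay_domains = $mydestination
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#in_flow_delay = 1s
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#recipient_delimiter = +
#home_mailbox = Mailbox
#home_mailbox = Maildir/
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# Only the last mailbox_transport assignment takes effect (postconf warns
# about the overridden one), so the LMTP socket variant is kept here as a
# comment rather than as a second, silently ignored definition.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = cyrus
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
#header_checks = regexp:/etc/postfix/header_checks
#fast_flush_domains = $relay_domains
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
debug_peer_level = 2
# Multi-line value: the two indented lines belong to debugger_command.
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

# SMTP AUTH through Cyrus SASL; the mechanism list comes from
# /usr/lib/sasl2/smtpd.conf (PLAIN LOGIN).
smtpd_sasl_auth_enable = yes
# NOTE(review): this realm is appended to bare user names before they reach
# saslauthd; confirm saslauthd is configured to expect it.
smtpd_sasl_local_domain = winserver.$mydomain
# noplaintext cannot be added while PLAIN/LOGIN are the only mechanisms
# offered, so without smtpd_tls_* the password is protected only by the network.
smtpd_sasl_security_options=noanonymous
# Order matters: trusted networks and authenticated clients may relay, every
# other client is limited to our own domains. check_relay_domains was removed:
# it is deprecated in Postfix 2.x and its effect is already provided by the
# preceding two rules.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_delay_reject = yes
# Makes smtpd also announce the obsolete "AUTH=PLAIN LOGIN" form seen in the
# EHLO reply, for old clients that require it.
broken_sasl_auth_clients = yes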

==================================================================

service postfix start
[root@filesrv01 ~]# telnet 172.16.10.200 25
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
220 filesrv01.centos.winserver.com ESMTP Postfix
ehlo filesrv01.centos.winserver.com
250-filesrv01.centos.winserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^]
telnet> q
Connection closed.

==================================

[root@filesrv01 ~]# telnet 172.16.10.200 110
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
+OK filesrv01.centos.winserver.com Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready

<
>
^]
telnet> q
Connection closed.

==================================

[root@filesrv01 ~]# telnet 172.16.10.200 143
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID] filesrv01.centos.winserver.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-2.el5 server

ready
^]
telnet> q
Connection closed.