Category: LINUX

2010-01-15 11:54:45

Joining the AD domain
Packages to install:
apt-get install samba winbind krb5-config krb5-user postfix dovecot-common dovecot-imapd dovecot-pop3d squirrelmail

1. Point the mail server's DNS at the AD domain
sudo vi /etc/resolv.conf
search testmail.com
nameserver 172.16.21.210   # replace with the DNS server of the target AD domain (normally a domain controller)

2. Kerberos client configuration
sudo vi /etc/krb5.conf
[libdefaults]
default_realm = TESTMAIL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h

[realms]
TESTMAIL.COM = {
default_domain = TESTMAIL.COM
kdc = 172.16.21.56:88
admin_server = 172.16.21.56:749
}

[domain_realm]
.testmail.com = TESTMAIL.COM
testmail.com = TESTMAIL.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

The realm name is written in upper case wherever it appears. Because dns_lookup_kdc = false, the kdc line must point at a domain controller of the AD domain (here 172.16.21.56); AD runs no kadmin service, so the admin_server line on port 749 is never used and can be dropped. The [kdc] and [login] sections and the krb4_* options come from a stock example file and are not used by a client that only joins a domain.

Check that the realm is reachable:
kinit <user>@TESTMAIL.COM   # the realm after @ must be upper case
If it works, kinit returns to the shell right after the password prompt with no message; klist then shows a krbtgt/TESTMAIL.COM@TESTMAIL.COM ticket. An error such as "Cannot find KDC for requested realm" means the kdc line or DNS is wrong.

3. Configure /etc/nsswitch.conf
sudo vi /etc/nsswitch.conf
so that account and group lookups ask winbind after the local files:

passwd: files winbind
group: files winbind
shadow: files winbind

(winbind does not serve shadow entries, so the shadow line has no effect but does no harm. Keeping "files" first means a local account wins over a domain account of the same name.)

4. Samba configuration
sudo vi /etc/samba/smb.conf
Add the following under [global]:
[global]
workgroup = TESTMAIL   # NetBIOS (short) name of the AD domain
netbios name = ubuntu001   # computer name of the mail server
server string = Samba Server
security = ADS   # authenticate against AD with Kerberos
realm = TESTMAIL.COM   # must match default_realm in krb5.conf exactly
password server = testmailserver.testmail.com   # FQDN of the domain controller
encrypt passwords = yes
os level = 20
dns proxy = no
idmap gid = 10000-20000
idmap uid = 10000-20000
winbind use default domain = yes
winbind separator = /
winbind enum groups = yes
winbind enum users = yes
template shell = /bin/bash

The idmap uid/gid range is where winbind allocates Unix IDs for domain accounts; it must not overlap the local accounts (Samba 3.6 and later spell it idmap config * : range = 10000-20000). winbind use default domain = yes makes domain users appear as plain "user" instead of "TESTMAIL/user" (winbind separator = / chooses that separator), which is what lets Postfix deliver to user@testmail.com and Dovecot find ~/Maildir without a domain prefix. template shell = /bin/bash gives every domain account a login shell on the mail server; if domain users only need mail, /bin/false or /usr/sbin/nologin is the safer value, and IMAP/POP3 and SMTP authentication through PAM still work.


5. Join the domain:
/usr/bin/net join -U username   # username: a domain account allowed to join computers to the domain (a domain admin, or an account delegated that right)
With security = ADS this is the same as net ads join.

6. Restart the services:
/etc/init.d/samba restart
/etc/init.d/winbind restart

7. Check that the join succeeded:
net rpc testjoin
On success it prints:
Join to 'TESTMAIL' is OK
(net ads testjoin performs the same check over Kerberos, which is what security = ADS actually uses.)

8. Check the trust relationship with the domain:
wbinfo -t
prints
checking the trust secret via RPC calls succeeded
when the machine account's trust password works.
Then:
wbinfo -u lists the users of the Windows 2003 domain
wbinfo -g lists the groups of the Windows 2003 domain
getent group lists the local Ubuntu groups followed by the domain groups
getent passwd lists the local Ubuntu accounts followed by the domain accounts
The getent output is the one the mail server depends on: Dovecot's userdb passwd and Postfix local delivery resolve mailbox owners through nsswitch, so a domain user that wbinfo -u shows but getent passwd does not will not get mail.


Postfix configuration
1. In /etc/postfix/main.cf locate the following parameters and adjust myhostname, mydestination and mynetworks to your environment:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname = testmail.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = testmail.com, localhost.localdomain, localhost   # must list the domains this server receives mail for, i.e. the domain in myhostname
relayhost =
mynetworks = 172.16.21.0/24, 127.0.0.0/8
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
home_mailbox = Maildir/

Notes on these values:
- Mail for a domain that is in neither mydestination nor relay_domains is refused by reject_unauth_destination with "Relay access denied" unless the client is in mynetworks or has authenticated, so mydestination has to contain testmail.com.
- smtpd_use_tls = yes only offers STARTTLS; a client may still send AUTH PLAIN or LOGIN on an unencrypted session and hand over its AD password. Add smtpd_tls_auth_only = yes so that AUTH is announced only after STARTTLS, and replace the snakeoil self-signed certificate with one clients can verify.
- permit_mynetworks with 172.16.21.0/24 lets every host on that subnet relay through the server without authenticating; narrow it to 127.0.0.0/8 plus the specific hosts that need it if the subnet is not fully trusted.
- smtpd_sasl_security_options = noanonymous only forbids the ANONYMOUS mechanism; it does not exclude plaintext mechanisms (that would be noplaintext, which leaves saslauthd with nothing to verify).

2. vim /etc/postfix/master.cf
Find the line
smtp inet n - - - - smtpd
and change it to
smtp inet n - n - - smtpd
The fourth column is "chroot": setting it to n runs smtpd outside the /var/spool/postfix chroot so that it can reach the saslauthd socket. If the socket is created under /var/spool/postfix/var/run/saslauthd (steps 4 to 6 of the PAM and SASL section), smtpd can stay chrooted and this change is unnecessary; keeping the chroot is the safer choice.

3. Create a new file
vim /etc/postfix/sasl/smtpd.conf
with the contents
log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
PLAIN and LOGIN are the only mechanisms saslauthd can verify, because it has to pass the cleartext password on to PAM; that is why AUTH should only be offered inside TLS (smtpd_tls_auth_only = yes).
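The following is an added audit script, not part of the original post and not a Postfix tool: it parses main.cf the way postconf does and checks the fragment above for the points that matter in this setup (SASL offered outside TLS, the snakeoil placeholder certificate, the ${queue_directory} session-cache lines, a mydestination that omits myhostname's domain, and a mynetworks that relays for a whole subnet). SAMPLE_MAIN_CF is constructed from the page's main.cf, keeping mydestination as it was originally printed (another host's domains) so that the check fires; DEFAULTS holds Postfix's stock values for the two parameters the fragment does not set.

```python
import ipaddress
import re

# Constructed sample: the main.cf fragment from this page.
SAMPLE_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname = testmail.com
myorigin = /etc/mailname
mydestination = dgalltop.com.cn, debian.dgalltop.com.cn, localhost, localhost.localdomain, localhost
relayhost =
mynetworks = 172.16.21.0/24, 127.0.0.0/8
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
home_mailbox = Maildir/
"""

# Postfix built-in defaults for parameters the sample leaves unset (assumed).
DEFAULTS = {"queue_directory": "/var/spool/postfix", "smtpd_tls_auth_only": "no"}

_VAR = re.compile(r"\$\{?(\w+)\}?")


def parse_main_cf(text):
    """Parse Postfix 'name = value' syntax: '#' lines are comments, a line that
    starts with whitespace continues the previous value, and a later assignment
    overrides an earlier one (the behaviour of postconf)."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(params, value, depth=0):
    """Expand $name and ${name} references recursively, like postconf -x."""
    if depth > 10:
        raise ValueError("parameter expansion too deep (loop?)")

    def lookup(match):
        name = match.group(1)
        return expand(params, params.get(name, DEFAULTS.get(name, "")), depth + 1)

    return _VAR.sub(lookup, value)


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(params):
    """Return the findings (strings) for the checks described in the lead-in."""
    def get(name):
        return expand(params, params.get(name, DEFAULTS.get(name, "")))

    findings = []
    # 1. PLAIN/LOGIN must only be offered inside TLS, or AD passwords cross port 25 in the clear.
    if get("smtpd_sasl_auth_enable") == "yes" and get("smtpd_tls_auth_only") != "yes":
        findings.append("sasl-without-tls-only: set smtpd_tls_auth_only = yes")
    # 2. The Debian snakeoil certificate is a self-signed placeholder.
    if get("smtpd_use_tls") == "yes" and "snakeoil" in get("smtpd_tls_cert_file"):
        findings.append("placeholder-cert: smtpd_tls_cert_file is the snakeoil self-signed certificate")
    # 3. A dropped ':$' in the cache lines leaves a path Postfix cannot open.
    for name in ("smtpd_tls_session_cache_database", "smtp_tls_session_cache_database"):
        if not get(name).startswith("btree:/"):
            findings.append(f"bad-cache-path: {name} = {get(name)!r}")
    # 4. Mail for myhostname's domain is only delivered locally if the domain is listed.
    host = get("myhostname")
    if host not in split_list(get("mydestination")):
        findings.append(f"mydestination-missing-myhostname: {host}")
    # 5. permit_mynetworks relays for every address in mynetworks without AUTH.
    for net in split_list(get("mynetworks")):
        network = ipaddress.ip_network(net, strict=False)
        if not network.is_loopback and network.num_addresses > 1:
            findings.append(f"broad-mynetworks: {net} relays unauthenticated for {network.num_addresses} hosts")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

Run against the page's fragment it reports the missing smtpd_tls_auth_only, the snakeoil certificate, the mydestination gap and the /24 relay range; the same parser can be pointed at the live file with parse_main_cf(open("/etc/postfix/main.cf").read()).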

Dovecot configuration
sudo vi /etc/dovecot/dovecot.conf   (Dovecot 1.x syntax)

protocols = imap pop3
listen = *
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_dir = /var/run/dovecot/login
mail_location = maildir:~/Maildir
mail_extra_groups = mail
protocol imap {
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
auth default {
mechanisms = plain
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
client {
mode = 0660
user = postfix
group = postfix
}
}
}

What the settings do, and what to watch:
- passdb pam hands the login to PAM, i.e. to pam_winbind and therefore to the AD domain controller; userdb passwd resolves the mailbox owner through nsswitch (winbind), which is why getent passwd has to list domain users. PAM lookups are the reason the auth process runs as user = root.
- disable_plaintext_auth = no lets clients send the AD password with PLAIN over unencrypted IMAP and POP3 on every interface (listen = *). That is tolerable only for a webmail front end on the same host; for clients on the network, set it back to yes and serve IMAPS/POP3S (ssl_cert_file / ssl_key_file), otherwise the domain credentials cross the LAN in the clear.
- mail_extra_groups = mail is deprecated by Dovecot in favour of mail_privileged_group = mail, which grants the mail group only temporarily for creating the INBOX or its dotlock in /var/mail instead of for all mail access. With home_mailbox = Maildir/ in Postfix the mailboxes live under the user's home anyway, so neither setting is strictly needed here.
- The socket listen / client block offers Dovecot's SASL socket to Postfix; it is only used if main.cf sets smtpd_sasl_type = dovecot. This page authenticates SMTP through Cyrus saslauthd instead, so the block is inert.

PAM and SASL configuration
Install the packages:
apt-get install libsasl2 sasl2-bin libsasl2-modules

1. sudo vi /etc/pam.d/common-auth

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so use_first_pass nullok_secure
auth required pam_deny.so

krb5_auth makes pam_winbind authenticate the user with Kerberos (a TGT is obtained and stored in a FILE credential cache) rather than NTLM. Because the module is "sufficient", a domain user whom AD accepts is let in right there; if winbind says no, or winbindd is down, the stack falls through to pam_unix, which re-uses the password already typed (use_first_pass) against /etc/shadow, so local accounts keep working during a domain outage; anything neither module accepts is refused by pam_deny. The order matters: a "required" module that fails before the "sufficient" ones denies everyone, even when AD accepts the password.

2. sudo vi /etc/pam.d/common-account

account sufficient pam_winbind.so use_first_pass cached_login
account required pam_unix.so

(cached_login only takes effect together with "winbind offline logon = yes" in smb.conf.)

3. sudo vi /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

pam_mkhomedir creates the home directory, and with it the place for Maildir, when a domain user logs in for the first time. umask=0022 makes that home world-readable; since the mailbox lives in it, umask=0077 is the better value.

4. Remove /var/run/saslauthd
rm -R /var/run/saslauthd

5. Create /var/spool/postfix/var/run/saslauthd
mkdir -p /var/spool/postfix/var/run/saslauthd

6. Create the symlink
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd

Steps 4 to 6 put the saslauthd socket inside Postfix's chroot (/var/spool/postfix) so that a chrooted smtpd can reach it. On Debian/Ubuntu the packaged way to get the same result is OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" in /etc/default/saslauthd plus adduser postfix sasl, which needs no symlink.

7. sudo vi /etc/default/saslauthd
START=yes
MECHANISMS="pam"

MECHANISMS="pam" is what ties SMTP AUTH to the stack from step 1: saslauthd verifies the PLAIN/LOGIN credentials through PAM (service name smtp, which on Debian falls back to the common-* files), so SMTP clients log in with their AD password.

8. Restart saslauthd
/etc/init.d/saslauthd restart
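To see how Linux-PAM actually walks the common-auth stack above for different kinds of account, here is an added simulation in Python (not from the page, and not a PAM tool): it parses the page's common-auth and evaluates the control flags with the documented libpam semantics (required: a failure is remembered and the stack continues; requisite: a failure returns at once; sufficient: a success returns at once unless a required module already failed, a failure is ignored). pam_winbind and pam_unix are stood in by the assumed tables DOMAIN_USERS and LOCAL_USERS, and the winbind_up switch simulates winbindd being unreachable; all of these are constructed for the example.

```python
# Constructed: the common-auth stack from this page.
COMMON_AUTH = """\
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so use_first_pass nullok_secure
auth required pam_deny.so
"""

# Assumed account data standing in for AD (via winbind) and /etc/shadow.
DOMAIN_USERS = {"gavin001": "ABCabc12"}
LOCAL_USERS = {"gavin": "local-secret"}


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one management group of a pam.d file."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != facility:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {line!r}")
        rules.append((fields[1], fields[2], fields[3:]))
    return rules


def run_module(module, user, password, winbind_up):
    """Simulated module verdicts: True is PAM_SUCCESS, False is any error code."""
    if module == "pam_winbind.so":
        # winbindd down -> PAM_AUTHINFO_UNAVAIL, which the stack treats as a failure
        return winbind_up and DOMAIN_USERS.get(user) == password
    if module == "pam_unix.so":
        return LOCAL_USERS.get(user) == password
    if module == "pam_deny.so":
        return False
    raise ValueError(f"no simulation for {module}")


def authenticate(rules, user, password, winbind_up=True):
    """Evaluate the stack with Linux-PAM's control semantics.
    Returns (granted, module_that_decided)."""
    impression = None   # libpam's running verdict: None (unset), True, False
    decider = None
    for control, module, _args in rules:
        ok = run_module(module, user, password, winbind_up)
        if control == "sufficient":
            # success ends the stack unless a required module already failed;
            # a failing sufficient module is simply ignored
            if ok and impression is not False:
                return True, module
        elif control == "requisite":
            if not ok:
                return False, module
            if impression is None:
                impression, decider = True, module
        elif control == "required":
            if ok:
                if impression is None:
                    impression, decider = True, module
            elif impression is not False:
                impression, decider = False, module   # first failure wins
        elif control != "optional":
            raise ValueError(f"unsupported control flag {control!r}")
    if impression is None:
        # nothing set a verdict (e.g. an empty stack): libpam denies
        return False, "no-result"
    return impression, decider


if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    for user, pw, up in (("gavin001", "ABCabc12", True), ("gavin", "local-secret", False),
                         ("gavin001", "ABCabc12", False), ("nobody", "x", True)):
        print(user, "winbind up" if up else "winbind down", authenticate(stack, user, pw, up))
```

The misordered variant in the test, with pam_deny.so listed first as "required", shows the trap described above: AD still accepts gavin001's password, but the earlier required failure prevents the sufficient success from ending the stack, and everyone is denied.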


SquirrelMail configuration

1. sudo squirrelmail-configure

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >>


Choose item 2 (Server Settings):

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings

General
-------
1. Domain : testmail.com
2. Invert Time : false
3. Sendmail or SMTP : SMTP

A. Update IMAP Settings : 172.16.21.201:143 (dovecot)
B. Update SMTP Settings : 172.16.21.201:25

R Return to Main Menu
C Turn color on
S Save data
Q Quit

Command >>

The IMAP and SMTP settings point at the mail server's own address on the plain ports 143 and 25, and SquirrelMail logs in with the user's AD password. When the web server and the mail server are the same machine, use localhost (127.0.0.1) here so that those credentials never leave the host; when they are separate machines, use IMAPS/STARTTLS instead.

2. Edit the Apache configuration /etc/apache2/apache2.conf and add the line
Include /etc/squirrelmail/apache.conf

3. Create a symlink
ln -s /usr/share/squirrelmail/ /var/www/squirrelmail

4. Restart apache2
/etc/init.d/apache2 restart

5. Open the webmail front page in a browser. The login form carries AD credentials, so the virtual host that serves it should use HTTPS.



Changing AD domain passwords from the SquirrelMail web interface

1. Download two plugins:

change_pass-3.0-1.4.0.tar.gz


compatibility-2.0.15-1.0.tar.gz

2. Copy the plugins to the Ubuntu box
Use a USB stick, a network share or FTP, whichever is convenient (FTP was used here).

3. Install compatibility-2.0.15-1.0.tar.gz
Assuming the archives are in /mnt/down, change into that directory first.

tar zxf compatibility-2.0.15-1.0.tar.gz
# unpack

mv compatibility /var/www/squirrelmail/plugins/
# the plugin directory of this SquirrelMail installation

chown -R gavin /var/www/squirrelmail/plugins/compatibility/
# gavin is the Ubuntu login used here; substitute your own account

chmod -R 755 /var/www/squirrelmail/plugins/compatibility/

4. Install change_pass-3.0-1.4.0.tar.gz
Again with the archive in /mnt/down:

tar zxf change_pass-3.0-1.4.0.tar.gz
mv change_passwd /var/www/squirrelmail/plugins/
chown -R gavin /var/www/squirrelmail/plugins/change_passwd/
chmod -R 755 /var/www/squirrelmail/plugins/change_passwd/

The web server only needs to read the plugin files, so the owner should be an ordinary account rather than www-data: a user-owned tree with directories at 755 and files at 644 is enough and keeps a compromised PHP process from rewriting the plugin. The ldap-chpasswd helper script is the one file that must stay executable (755).
5. Enable the plugins
sudo squirrelmail-configure
From the main menu shown earlier choose item 8 (Plugins):

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. compatibility
2. squirrelspell
3. change_passwd
4. test
5. administrator

Available Plugins:
6. abook_take
7. bug_report
8. calendar
9. chg_sasl_passwd
10. delete_move_next
11. demo
12. filters
13. fortune
14. info
15. listcommands
16. mail_fetch
17. message_details
18. newmail
19. sent_subfolders
20. spamcop
21. translate

R Return to Main Menu
C Turn color on
S Save data
Q Quit

Command >>


Press the number of a plugin listed under Available Plugins to move it to Installed Plugins (compatibility and change_passwd are the ones needed here), then S to save.

6. The plugins are installed, but change_passwd still needs to be configured:

cd /var/www/squirrelmail/plugins/change_passwd/
cp config.php.sample config.php
cp ldap-chpasswd.cfg.sample ldap-chpasswd.cfg

vi ldap-chpasswd.cfg
$hosts = "172.16.21.210";   # a domain controller
$domain = "testmail.com";

vi config.php
$overridePathToChpasswd = 'ldap-chpasswd';



7. Test

The AD domain controller must first have Certificate Services installed (the original post refers to a separate link for the procedure; it is not reproduced here). The reason is that AD only accepts writes to the unicodePwd attribute over an encrypted LDAP session, so ldap-chpasswd has to connect with LDAPS (port 636); that needs a server certificate on the DC, and a domain controller auto-enrols one once an enterprise CA exists in the forest.

Install the Perl prerequisites:
apt-get install libio-socket-ssl-perl perl
then from CPAN:
perl -MCPAN -e "install Net::DNS::Resolver"
perl -MCPAN -e "install IO::Socket::SSL"
(libio-socket-ssl-perl already provides IO::Socket::SSL; the CPAN install only updates it.)

Then:
cd /var/www/squirrelmail/plugins/change_passwd/
./ldap-chpasswd
If everything is in place the script prints its usage and the configuration it read:
Usage:
Change password: ldap-chpasswd [username] [old password] [new password]
Search user DN : ldap-chpasswd [username] [password]

Current configuration

Is Active Directory: 1
Hosts: 172.16.21.210
Domain: testmail.com
Search Base: dc=testmail,dc=com
Timeout: 3 seconds

Next, look up a domain user's DN with that user's own credentials:
./ldap-chpasswd gavin001 ABCabc12   # gavin001: an account in the AD domain; ABCabc12: its password
A working setup prints the DN:
CN=gavin001,OU=testmail,DC=testmail,DC=com
(The password passed on the command line shows up in the shell history and in ps while the command runs; use a throwaway test account or clear the history afterwards.)


From now on passwords can be changed directly in the SquirrelMail web interface.

Note: the Account Policy settings in the AD "Default Domain Security Settings" and "Default Domain Controller Security Settings" must agree on these five items:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
A new password that violates the policy is rejected by the DC (LDAP constraint violation), so the web change fails even though the old password was accepted.
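What the ldap-chpasswd helper has to do against Active Directory, reproduced as an added Python example (this is not the plugin's own code, which is Perl): the new password is written to unicodePwd as the quoted password in UTF-16LE, a self-service change is a single modify that deletes the old value and adds the new one (which is what makes the DC enforce the policy above, unlike an administrative replace), the username from the web form is escaped before it is interpolated into the search filter, and the connection is LDAPS with the DC certificate validated against the CA from the domain's Certificate Services. encode_unicode_pwd, escape_filter, user_filter, build_user_change, search_base_from_domain and change_ad_password are names chosen here; change_ad_password uses the third-party ldap3 package (assumed installed) and is the only part that touches the network.

```python
def encode_unicode_pwd(password):
    """AD's wire format for unicodePwd: the password wrapped in ASCII double
    quotes, encoded UTF-16LE, without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def escape_filter(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    username typed into the web form cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def user_filter(sam_account_name):
    return f"(sAMAccountName={escape_filter(sam_account_name)})"


def search_base_from_domain(domain):
    """testmail.com -> dc=testmail,dc=com (the plugin's 'Search Base' line)."""
    return ",".join(f"dc={label}" for label in domain.split("."))


def build_user_change(old_password, new_password):
    """The modify a user performs on their own account: delete the old value and
    add the new one in one operation. Operation codes are LDAP's (0 = delete,
    1 = add, 2 = replace). An administrator reset is a single replace (2) and
    bypasses the history and minimum-age checks, which is why a self-service
    plugin must bind as the user and not as a privileged account."""
    return [
        (0, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (1, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def change_ad_password(host, domain, user, old_password, new_password, ca_file):
    """Bind as the user over LDAPS, locate the DN, apply the change.
    Requires the ldap3 package (assumption); not exercised offline."""
    import ssl
    from ldap3 import Connection, Server, Tls, MODIFY_ADD, MODIFY_DELETE

    # Validate the DC certificate against the CA exported from Certificate
    # Services; without validation the old and new passwords could be captured
    # by anyone who can answer on port 636.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=f"{user}@{domain}", password=old_password, auto_bind=True)
    base = search_base_from_domain(domain)
    conn.search(base, user_filter(user), attributes=["distinguishedName"])
    if not conn.entries:
        raise LookupError(f"{user} not found under {base}")
    dn = conn.entries[0].entry_dn
    ldap3_ops = {0: MODIFY_DELETE, 1: MODIFY_ADD}
    changes = {"unicodePwd": [(ldap3_ops[op], values)
                              for op, _attr, values in build_user_change(old_password, new_password)]}
    if not conn.modify(dn, changes):
        # Policy violations (history, complexity, minimum age) surface here as
        # a constraint violation, not at bind time.
        raise RuntimeError(conn.result["description"])
    return dn


if __name__ == "__main__":
    print(search_base_from_domain("testmail.com"))
    print(user_filter("gavin001"))
    print(build_user_change("ABCabc12", "NewPass1!"))
```

The page's test command is the equivalent of the search step alone (bind as gavin001 and print the DN); the full change adds the delete/add modify on that DN.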

Attachments:
change_passwd-4.2f.tar.gz (27 KB; a later release than the 3.0 version used in the text)
compatibility-2.0.15-1.0.tar.gz (39 KB)
