????????????? Debian Jessie ? Active Directory Domain Controller

????? ?????????? ?????? example.com ? IP ??????? 192.168.40.1

????????????? ??????????? ?????? (https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory)
????????? ???????????
vim /etc/apt/sources.list:

# Package source for this guide (Ukrainian Debian mirror, "main" archive only).
# No security source is listed here, so "aptitude update" from this file alone
# will not bring in security fixes for the packages installed below.
deb http://ftp.ua.debian.org/debian/ jessie main


# Refresh the package index, then install the AD client stack:
#   samba / winbind     - domain membership and user/group lookups (configured in smb.conf below)
#   krb5-user           - Kerberos client tools (kinit/klist) for the realm set in krb5.conf
#   libpam-krb5         - Kerberos PAM module; installed, but none of the PAM stacks below use it
#   libpam-winbind      - pam_winbind.so used in common-auth / common-account
#   libnss-winbind      - the "winbind" NSS source referenced in nsswitch.conf
#   ntp                 - clock sync against the DC (Kerberos rejects tickets when clocks drift apart)
#   iptables-persistent - keeps the iptables rules added below across reboots
aptitude update
aptitude -y install winbind samba krb5-user libpam-krb5 libpam-winbind libnss-winbind ntp iptables-persistent

??????????? ??????? ?????????
vim /etc/network/interfaces:

# Static address for the AD client; the DC (192.168.40.1) is also used as default gateway.
auto eth0
allow-hotplug eth0
iface eth0 inet static
# NOTE(review): no "netmask" line (or /prefix on "address") is given here — confirm that
# ifupdown on this release brings the interface up with the stanza as written.
        address 192.168.40.2
        gateway 192.168.40.1

# Re-read /etc/network/interfaces. The link goes down in between, so run this from the
# console rather than over an SSH session on eth0.
invoke-rc.d networking stop && invoke-rc.d networking start

vim /etc/resolv.conf:

# Resolve names through the DC. ntp.conf, krb5.conf and smb.conf below all refer to
# example.com, so this host must be able to resolve it via 192.168.40.1.
# NOTE(review): if resolvconf or a DHCP client is active this file may be rewritten
# at boot — confirm the entries survive a restart.
domain example.com
search example.com
nameserver 192.168.40.1

??????????? ????????????? ??????? ? ???????? Active Directory
vim /etc/ntp.conf:

# Sync the clock from the domain (resolves to the DC via resolv.conf). Kerberos refuses
# tickets when client and KDC clocks differ by more than a few minutes, so this is
# required for the join and for logins, not optional.
server example.com

# Apply the new ntp.conf; give the clock time to sync before joining the domain.
invoke-rc.d ntp restart

??????????? Kerberos
vim /etc/krb5.conf:

# Kerberos client configuration for the AD realm (realm names are upper-case by convention).
[libdefaults]
        default_realm = EXAMPLE.COM
# Realm/KDC discovery through DNS SRV records is disabled, so the [realms] block below is
# authoritative: the client only talks to the KDC named there.
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
# Forwardable tickets can be delegated to services the user connects to (e.g. SSH with
# credential forwarding); set to false if delegation is not needed on this host.
        forwardable = true
[realms]
# The domain name is used as the KDC/admin address; it is resolved through the DC's DNS
# (resolv.conf), so whichever DC answers for example.com serves as KDC.
 EXAMPLE.COM = {
  kdc = example.com
  admin_server = example.com
 }
# Map host names to the realm: ".example.com" covers hosts under the domain,
# "example.com" the bare domain name itself.
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

vim /etc/samba/smb.conf:

[global]
# Act as an AD member (Kerberos), not an NT4-style domain member.
        security = ads
# realm = the Kerberos realm (must match krb5.conf); workgroup = the domain's short
# (NetBIOS) name, which is also what users type as DOMAIN\user at the login prompt.
        realm = EXAMPLE.COM
# Pins the DC by address instead of letting Samba locate one. Newer Samba releases
# discourage this parameter — run "testparm" after upgrades to check it is still honoured.
        password server = 192.168.40.1
        workgroup = MYADDC
# Domain SIDs are mapped to local UIDs/GIDs from this range (~10k IDs) in a local tdb.
# IDs are allocated on first sight, so the same user gets different IDs on different hosts.
        idmap config * : range = 10000-20000
        idmap config * : backend = tdb
# Lets "getent passwd/group" list all domain users and groups. Convenient, but every
# listing is a full enumeration of the domain — switch off on large domains.
        winbind enum users = yes
        winbind enum groups = yes
# Home directory and shell reported via NSS for domain users (%D = domain, %U = user);
# pam_mkhomedir in common-session creates the directory on first login.
        template homedir = /home/%D/%U
        template shell = /bin/bash
# Negotiate Kerberos via SPNEGO and use NTLMv2 only (no LM/NTLMv1 fallback) towards the DC.
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
# Domain users appear without the DOMAIN\ prefix on this host.
        winbind use default domain = yes
# No anonymous (null-session) access to this host.
        restrict anonymous = 2
# Never compete with the DC in browser/master elections.
        domain master = no
        local master = no
        preferred master = no
        os level = 0

realm — ?????? ??? ??????????? ??????
workgroup — ???????? ??? ??????????? ??????

# Restart the daemons so the new smb.conf takes effect. winbind is stopped first and
# started last, presumably so that it only comes up once samba has reloaded the
# configuration it depends on.
invoke-rc.d winbind stop
invoke-rc.d samba restart
invoke-rc.d winbind start

vim /etc/nsswitch.conf:

# Local files are consulted first ("compat"), then winbind answers for domain users and
# groups. Only passwd and group are changed; the shadow line is left as shipped.
passwd:         compat winbind
group:          compat winbind

vim /etc/pam.d/common-account:

# Account validity: a domain account that winbind accepts passes here (AD-side
# disabled/expired state is enforced by the DC); anything else must satisfy pam_unix.
account sufficient      pam_winbind.so
account required        pam_unix.so

vim /etc/pam.d/common-auth:

# Authentication: try the local password database first; a local success ends the stack.
# Otherwise pam_winbind must succeed and reuses the password already typed
# (use_first_pass), so domain users are not prompted twice.
auth    sufficient      pam_unix.so
auth    required        pam_winbind.so  use_first_pass

vim /etc/pam.d/common-password:

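# Local (pam_unix) password changes. Hashes are now stored with sha512 — md5 is a weak,
# legacy scheme and sha512 is what Debian's own default stack uses. "nullok" permits
# blank local passwords and "obscure" applies basic strength checks; min/max are kept
# from the original line. NOTE(review): min=4 allows very short local passwords — confirm
# these legacy options are still honoured by this pam_unix and raise the minimum if so.
# There is no pam_winbind entry here, so "passwd" for a domain user does not change the
# AD password.
password   required   pam_unix.so nullok obscure min=4 max=50 sha512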

vim /etc/pam.d/common-session:

# Create the home directory (template homedir from smb.conf) on first login, copying
# /etc/skel. umask=0022 makes the new directory readable by every user on the host;
# use umask=0077 if home directories should be private.
session     required    pam_mkhomedir.so umask=0022 skel=/etc/skel

????????? ?????
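# Allow replies to anything this host itself started.
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New TCP connections from this host to the DC only: DNS (53), Kerberos (88/464), RPC
# endpoint mapper (135), NetBIOS session (139), LDAP/LDAPS (389/636), SMB (445), global
# catalog (3268/3269), 5353 and a dynamic RPC port range.
# NOTE(review): 1024:5000 is the pre-Windows-Server-2008 dynamic RPC range; 2008 and
# later default to 49152:65535, so widen the range if RPC calls such as the join stall.
iptables -I OUTPUT 2 -s 192.168.40.2 -d 192.168.40.1 -o eth0 -p tcp -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,1024:5000,3268,3269,5353 -j ACCEPT
# UDP to the DC. DNS (53) and NTP (123) are added: resolv.conf and ntp.conf point this
# host at the DC, but the original rule only covered Kerberos (88/464), NetBIOS
# name/datagram (137/138), LDAP (389) and 5353, so name resolution and time sync would
# be blocked under a DROP policy.
iptables -I OUTPUT 3 -s 192.168.40.2 -d 192.168.40.1 -o eth0 -p udp -m multiport --dports 53,88,123,137,138,389,464,5353 -j ACCEPT
# These rules only restrict traffic if the OUTPUT chain policy is DROP (not set in this
# guide). Save them so iptables-persistent restores them at boot.
/etc/init.d/netfilter-persistent save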

?????????????? ? Active Directory Domain Controller
# Join the host to the domain; prompts for the password of the account given with -U.
# NOTE(review): Administrator is more privilege than the join needs — an account that is
# delegated the right to create computer objects in the target OU is typically enough.
net ads join -U Administrator
# Reboot so nss, pam and winbind all start against the new machine account.
shutdown -r now

???? ?????????? gdm, ???????? «??? ? ??????» ? ??????
???????? ??? ??????????? ??????\??? ???????????? ? ??????
????????:
myaddc\user
