Benutzer-Werkzeuge
2009_windowsserver
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| — |
2009_windowsserver [2009/11/28 14:31] (aktuell) |
||
|---|---|---|---|
| Zeile 1: | Zeile 1: | ||
| + | *[[http://193.171.7.43/StepbyStep/default.aspx|Step-by-Step Windows Server Installationsanleitungen]] | ||
| + | |||
| + | ====== Windows Server Anbindung mit openSUSE ====== | ||
| + | |||
| + | zypper in kr5_client pam_krb | ||
| + | |||
| + | */etc/hosts | ||
| + | <file> | ||
| + | 127.0.0.1 localhost d4e.local | ||
| + | |||
| + | # special IPv6 addresses | ||
| + | ::1 localhost ipv6-localhost ipv6-loopback | ||
| + | |||
| + | fe00::0 ipv6-localnet | ||
| + | |||
| + | ff00::0 ipv6-mcastprefix | ||
| + | ff02::1 ipv6-allnodes | ||
| + | ff02::2 ipv6-allrouters | ||
| + | ff02::3 ipv6-allhosts | ||
| + | 127.0.0.2 d4e.weiz.local d4e | ||
| + | 192.168.1.253 weiz.local | ||
| + | </file> | ||
| + | */etc/resolv.conf | ||
| + | <file> | ||
| + | nameserver 192.168.1.253 | ||
| + | </file> | ||
| + | */etc/HOSTNAME | ||
| + | <file> | ||
| + | d4e.weiz.local | ||
| + | </file> | ||
| + | */etc/ntp.conf | ||
| + | *Hinzufügen | ||
| + | <file> | ||
| + | server weiz.local | ||
| + | </file> | ||
| + | |||
| + | *insserv ntp | ||
| + | *rcntp restart | ||
| + | |||
| + | |||
| + | */etc/krb5.conf | ||
| + | <file> | ||
| + | [libdefaults] | ||
| + | default_realm = WEIZ.LOCAL | ||
| + | clockskew = 300 | ||
| + | |||
| + | [realms] | ||
| + | WEIZ.LOCAL = { | ||
| + | kdc = weiz.local | ||
| + | admin_server = weiz.local | ||
| + | default_domain = weiz.local | ||
| + | } | ||
| + | |||
| + | [domain_realm] | ||
| + | .weiz.local = WEIZ.LOCAL | ||
| + | weiz.local = WEIZ.LOCAL | ||
| + | [appdefaults] | ||
| + | pam = { | ||
| + | ticket_lifetime = 1d | ||
| + | renew_lifetime = 1d | ||
| + | forwardable = true | ||
| + | proxiable = false | ||
| + | minimum_uid = 1 | ||
| + | } | ||
| + | </file> | ||
| + | |||
| + | */etc/samba/smb.conf | ||
| + | <file> | ||
| + | [global] | ||
| + | security = ADS | ||
| + | realm = WEIZ.LOCAL | ||
| + | password server = 192.168.1.253 | ||
| + | workgroup = WEIZ | ||
| + | encrypt passwords = yes | ||
| + | client use spnego = yes | ||
| + | winbind use default domain = yes | ||
| + | winbind refresh tickets = yes | ||
| + | log level = 0 | ||
| + | idmap uid = 10000-20000 | ||
| + | idmap gid = 10000-20000 | ||
| + | template home dir = /home/%U | ||
| + | template shell = /bin/bash | ||
| + | domain master = no | ||
| + | template homedir = /home/%D/%U | ||
| + | usershare allow guests = No | ||
| + | </file> | ||
| + | |||
| + | *insserv smb | ||
| + | *rcsmb restart | ||
| + | *insserv winbind | ||
| + | *rcwinbind restart | ||
| + | |||
| + | */etc/nsswitch.conf | ||
| + | <file> | ||
| + | passwd: files nis winbind compat ldap | ||
| + | group: compat ldap winbind | ||
| + | shadow: files nis winbind compat | ||
| + | |||
| + | hosts: files dns | ||
| + | networks: files | ||
| + | |||
| + | services: db files | ||
| + | protocols: db files | ||
| + | ethers: db files | ||
| + | rpc: db files | ||
| + | netgroup: nis | ||
| + | </file> | ||
| + | *etc/pam.d/common-account-pc | ||
| + | <file> | ||
| + | account requisite pam_unix2.so | ||
| + | account sufficient pam_localuser.so | ||
| + | account sufficient pam_ldap.so use_first_pass | ||
| + | account required pam_winbind.so use_first_pass | ||
| + | </file> | ||
| + | *etc/pam.d/common-auth-pc | ||
| + | <file> | ||
| + | auth required pam_env.so | ||
| + | auth sufficient pam_unix2.so | ||
| + | auth sufficient pam_ldap.so use_first_pass | ||
| + | auth required pam_winbind.so use_first_pass | ||
| + | </file> | ||
| + | *etc/pam.d/common-password-pc | ||
| + | <file> | ||
| + | password sufficient pam_winbind.so | ||
| + | password requisite pam_pwcheck.so nullok cracklib | ||
| + | password sufficient pam_unix2.so use_authtok nullok | ||
| + | password required pam_ldap.so try_first_pass use_authtok | ||
| + | </file> | ||
| + | *etc/pam.d/common-session-pc | ||
| + | <file> | ||
| + | session optional pam_mkhomedir.so | ||
| + | session required pam_limits.so | ||
| + | session required pam_unix2.so | ||
| + | session optional pam_ldap.so | ||
| + | session required pam_winbind.so | ||
| + | session optional pam_umask.so | ||
| + | </file> | ||
| + | *etc/pam.d/gdm | ||
| + | <file> | ||
| + | auth optional pam_mount.so | ||
| + | auth include common-auth | ||
| + | account include common-account | ||
| + | password include common-password | ||
| + | session required pam_loginuid.so | ||
| + | session include common-session | ||
| + | auth optional pam_gnome_keyring.so | ||
| + | session optional pam_gnome_keyring.so auto_start | ||
| + | session optional pam_mount.so | ||
| + | </file> | ||
| + | *etc/pam.d/login | ||
| + | <file> | ||
| + | auth optional pam_mount.so | ||
| + | auth requisite pam_nologin.so | ||
| + | auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so | ||
| + | auth include common-auth | ||
| + | account include common-account | ||
| + | password include common-password | ||
| + | session required pam_loginuid.so | ||
| + | session include common-session | ||
| + | session required pam_lastlog.so nowtmp | ||
| + | session optional pam_mail.so standard | ||
| + | session optional pam_ck_connector.so | ||
| + | session optional pam_mount.so | ||
| + | </file> | ||
| + | *etc/pam.d/xdm | ||
| + | <file> | ||
| + | auth optional pam_mount.so | ||
| + | auth include common-auth | ||
| + | account include common-account | ||
| + | password include common-password | ||
| + | session required pam_loginuid.so | ||
| + | session include common-session | ||
| + | session optional pam_mount.so | ||
| + | </file> | ||
| + | *etc/security/pam_mount.conf.xml | ||
| + | <file> | ||
| + | <?xml version="1.0" encoding="utf-8" ?> | ||
| + | <pam_mount> | ||
| + | |||
| + | <debug enable="0" /> | ||
| + | <mkmountpoint enable="1" remove="true" /> | ||
| + | <fsckloop device="/dev/loop7" /> | ||
| + | <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" /> | ||
| + | <!-- | ||
| + | <mntoptions deny="suid,dev" /> | ||
| + | <mntoptions allow="*" /> | ||
| + | <mntoptions deny="*" /> | ||
| + | --> | ||
| + | <mntoptions require="nosuid,nodev" /> | ||
| + | |||
| + | <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path> | ||
| + | <lsof>lsof %(MNTPT)</lsof> | ||
| + | <fsck>fsck -p %(FSCKTARGET)</fsck> | ||
| + | <losetup>losetup -p0 "%(before=\"-e\" CIPHER)" | ||
| + | "%(ifnempty=\"-k\" KEYBITS)" %(KEYBITS) %(FSCKLOOP) %(VOLUME)</losetup> | ||
| + | <unlosetup>losetup -d %(FSCKLOOP)</unlosetup> | ||
| + | <cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o | ||
| + | "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount> | ||
| + | <davmount>mount -t davfs %(SERVER)/%(VOLUME) %(MNTPT) -o | ||
| + | "username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" | ||
| + | OPTIONS)"</davmount> | ||
| + | <smbmount>smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o | ||
| + | "username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</smbmount> | ||
| + | <smbumount>smbumount %(MNTPT)</smbumount> | ||
| + | <ncpmount>ncpmount %(SERVER)/%(USER) %(MNTPT) -o | ||
| + | "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"</ncpmount> | ||
| + | <ncpumount>ncpumount %(MNTPT)</ncpumount> | ||
| + | <fusemount>mount.fuse %(VOLUME) %(MNTPT) | ||
| + | "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</fusemount> | ||
| + | <fuseumount>fusermount -u %(MNTPT)</fuseumount> | ||
| + | <truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount> | ||
| + | <truecryptumount>truecrypt -d %(MNTPT)</truecryptumount> | ||
| + | <fd0ssh>pmt-fd0ssh</fd0ssh> | ||
| + | <umount>umount %(MNTPT)</umount> | ||
| + | <lclmount>mount -p0 -t %(FSTYPE) %(VOLUME) %(MNTPT) | ||
| + | "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</lclmount> | ||
| + | <cryptmount>mount -t crypt "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS) | ||
| + | %(VOLUME) %(MNTPT)</cryptmount> | ||
| + | <nfsmount>mount %(SERVER):%(VOLUME) %(MNTPT) | ||
| + | "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</nfsmount> | ||
| + | <mntcheck>mount</mntcheck> | ||
| + | <pmvarrun>pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun> | ||
| + | |||
| + | <volume user="*" fstype="cifs" server="192.168.1.253" path="%(USER)" | ||
| + | mountpoint="/home/WEIZ/%(USER)/server" options="dir_mode=0755,iocharset=utf8" /> | ||
| + | |||
| + | <msg-authpw>pam_mount password:</msg-authpw> | ||
| + | <msg-sessionpw>reenter password for pam_mount:</msg-sessionpw> | ||
| + | |||
| + | </pam_mount> | ||
| + | </file> | ||
| + | */etc/security/pam_winbind.conf | ||
| + | <file> | ||
| + | # | ||
| + | # pam_winbind configuration file | ||
| + | # | ||
| + | # /etc/security/pam_winbind.conf | ||
| + | # | ||
| + | |||
| + | [global] | ||
| + | krb5_auth = yes | ||
| + | krb5_ccache_type = FILE | ||
| + | |||
| + | # turn on debugging | ||
| + | ;debug = no | ||
| + | |||
| + | # turn on extended PAM state debugging | ||
| + | ;debug_state = no | ||
| + | |||
| + | # request a cached login if possible | ||
| + | # (needs "winbind offline logon = yes" in smb.conf) | ||
| + | ;cached_login = no | ||
| + | |||
| + | # authenticate using kerberos | ||
| + | ;krb5_auth = no | ||
| + | |||
| + | # when using kerberos, request a "FILE" krb5 credential cache type | ||
| + | # (leave empty to just do krb5 authentication but not have a ticket | ||
| + | # afterwards) | ||
| + | ;krb5_ccache_type = | ||
| + | |||
| + | # make successful authentication dependend on membership of one SID | ||
| + | # (can also take a name) | ||
| + | ;require_membership_of = | ||
| + | |||
| + | # password expiry warning period in days | ||
| + | ;warn_pwd_expire = 14 | ||
| + | |||
| + | # omit pam conversations | ||
| + | ;silent = no | ||
| + | </file> | ||
| + | |||
| + | *mv /etc/ldap.conf /etc/ldap.conf.bak | ||
| + | *net ads join -U Administrator%Passwort -S 192.168.1.253 (Fehlermeldung ignorieren!) = Domänenanmeldung | ||
| + | |||
| + | *rcxdm restart | ||
| + | *Beim Anmelden: In der Taskleiste Domäne auswählen | ||
| + | |||
| + | |||
| + | ---- | ||
| + | |||
| + | *[[http://support.microsoft.com/kb/942564|Zu beachten für Windows Server 2008]] | ||
| + | | ||
| + | ---- | ||
| + | |||
| + | ====== Samba-Member-Server im ADS mit Win2003-Server ====== | ||
| + | |||
| + | ==== Vorraussetzungen ==== | ||
| + | |||
| + | * Testsysteme waren: | ||
| + | * Linux: SuSE SLES10-SP1 -> 192.168.123.10, Hostname: filer.mydom.local | ||
| + | * Folgende Pakete installieren: | ||
| + | * krb5, samba, samba-winbind ... so ungefähr: | ||
| + | <code> | ||
| + | # rpm -qa | egrep 'samba|kerberos|winbind|krb' | ||
| + | yast2-samba-client-2.13.36-0.8 | ||
| + | samba-winbind-3.0.24-2.23 | ||
| + | samba-client-3.0.24-2.23 | ||
| + | yast2-samba-server-2.13.22-0.8 | ||
| + | samba-3.0.24-2.23 | ||
| + | pam_krb5-2.2.3-18.2 | ||
| + | krb5-client-1.4.3-19.17 | ||
| + | samba-vscan-0.3.6b-42.49 | ||
| + | krb5-1.4.3-19.17 | ||
| + | yast2-kerberos-client-2.13.11-0.10 | ||
| + | krb5-apps-clients-1.4.3-19.17 | ||
| + | samba-krb-printing-3.0.24-2.23 | ||
| + | </code> | ||
| + | Hinweis: \\ | ||
| + | Das samba-winbind-RPM des SLES10-SP0 macht vermutlich Probleme. \\ | ||
| + | Bzw. ich hatte SLES10-SP1, allerdings wurde samba-winbind wohl von der SP0-DVD nachinstalliert. \\ | ||
| + | Das führte immer zu einem "Error looking up domain users"-Fehler bei "wbinfo -u"... siehe unten ! \\ | ||
| + | |||
| + | * Windows: Win2003-Server-R2 -> 192.168.123.1, Hostname: domcontroller.mydom.local | ||
| + | * als Active-Directory-Server einrichten: | ||
| + | * Start -> Ausführen -> dcpromo -> weiter, weiter weiter... | ||
| + | * DNS-Server ist der Windows-Rechner, also den Linux-Rechner dort eintragen (Forward+Reverse-Lookup). | ||
| + | * Der Linux-Rechner benutzt Win2003 als DNS-Server, also mit folgender /etc/resolv.conf: | ||
| + | <code> | ||
| + | nameserver 192.168.123.1 | ||
| + | search mydom.intern | ||
| + | </code> | ||
| + | * DNS-Auflösungen muss auf beiden Servern funktionieren, am besten vorher testen: | ||
| + | * auf Linux mit dem "host"-Befehl: | ||
| + | <code> | ||
| + | # host filer.mydom.local | ||
| + | filer.mydom.local has address 192.168.123.10 | ||
| + | # host 192.168.123.10 | ||
| + | 10.123.168.192.in-addr.arpa domain name pointer filer.mydom.local. | ||
| + | # host domcontroller.mydom.local | ||
| + | domcontroller.mydom.local has address 192.168.123.1 | ||
| + | # host 192.168.123.1 | ||
| + | 1.123.168.192.in-addr.arpa domain name pointer domcontroller.mydom.local. | ||
| + | </code> | ||
| + | * auf Windows mit "nslookup". | ||
| + | |||
| + | |||
| + | ==== kerberos ==== | ||
| + | |||
| + | * kerberos config, /etc/krb5.conf: | ||
| + | <code> | ||
| + | [libdefaults] | ||
| + | default_realm = MYDOM.LOCAL | ||
| + | clockskew = 300 | ||
| + | |||
| + | [realms] | ||
| + | MYDOM.LOCAL = { | ||
| + | kdc = DOMCONTROLLER.MYDOM.LOCAL | ||
| + | default_domain = MYDOM.LOCAL | ||
| + | } | ||
| + | |||
| + | [domain_realm] | ||
| + | .mydom.local = MYDOM.LOCAL | ||
| + | mydom.local = MYDOM.LOCAL | ||
| + | |||
| + | [logging] | ||
| + | default = SYSLOG:NOTICE:DAEMON | ||
| + | |||
| + | [appdefaults] | ||
| + | pam = { | ||
| + | ticket_lifetime = 1d | ||
| + | renew_lifetime = 1d | ||
| + | forwardable = true | ||
| + | proxiable = false | ||
| + | retain_after_close = false | ||
| + | minimum_uid = 0 | ||
| + | debug = false | ||
| + | } | ||
| + | </code> | ||
| + | |||
| + | * kerberos Ticket anfordern: | ||
| + | <code> | ||
| + | # kinit domadmin@MYDOM.LOCAL | ||
| + | Password for domadmin@MYDOM.LOCAL: ***** | ||
| + | </code> | ||
| + | |||
| + | * kerberos-Ticket anzeigen: | ||
| + | <code> | ||
| + | # klist | ||
| + | Ticket cache: FILE:/tmp/krb5cc_0 | ||
| + | Default principal: domadmin@MYDOM.LOCAL | ||
| + | |||
| + | Valid starting Expires Service principal | ||
| + | 10/31/08 13:41:33 10/31/08 23:41:42 krbtgt/MYDOM.LOCAL@MYDOM.LOCAL | ||
| + | renew until 11/01/08 13:41:33 | ||
| + | |||
| + | |||
| + | Kerberos 4 ticket cache: /tmp/tkt0 | ||
| + | klist: You have no tickets cached | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ==== samba & winbind ==== | ||
| + | |||
| + | * samba config, /etc/samba/smb.conf: | ||
| + | <code> | ||
| + | [global] | ||
| + | workgroup = MYDOM | ||
| + | realm = MYDOM.LOCAL | ||
| + | netbios name = filer | ||
| + | server string = Fileserver | ||
| + | #log level = 3 | ||
| + | security = ADS | ||
| + | encrypt passwords = yes | ||
| + | password server = domcontroller.mydom.local | ||
| + | #password level = N | ||
| + | client use spnego = yes | ||
| + | idmap uid = 10000-20000 | ||
| + | idmap gid = 10000-20000 | ||
| + | # | ||
| + | domain master = no | ||
| + | local master = no | ||
| + | preferred master = no | ||
| + | os level = 0 | ||
| + | # | ||
| + | winbind use default domain = yes | ||
| + | winbind refresh tickets = yes | ||
| + | winbind separator = + | ||
| + | winbind separator = \ | ||
| + | #winbind separator = / | ||
| + | # | ||
| + | ##winbind enum users and groups should be used with caution in active directories greater than 200 users or groups, | ||
| + | ##as enumeration is an expensive process and likely to timeout and cause login failures. | ||
| + | ##during login, the full passwd and group will be "enumerated" every time from your active directory server. enumeration is not required for a successful login. | ||
| + | winbind enum users = yes | ||
| + | winbind enum groups = yes | ||
| + | |||
| + | #[backup] | ||
| + | # comment = Backup | ||
| + | # path = /test | ||
| + | # browseable = yes | ||
| + | # read only = no | ||
| + | # guest ok = no | ||
| + | # valid users = @alle | ||
| + | # create mask = 0770 | ||
| + | # directory mask = 0770 | ||
| + | # | ||
| + | #[test] | ||
| + | # comment = TEST | ||
| + | # inherit acls = Yes | ||
| + | # path = /home/MYDOM | ||
| + | # read only = No | ||
| + | # | ||
| + | #[netlogon] | ||
| + | # comment = | ||
| + | # inherit acls = Yes | ||
| + | # path = /home/MYDOM | ||
| + | # read only = Yes | ||
| + | |||
| + | |||
| + | #[share] | ||
| + | # comment = Shared Directory | ||
| + | # path = /tmp | ||
| + | # Valid Users = @MYDOM+test123 MYDOM+tester MYDOM+tester2 | ||
| + | # ;public = no | ||
| + | # writable = yes | ||
| + | # browseable = yes | ||
| + | # | ||
| + | #komplette Gruppe 'test123' = @MYDOM+test123 | ||
| + | #einzelner User 'tester' = MYDOM+tester | ||
| + | </code> | ||
| + | |||
| + | * winbind nimmt sich seine Config aus der smb.conf. | ||
| + | |||
| + | * Samba-Server dem ADS hinzufügen: | ||
| + | <code> | ||
| + | # net ads join -U domadmin | ||
| + | domadmin's password: | ||
| + | Using short domain name -- MYDOM | ||
| + | Joined 'FILER' to realm 'MYDOM.LOCAL' | ||
| + | |||
| + | # net ads testjoin | ||
| + | Join is OK | ||
| + | </code> | ||
| + | |||
| + | * Userliste des ADS auslesen, mit samba-Tool "net": | ||
| + | <code> | ||
| + | # net ads user | ||
| + | Administrator | ||
| + | Guest | ||
| + | ... usw. | ||
| + | </code> | ||
| + | |||
| + | * samba starten: | ||
| + | <code> | ||
| + | /etc/init.d/smb start | ||
| + | </code> | ||
| + | |||
| + | * winbind starten: | ||
| + | <code> | ||
| + | /etc/init.d/winbind start | ||
| + | </code> | ||
| + | * oder mit Debug-Ausgabe via: | ||
| + | <code> | ||
| + | /usr/sbin/winbindd -n -F -i -d 3 -s /etc/samba/smb.conf | ||
| + | </code> | ||
| + | |||
| + | * winbind testen mit wbinfo: | ||
| + | <code> | ||
| + | # wbinfo -t | ||
| + | checking the trust secret via RPC calls succeeded | ||
| + | |||
| + | # wbinfo -m | ||
| + | MYDOM | ||
| + | </code> | ||
| + | |||
| + | * Userliste des ADS auslesen, mit wbinfo: | ||
| + | <code> | ||
| + | # wbinfo -u | ||
| + | administrator | ||
| + | guest | ||
| + | support_471112a0 | ||
| + | krbtgt | ||
| + | ... | ||
| + | |||
| + | # wbinfo -g | ||
| + | domain computers | ||
| + | domain controllers | ||
| + | domain admins | ||
| + | domain users | ||
| + | domain guests | ||
| + | group policy creator owners | ||
| + | dnsupdateproxy | ||
| + | ... | ||
| + | |||
| + | # wbinfo --sequence | ||
| + | BUILTIN : 1226919242 | ||
| + | FILER : 1226919242 | ||
| + | MYDOM : 1054342 | ||
| + | </code> | ||
| + | |||
| + | * Default-Homeverzeichnis-Basis für die AD-User ist "/home/MYDOM", also Verzeichnis erstellen: | ||
| + | <code> | ||
| + | # mkdir /home/MYDOM | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ==== nsswitch ==== | ||
| + | |||
| + | * passwd und group in /etc/nsswitch.conf folgendermaßen anpassen (die anderen Bereiche nicht ändern !): | ||
| + | <code> | ||
| + | ... | ||
| + | #passwd: compat | ||
| + | #group: compat | ||
| + | passwd: compat winbind | ||
| + | group: compat winbind | ||
| + | ... | ||
| + | </code> | ||
| + | * hier die komplette /etc/nsswitch.conf fürs Protokoll: | ||
| + | <code> | ||
| + | passwd: compat winbind | ||
| + | group: compat winbind | ||
| + | |||
| + | hosts: files dns | ||
| + | networks: files dns | ||
| + | |||
| + | services: files | ||
| + | protocols: files | ||
| + | rpc: files | ||
| + | ethers: files | ||
| + | netmasks: files | ||
| + | netgroup: files nis | ||
| + | publickey: files | ||
| + | |||
| + | bootparams: files | ||
| + | automount: files nis | ||
| + | aliases: files | ||
| + | </code> | ||
| + | |||
| + | * nun kann man sich mit "getent passwd" eine Userliste (Linux + AD-User) auslesen/anzeigen: | ||
| + | <code> | ||
| + | # getent passwd | ||
| + | at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash | ||
| + | bin:x:1:1:bin:/bin:/bin/bash | ||
| + | daemon:x:2:2:Daemon:/sbin:/bin/bash | ||
| + | ftp:x:40:49:FTP account:/srv/ftp:/bin/bash | ||
| + | games:x:12:100:Games account:/var/games:/bin/bash | ||
| + | gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false | ||
| + | haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false | ||
| + | hpsmh:x:103:1000::/opt/hp/hpsmh:/sbin/nologin | ||
| + | lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash | ||
| + | mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false | ||
| + | messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false | ||
| + | nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash | ||
| + | ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false | ||
| + | postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false | ||
| + | root:x:0:0:root:/root:/bin/bash | ||
| + | sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false | ||
| + | suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash | ||
| + | wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false | ||
| + | linuxuser:x:4711:0:Hans Wurst:/home/linuxuser:/bin/bash | ||
| + | administrator:*:10000:10000:Administrator:/home/MYDOM/administrator:/bin/false | ||
| + | guest:*:10001:10001:Guest:/home/MYDOM/guest:/bin/false | ||
| + | support_471112a0:*:10002:10000:SUPPORT_471112a0:/home/MYDOM/support_471112a0:bin/false | ||
| + | krbtgt:*:10004:10000:krbtgt:/home/PAYZONE-INT/krbtgt:/bin/false | ||
| + | ... | ||
| + | </code> | ||
| + | Die letzten 4 User des obigen Beispiels kommen aus dem Active Directory. | ||
| + | |||
| + | * oder mit "getent group" eine Gruppenliste (Linux + AD-Gruppen). | ||
| + | |||
| + | * testen mit chown/chgrp: | ||
| + | <code> | ||
| + | # touch testfile | ||
| + | # chown administrator testfile | ||
| + | # chgrp "domain users" testfile | ||
| + | # ls -l testfile | ||
| + | -rw-rw-r-- 1 administrator domain users 0 2008-11-17 11:59 testfile | ||
| + | </code> | ||
| + | |||
| + | * falls es dabei folgende Fehler gibt, läuft wahrscheinlich noch der nscd: | ||
| + | <code> | ||
| + | # chown administrator testfile | ||
| + | chown: »administrator«: ungültiger Benutzer | ||
| + | # chgrp "Domain users" testfile | ||
| + | chgrp: ungültige Gruppe »Domain users« | ||
| + | </code> | ||
| + | |||
| + | * dann nscd stoppen und aus den rc-Skripten entfernen, danach sollte es funktionieren: | ||
| + | <code> | ||
| + | # /etc/init.d/nscd status | ||
| + | Checking for Name Service Cache Daemon: running | ||
| + | # /etc/init.d/nscd stop | ||
| + | Shutting down Name Service Cache Daemon done | ||
| + | # chkconfig -d nscd | ||
| + | nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ==== ssh-Login für AD-User ==== | ||
| + | |||
| + | Dieser Abschnitt beschreibt die Konfiguration falls die AD-User sich via SSH auf dem Linux-System einloggen sollen. | ||
| + | Wenn dies nicht gewünscht ist dann den Abschnitt einfach überspringen. | ||
| + | |||
| + | * in /etc/ssh/sshd_config: | ||
| + | <code> | ||
| + | ... | ||
| + | UsePAM yes | ||
| + | ... | ||
| + | </code> | ||
| + | |||
| + | * in /etc/samba/smb.conf im global-Bereich folgendes einfügen: | ||
| + | <code> | ||
| + | template shell = /bin/bash | ||
| + | </code> | ||
| + | |||
| + | * in /etc/pam.d/common-auth: | ||
| + | <code> | ||
| + | auth sufficient pam_winbind.so | ||
| + | auth required pam_unix2.so | ||
| + | </code> | ||
| + | |||
| + | * ggf. Homeverzeichnis für AD-User erstellen: | ||
| + | <code> | ||
| + | # mkdir /home/MYDOM/administrator | ||
| + | # chown -R administrator."domain admins" /home/MYDOM/administrator | ||
| + | </code> | ||
| + | |||
| + | * von remote mit dem AD-User (administrator) und dem AD-Passwort via SSH einloggen ! | ||
| + | |||
| + | |||
| + | ==== quota (linux-kernel 2.6) ==== | ||
| + | |||
| + | * kernel benötigt quota-Support, das ist beim SLES10-Default-kernel schon drin: | ||
| + | <code> | ||
| + | CONFIG_QUOTA=y | ||
| + | CONFIG_QUOTACTL=y | ||
| + | </code> | ||
| + | |||
| + | * quota-Tools installieren: | ||
| + | <code> | ||
| + | SuSE: | ||
| + | # rpm -qa | grep quota | ||
| + | quota-3.13-17.11 | ||
| + | |||
| + | Debian: | ||
| + | # apt-get install quota | ||
| + | </code> | ||
| + | |||
| + | * Filesystem-Optionen usrquota und grpquota in /etc/fstab eintragen, Beispiel: | ||
| + | <code> | ||
| + | /dev/hda1 /home ext3 defaults,usrquota,grpquota 0 2 | ||
| + | </code> | ||
| + | * un re-mounten: | ||
| + | <code> | ||
| + | mount -o remount /home | ||
| + | </code> | ||
| + | * falls ein DRBD-Filesystem im heartbeat-Cluster läuft in /etc/ha.d/haresources konfigurieren: | ||
| + | <code> | ||
| + | filer-01 \ | ||
| + | drbddisk::r0 \ | ||
| + | Filesystem::/dev/drbd0::/home::ext3::defaults,usrquota,grpquota \ | ||
| + | ... | ||
| + | </code> | ||
| + | |||
| + | * quota-Tabellen erstellen: | ||
| + | <code> | ||
| + | # touch /home/aquota.user | ||
| + | # touch /home/aquota.group | ||
| + | </code> | ||
| + | * und quota-Tabellen initialisieren: | ||
| + | <code> | ||
| + | # quotacheck -vaugm | ||
| + | </code> | ||
| + | |||
| + | * quota einrichten: | ||
| + | <code> | ||
| + | # edquota <username> | ||
| + | # edquota -g <groupname> | ||
| + | </code> | ||
| + | * edquota benutzt den Default-Editor ($EDITOR), bei mir "vi". | ||
| + | <code> | ||
| + | # edquota hans.wurst | ||
| + | Disk quotas for user hans.wurst (uid 10025): | ||
| + | Filesystem blocks soft hard inodes soft hard | ||
| + | /dev/drbd0 4 0 0 1 0 0 | ||
| + | </code> | ||
| + | |||
| + | * soft-, hard-Limits und grace-Period: | ||
| + | * soft-Limit kann während der grace-Period durchaus überschritten werden | ||
| + | * beim hard-Limit ist Schluss, der User darf nicht mehr auf die Platte schreiben. | ||
| + | |||
| + | * Die edquota-Werte sind 1 kilobyte blocks, also 1GB = 1000000. | ||
| + | * Beispiel soft-Limit=1GB, hard-Limit=1.5GB | ||
| + | <code> | ||
| + | # edquota hans.wurst | ||
| + | Disk quotas for user hans.wurst (uid 10025): | ||
| + | Filesystem blocks soft hard inodes soft hard | ||
| + | /dev/drbd0 4 1000000 1500000 1 0 0 | ||
| + | </code> | ||
| + | * kontrollieren/anzeigen mit: | ||
| + | <code> | ||
| + | # quota hans.wurst | ||
| + | Disk quotas for user hans.wurst (uid 10025): | ||
| + | Filesystem blocks quota limit grace files quota limit grace | ||
| + | /dev/drbd0 4 1000000 1500000 1 0 0 | ||
| + | </code> | ||
| + | |||
| + | * quota prüfen: | ||
| + | * als user eigene quota prüfen: | ||
| + | <code> | ||
| + | # quota | ||
| + | </code> | ||
| + | * als root quota anderer User prüfen: | ||
| + | <code> | ||
| + | # quota <username> | ||
| + | </code> | ||
| + | * als root quota-Report ausgeben: | ||
| + | <code> | ||
| + | # repquota /home | ||
| + | *** Report for user quotas on device /dev/drbd0 | ||
| + | Block grace time: 7days; Inode grace time: 7days | ||
| + | Block limits File limits | ||
| + | User used soft hard grace used soft hard grace | ||
| + | ---------------------------------------------------------------------- | ||
| + | nobody -- 67952 0 0 213 0 0 | ||
| + | root -- 444832 0 0 4990 0 0 | ||
| + | ... | ||
| + | </code> | ||
| + | * quota-Meldungen auslösen, wird via cron automatisiert ausgeführt (z.B. /etc/cron.daily/quota): | ||
| + | <code> | ||
| + | warnquota | ||
| + | </code> | ||
| + | * Konfiguration von warnquota in /etc/warnquota.conf | ||
| + | |||
| + | * quota deaktivieren: | ||
| + | <code> | ||
| + | # quotaoff -v /home | ||
| + | </code> | ||
| + | * quota aktivieren: | ||
| + | <code> | ||
| + | # quotaon -v /home | ||
| + | </code> | ||
| + | |||
| + | * quota-Einstellungen eines User auf einen anderen übertragen: | ||
| + | * Beispiel: Peter soll die quota-Einstellungen von Hans übernehmen: | ||
| + | <code> | ||
| + | # edquota -p hans peter | ||
| + | </code> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ==== Trouble-Shooting ==== | ||
| + | |||
| + | <code> | ||
| + | # wbinfo -u | ||
| + | Error looking up domain users | ||
| + | |||
| + | ?????????????????????? | ||
| + | kerberos_kinit_password host/FILER@MYDOM.LOCAL failed: Client not found in Kerberos database | ||
| + | ads_connect for domain MYDOM failed: Client not found in Kerberos database | ||
| + | ?????????????????????? | ||
| + | </code> | ||
| + | |||
| + | <code> | ||
| + | # wbinfo --sequence | ||
| + | FILER : 1225459694 | ||
| + | BUILTIN : 1225459694 | ||
| + | PAYZONE-INT : DISCONNECTED <------- ???????????????????????????????? | ||
| + | </code> | ||
| + | |||
2009_windowsserver.txt · Zuletzt geändert: 2009/11/28 14:31 (Externe Bearbeitung)
Seiten-Werkzeuge
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Noncommercial-Share Alike 4.0 International
