2009_windowsserver [2009/11/28 14:31] (aktuell)
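--- /dev/null
+++ b/2009_windowsserver
@@ -0,0 +1,804 @@
+*[[http://193.171.7.43/StepbyStep/default.aspx|Step-by-Step Windows Server Installationsanleitungen]]
+
+====== Windows Server Anbindung mit openSUSE ======
+
+zypper in kr5_client pam_krb
+
+*/etc/hosts
+<file>
+127.0.0.1 localhost d4e.local
+
+# special IPv6 addresses
+::1 localhost ipv6-localhost ipv6-loopback
+
+fe00::0 ipv6-localnet
+
+ff00::0 ipv6-mcastprefix
+ff02::1 ipv6-allnodes
+ff02::2 ipv6-allrouters
+ff02::3 ipv6-allhosts
+127.0.0.2 d4e.weiz.local d4e
+192.168.1.253 weiz.local
+</file>
+*/etc/resolv.conf
+<file>
+nameserver 192.168.1.253
+</file>
+*/etc/HOSTNAME
+<file>
+d4e.weiz.local
+</file>
+*/etc/ntp.conf
+*Hinzufügen
+<file>
+server weiz.local
+</file>
+
+*insserv ntp
+*rcntp restart
+
+
+*/etc/krb5.conf
+<file>
+[libdefaults]
+default_realm = WEIZ.LOCAL
+clockskew = 300
+
+[realms]
+WEIZ.LOCAL = {
+kdc = weiz.local
+admin_server = weiz.local
+default_domain = weiz.local
+}
+
+[domain_realm]
+.weiz.local = WEIZ.LOCAL
+weiz.local = WEIZ.LOCAL
+[appdefaults]
+pam = {
+ticket_lifetime = 1d
+renew_lifetime = 1d
+forwardable = true
+proxiable = false
+minimum_uid = 1
+}
+</file>
+
+*/etc/samba/smb.conf
+<file>
+[global]
+security = ADS
+realm = WEIZ.LOCAL
+password server = 192.168.1.253
+workgroup = WEIZ
+encrypt passwords = yes
+client use spnego = yes
+winbind use default domain = yes
+winbind refresh tickets = yes
+log level = 0
+idmap uid = 10000-20000
+idmap gid = 10000-20000
+template home dir = /home/%U
+template shell = /bin/bash
+domain master = no
+template homedir = /home/%D/%U
+usershare allow guests = No
+</file>
+
+*insserv smb
+*rcsmb restart
+*insserv winbind
+*rcwinbind restart
+
+*/etc/nsswitch.conf
+<file>
+passwd: files nis winbind compat ldap
+group: compat ldap winbind
+shadow: files nis winbind compat
+
+hosts: files dns
+networks: files
+
+services: db files
+protocols: db files
+ethers: db files
+rpc: db files
+netgroup: nis
+</file>
+*etc/pam.d/common-account-pc
+<file>
+account requisite pam_unix2.so
+account sufficient pam_localuser.so
+account sufficient pam_ldap.so use_first_pass
+account required pam_winbind.so use_first_pass
+</file>
+*etc/pam.d/common-auth-pc
+<file>
+auth required pam_env.so
+auth sufficient pam_unix2.so
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_winbind.so use_first_pass
+</file>
+*etc/pam.d/common-password-pc
+<file>
+password sufficient pam_winbind.so
+password requisite pam_pwcheck.so nullok cracklib
+password sufficient pam_unix2.so use_authtok nullok
+password required pam_ldap.so try_first_pass use_authtok
+</file>
+*etc/pam.d/common-session-pc
+<file>
+session optional pam_mkhomedir.so
+session required pam_limits.so
+session required pam_unix2.so
+session optional pam_ldap.so
+session required pam_winbind.so
+session optional pam_umask.so
+</file>
+*etc/pam.d/gdm
+<file>
+auth optional pam_mount.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
+auth optional pam_gnome_keyring.so
+session optional pam_gnome_keyring.so auto_start
+session optional pam_mount.so
+</file>
+*etc/pam.d/login
+<file>
+auth optional pam_mount.so
+auth requisite pam_nologin.so
+auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
+session required pam_lastlog.so nowtmp
+session optional pam_mail.so standard
+session optional pam_ck_connector.so
+session optional pam_mount.so
+</file>
+*etc/pam.d/xdm
+<file>
+auth optional pam_mount.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
+session optional pam_mount.so
+</file>
+*etc/security/pam_mount.conf.xml
+<file>
+<?xml version="1.0" encoding="utf-8" ?>
+<pam_mount>
+
+<debug enable="0" />
+<mkmountpoint enable="1" remove="true" />
+<fsckloop device="/dev/loop7" />
+<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
+<!--
+<mntoptions deny="suid,dev" />
+<mntoptions allow="*" />
+<mntoptions deny="*" />
+-->
+<mntoptions require="nosuid,nodev" />
+
+<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
+<lsof>lsof %(MNTPT)</lsof>
+<fsck>fsck -p %(FSCKTARGET)</fsck>
+<losetup>losetup -p0 "%(before=\"-e\" CIPHER)"
+"%(ifnempty=\"-k\" KEYBITS)" %(KEYBITS) %(FSCKLOOP) %(VOLUME)</losetup>
+<unlosetup>losetup -d %(FSCKLOOP)</unlosetup>
+<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
+"user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>
+<davmount>mount -t davfs %(SERVER)/%(VOLUME) %(MNTPT) -o
+"username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\"
+OPTIONS)"</davmount>
+<smbmount>smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o
+"username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</smbmount>
+<smbumount>smbumount %(MNTPT)</smbumount>
+<ncpmount>ncpmount %(SERVER)/%(USER) %(MNTPT) -o
+"pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"</ncpmount>
+<ncpumount>ncpumount %(MNTPT)</ncpumount>
+<fusemount>mount.fuse %(VOLUME) %(MNTPT)
+"%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</fusemount>
+<fuseumount>fusermount -u %(MNTPT)</fuseumount>
+<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
+<truecryptumount>truecrypt -d %(MNTPT)</truecryptumount>
+<fd0ssh>pmt-fd0ssh</fd0ssh>
+<umount>umount %(MNTPT)</umount>
+<lclmount>mount -p0 -t %(FSTYPE) %(VOLUME) %(MNTPT)
+"%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</lclmount>
+<cryptmount>mount -t crypt "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)
+%(VOLUME) %(MNTPT)</cryptmount>
+<nfsmount>mount %(SERVER):%(VOLUME) %(MNTPT)
+"%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</nfsmount>
+<mntcheck>mount</mntcheck>
+<pmvarrun>pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>
+
+<volume user="*" fstype="cifs" server="192.168.1.253" path="%(USER)"
+mountpoint="/home/WEIZ/%(USER)/server" options="dir_mode=0755,iocharset=utf8" />
+
+<msg-authpw>pam_mount password:</msg-authpw>
+<msg-sessionpw>reenter password for pam_mount:</msg-sessionpw>
+
+</pam_mount>
+</file>
+*/etc/security/pam_winbind.conf
+<file>
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+krb5_auth = yes
+krb5_ccache_type = FILE
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+</file>
+
+*mv /etc/ldap.conf /etc/ldap.conf.bak
+*net ads join -U Administrator%Passwort -S 192.168.1.253 (Fehlermeldung ignorieren!) = Domänenanmeldung
+
+*rcxdm restart
+*Beim Anmelden: In der Taskleiste Domäne auswählen
+
+
+----
+
+*[[http://support.microsoft.com/kb/942564|Zu beachten für Windows Server 2008]]
+ 
+----
+
+====== Samba-Member-Server im ADS mit Win2003-Server ======
+
+==== Vorraussetzungen ====
+
+* Testsysteme waren:
+* Linux: SuSE SLES10-SP1 -> 192.168.123.10, Hostname: filer.mydom.local
+* Folgende Pakete installieren:
+* krb5, samba, samba-winbind ... so ungefähr:
+<code>
+# rpm -qa | egrep 'samba|kerberos|winbind|krb'
+yast2-samba-client-2.13.36-0.8
+samba-winbind-3.0.24-2.23
+samba-client-3.0.24-2.23
+yast2-samba-server-2.13.22-0.8
+samba-3.0.24-2.23
+pam_krb5-2.2.3-18.2
+krb5-client-1.4.3-19.17
+samba-vscan-0.3.6b-42.49
+krb5-1.4.3-19.17
+yast2-kerberos-client-2.13.11-0.10
+krb5-apps-clients-1.4.3-19.17
+samba-krb-printing-3.0.24-2.23
+</code>
+Hinweis: \\
+Das samba-winbind-RPM des SLES10-SP0 macht vermutlich Probleme. \\
+Bzw. ich hatte SLES10-SP1, allerdings wurde samba-winbind wohl von der SP0-DVD nachinstalliert. \\
+Das führte immer zu einem "Error looking up domain users"-Fehler bei "wbinfo -u"... siehe unten ! \\
+
+* Windows: Win2003-Server-R2 -> 192.168.123.1, Hostname: domcontroller.mydom.local
+* als Active-Directory-Server einrichten:
+* Start -> Ausführen -> dcpromo -> weiter, weiter weiter...
+* DNS-Server ist der Windows-Rechner, also den Linux-Rechner dort eintragen (Forward+Reverse-Lookup).
+* Der Linux-Rechner benutzt Win2003 als DNS-Server, also mit folgender /etc/resolv.conf:
+<code>
+nameserver 192.168.123.1
+search mydom.intern
+</code>
+* DNS-Auflösungen muss auf beiden Servern funktionieren, am besten vorher testen:
+* auf Linux mit dem "host"-Befehl:
+<code>
+# host filer.mydom.local
+filer.mydom.local has address 192.168.123.10
+# host 192.168.123.10
+10.123.168.192.in-addr.arpa domain name pointer filer.mydom.local.
+# host domcontroller.mydom.local
+domcontroller.mydom.local has address 192.168.123.1
+# host 192.168.123.1
+1.123.168.192.in-addr.arpa domain name pointer domcontroller.mydom.local.
+</code>
+* auf Windows mit "nslookup".
+
+
+==== kerberos ====
+
+* kerberos config, /etc/krb5.conf:
+<code>
+[libdefaults]
+default_realm = MYDOM.LOCAL
+clockskew = 300
+
+[realms]
+MYDOM.LOCAL = {
+kdc = DOMCONTROLLER.MYDOM.LOCAL
+default_domain = MYDOM.LOCAL
+}
+
+[domain_realm]
+.mydom.local = MYDOM.LOCAL
+mydom.local = MYDOM.LOCAL
+
+[logging]
+default = SYSLOG:NOTICE:DAEMON
+
+[appdefaults]
+pam = {
+ticket_lifetime = 1d
+renew_lifetime = 1d
+forwardable = true
+proxiable = false
+retain_after_close = false
+minimum_uid = 0
+debug = false
+}
+</code>
+
+* kerberos Ticket anfordern:
+<code>
+# kinit domadmin@MYDOM.LOCAL
+Password for domadmin@MYDOM.LOCAL: *****
+</code>
+
+* kerberos-Ticket anzeigen:
+<code>
+# klist
+Ticket cache: FILE:/tmp/krb5cc_0
+Default principal: domadmin@MYDOM.LOCAL
+
+Valid starting Expires Service principal
+10/31/08 13:41:33 10/31/08 23:41:42 krbtgt/MYDOM.LOCAL@MYDOM.LOCAL
+renew until 11/01/08 13:41:33
+
+
+Kerberos 4 ticket cache: /tmp/tkt0
+klist: You have no tickets cached
+</code>
+
+
+==== samba & winbind ====
+
+* samba config, /etc/samba/smb.conf:
+<code>
+[global]
+workgroup = MYDOM
+realm = MYDOM.LOCAL
+netbios name = filer
+server string = Fileserver
+#log level = 3
+security = ADS
+encrypt passwords = yes
+password server = domcontroller.mydom.local
+#password level = N
+client use spnego = yes
+idmap uid = 10000-20000
+idmap gid = 10000-20000
+#
+domain master = no
+local master = no
+preferred master = no
+os level = 0
+#
+winbind use default domain = yes
+winbind refresh tickets = yes
+winbind separator = +
+winbind separator = \
+#winbind separator = /
+#
+##winbind enum users and groups should be used with caution in active directories greater than 200 users or groups,
+##as enumeration is an expensive process and likely to timeout and cause login failures.
+##during login, the full passwd and group will be "enumerated" every time from your active directory server. enumeration is not required for a successful login.
+winbind enum users = yes
+winbind enum groups = yes
+
+#[backup]
+# comment = Backup
+# path = /test
+# browseable = yes
+# read only = no
+# guest ok = no
+# valid users = @alle
+# create mask = 0770
+# directory mask = 0770
+#
+#[test]
+# comment = TEST
+# inherit acls = Yes
+# path = /home/MYDOM
+# read only = No
+#
+#[netlogon]
+# comment =
+# inherit acls = Yes
+# path = /home/MYDOM
+# read only = Yes
+
+
+#[share]
+# comment = Shared Directory
+# path = /tmp
+# Valid Users = @MYDOM+test123 MYDOM+tester MYDOM+tester2
+# ;public = no
+# writable = yes
+# browseable = yes
+#
+#komplette Gruppe 'test123' = @MYDOM+test123
+#einzelner User 'tester' = MYDOM+tester
+</code>
+
+* winbind nimmt sich seine Config aus der smb.conf.
+
+* Samba-Server dem ADS hinzufügen:
+<code>
+# net ads join -U domadmin
+domadmin's password:
+Using short domain name -- MYDOM
+Joined 'FILER' to realm 'MYDOM.LOCAL'
+
+# net ads testjoin
+Join is OK
+</code>
+
+* Userliste des ADS auslesen, mit samba-Tool "net":
+<code>
+# net ads user
+Administrator
+Guest
+... usw.
+</code>
+
+* samba starten:
+<code>
+/etc/init.d/smb start
+</code>
+
+* winbind starten:
+<code>
+/etc/init.d/winbind start
+</code>
+* oder mit Debug-Ausgabe via:
+<code>
+/usr/sbin/winbindd -n -F -i -d 3 -s /etc/samba/smb.conf
+</code>
+
+* winbind testen mit wbinfo:
+<code>
+# wbinfo -t
+checking the trust secret via RPC calls succeeded
+
+# wbinfo -m
+MYDOM
+</code>
+
+* Userliste des ADS auslesen, mit wbinfo:
+<code>
+# wbinfo -u
+administrator
+guest
+support_471112a0
+krbtgt
+...
+
+# wbinfo -g
+domain computers
+domain controllers
+domain admins
+domain users
+domain guests
+group policy creator owners
+dnsupdateproxy
+...
+
+# wbinfo --sequence
+BUILTIN : 1226919242
+FILER : 1226919242
+MYDOM : 1054342
+</code>
+
+* Default-Homeverzeichnis-Basis für die AD-User ist "/home/MYDOM", also Verzeichnis erstellen:
+<code>
+# mkdir /home/MYDOM
+</code>
+
+
+==== nsswitch ====
+
+* passwd und group in /etc/nsswitch.conf folgendermaßen anpassen (die anderen Bereiche nicht ändern !):
+<code>
+...
+#passwd: compat
+#group: compat
+passwd: compat winbind
+group: compat winbind
+...
+</code>
+* hier die komplette /etc/nsswitch.conf fürs Protokoll:
+<code>
+passwd: compat winbind
+group: compat winbind
+
+hosts: files dns
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files nis
+publickey: files
+
+bootparams: files
+automount: files nis
+aliases: files
+</code>
+
+* nun kann man sich mit "getent passwd" eine Userliste (Linux + AD-User) auslesen/anzeigen:
+<code>
+# getent passwd
+at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+daemon:x:2:2:Daemon:/sbin:/bin/bash
+ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
+games:x:12:100:Games account:/var/games:/bin/bash
+gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
+haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
+hpsmh:x:103:1000::/opt/hp/hpsmh:/sbin/nologin
+lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
+mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
+messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
+nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
+ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
+postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
+root:x:0:0:root:/root:/bin/bash
+sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
+suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
+wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
+linuxuser:x:4711:0:Hans Wurst:/home/linuxuser:/bin/bash
+administrator:*:10000:10000:Administrator:/home/MYDOM/administrator:/bin/false
+guest:*:10001:10001:Guest:/home/MYDOM/guest:/bin/false
+support_471112a0:*:10002:10000:SUPPORT_471112a0:/home/MYDOM/support_471112a0:bin/false
+krbtgt:*:10004:10000:krbtgt:/home/PAYZONE-INT/krbtgt:/bin/false
+...
+</code>
+Die letzten 4 User des obigen Beispiels kommen aus dem Active Directory.
+
+* oder mit "getent group" eine Gruppenliste (Linux + AD-Gruppen).
+
+* testen mit chown/chgrp:
+<code>
+# touch testfile
+# chown administrator testfile
+# chgrp "domain users" testfile
+# ls -l testfile
+-rw-rw-r-- 1 administrator domain users 0 2008-11-17 11:59 testfile
+</code>
+
+* falls es dabei folgende Fehler gibt, läuft wahrscheinlich noch der nscd:
+<code>
+# chown administrator testfile
+chown: »administrator«: ungültiger Benutzer
+# chgrp "Domain users" testfile
+chgrp: ungültige Gruppe »Domain users«
+</code>
+
+* dann nscd stoppen und aus den rc-Skripten entfernen, danach sollte es funktionieren:
+<code>
+# /etc/init.d/nscd status
+Checking for Name Service Cache Daemon: running
+# /etc/init.d/nscd stop
+Shutting down Name Service Cache Daemon done
+# chkconfig -d nscd
+nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+</code>
+
+
+==== ssh-Login für AD-User ====
+
+Dieser Abschnitt beschreibt die Konfiguration falls die AD-User sich via SSH auf dem Linux-System einloggen sollen.
+Wenn dies nicht gewünscht ist dann den Abschnitt einfach überspringen.
+
+* in /etc/ssh/sshd_config:
+<code>
+...
+UsePAM yes
+...
+</code>
+
+* in /etc/samba/smb.conf im global-Bereich folgendes einfügen:
+<code>
+template shell = /bin/bash
+</code>
+
+* in /etc/pam.d/common-auth:
+<code>
+auth sufficient pam_winbind.so
+auth required pam_unix2.so
+</code>
+
+* ggf. Homeverzeichnis für AD-User erstellen:
+<code>
+# mkdir /home/MYDOM/administrator
+# chown -R administrator."domain admins" /home/MYDOM/administrator
+</code>
+
+* von remote mit dem AD-User (administrator) und dem AD-Passwort via SSH einloggen !
+
+
+==== quota (linux-kernel 2.6) ====
+
+* kernel benötigt quota-Support, das ist beim SLES10-Default-kernel schon drin:
+<code>
+CONFIG_QUOTA=y
+CONFIG_QUOTACTL=y
+</code>
+
+* quota-Tools installieren:
+<code>
+SuSE:
+# rpm -qa | grep quota
+quota-3.13-17.11
+
+Debian:
+# apt-get install quota
+</code>
+
+* Filesystem-Optionen usrquota und grpquota in /etc/fstab eintragen, Beispiel:
+<code>
+/dev/hda1 /home ext3 defaults,usrquota,grpquota 0 2
+</code>
+* un re-mounten:
+<code>
+mount -o remount /home
+</code>
+* falls ein DRBD-Filesystem im heartbeat-Cluster läuft in /etc/ha.d/haresources konfigurieren:
+<code>
+filer-01 \
+drbddisk::r0 \
+Filesystem::/dev/drbd0::/home::ext3::defaults,usrquota,grpquota \
+...
+</code>
+
+* quota-Tabellen erstellen:
+<code>
+# touch /home/aquota.user
+# touch /home/aquota.group
+</code>
+* und quota-Tabellen initialisieren:
+<code>
+# quotacheck -vaugm
+</code>
+
+* quota einrichten:
+<code>
+# edquota <username>
+# edquota -g <groupname>
+</code>
+* edquota benutzt den Default-Editor ($EDITOR), bei mir "vi".
+<code>
+# edquota hans.wurst
+Disk quotas for user hans.wurst (uid 10025):
+Filesystem blocks soft hard inodes soft hard
+/dev/drbd0 4 0 0 1 0 0
+</code>
+
+* soft-, hard-Limits und grace-Period:
+* soft-Limit kann während der grace-Period durchaus überschritten werden
+* beim hard-Limit ist Schluss, der User darf nicht mehr auf die Platte schreiben.
+
+* Die edquota-Werte sind 1 kilobyte blocks, also 1GB = 1000000.
+* Beispiel soft-Limit=1GB, hard-Limit=1.5GB
+<code>
+# edquota hans.wurst
+Disk quotas for user hans.wurst (uid 10025):
+Filesystem blocks soft hard inodes soft hard
+/dev/drbd0 4 1000000 1500000 1 0 0
+</code>
+* kontrollieren/anzeigen mit:
+<code>
+# quota hans.wurst
+Disk quotas for user hans.wurst (uid 10025):
+Filesystem blocks quota limit grace files quota limit grace
+/dev/drbd0 4 1000000 1500000 1 0 0
+</code>
+
+* quota prüfen:
+* als user eigene quota prüfen:
+<code>
+# quota
+</code>
+* als root quota anderer User prüfen:
+<code>
+# quota <username>
+</code>
+* als root quota-Report ausgeben:
+<code>
+# repquota /home
+*** Report for user quotas on device /dev/drbd0
+Block grace time: 7days; Inode grace time: 7days
+Block limits File limits
+User used soft hard grace used soft hard grace
+----------------------------------------------------------------------
+nobody -- 67952 0 0 213 0 0
+root -- 444832 0 0 4990 0 0
+...
+</code>
+* quota-Meldungen auslösen, wird via cron automatisiert ausgeführt (z.B. /etc/cron.daily/quota):
+<code>
+warnquota
+</code>
+* Konfiguration von warnquota in /etc/warnquota.conf
+
+* quota deaktivieren:
+<code>
+# quotaoff -v /home
+</code>
+* quota aktivieren:
+<code>
+# quotaon -v /home
+</code>
+
+* quota-Einstellungen eines User auf einen anderen übertragen:
+* Beispiel: Peter soll die quota-Einstellungen von Hans übernehmen:
+<code>
+# edquota -p hans peter
+</code>
+
+
+
+
+
+
+==== Trouble-Shooting ====
+
+<code>
+# wbinfo -u
+Error looking up domain users
+
+??????????????????????
+kerberos_kinit_password host/FILER@MYDOM.LOCAL failed: Client not found in Kerberos database
+ads_connect for domain MYDOM failed: Client not found in Kerberos database
+??????????????????????
+</code>
+
+<code>
+# wbinfo --sequence
+FILER : 1225459694
+BUILTIN : 1225459694
+PAYZONE-INT : DISCONNECTED <------- ????????????????????????????????
+</code>
+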
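Review bot: The domain-join step in the openSUSE part, `*net ads join -U Administrator%Passwort -S 192.168.1.253 (Fehlermeldung ignorieren!)`, puts the domain administrator password on the command line, where it is recorded in the shell history and readable by any local user through the process list while the join runs; the SLES part of the same page already shows the prompting form (`# net ads join -U domadmin` followed by `domadmin's password:`), so the first step should be written the same way: `*net ads join -U Administrator -S 192.168.1.253`. The instruction to ignore the error message at that step is also risky, since `net ads testjoin` (shown later on the page) is the check that tells whether the join actually succeeded, and a sentence pointing readers to it would be better than "ignorieren". In the SLES smb.conf example `winbind separator` is assigned twice (`+` and then `\`); Samba appears to take the last assignment, so the effective separator would be `\` while the commented share examples (`@MYDOM+test123`, `MYDOM+tester`) assume `+`, and only one of the two lines should remain. In the openSUSE smb.conf both `template home dir = /home/%U` and `template homedir = /home/%D/%U` appear; only the second looks like a real smb.conf parameter name, so the first line is probably ignored by Samba and should be dropped rather than left looking effective.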