środa, lutego 11, 2009

Linux podpięty do AD

$ cat /etc/openldap/ldap.conf
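# OpenLDAP client defaults (libldap, so also ldapsearch and nss_ldap when TLS is used).
# "allow" accepted any server certificate, a forged one included, so a man in the
# middle could read the bind password and every lookup whenever TLS was in use.
# "demand" rejects certificates that do not verify; for that to work add a
# TLS_CACERT line pointing at the CA that issued the domain controller's certificate.
TLS_REQCERT demand
# Domain controller and search base; the same DC is configured in /etc/ldap.conf.
host 192.168.1.1
base dc=example,dc=com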

$ cat /etc/ldap.conf
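# nss_ldap / pam_ldap client configuration against the AD domain controller.
# nss_ldap reads this file from every process doing name lookups, so it normally
# has to be world-readable: everything in it, bindpw included, is visible to
# every local user.
host 192.168.1.1
# When both are set, uri is what nss_ldap uses; keep one of the two.
uri ldap://ntpdc.example.com
port 389
# Plain LDAP on 389: the bind password and all lookups cross the network in clear.
# AD also refuses password changes over an unencrypted connection, so
# "pam_password ad" below cannot work until this becomes "ssl start_tls" (or
# "ssl on" with port 636) and the DC certificate is trusted via
# /etc/openldap/ldap.conf (TLS_REQCERT demand + TLS_CACERT).
ssl no
base dc=example,dc=com
scope sub

# Service account used for lookups. Because this file is world-readable, give
# this account read-only directory rights and nothing else, do not reuse the
# example value, and rotate it if the host is ever compromised.
binddn LDAP@example.com
bindpw haslohaslo

nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=example,dc=com?sub&(objectCategory=group)
# AD stores users as objectClass=user and groups as objectClass=group.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
# Was "user": together with the objectCategory=group filter above the resulting
# search (&(objectClass=user)(objectCategory=group)...) cannot match any AD
# group, so group lookups through nss_ldap returned nothing.
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
# NOTE(review): there is no mapping for the login name; unless the AD accounts
# carry a uid attribute (SFU / RFC2307 schema) add
# "nss_map_attribute uid sAMAccountName".

# Change passwords through AD's own mechanism (requires TLS, see "ssl" above).
pam_password ad
nss_map_attribute userPassword authPassword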

$ cat /etc/krb5.conf
[libdefaults]
# Realm assumed when a principal name carries none; must match "realm" in smb.conf.
default_realm = EXAMPLE.COM
# Maximum clock difference (seconds) tolerated against the KDC. Kerberos fails
# beyond this, so keep the host time-synced with the domain controller.
clockskew = 300

[realms]
EXAMPLE.COM = {
# The AD domain controller acts as KDC and as the server for password changes.
kdc = ntpdc.example.com
admin_server = ntpdc.example.com
default_domain = example.com
}

[logging]
# The kdc/admin_server entries only matter when this host runs those daemons;
# "default" is what the client libraries write to.
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = FILE:/var/log/krb5/krb5libs.log

[domain_realm]
# Every host under example.com belongs to the EXAMPLE.COM realm.
.example.com = EXAMPLE.COM

[appdefaults]
# Options read by pam_krb5. They are only consulted if pam_krb5 is in the PAM
# stack; the stack shown on this page uses pam_winbind.
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
# A forwardable TGT can be delegated to services the user connects to, which
# then act as that user; set false unless credential forwarding is needed.
forwardable = true
proxiable = false
# Lowest uid pam_krb5 attempts Kerberos for. 1 covers every non-root account,
# local system accounts included; consider the lowest domain uid instead
# (the idmap range in smb.conf starts at 10000).
minimum_uid = 1
clockskew = 300
# NOTE(review): "external" and "use_shmem" are pam_krb5 per-service options
# (sshd authenticates externally, e.g. via GSSAPI, and receives credentials via
# shared memory) - confirm against the man page of the installed pam_krb5.
external = sshd
use_shmem = sshd
}

$ cat /etc/samba/smb.conf
[global]
# Samba as an AD domain member ("security = ads"): authentication goes to the
# EXAMPLE.COM realm over Kerberos (see /etc/krb5.conf); winbind feeds domain
# users and groups to NSS and PAM.
workgroup = EXAMPLE
realm = EXAMPLE.COM
preferred master = no
security = ads
encrypt passwords = true
# One log per client machine (%m). Level 3 is verbose and records user names
# and connection details; lower it once the domain join is working.
log file = /var/log/samba/%m.log
log level = 3
# Character sets: CP1250 (Central European) for legacy DOS clients, UTF-8 on
# the Unix side.
dos charset = CP1250
unix charset = UTF8
display charset = UTF8
# uid/gid range accepted for domain accounts.
# NOTE(review): with "idmap backend = ad" the ids come from the RFC2307
# attributes stored in AD (uidNumber/gidNumber, see "nss info" below); confirm
# the values in AD fall inside this range or those accounts get no usable id.
idmap gid = 10000-20000
idmap uid = 10000-20000
# Every domain user (%U of domain %D) gets a home under /home/<DOMAIN> and a
# real shell. Together with "sufficient pam_winbind.so" in the PAM stack this
# lets any domain account log in locally unless PAM restricts group membership.
template homedir = /home/%D/%U
template shell = /bin/bash
# Enumeration (getpwent/getgrent) walks the whole domain; expensive on large
# directories.
winbind enum users = Yes
winbind enum groups = Yes
# Domain accounts appear without the EXAMPLE+ prefix; a local account with the
# same name wins because nsswitch.conf lists "files" first.
winbind use default domain = Yes
winbind nested groups = Yes
# Renew the Kerberos tickets winbind obtains at logon before they expire.
winbind refresh tickets = yes
# Separator used in DOMAIN+user / DOMAIN+group names (used by the [project] share).
winbind separator = +
passdb backend = tdbsam
# Take uid, gid, home and shell from the RFC2307 attributes stored in AD.
idmap backend = ad
winbind nss info = rfc2307

# Tuning. NOTE(review): fixed 8 KiB SO_RCVBUF/SO_SNDBUF values are an old
# recommendation; current Samba guidance is to leave socket buffers to the
# kernel, so measure before keeping them.
oplocks = yes
max xmit = 65535
dead time = 15
getwd cache = yes
large readwrite = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = no

$ cat /etc/nsswitch.conf
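# Lookup order: local files first, then winbind (Samba's AD member daemon),
# then nss_ldap against the same domain controller. "files" first means a
# local account shadows a domain account of the same name.
passwd: files winbind ldap
# Was "windind": glibc cannot load a libnss_windind module, so that source was
# skipped and shadow lookups fell straight through to ldap.
# NOTE(review): nss_winbind does not appear to serve the shadow map at all;
# the entry is harmless but verify it is actually needed.
shadow: files winbind ldap
group: files winbind ldap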

$ nano /etc/pam.d/ [tab]
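# /etc/pam.d/<service> (or the common-auth / common-account / common-password
# includes): let winbind authenticate domain users. Written out per stack; the
# original used shell-style {auth,account,password} shorthand.
# "sufficient" grants access as soon as winbind says yes, and nothing here limits
# which domain accounts may log in - since smb.conf hands every domain user
# /bin/bash, consider adding "require_membership_of=<domain group>" to the auth
# line.
auth     sufficient pam_winbind.so use_first_pass
account  sufficient pam_winbind.so use_first_pass
password sufficient pam_winbind.so use_first_pass
# use_first_pass reuses the password an earlier module in the stack already
# collected; without such a module before these lines winbind gets no password.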

$ net groupmap add rid=1000 ntgroup="Development" unixgroup=dev type=d
# Better: instead of a manual groupmap entry, give the AD group a gidNumber equal to the unix gid (idmap backend = ad / nss info = rfc2307 picks it up).

$ nano /etc/samba/smb.conf
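[project]
# Shared working directory for the Development domain group.
# Quotes removed from the comment: smb.conf does not strip them, so they showed
# up literally in the share description.
comment = Remote project
path = /home/dev/project
browseable = yes
read only = no
# Samba has no parameter called "map inherit acl"; the line was logged as an
# unknown parameter and ignored. The intended option is "map acl inherit"
# (default no, so behaviour is unchanged).
map acl inherit = no
inherit acls = no
inherit permissions = no
create mask = 664
directory mask = 775
# Only members of the Development domain group may connect; "+" is the
# winbind separator set in [global].
valid users = @"EXAMPLE+Development"
# Members of Domain Admins operate as root on this share: "admin users"
# bypasses "force user" and file permissions. Drop it unless root-level
# access to this tree is genuinely required.
admin users = @"EXAMPLE+Domain Admins"
# Everyone else acts as the local dev user/group, so files written here are
# owned by dev:dev regardless of who wrote them (no per-user audit trail on disk).
force user = dev
force group = dev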

$ cat /etc/apache2/vhosts.d/svn.conf

# NOTE(review): the enclosing <Location ...> (or <Directory ...>) container these
# directives sit in appears to have been stripped from the listing.
DAV svn
SVNPath /var/lib/svn/svnrepo
# Basic auth sends the user's password (base64, not encrypted) on every request;
# this vhost must only be reachable over HTTPS, which is not shown here.
AuthBasicProvider ldap
AuthType Basic
AuthName "Subversion svnrepo repository"

# Apache only checks that the user authenticated (Require valid-user below);
# per-path read/write rights come from this file.
AuthzSVNAccessFile /var/lib/svn/svn-acl

# Users are looked up under OU=IT by sAMAccountName, then mod_authnz_ldap binds
# as that user to verify the password. Over plain ldap:// on 389 both the bind
# password below and every user password travel in clear to the DC; use
# ldaps:// (636) or STARTTLS once the DC certificate is trusted by mod_ldap.
AuthLDAPURL ldap://192.168.1.1:389/OU=IT,dc=example,dc=com?samAccountName?sub?(objectCategory=person)
# Same lookup account as /etc/ldap.conf: keep it read-only, keep this file
# readable by root only, and do not reuse the example password.
AuthLDAPBindDN "example\LDAP"
AuthLDAPBindPassword "haslohaslo"

Require valid-user
