
Samba as a client in an AD domain

Note: Windows Server 2008, 2008R2, 2010, 2011 and newer have many security improvements over the previous versions; they also use different encryption, and the AD structure has been updated. For these reasons you must use Samba version 3.3.9 or higher, otherwise the procedure below will produce ugly and unexpected errors!!

This is still a draft text for now; I will keep editing and extending it…

Others have already written a lot about this topic, and probably better than I can, but I would still like to add something.

For complete beginners I will say right from the start that there is no point trying to set up Samba through a graphical interface such as the corresponding drak tool in the Mandriva distribution.
That way you will at most set up sharing roughly equivalent to what you get on an XP workstation, i.e. users distinguished by local accounts.

We, however, need user authentication against the AD directory.
There is no point describing the whole process here from start to finish; there are plenty of such guides. The best one is probably this: http://www.abclinuxu.cz/clanky/site/integrace-linuxoveho-serveru-do-domeny-windows-2003 It is exhaustive and excellent.

However, I did not find the PAM authentication setup, for example, in the book "Linux ve světě Windows". Unfortunately that is exactly the thing the guide mentioned above describes only briefly, so I am adding the result of my own effort here (works under Mandriva 2009):

/etc/pam.d/samba:
#%PAM-1.0
auth include system-auth-winbind
account required pam_nologin.so
account include system-auth-winbind
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session include system-auth-winbind
i.e. everywhere system-auth was used, it is now system-auth-winbind

This will work only if you have /etc/pam.d/system-auth-winbind prepared.
If you cannot find it, better not to modify the original system-auth at all, since you might never be able to log in again.
Instead, add the following lines to /etc/pam.d/samba:

auth sufficient pam_winbind.so
auth include system-auth try_first_pass
account required pam_nologin.so
account sufficient pam_winbind.so
account include system-auth try_first_pass
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient pam_winbind.so
session include system-auth try_first_pass

Note that the order must be preserved, because together with the sufficient, required and include control flags it determines the result of authentication.
Here specifically:
1 winbind is tried (verifying the AD user via Kerberos or LDAP); if it succeeds, we are logged in
2 local login is tried
The same applies to account and session.
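As an added example (not from the original post), the following Python script simulates the control-flag logic described above for the /etc/pam.d/samba stack given earlier; the contents of system-auth and all module outcomes are constructed assumptions, and the script also shows that swapping the two auth lines locks out users who exist only in AD:

```python
# Added example, not from the original post: a small evaluator of the
# Linux-PAM control flags this article relies on (required, sufficient,
# include), showing why the order of the lines decides the outcome.
# The system-auth contents and all module outcomes below are constructed.
PAM_FILES = {
    "samba": """
auth    sufficient pam_winbind.so
auth    include    system-auth try_first_pass
account required   pam_nologin.so
account sufficient pam_winbind.so
account include    system-auth try_first_pass
""",
    "system-auth": """
auth    required   pam_unix.so
account required   pam_unix.so
""",
}

def parse_stack(service, section, files=PAM_FILES):
    """Flatten one section (auth/account/...) of a service file, expanding
    'include' lines into the same section of the included file."""
    stack = []
    for raw in files[service].splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != section:
            continue
        control, module = parts[1], parts[2]
        if control == "include":
            stack.extend(parse_stack(module, section, files))
        else:
            stack.append((control, module))
    return stack

def evaluate(stack, outcomes):
    """Simplified Linux-PAM dispatch; outcomes maps module -> True/False.
    sufficient + success with no earlier required failure -> PASS at once;
    a required failure is final, but the remaining modules still run."""
    required_failed = required_ok = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "sufficient" and ok and not required_failed:
            return "PASS"
        if control == "required":
            required_ok |= ok
            required_failed |= not ok
    # Only failed 'sufficient' lines and nothing else: PAM denies access.
    return "PASS" if required_ok and not required_failed else "FAIL"

if __name__ == "__main__":
    print(evaluate(parse_stack("samba", "auth"), {"pam_winbind.so": True}))  # PASS
```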

Next, it is also advisable to set up the authentication of the ssh daemon in the same way,
so that we can easily test over an ssh terminal session whether login works for AD users:

/etc/pam.d/sshd:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth-winbind
auth required pam_nologin.so
account required pam_nologin.so
account include system-auth-winbind
password include system-auth-winbind
session include system-auth-winbind
session required pam_mkhomedir.so skel=/etc/skel umask=0022

And then the ssh daemon must also be configured to use PAM authentication:
/etc/ssh/sshd_config
(not to be confused with ssh_config)
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don’t trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don’t read the user’s ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to ‘yes’ to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of “PermitRootLogin without-password”.
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to ‘no’.
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Now we can check with wbinfo -t whether winbind is running, with wbinfo -u whether it also sees the AD structure, and with wbinfo -K whether Kerberos works as well.
Next, from a Windows client, e.g. using PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html, try an ssh connection and login to the server.
If all of this goes OK, we can get down to configuring Samba.

And more on that next time.