• # Voici la configuration complète (Résolu)

    Posté par . En réponse au message AD Samba4 Client LDAP (Résolu). Évalué à 2. Dernière modification le 29 juillet 2016 à 09:35.

    Sommaire

    Bonjour à tous chose promise chose dû ;-)

    Vous trouverez les étapes pour la configuration de la connexion ssh avec le home monté en NFS. Les connexion seront autorisées pour certains utilisateur. Nous verront cela dans les explications

    La configuration fonctionne sur Debian 7 et 8.

    Resolv.conf

    vim /etc/resolv.conf
    search 'mondomaine.fr'
    nameserver 'ipseveurdns'

    NTP

    Paquets

    apt-get install ntpdate

    Configuration

    vi /etc/default/ntpdate

    ajoutez l'option -u dans

    NTPOPTIONS="-u"

    démarrage du service... enfin mise à l'heure quoi :

    #/usr/sbin/ntpdate-debian

    Crontab

    crontab -e
    # Synchro NTP AD
    18 0 * * * /usr/sbin/ntpdate-debian
    @reboot /usr/sbin/ntpdate-debian

    Kerberos

    Paquets

    apt-get install krb5-user libpam-krb5

    Configuration

    vi /etc/krb5.conf
    [libdefaults]
     default_realm = 'mondomaine.fr'
     ticket_lifetime = 24000
     fowardable = true
    proxiable = true
    dns_fallback = no
    [realms]
     'mondomaine.fr' = {
     #si vous avez plusieurs DC 
     kdc = dc01.'mondomaine.fr'
     kdc = dc02.'mondomaine.fr'
     kdc = dc03.'mondomaine.fr'
     admin_server = 'mondomaine.fr'
     default_domain = 'mondomaine.fr'
     }
    [domain_realm]
     .'mondomaine.fr' = 'mondomaine.fr'
    'mondomaine.fr' = 'mondomaine.fr'

    Ticket

    kinit Administrateur@'mondomaine.fr'
    Password for Administrateur@'mondomaine.fr'

    Afficher le ticket

    klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrateur@'mondomaine.fr'
    Valid starting Expires Service principal
    27/06/2016 16:59:59 27/06/2016 23:39:41 krbtgt/'mondomaine.fr'@'mondomaine.fr'

    Samba

    Paquets

    apt-get install samba winbind libnss-winbind

    nsswitch.conf

    vim /etc/nsswitch.conf
    passwd:compat winbind
    group:compat winbind
    shadow:compat winbind

    Configuration

    vi /etc/samba/smb.conf
    [global]
     netbios name = "NOM SRV MOINS DE 15 CHARACTERES"
     security = ADS
     realm = 'mondomaine.fr'
     workgroup = 'masociete'
     winbind separator = /
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     winbind enum users = yes
     winbind enum groups = yes
     template home dir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     winbind use default domain = yes
     domain master = no
     local master = no
     preferred master = no
     os level = 0
    /etc/init.d/samba restart

    Intégration AD

    net join ads -U Administrateur -S 'DC'.'mondomaine.fr'
    service winbind restart

    Authentification (PAM)

    Les configurations concernant l'authentification doivent être réalisées avec précautions.

    Paquets

    #apt-get install libpam-winbind libpam-krb5

    Configuration

    Tous les fichiers doivent être recopié .old par exemple.

    Testez sur le second terminal si la connexion ssh en root est toujours UP après la configuration
    Dans mon illustration seul les DEV et le Support peuvent se connecter en SSH
    pour connecter l’ID d’un groupe il faut faire la commande suivante

    wbinfo -n « le nom du groupe »

    Utilisez aussi la commande id « user » pour lister les groupes d’un user « type » je vous laisse regarder les différentes option de la commande wbinfo

    cd /etc/pam.d
    cp common-auth common-auth.old && cp common-account common-account.old && cp common-session common-session.old
    vim common-auth
    #users locaux
    auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
    #groupe DEV
    auth [success=2 default=ignore] pam_winbind.so require_membership_of=S-1-5-21-535638378-3513273978-3571618535-3921 krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    #groupe support
    auth [success=1 default=ignore] pam_winbind.so require_membership_of=S-1-5-21-535638378-3513273978-3571618535-3169 krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    # here's the fallback if no module succeeds
    auth requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config
    vim common-account
    #
    # /etc/pam.d/common-account - authorization settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authorization modules that define
    # the central access policy for use on the system. The default is to
    # only deny service to users whose accounts are expired in /etc/shadow.
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules. See
    # pam-auth-update(8) for details.
    #
    # here are the per-package modules (the "Primary" block)
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
    # here's the fallback if no module succeeds
    account requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    account required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config
    #vim common-session
    #
    # /etc/pam.d/common-session - session-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define tasks to be performed
    # at the start and end of sessions of *any* kind (both interactive and
    # non-interactive).
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules. See
    # pam-auth-update(8) for details.
    # here are the per-package modules (the "Primary" block)
    session [default=1] pam_permit.so
    # here's the fallback if no module succeeds
    session requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    session required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    session required pam_unix.so
    # end of pam-auth-update config
    ##add 
    session optional pam_winbind.so
    session optional pam_mkhomedir.so skel=/etc/skel umask=077
    ##end add

    Sudo

    Seuls les utilisateurs membres du groupe "Team Support" seront autorisés à passer en root

    apt-get install sudo
    visudo
    #autorisation des users du group Support
    %team\ support ALL=(ALL) ALL

    Testez la connexion avec un user du domaine

     ssh 'srv'-xxx -l 'usertest'
    'usertest'@'srv'-xxx's password:
    'usertest'@'srv'-xxx:~$

    Home itinérant

    Serveur NFS

    Nous allons créer le home du user
    Sur le serveur lnx-gw-srv

    cd /mnt/nfs/homes
    cp -rvf templateuser "user nom AD"

    Paquets (client NFS)

    apt-get install autofs

    Configuration

    Client NFS

    vim /etc/auto.master

    ajoutez la ligne suivante

    /home/'masociete' /etc/auto.home --timeout=600
    vim /etc/auto.home

    insérez

    * -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp ‘monserveurNFS':/mnt/nfs/homes/&
    service autofs restart

    Configuration pam.d

    Modifiez le fichier common-session

    vim /etc/pam.d/common-session #
    # /etc/pam.d/common-session - session-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define tasks to be performed
    # at the start and end of sessions of *any* kind (both interactive and
    # non-interactive).
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules. See
    # pam-auth-update(8) for details.
    # here are the per-package modules (the "Primary" block)
    session [default=1] pam_permit.so
    # here's the fallback if no module succeeds
    session requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    session required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    session required pam_unix.so
    # end of pam-auth-update config
    ##add test
    session optional pam_winbind.so
    session optional pam_mkhomedir.so
    ##end test

    Testez la connexion

    PS:
    Si vous ne souhaitez pas de montage home, modifiez le fichier common-session
    remplacez

    session optional pam_mkhomedir.so
    

    par

    pam_mkhomedir.so skel=/etc/skel umask=077
    

    Un home sera créé en local