Using PBIS authentication on Ubuntu
1: Download
https://github.com/BeyondTrust/pbis-open/releases
wget https://github.com/BeyondTrust/pbis-open/releases/download/8.8.0/pbis-open-8.8.0.506.linux.x86_64.deb.sh
2: Install; the default settings are fine
chmod +x pbis-open-8.8.0.506.linux.x86_64.deb.sh
sh pbis-open-8.8.0.506.linux.x86_64.deb.sh
3: Join the domain
cd /opt/pbis/bin/
domainjoin-cli join test.net admin
4: Custom settings you may need
/opt/pbis/bin/config HomeDirTemplate '%H/%D/%U'
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/config HomeDirUmask 077
/opt/pbis/bin/config UserDomainPrefix test.net
/opt/pbis/bin/config AssumeDefaultDomain true
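#/opt/pbis/bin/config RequireMembershipOf test\\LinuxUser test\\new # allow the LinuxUser group and the user new to log in
# Allow a user group to act as sudoers (add this line to /etc/sudoers with visudo)
%test\\LinuxAdmins ALL=(ALL:ALL) ALL
If you were previously using winbind + samba authentication
1: Leave the domain first
net ads leave -U administrator
2: Remove the winbind-related entries under /etc/pam.d/, and remove winbind from /etc/nsswitch.conf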
cat /etc/pam.d/common-account
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
#--------------------------------------------------
cat /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_lsass.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
#--------------------------------------------------
cat /etc/pam.d/common-password
password [success=2 default=ignore] pam_lsass.so
password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
#--------------------------------------------------
cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_lsass.so
session required pam_unix.so
session optional pam_systemd.so
#--------------------------------------------------
cat /etc/pam.d/common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_lsass.so
session required pam_unix.so
#--------------------------------------------------
cat /etc/nsswitch.conf
passwd: compat lsass
group: compat lsass
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
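A check for step 2, as an added example that is not part of the original post: it confirms that no active winbind entry remains, that passwd and group use lsass, and that every numeric success=N jump still ends just past pam_deny.so, which is what breaks when a winbind line is deleted by hand without adjusting N. It assumes the stack layout shown above; the function names and the ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. ROOT is a hypothetical prefix
# (empty = live system) so a copy of /etc can be audited as well.

# Each numeric success=N must skip up to and including pam_deny.so; a winbind
# line deleted by hand without lowering N breaks this.
check_jumps() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        { n++; line[n] = $0 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (!match(line[i], /success=[0-9]+/)) continue
                skip = substr(line[i], RSTART + 8, RLENGTH - 8) + 0
                if (i + skip >= n || line[i + skip] !~ /pam_deny\.so/) {
                    printf "FAIL: %s: success=%d misses pam_deny.so\n", f, skip
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

check_migration() {
    root="${1:-}"; rc=0
    # No active (uncommented) winbind reference may remain in PAM or NSS.
    for f in "$root"/etc/pam.d/* "$root/etc/nsswitch.conf"; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q winbind; then
            echo "FAIL: $f still references winbind"; rc=1
        fi
    done
    # passwd and group must resolve through lsass.
    for db in passwd group; do
        grep -Eq "^$db:.*lsass" "$root/etc/nsswitch.conf" 2>/dev/null ||
            { echo "FAIL: $db does not use lsass"; rc=1; }
    done
    for s in common-account common-auth common-password; do
        check_jumps "$root/etc/pam.d/$s" || rc=1
    done
    return $rc
}
# Usage: check_migration            (live system)
#        check_migration /tmp/copy  (expects /tmp/copy/etc/...)
```

Run it from a root shell that stays open while testing a second login, so a broken stack can still be repaired.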
3: If you still need samba, you can remove winbind (it is no longer needed).
net cache flush # without this step, samba keeps using the old winbind UIDs
#--------------------------------------------------
cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
security = ads
workgroup = TEST
realm = TEST.NET
client ntlmv2 auth = yes
encrypt passwords = yes
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
machine password timeout = 0
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
/opt/pbis/bin/samba-interop-install --install # samba can now authenticate through pbis
Also, the bash prompt shows the user name in the form test\username; for appearance, change it to show just username
sed -i "58s#^.*\$#&\nmodify_username()\n{\n echo \$USER | awk -F\\\\\\\\ '{print \$NF}'\n}\n#;s#\\\\u#\$(modify_username)#g" /etc/skel/.bashrc
If samba reports this error
#Bad talloc magic value - access after free
apt-get install libtalloc2
If this appears when joining the domain
#Error: ERROR_GEN_FAILURE [code 0x0000001f]
apt-get remove avahi-daemon
Reposted from: http://www.voidcn.com/article/p-oujlouli-bms.html