Windows Server 2012 AD Settings
1. Create a new organizational unit (OU)
Creating OUs for users in advance keeps AD user management simple and clear.
2. Create new users and user groups
When creating a new user, assign the user to the correct user groups and set the user's Primary Group at the same time. A user may belong to multiple groups; choose a suitable, meaningful group as the Primary Group. The Linux system obtains the gidNumber from the Primary Group, so file-system permissions will show the user as belonging to that group.
3. Edit Unix Extended Attributes of Users and Groups
Select the user or group in the AD management center, open the extended attributes page, and enter a unique uidNumber and the appropriate gidNumber. To avoid duplicates and confusion, administrators should plan and assign the uid and gid values and ranges of every user and group in advance (refer to the Linux smb.conf settings below) before entering them in the AD management center.
When an AD user logs in to Linux, the uid and gid are obtained from AD; this can be verified with the id command after login.
When a Windows user accesses Oracle ZS, the user's SID is converted by the IDMU of Oracle ZS into the uid and gid preset in AD. This can be verified by logging in to Oracle ZS with ssh, entering the shell and inspecting the file system under /export/, or with the Show Mappings tool under Identity Mapping in the Oracle ZS management interface.
This ensures that Linux and Windows users can share access to the files on the ZS.
Oracle ZS Setup
1. Set up DNS, NTP, AD
Set DNS, NTP in Configuration->Services, and then join the AD domain.
2. Set IDMU
Under Identity Mapping in Configuration->Services, select IDMU and click Apply; no other configuration input is required.
3. Verify IDMU
Use the Show Mappings tool of Identity Mapping to check the uid and gid obtained. If they are the same as the uidNumber and gidNumber of the AD user, the mapping is correct; if a temporarily assigned id appears instead, it is incorrect.
4. FS initial creation
In a mixed environment of Windows and Linux clients, it is recommended to create the file system with the UNIX permission mode. This is flexible and also makes the permissions of files and folders created by Linux and Windows clients more consistent. If you choose the Windows default permissions, the default permissions of the root directory will be 755.
5. ACL attribute settings
The ACL attribute of the file system does not need to be modified from its default; it has little effect on basic access permissions.
Note: If someone concludes that ACL attributes have an impact on permissions, please email me and I will fix it.
Red Hat Linux 6 setup
1. Configure SELinux security parameters
SELinux is enabled by default when Red Hat 6 is installed.
1.1. Verify that it is enabled
# getenforce
Enforcing
1.2. Enabling it if it is not
# getenforce
Permissive
# setenforce 1
# getenforce
Enforcing
1.3. Edit /etc/selinux/config and confirm that it is also enabled after a restart
SELINUX=enforcing
2. Configure samba
2.1. Install the samba package
# yum -y install samba samba-client samba-common samba-winbind \
samba-winbind-clients
2.2. Verifying that samba is running
# service smb start
# service smb status
# ps -aef | grep smb
2.3. Making samba run at system startup
# chkconfig smb on
# chkconfig --list smb
3. Synchronize NTP
3.1. Editing /etc/ntp.conf
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
server (ntp server name) iburst
server (ntp server ip) iburst
3.2. Applying NTP Modifications
Red Hat Linux 6:
# service ntpd stop
# ntpdate (ntp server ip)
# service ntpd start
Windows Server:
C:\Users\Administrator> w32tm /query /status | find "Source"
Configuring the Windows Server AD server as an NTP server:
C:\WINSRV1>w32tm /config /manualpeerlist:"ntp server name or ip" /syncfromflags:manual /update
C:\WINSRV1>w32tm /query /status
3.3. Making NTP run at system startup
# chkconfig ntpd on
# chkconfig --list ntpd
4. Configure DNS
4.1. Editing /etc/resolv.conf
domain mydomain
search mydomain
nameserver (DNS server ip)
4.2. Editing /etc/sysconfig/network
HOSTNAME=xxx.mydomain (client server name)
5. Edit /etc/hosts file
Modify and simplify the /etc/hosts file so that it contains:
127.0.0.1 localhost
xxx.xxx.xxx.xxx (local static ip)   xxx.mydomain (client server name)   xxx (client server name)
6. Install and configure the Kerberos client
6.1. Installing the Kerberos client
# yum -y install krb5-workstation
6.2. Verifying that the Kerberos client was successfully installed
# yum list installed | grep krb5
krb5-libs.x86_64          1.9-22.el6_2.1   @rhel-6-server-rpms
krb5-workstation.x86_64   1.9-22.el6_2.1   @rhel-6-server-rpms
pam_krb5.x86_64           2.3.11-9.el6     @anaconda-RedHatEnterpriseLinux-201111171049.x86_64/6.2
6.3. Modify the Kerberos configuration file /etc/krb5.conf as follows (replace the MYDOMAIN and AD Server placeholders with your own values)
Back up the krb5.conf file before modifying it
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYDOMAIN = {
kdc = XXX.mydomain (AD Server)
admin_server = XXX.mydomain (AD Server)
}
[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
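Before running kinit it is worth checking that the realm name is written consistently, since a lower-case default_realm or a missing [domain_realm] entry is the usual reason the next step fails. The script below is an added example and not part of the original guide; it reads the same [libdefaults], [realms] and [domain_realm] sections shown above from a constructed sample file (the host name dc1.mydomain and the file contents are assumptions) and reports the inconsistencies it finds.

```shell
# Added example (not from the original guide): sanity-check a krb5.conf before
# running kinit. The sample files are constructed inline so the script runs
# stand-alone; point check_krb5_conf at /etc/krb5.conf on a real client.

# Print the value of "KEY = VALUE" inside [SECTION] of an INI-style file.
krb5_get() {  # usage: krb5_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        $1 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Checks: default_realm is upper-case, [realms] names a KDC for that realm,
# and [domain_realm] maps the lower-case domain onto the realm.
# Prints one line per problem and returns 1 if any problem was found.
check_krb5_conf() {  # usage: check_krb5_conf FILE
    file=$1; rc=0
    realm=$(krb5_get "$file" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "no default_realm in [libdefaults]"; return 1
    fi
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "default_realm '$realm' is not upper-case"; rc=1
    fi
    # The KDC lives inside "REALM = { kdc = host }" within [realms].
    kdc=$(awk -v realm="$realm" '
        /^\[realms\]/ { insec = 1; next }
        /^\[/         { insec = 0 }
        insec && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3; exit }
    ' "$file")
    if [ -z "$kdc" ]; then
        echo "no kdc entry for realm $realm in [realms]"; rc=1
    fi
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    mapped=$(krb5_get "$file" domain_realm ".$lower")
    if [ "$mapped" != "$realm" ]; then
        echo "[domain_realm] does not map .$lower to $realm"; rc=1
    fi
    return $rc
}

# Constructed sample: a consistent configuration in the shape of the guide's file.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = MYDOMAIN
 dns_lookup_kdc = false
[realms]
 MYDOMAIN = {
  kdc = dc1.mydomain
  admin_server = dc1.mydomain
 }
[domain_realm]
 .mydomain = MYDOMAIN
 mydomain = MYDOMAIN
EOF

# Constructed sample: realm typed in lower case and the ".mydomain" mapping missing.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
 default_realm = mydomain
[realms]
 MYDOMAIN = {
  kdc = dc1.mydomain
 }
[domain_realm]
 mydomain = MYDOMAIN
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

if check_krb5_conf "$GOOD_CONF"; then echo "sample krb5.conf is consistent"; fi
check_krb5_conf "$BAD_CONF" || echo "sample bad krb5.conf rejected as expected"
```

On a real client run check_krb5_conf /etc/krb5.conf; an empty result with exit status 0 means the three sections agree and kinit in step 6.4 can be attempted.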
6.4. Verifying the Kerberos configuration
Clear credentials
# kdestroy
# klist
Get new Kerberos credentials
# kinit administrator@MYDOMAIN
Verify that new credentials are obtained
# klist
7. Install oddjob-mkhomedir
Install the oddjob-mkhomedir package to ensure that the user home directory can be created correctly.
7.1. Installation
# yum install oddjob-mkhomedir.x86_64
7.2. Start the service and have the oddjobd service run at system startup
# service oddjobd start
# chkconfig oddjobd on
# chkconfig --list oddjobd
8. Automatically create home directory
Add the following line to both of these configuration files:
/etc/pam.d/system-auth
/etc/pam.d/sshd
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Note: umask=0077 means that the owner of the home directory has full permissions and the primary group and others have no permissions. It can instead be set to umask=0022, which gives the owner full permissions and the primary group and others read-only permissions.
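The two umask values in the note can be checked directly rather than worked out by hand. The function below is an added example, not part of the original guide: it creates a directory under a temporary parent with the given umask and reads back the resulting mode bits, so the effect of 0077 versus 0022 on a freshly created home directory is visible (0022 leaves the group and others with read and traverse access on a directory, which is the "read permissions" the note describes).

```shell
# Added example (not from the original guide): show the directory mode that a
# given umask produces, the same way pam_mkhomedir's umask= option does.
home_mode_for_umask() {  # usage: home_mode_for_umask 0077  -> prints e.g. 700
    parent=$(mktemp -d) || return 1
    # Apply the umask in a subshell so the caller's umask is left untouched.
    ( umask "$1" && mkdir "$parent/home" ) || { rm -rf "$parent"; return 1; }
    # GNU stat first, BSD stat as a fallback; both print the octal mode.
    mode=$(stat -c '%a' "$parent/home" 2>/dev/null || stat -f '%Lp' "$parent/home")
    rm -rf "$parent"
    printf '%s\n' "$mode"
}

echo "umask 0077 -> $(home_mode_for_umask 0077)"   # 700: owner only
echo "umask 0022 -> $(home_mode_for_umask 0022)"   # 755: group/others read and traverse
```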
9. Expand the range of uid and gid assignments for AD users
Allow users whose uidNumber and gidNumber in the AD user extended attributes are < 30000 to log in to Linux.
In the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, change the line:
account sufficient pam_succeed_if.so uid < 500 quiet
changed to:
account sufficient pam_succeed_if.so uid < 30000 quiet
Note: the value 30000 is one above the upper end of the smb.conf configuration item idmap config (MYDOMAIN NetBIOS Name): range = 10000-29999.
10. Configure samba/winbind
10.1. Edit /etc/samba/smb.conf (the lines that must be changed are the placeholder entries below)
Back up /etc/samba/smb.conf before modifying it
10.2. Configuring smb.conf with the AD mapping mode
In backend = ad mode, the uidNumber and gidNumber of AD users and groups are obtained directly from AD, so they must be set in advance in the extended attributes of AD user management, for both users and groups. The range of accepted values is determined by the configuration item idmap config (MYDOMAIN NetBIOS Name): range = 10000-29999.
[global]
workgroup = (MYDOMAIN NetBIOS Name)
password server = XXX.MYDOMAIN(AD Server)
realm = MYDOMAIN
security = ads
idmap uid = 30000-39999
idmap gid = 30000-39999
idmap config (MYDOMAIN NetBIOS Name) : backend = ad
idmap config (MYDOMAIN NetBIOS Name) : default = yes
idmap config (MYDOMAIN NetBIOS Name) : range = 10000-29999
idmap config (MYDOMAIN NetBIOS Name) : schema_mode = rfc2307
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind separator = +
winbind use default domain = true
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = true
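Steps 9 and 10.2 have to agree: the uid limit in the pam_succeed_if line must cover the whole idmap range that backend = ad accepts, otherwise AD users at the top of the range are handled differently from the rest. The script below is an added example, not part of the original guide or of Samba; it parses the range from an smb.conf in the shape shown above and the limit from a PAM file in the shape shown in step 9 (both constructed inline, with MYDOM standing in for the real NetBIOS name) and reports whether they line up.

```shell
# Added example (not from the original guide): check that the PAM uid limit
# from step 9 covers the winbind idmap range from step 10.2.

# Print the upper bound of "idmap config <DOMAIN> : range = LOW-HIGH".
idmap_range_high() {  # usage: idmap_range_high SMBCONF
    sed -n 's/^[[:space:]]*idmap config [^:]*:[[:space:]]*range[[:space:]]*=[[:space:]]*[0-9]*-\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print N from "account sufficient pam_succeed_if.so uid < N quiet".
pam_uid_limit() {  # usage: pam_uid_limit PAMFILE
    sed -n 's/^account[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_succeed_if\.so[[:space:]]\{1,\}uid[[:space:]]*<[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Returns 0 when the PAM limit is above the idmap range, otherwise prints the
# mismatch and returns 1.
check_uid_ranges() {  # usage: check_uid_ranges SMBCONF PAMFILE
    hi=$(idmap_range_high "$1"); lim=$(pam_uid_limit "$2")
    if [ -z "$hi" ] || [ -z "$lim" ]; then
        echo "could not find the idmap range or the pam_succeed_if uid limit"; return 1
    fi
    if [ "$lim" -le "$hi" ]; then
        echo "pam_succeed_if uid < $lim does not cover the idmap range ending at $hi (need uid < $((hi + 1)))"
        return 1
    fi
    return 0
}

# Constructed sample smb.conf fragment (MYDOM stands in for the NetBIOS name).
SMB_CONF=$(mktemp)
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = MYDOM
   security = ads
   idmap config MYDOM : backend = ad
   idmap config MYDOM : range = 10000-29999
   winbind nss info = rfc2307
EOF

# Constructed sample PAM files: the stock line and the line after step 9.
PAM_BEFORE=$(mktemp); PAM_AFTER=$(mktemp)
cat > "$PAM_BEFORE" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
EOF
sed 's/uid < 500/uid < 30000/' "$PAM_BEFORE" > "$PAM_AFTER"
trap 'rm -f "$SMB_CONF" "$PAM_BEFORE" "$PAM_AFTER"' EXIT

check_uid_ranges "$SMB_CONF" "$PAM_BEFORE" || echo "(stock PAM line: mismatch, as expected)"
check_uid_ranges "$SMB_CONF" "$PAM_AFTER"  && echo "after step 9: PAM limit covers the idmap range"
```

On a configured client, run check_uid_ranges /etc/samba/smb.conf /etc/pam.d/system-auth (and again for password-auth) after editing the files in step 9.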
10.3. Validating the configuration file
# testparm
10.4. Clearing existing samba cache files
# service smb stop
# service winbind stop
# rm -f /var/lib/samba/*
# service smb start
# service winbind start
Note: If you find that the group name is not displayed correctly after logging in with an AD account, you can try this operation and log in again.
10.5. Clearing Kerberos Credentials
# kdestroy
# klist
10.6. Join AD
# net join -S XXX.MYDOMAIN(AD Server) -U administrator
10.7. Testing the AD join
# net ads testjoin
# net ads info
10.8. Start winbind and samba services to activate the new configuration
# wbinfo -u
# wbinfo -g
11. Verify login service
# ssh aduser1@mydomain
# hostname
# id
# pwd
# ls -ld
# echo $SHELL
Note: The configuration process can be simplified through the graphical tools, but it is still recommended to check and supplement the result against the configuration and commands above. The Red Hat graphical configuration command is system-config-authentication; the text-mode configuration command is setup.