My name is Tsugu.
I searched books and websites,
but could not resolve the problem described below,
so I am posting here.
* Apologies for the long post.
I would be grateful for any advice.
Thank you in advance.
■ Environment
　○Windows Server 2003 R2 (hereafter WinSV2003R2)
　　・DNS server
　　・Active Directory (hereafter AD)
　　・Host names: sv01.test.jp, sv03.test.jp
　　・All password-related restrictions have been removed in Group Policy.
　○Red Hat Enterprise Linux ES v4 (hereafter RHELv4)
　　・Samba and OpenLDAP are used for IDMAP mapping
　　・There are several other RHELv4 machines, which use Winbind
　　　and are member servers of the AD domain
　○Samba 3.0.24-30
　　・Using the RHELv4 RPM packages from samba.org
　　・All packages available on samba.org are installed
　　・Host name: sv02.test.jp
■ What I want to achieve
　Change AD passwords from RHELv4.
■ Problem
　○From RHELv4, against the remote AD, the password cannot be changed with either
　　・smbpasswd (with the Winbind authentication setup), or
　　・kpasswd (with the Kerberos authentication setup).
　　※In each case I changed the PAM configuration and tried.
　○Example smbpasswd run
¡¡¡¡[user001@xxxxx ~]$ smbpasswd -r sv01
¡¡¡¡Old SMB password:
¡¡¡¡New SMB password:
¡¡¡¡Retype new SMB password:
¡¡¡¡machine itsv01 rejected the password change: Error was : Password restriction.
¡¡¡¡Failed to change password for user001
¡¡¡¡[user001@xxxxx ~]$
　○Example kpasswd run
[user001@xxxxx ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user001@xxxxx
Valid starting     Expires            Service principal
04/10/07 15:28:37  04/11/07 01:28:40  krbtgt/TEST.JP@xxxxx
renew until 04/11/07 15:28:37
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[user001@xxxxx ~]$ kpasswd
Password for user001@xxxxx:
Enter new password: :
Enter it again: :
Password change rejected
■ Status
　○After changing the password in AD, I can log in from RHELv4
　　with the new password.
　○The SID and UID/GID can be confirmed via wbinfo without problems.
■ What I tried
　○$ smbpasswd -r sv01
　○$ smbpasswd -r SV01
　○# smbpasswd -r sv01 -U user001
　○# smbpasswd -r SV01 -U user001
■ Configuration
○/etc/nsswitch.conf
The following lines were added:
passwd: files winbind
shadow: files winbind
group: files winbind
○/etc/samba/smb.conf
[global]
workgroup = TEST
dos charset = CP932
unix charset = UTF-8
display charset = UTF-8
realm = TEST.JP
security = ADS
netbios name = SV02
idmap uid = 1000-2000
idmap gid = 1000-2000
idmap backend = ldap:ldap://localhost
ldap admin dn = cn=Manager,dc=test,dc=jp
ldap suffix = dc=test,dc=jp
ldap idmap suffix = ou=Idmap
winbind cache time = 15
winbind separator = @
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
password server = sv01.test.jp sv03.test.jp
obey pam restrictions = yes
log level = 10
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
template shell = /bin/false
○/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.JP
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TEST.JP = {
kdc = sv01.test.jp:88
admin_server = sv01.test.jp:749
default_domain = test.jp
}
[domain_realm]
.test.jp = TEST.JP
test.jp = TEST.JP
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
○/etc/pam.d/ssd (configuration when testing Kerberos authentication)
auth sufficient /lib/security/pam_krb5.so
auth sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_krb5.so
account sufficient /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
○/etc/pam.d/ssd (configuration when testing Winbind authentication)
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so
account sufficient /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
■ References
　○Integrated authentication setup (Winbind+Kerberos)
　　 http://rina.jpn.ph/~rance/server/mail04.html
　○ActiveDirectory と Linux によるシステム構築ガイド (System construction guide with Active Directory and Linux)
　　・Book, Shuwa System
　○徹底解説 Samba LDAP サーバ構築 (Samba LDAP server construction, explained in depth)
　　・Book, Gijutsu-Hyohron Sha
　○Web searches
　etc.
Thank you in advance.
Posted by xml-rpc : April 10, 2007 20:43
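The smb.conf in the post sets `template shell` twice in `[global]` (`/bin/bash`, then `/bin/false`); Samba reads parameters in file order and keeps the last occurrence, so the effective shell for mapped domain users is `/bin/false`, and `log level = 10` leaves debug logging on. The following checker, added here as an example (it is not the poster's code and not part of Samba), parses the posted `[global]` section, reports parameters set more than once with the value Samba will actually use, and flags the debug log level. The function names (`parse_smb_conf`, `duplicate_parameters`, `get`, `review_findings`) and the name matching rule (case and whitespace ignored, as Samba does for parameter names) are this example's own choices.

```python
"""Added example, not from the post and not Samba's own code: a small
smb.conf checker for duplicate parameters (last occurrence wins) and a
debug-level 'log level'."""
import re

# Sample input: the [global] section copied from the post above, including
# both 'template shell' lines exactly as posted.
SAMPLE_SMB_CONF = """\
[global]
workgroup = TEST
dos charset = CP932
unix charset = UTF-8
display charset = UTF-8
realm = TEST.JP
security = ADS
netbios name = SV02
idmap uid = 1000-2000
idmap gid = 1000-2000
idmap backend = ldap:ldap://localhost
ldap admin dn = cn=Manager,dc=test,dc=jp
ldap suffix = dc=test,dc=jp
ldap idmap suffix = ou=Idmap
winbind cache time = 15
winbind separator = @
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
password server = sv01.test.jp sv03.test.jp
obey pam restrictions = yes
log level = 10
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
template shell = /bin/false
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def canonical(name):
    """Matching key for a parameter name: Samba ignores case and whitespace."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section: [(name, value), ...]} in file order, keeping repeats.
    Names are lowercased with whitespace collapsed (for display only)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # line outside any section, or without '=': skip it
        name, value = line.split("=", 1)
        sections[current].append((" ".join(name.split()).lower(), value.strip()))
    return sections


def duplicate_parameters(sections):
    """{section: {name: [values...]}} for every parameter set more than once."""
    result = {}
    for section, pairs in sections.items():
        by_key = {}  # canonical name -> (first display name, [values])
        for name, value in pairs:
            by_key.setdefault(canonical(name), (name, []))[1].append(value)
        repeated = {n: v for n, v in by_key.values() if len(v) > 1}
        if repeated:
            result[section] = repeated
    return result


def get(sections, name, section="global"):
    """Value Samba ends up using: a later occurrence overwrites an earlier one."""
    value, wanted = None, canonical(name)
    for key, val in sections.get(section, []):
        if canonical(key) == wanted:
            value = val
    return value


def review_findings(sections):
    """Findings a reviewer would raise on this file, as plain strings."""
    findings = []
    for section, repeated in duplicate_parameters(sections).items():
        for name, values in repeated.items():
            findings.append(f"[{section}] '{name}' is set {len(values)} times "
                            f"({', '.join(values)}); Samba uses the last value: {values[-1]}")
    level = get(sections, "log level")
    if level and level.split()[0].isdigit() and int(level.split()[0]) >= 10:
        findings.append(f"[global] 'log level' is {level.split()[0]} (debug): "
                        f"{get(sections, 'log file')} will grow quickly and record "
                        "protocol detail; lower it once the problem is diagnosed")
    return findings


if __name__ == "__main__":
    for finding in review_findings(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against any smb.conf by replacing `SAMPLE_SMB_CONF` with the file's contents; `get()` answers "which value is in force" for a parameter written in any spelling Samba would accept, which is the question a duplicated key raises.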