Sendmail 帳號與 Microsoft 2003 AD整合
要達成sendmail+dovecot使用AD帳號做整合,必須希達成以下幾要建。
>
Linux 機器不可以與AD機器時間相差超過五分鐘
>
使用samba中的winbind加入網域中並取得網域帳號。
>
Pam認證模組中插入winbind.so達到AD帳號可以登入linux主機。
>
利用pam_mkhomedir.so來自動建立AD帳號的家目錄,不須自己手動建立家目錄。
1 . 測試環境
AD Server Windowns Server 2003
AD Samba CentOS 5.1 (未更新套件)
主機 Hostname IP
PDC adserver 192.168.227.130/24
linux samba samba.example.com.tw 192.168.227.131/24
Domain name example.com.tw
DNS 192.168.227.130
所需安裝套件(CentOS 5.1)
samba-client-3.0.25b-0.el5.4
samba-common-3.0.25b-0.el5.4
samba-3.0.25b-0.el5.4
ntp-4.2.2p1-7.el5
dovecot-1.0-1.2.rc15.el5
使用NTP套件作向AD作時間校正
# ntpdate 192.168.227.130
# hwclock -w
2 . 架設sendmail
(有時會忘記怎麼架,大約半年當機一次,不知是自動更新問題還是套件漏洞,沒去查)
2.1 設定Sendmail所服務的IP範圍
# vi /etc/mail/sendmail.cf
O DaemonPortOptions=Port=smtp,Addr=
127.0.0.1, Name=MTA # 原本
O DaemonPortOptions=Port=smtp,Addr=
0.0.0.0, Name=MTA # 已修改的
2.2 設定接收信件的條件
(@後面的名稱符合這裡的條件的話把它接收下來)
# vi /etc/mail/local-host-names
example.com.tw
samba.example.com.tw
2.3 設定可Relay的條件
預設Relay本機
# vi /etc/mail/access
Connect:192.168.227 RELAY
Connect:example.com.tw RELAY
To:root@example.com.tw DROP #root的信丟棄掉
3 . 將Linux主機加入網域並取得帳號
3.1 設定samba設定檔 smb.conf
# vi /etc/samba/smb.conf
#=================== Global Settings ========================
[global]
workgroup =
EXAMPLE #
架網域的時候有一個網域的NetBios name
netbios name = SAMBA
# ----------------- Domain Members Options ------------------
security =
domain
; passdb backend = tdbsam
realm =
EXAMPLE.COM.TW
password server =
192.168.227.130
idmap uid = 10000 - 20000 #
UID範圍限制
idmap gid = 10000 - 20000 #
GID範圍限制
template shell = /bin/bash #
登入的Shell,郵件相關可以設成/sbin/nologin
template homedir = /home/%U #
登入的時候所使用的家目錄 /home/user
winbind separator = % #
網域與名稱的分隔符號
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
若不做分享的話可以把== Share Definitions ==以下的全部拿掉
3.2 編輯 /etc/nsswitch.conf 來修改winbind對帳號的信任
# vi /etc/nsswitch
修改以下位置
passwd: files winbind
shadow: files
group: files winbind
# net rpc join -S adserver.example.com.tw -U administrator
Password: # 輸入網域administrator的密碼
Joined domain EXAMPLE. # 成功了 !!!
# service smb restart # 並非必需要啟動,有分享再啟動
# service winbind restart
3.3 測試是否有跟AD取得帳號與群組
# wbinfo -u
administrator
guest
support_388945a0
krbtgt
00001
00002
00003
# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
group1
4 Linux 系統登入使用 AD認證
4.1 插入自動建立家目錄的模組 pam_mkhomedir.so
# vi /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so #
在這一行下面新增下一行
session required pam_mkhomedir.so skel=/etc/skel umask=0077 #
新增的一行,自動建立家目錄
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
4.2 Linux帳號使用winbind.so作AD帳號的認證
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient /lib/security/pam_winbind.so #
插入的pam_winbind.so模組
auth sufficient pam_unix.so nullok try_first_pass #
在這一行的上面新增一行
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account sufficient /lib/security/pam_winbind.so #
插入的pam_winbind.so模組
account required pam_unix.so # 在這一行的上面新增一行
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
驗證類型說明
auth - 驗證你輸入的帳號密碼
account - 帳號密碼對了之後,account驗證類型還必須檢驗你的帳號密碼是否過期等等,來決定是否給你登入
password - 改變帳號資訊的時候用到的。
session - 紀錄或是限制登入次數的前置或後製的工作。
驗證控制說明
required - 驗證失敗時仍然繼續,不管後面驗證成功與否,最後都將錯誤傳回給應用程式。
requisite - 驗證失敗則立即結束整個驗證過程,錯誤傳回給應用程式。
sufficient - 驗證成功後不繼續驗證,失敗後繼續驗證。
session - 無論驗證結果如何,均不會影響。
一些資料 (接擷取自http://us3.samba.org/samba/docs/using_samba/toc.html)
Port 137 Used for NetBIOS network browsing
Port 138 Used for NetBIOS name service
Port 139 Used for file and printer sharing and other operations
Port 445 Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled
Table 6-2. Samba variables
Variable Definition
Client variables
%a Client's architecture (see Table 6-1)
%I Client's IP address (e.g., 172.16.1.2)
%m Client's NetBIOS name
%M Client's DNS name
User variables
%u Current Unix username
%U Requested client username (not always used by Samba)
%H Home directory of %u
%g Primary group of %u
%G Primary group of %U
Share variables
%S Current share's name
%P Current share's root directory
%p Automounter's path to the share's root directory, if different from %P
Server variables
%d Current server process ID
%h Samba server's DNS hostname
%L Samba server's NetBIOS name
%N Home directory server, from the automount map
%v samba version
%D 網域名稱
Miscellaneous variables
%R The SMB protocol level that was negotiated
%T The current date and time
%$var The value of environment variable var
