There is no need to use Samba; AD supports Kerberos and LDAP directly. In most deployments there is no reason to use any third-party software.
On Debian / Ubuntu this can be done with libnss-ldap and libpam-krb5. There are a few tricks to getting it 100% right. This assumes that "unixHomeDirectory" is populated for your Linux users, that the Linux boxes share a common NTP source with the Windows systems (required for Kerberos), and that you are OK with NSS lookups (group membership information and the like, not passwords) going over the wire in plain text (you can use TLS, but it is more complex to set up). If you are not set up to use TLS, you must NOT have pam_ldap in PAM as a password or authentication source.
/etc/ldap.conf
# LDAP Configuration for libnss-ldap and libpam-ldap.
# Permit host to continue boot process without contacting LDAP server
bind_policy soft
# Define LDAP servers to use for queries, these must be Global Catalog servers
uri ldap://ldap.site.company.local
# Define root search location for queries
base dc=company,dc=local
#debug 1
# LDAP version, almost always going to be v3, it is quite mature
ldap_version 3
# Username used to proxy authentication. You can have this in a separate file owned by root for security OR use TLS/SSL (see man page)
# Do NOT use LDAP for authentication if you are using plain text binds, use Kerberos instead (and LDAP for authorization only). See libpam-krb5.
binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
# Password for proxy acct
bindpw SooperSekeretPazzwerd
# TCP port to perform queries on, 3268 is a Global Catalog port which will reply for all users in *.company.local
port 3268
# Search range scope (sub = all)
scope sub
# Tell the client to close TCP connections after 30 seconds, Windows will do this on the server side anyway, this will prevent errors from showing up in the logs.
idle_timelimit 30
# Expect queries for group membership to return DN for group members instead of usernames (lets you use MSAD group membership seamlessly)
nss_schema rfc2307bis
# Filters - User accounts must have a UID >= 2000 to be recognized in this configuration and must have a unixHomeDirectory defined.
nss_base_group dc=company,dc=local?sub?&(objectClass=group)(gidNumber=*)
# libnss-ldap reads nss_base_passwd (not nss_base_user) for the passwd map; computer accounts are excluded via objectClass=computer
nss_base_passwd dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
nss_base_shadow dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
# Object Class mappings. You may want to have the posixAccount to map to "mail" and have users login with their email addresses, i.e. "nss_map_objectclass posixAccount mail".
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# Attribute mappings.
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
# Attribute in LDAP to query to match the username used by PAM for authentication
pam_login_attribute sAMAccountName
# Filter for objects which are allowed to login via PAM
pam_filter objectclass=User
Assuming the Linux box uses DNS servers that know about AD, there is no need to edit /etc/krb5.conf (it can resolve the _msdcs zone, which has the appropriate SRV records).
/etc/nsswitch.conf needs "files ldap" for passwd, group and shadow.
For Red Hat using SSSD:
/etc/sssd/sssd.conf
[domain/AD]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://ldap.company.local:3268/
ldap_search_base = dc=company,dc=local
# Proxy account password lives in this file, so sssd.conf must be mode 0600 and owned by root (SSSD refuses to start otherwise)
ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
ldap_default_authtok = SooperSekeretPazzwerd
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
enumerate = true
# Plain-text LDAP for identity lookups only; auth_provider stays krb5 so user passwords never go to the LDAP bind.
# If you later switch to ldaps:// or start_tls, set ldap_tls_reqcert = demand and point ldap_tls_cacertdir at your AD CA, or the TLS adds nothing.
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = False
cache_credentials = True
# AD realm is the DNS domain name in upper case
krb5_realm = SITE.COMPANY.LOCAL
case_sensitive = false
[sssd]
services = nss, pam
config_file_version = 2
domains = AD
[nss]
filter_users = root,named,avahi,nscd
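The recurring security point in both configurations above is that a plain ldap:// URI is fine for NSS lookups but must never carry a password, whether the proxy account's bindpw or a user's via pam_ldap / auth_provider = ldap, and that ldap_tls_reqcert = never throws away any benefit TLS would bring. The following script is an added example, not code from the original answer: it parses either file format and reports those weak combinations. The sample configs and PAM fragments embedded in it are constructed from the values in the answer (the hardened SSSD sample, with ldaps:// on the Global Catalog SSL port 3269 and a CA file path, is an assumption used for contrast).

```python
"""Audit /etc/ldap.conf (libnss-ldap/libpam-ldap) and /etc/sssd/sssd.conf for the
plain-text pitfalls discussed above. Added example; not part of the original post."""
import re

# Constructed sample configs (not copied from a real host); values mirror the answer.
LDAP_CONF = """\
bind_policy soft
uri ldap://ldap.site.company.local
base dc=company,dc=local
binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
bindpw SooperSekeretPazzwerd
port 3268
nss_base_passwd dc=company,dc=local?sub?&(objectClass=user)(uidNumber>=2000)(unixHomeDirectory=*)
pam_login_attribute sAMAccountName
pam_filter objectclass=User
"""
# Constructed /etc/pam.d fragments: the first authenticates through pam_ldap (what the
# answer warns against without TLS), the second through pam_krb5.
PAM_LDAP_AUTH = "auth sufficient pam_ldap.so\npassword sufficient pam_ldap.so\n"
PAM_KRB5_AUTH = "auth sufficient pam_krb5.so minimum_uid=2000\naccount required pam_unix.so\n"

SSSD_CONF_PLAIN = """\
[domain/AD]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.company.local:3268/
ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
ldap_default_authtok = SooperSekeretPazzwerd
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
"""
# Assumed hardened variant: ldaps:// on the Global Catalog SSL port, certificate verified.
SSSD_CONF_TLS = """\
[domain/AD]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.company.local:3269/
ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
ldap_default_authtok = SooperSekeretPazzwerd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
"""

SSSD_STYLE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_conf(text):
    """Return {key: value} with keys lowercased. Accepts both 'key value' (ldap.conf)
    and 'key = value' (sssd.conf) syntax. [section] headers are skipped; the keys we
    look at are unique across sections so that loses nothing here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = SSSD_STYLE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
        else:
            # ldap.conf values (search filters, DNs) may themselves contain '='.
            key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def transport_is_protected(conf):
    """True if the LDAP session is wrapped in TLS (ldaps:// or StartTLS)."""
    uri = conf.get("uri", conf.get("ldap_uri", ""))
    if uri.lower().startswith("ldaps://"):
        return True
    if conf.get("ssl", "").lower() in ("start_tls", "on", "yes"):      # ldap.conf
        return True
    return conf.get("ldap_id_use_start_tls", "").lower() == "true"     # sssd.conf


def audit(conf_text, pam_text=""):
    """Return a sorted list of finding codes; an empty list means no weak setting found.
    pam_text is an optional /etc/pam.d stack, used to spot pam_ldap doing authentication."""
    conf = parse_conf(conf_text)
    findings = set()
    if not transport_is_protected(conf):
        findings.add("plaintext-transport")
        if "bindpw" in conf or "ldap_default_authtok" in conf:
            findings.add("proxy-password-in-clear")          # bind password crosses the wire
        if "ldap" in (conf.get("auth_provider", "").lower(), conf.get("chpass_provider", "").lower()):
            findings.add("sssd-user-password-in-clear")      # should be krb5, as in the answer
        if re.search(r"^(auth|password)\s+\S+\s+pam_ldap\.so", pam_text, re.M):
            findings.add("pam-ldap-auth-in-clear")           # exactly what the answer forbids
    if conf.get("ldap_tls_reqcert", "").lower() in ("never", "allow"):
        findings.add("server-cert-not-verified")
    if conf.get("tls_checkpeer", "").lower() == "no":        # ldap.conf equivalent
        findings.add("server-cert-not-verified")
    return sorted(findings)


if __name__ == "__main__":
    for name, args in (("ldap.conf + pam_ldap", (LDAP_CONF, PAM_LDAP_AUTH)),
                       ("ldap.conf + pam_krb5", (LDAP_CONF, PAM_KRB5_AUTH)),
                       ("sssd.conf plain", (SSSD_CONF_PLAIN,)),
                       ("sssd.conf ldaps", (SSSD_CONF_TLS,))):
        print(f"{name}: {audit(*args) or 'no findings'}")
```

Run it against the real files (`audit(open('/etc/ldap.conf').read(), open('/etc/pam.d/common-auth').read())`) after an install; "plaintext-transport" plus "proxy-password-in-clear" is the accepted trade-off the answer describes, while "pam-ldap-auth-in-clear" or "sssd-user-password-in-clear" means user passwords are leaving the box unencrypted and the PAM stack needs to move to Kerberos.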