{"id":123,"date":"2019-01-07T15:18:49","date_gmt":"2019-01-07T14:18:49","guid":{"rendered":"http:\/\/blog.nosland.com\/?p=123"},"modified":"2019-01-07T15:22:04","modified_gmt":"2019-01-07T14:22:04","slug":"mise-sur-le-domaine-poste-linux","status":"publish","type":"post","link":"http:\/\/blog.nosland.com\/?p=123","title":{"rendered":"Mise sur le domaine Poste Linux"},"content":{"rendered":"\n

Test\u00e9 sous Debian 8<\/p>\n\n\n\n

V\u00e9rification des DNS  <\/h4>\n\n\n\n

\/etc\/resolv.conf :
nameserver 192.168.73.100<\/p>\n\n\n\n

Le nameserver doit \u00eatre le DNS qui r\u00e9sout votre ActiveDirectory <\/p>\n\n\n\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nInstallation de ntpdate pour synchro du poste avec contr\u00f4leur de domaine\n\n\n\n<\/h4>\n\n\n\n

# Apt-get install ntpdate
# ntpdate domaincontoler.nosland.com<\/p>\n\n\n\n

Il est important que le poste soit bien syncho au niveau du temps avec les contr\u00f4leurs de domaines de l’AD. <\/p>\n\n\n\n

Installation de Kerberos et configuration<\/h4>\n\n\n\n

# apt-get install krb5-user
# cp -p \/etc\/krb5.conf \/etc\/krb5.conf.orig
# vi \/etc\/krb5.con <\/p>\n\n\n\n

Ajouter et\/ou modifier le fichier avec les lignes : <\/p>\n\n\n\n

[libdefaults]<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default_realm = NOSLAND.COM<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dns_lookup_kdc = false<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ticket_lifetime = 24h<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 renew_lifetime = 7d<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 forwardable = true<\/em>
[realms]<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NOSLAND.COM = {<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 kdc = dc1.nosland.com<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 kdc = dc2.nosland.com<\/em>
\u00a0 kdc = dc3.nosland.com<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0admin_server = dc1.nosland.com<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default_domain = nosland.com<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/em>
[domain_realm]<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .nosland.com = NOSLAND.COM<\/em>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nosland.com = NOSLAND.COM<\/em><\/p>\n\n\n\n

Afin de tester si la configuration est OK : <\/p>\n\n\n\n

# kdestroy
# klist
# kinit username@NOSLAND.COM<\/a>
# klist<\/p>\n\n\n\n

Configuration samba <\/h4>\n\n\n\n

# mv \/etc\/samba\/smb.conf \/etc\/samba\/smb.origine
# vi \/etc\/samba\/smb.conf<\/p>\n\n\n\n

[global]<\/em>
        workgroup = NOSLAND<\/em>
        security = ADS<\/em>
        realm = NOSLAND.COM<\/em>
        password server = dc1.nosland.com<\/em>
        domain logons = no<\/em>
        encrypt passwords = yes<\/em>
        template homedir = \/home\/%D\/%U<\/em>
        template shell = \/bin\/bash<\/em>
        winbind enum groups = yes<\/em>
        winbind enum users = yes<\/em>
        winbind trusted domains only = no<\/em>
        winbind use default domain = yes<\/em>
        domain master = no<\/em>
        local master = no<\/em>
        prefered master = no<\/em>
        os level = 0<\/em>
        idmap config * : backend = tdb<\/em>
        idmap config * : range = 11000-20000<\/em>
        idmap config NOSLAND : backend = rid<\/em>
        idmap config NOSLAND : range=10000000-19000000<\/em>
        idmap config NOSLAND : base_rid = 0<\/em>
   dns proxy = no<\/em>
   log file = \/var\/log\/samba\/log.%m<\/em>
   max log size = 1000<\/em>
   syslog = 0<\/em>
   panic action = \/usr\/share\/samba\/panic-action %d<\/em><\/p>\n\n\n\n

Inscription de la machine dans le domaine<\/h4>\n\n\n\n

On a besoin d\u2019un lib PAM pour kerberos : <\/p>\n\n\n\n

# apt-get install libpam-krb5
# \/etc\/init.d\/winbind stop
# \/etc\/init.d\/samba restart
# \/etc\/init.d\/winbind start
# net join -S dc -U administrateur    { saisir au prompt le password admin} <\/em>
# net ads testjoin
# net ads info
# wbinfo -u
# wbinfo \u2013g<\/p>\n\n\n\n

La commande wbinfo \u2013u<\/em>
doit renvoyer l\u2019ensemble des utilisateurs Active Directory <\/p>\n\n\n\n

La commande wbinfo \u2013g <\/em>
doit renvoyer l\u2019ensemble des groupes de s\u00e9curit\u00e9s de l\u2019AD. <\/p>\n\n\n\n

Ajout de winbind pour l\u2019authentification  <\/h4>\n\n\n\n

On a besoin d\u2019un paquet PAM en plus : <\/p>\n\n\n\n

# apt-get install libnss-winbind libpam-winbind <\/p>\n\n\n\n

Modification de nsswitch : <\/p>\n\n\n\n

# vi \/etc\/nsswitch.conf <\/p>\n\n\n\n

passwd:         compat winbind<\/em>
group:          compat winbind<\/em>
shadow:         compat winbind<\/em>
gshadow:        files<\/em>
hosts:          files dns<\/em>
networks:       files<\/em>
protocols:      db files<\/em>
services:       db files<\/em>
ethers:         db files<\/em>
rpc:            db files<\/em>
netgroup:       nis<\/em><\/p>\n\n\n\n

Test de configuration : <\/p>\n\n\n\n

# getent passwd <\/p>\n\n\n\n

Doit renvoyer l\u2019ensemble des users locaux (\/etc\/passwd) +\ntous les users AD<\/p>\n\n\n\n

# getent group<\/p>\n\n\n\n

Doit renvoyer l\u2019ensemble des groupes locaux & des groupes AD. <\/p>\n\n\n\n

Modification du syst\u00e8me d\u2019authentification<\/h4>\n\n\n\n

# pam-auth-update<\/p>\n\n\n\n

\"\"
Tout cocher<\/figcaption><\/figure>\n\n\n\n

Ajouter \u00e0 \/etc\/pam.d\/common-session <\/p>\n\n\n\n

session optional                        pam_krb5.so minimum_uid=1000<\/p>\n\n\n\n

(permet la cr\u00e9ation du dossier au premier login) <\/p>\n\n\n\n

Cr\u00e9er le Dossier \/home\/domaine (\/home\/%U de smb.conf) <\/p>\n\n\n\n

# mkdir \/home\/NOSLAND
# chmod 777 \/home\/NOSLAND<\/p>\n","protected":false},"excerpt":{"rendered":"

Test\u00e9 sous Debian 8 V\u00e9rification des DNS  \/etc\/resolv.conf : nameserver 192.168.73.100 Le nameserver doit \u00eatre le DNS qui r\u00e9sout votre ActiveDirectory…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"http:\/\/blog.nosland.com\/index.php?rest_route=\/wp\/v2\/posts\/123"}],"collection":[{"href":"http:\/\/blog.nosland.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.nosland.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.nosland.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.nosland.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":2,"href":"http:\/\/blog.nosland.com\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":126,"href":"http:\/\/blog.nosland.com\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions\/126"}],"wp:attachment":[{"href":"http:\/\/blog.nosland.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.nosland.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.nosland.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}