Join Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind - Part 8


This tutorial describes how to join an Ubuntu machine to a Samba4 Active Directory domain in order to authenticate AD accounts with local ACLs for files and directories, or to create and map shares for domain users (that is, to act as a file server).

Requirement: Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configuration to Join Ubuntu to Samba4 AD

1. Before you start joining the Ubuntu host to the Active Directory DC, you need to make sure that a few services are configured properly on the local machine.

An important aspect of your machine is its hostname. Set a proper machine name before joining the domain with the help of the hostnamectl command or by manually editing the /etc/hostname file.

# hostnamectl set-hostname your_machine_short_name
# cat /etc/hostname
# hostnamectl

2. In the next step, open and manually edit your machine's network settings with the proper IP configuration. The most important settings here are the DNS IP addresses, which must point to your domain controller.

Edit the /etc/network/interfaces file and add a dns-nameservers statement with the IP addresses of your AD DCs and your domain name, as illustrated in the screenshot below.

Also, make sure that the same DNS IP addresses and the domain name are added to the /etc/resolv.conf file.

In the screenshot above, 192.168.1.254 and 192.168.1.253 are the IP addresses of the Samba4 AD DCs and Tecmint.lan is the name of the AD domain that all machines joined to the realm will query.

3. Restart the network service or reboot the machine to apply the new network settings. Issue the ping command against your domain name to test whether DNS resolution works as expected.

The AD DC should reply with its FQDN. If you have configured a DHCP server on your network to assign IP settings to your LAN hosts automatically, make sure you add the AD DC IP addresses to the DHCP server's DNS configuration.

# systemctl restart networking.service
# ping -c2 your_domain_name

4. The last important configuration required is time synchronization. Install the ntpdate package, then query and synchronize the time with the AD DC by issuing the commands below.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name

5. In the next step, install the software the Ubuntu machine needs in order to be fully integrated into the domain by running the command below.

$ sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

While the Kerberos packages are being installed you should be asked to enter the name of your default realm. Use the name of your domain in upper case and press Enter to continue the installation.

6. After all the packages have finished installing, test Kerberos authentication against an AD administrative account and list the ticket by issuing the commands below.

# kinit ad_admin_user
# klist

Step 2: Join Ubuntu to the Samba4 AD DC

7. The first step in integrating the Ubuntu machine into the Samba4 Active Directory domain is to edit the Samba configuration file.

Back up the default Samba configuration file provided by the package manager, so that you start with a clean configuration, by running the following commands.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
# nano /etc/samba/smb.conf

In the new Samba configuration file add the lines below:

[global]
        workgroup = TECMINT
        realm = TECMINT.LAN
        netbios name = ubuntu
        security = ADS
        dns forwarder = 192.168.1.1

        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000

        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Replace the workgroup, realm, netbios name and dns forwarder variables with your own settings.

The winbind use default domain parameter makes the winbind service treat any unqualified AD username as an AD user. You should omit this parameter if you have local system account names that overlap with AD accounts.
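Before restarting the daemons it is worth checking the file for the mistakes that most often break a join (realm not in upper case, workgroup not matching the realm, an idmap range that is missing or overlaps local UIDs). The following checker is an added example, not part of the tutorial or of Samba; the embedded smb.conf text is a constructed copy of the [global] section above, and the UID_MIN of 1000 is an assumption about Ubuntu's defaults.

```python
import configparser
import re

# Constructed sample: the domain-member [global] section from the tutorial above
SMB_CONF = """
[global]
    workgroup = TECMINT
    realm = TECMINT.LAN
    security = ADS
    idmap config * : backend = tdb
    idmap config *:range = 50000-1000000
    template homedir = /home/%D/%U
    winbind use default domain = true
"""

def norm(key):
    """smb.conf keys ignore case and spacing: 'idmap config * : range' == 'idmap config *:range'."""
    return re.sub(r"\s+", "", key.lower())

def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for an smb.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.optionxform = norm
    # strip indentation so configparser never treats a line as a value continuation
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s: dict(cp[s]) for s in cp.sections()}

def check_domain_member(conf):
    """List problems in a domain member's [global] section; [] means it matches the tutorial."""
    g = conf.get("global", {})
    get = lambda key: g.get(norm(key), "").strip()
    problems = []
    if get("security").lower() != "ads":
        problems.append("security must be ADS for an AD domain member")
    realm = get("realm")
    if not realm:
        problems.append("realm is not set")
    elif realm != realm.upper():
        problems.append("realm must be upper case (Kerberos realms are case sensitive)")
    if realm and get("workgroup").upper() != realm.split(".")[0].upper():
        problems.append("workgroup should be the first label of the realm")
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", get("idmap config *:range"))
    if not m or int(m.group(1)) >= int(m.group(2)):
        problems.append("idmap config *:range must be LOW-HIGH with LOW < HIGH")
    elif int(m.group(1)) < 1000:  # assumption: Ubuntu's default UID_MIN is 1000
        problems.append("idmap range overlaps local account UIDs below 1000")
    if "%U" not in get("template homedir"):
        problems.append("template homedir should contain %U so each user gets a home")
    return problems
```

Run it against the real file with `check_domain_member(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; an empty list means the settings this tutorial relies on are present.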

8. Now restart all the Samba daemons, stop the unnecessary samba-ad-dc service, and enable the Samba services system-wide by issuing the commands below.

$ sudo systemctl restart smbd nmbd winbind
$ sudo systemctl stop samba-ad-dc
$ sudo systemctl enable smbd nmbd winbind

9. Join the Ubuntu machine to the Samba4 AD DC by issuing the following command. Use the name of an AD account with administrator privileges so that the binding to the realm works as expected.

$ sudo net ads join -U ad_admin_user

10. From a Windows machine with the RSAT tools installed you can open AD UC (Active Directory Users and Computers) and navigate to the Computers container. Your joined Ubuntu machine should be listed there.

Step 3: Configure AD Account Authentication

11. In order to authenticate AD accounts on the local machine, you need to modify some services and files on the local machine.

First, open and edit the Name Service Switch (NSS) configuration file.

$ sudo nano /etc/nsswitch.conf

Next, append the winbind value to the passwd and group lines, as illustrated in the excerpt below.

passwd:         compat winbind
group:          compat winbind

12. To test whether the Ubuntu machine was successfully integrated into the realm, run the wbinfo command to list the domain accounts and groups.

$ wbinfo -u
$ wbinfo -g

13. Also check the Winbind nsswitch module by issuing the getent command and piping the results through a filter such as grep to narrow the output to specific domain users or groups.

$ sudo getent passwd | grep your_domain_user
$ sudo getent group | grep 'domain admins'

14. To authenticate on the Ubuntu machine with domain accounts, you need to run the pam-auth-update command with root privileges and add all the entries required for the winbind service, including the one that automatically creates a home directory for each domain account at first login.

Check all the entries by pressing the [space] key and hit Ok to apply the configuration.

$ sudo pam-auth-update

15. On Debian systems you need to manually edit the /etc/pam.d/common-account file and add the following line in order to automatically create home directories for authenticated domain users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

16. For Active Directory users to be able to change their password from the command line in Linux, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line so that it finally looks like the excerpt below.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass
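Steps 11, 15 and 16 each edit a different file, and a missing winbind source or a leftover use_authtok only shows up as a confusing login or passwd failure later. The lint below is an added example (not part of the tutorial or of PAM); the three embedded file contents are constructed from the excerpts above, and the third argument is whichever PAM file you put the pam_mkhomedir session line in.

```python
import re

# Constructed sample contents reflecting steps 11, 15 and 16 above
NSSWITCH = """passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
"""
COMMON_PASSWORD = """password       [success=1 default=ignore]      pam_winbind.so try_first_pass
password       [success=1 default=ignore]      pam_unix.so obscure sha512
password       requisite                       pam_deny.so
"""
COMMON_ACCOUNT = """account  [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022
"""

def nss_databases_using_winbind(text):
    """Return the set of nsswitch.conf databases whose source list names winbind."""
    dbs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            if "winbind" in sources.split():
                dbs.add(db.strip())
    return dbs

def pam_lines(text, module):
    """Yield (type, control, args) for every PAM line that loads `module`;
    the control field may be a bracketed list such as [success=1 default=ignore]."""
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.split("#", 1)[0])
        if m and m.group(3) == module:
            yield m.group(1), m.group(2), m.group(4).split()

def check_pam_nss(nsswitch, common_password, session_file):
    """List what is missing from the winbind PAM/NSS setup; [] means all checks pass."""
    problems = []
    missing = {"passwd", "group"} - nss_databases_using_winbind(nsswitch)
    if missing:
        problems.append("nsswitch.conf: winbind missing from " + ", ".join(sorted(missing)))
    winbind_pw = list(pam_lines(common_password, "pam_winbind.so"))
    if not winbind_pw:
        problems.append("common-password: no pam_winbind.so line")
    elif any("use_authtok" in args for _, _, args in winbind_pw):
        problems.append("common-password: drop use_authtok so AD users can run passwd")
    if not any(t == "session" for t, _, _ in pam_lines(session_file, "pam_mkhomedir.so")):
        problems.append("no 'session ... pam_mkhomedir.so' line, homes will not be created")
    return problems
```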

17. To authenticate on the Ubuntu host with a Samba4 AD account, pass the domain username to the su - command. Run the id command to get extra information about the AD account.

$ su - your_ad_user

Use the pwd command to see your domain user's current directory and the passwd command if you want to change the password.

18. To use a domain account with root privileges on the Ubuntu machine, you need to add the AD username to the sudo system group by issuing the command below:

$ sudo usermod -aG sudo your_domain_user

Log in to Ubuntu with the domain account and update your system by running the apt-get update command to check whether the domain user has root privileges.

19. To grant root privileges to a domain group, open and edit the /etc/sudoers file using the visudo command and add the following line, as illustrated in the screenshot below.

%YOUR_DOMAIN\\your_domain\ group        ALL=(ALL:ALL) ALL

Use backslashes to escape the spaces contained in your domain group name and to escape the first backslash. In the example above, the domain group of the TECMINT realm is named TECMINT\domain admins.

The preceding percent sign (%) indicates that we are referring to a group, not a username.
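Getting the escaping wrong is easy to miss because an unescaped space silently turns "%domain admins" into a rule for a group called "domain". The helper below is an added example (not part of the tutorial or of sudo): it builds the escaped line and resolves the escapes the way sudoers does, so you can confirm which group name the rule will actually match. Use the group name exactly as getent group prints it on your host (step 13); with winbind use default domain = true that is the unqualified name, so pass domain=None.

```python
def sudoers_group_rule(group, domain=None, spec="ALL=(ALL:ALL) ALL"):
    """Build the sudoers line that grants `spec` to an AD group. sudoers requires
    the domain separator backslash to be doubled and every space in the group
    name escaped; pass domain=None when winbind presents unqualified names."""
    if domain is not None and any(c.isspace() for c in domain):
        raise ValueError("domain names cannot contain whitespace")
    name = (domain + "\\\\" if domain else "") + group.replace(" ", "\\ ")
    return "%" + name + "    " + spec

def sudoers_first_word(line):
    """Return (word, rest) where `word` is the first field of a sudoers line with
    backslash escapes resolved, i.e. the name sudo will compare against."""
    word, i = "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: take it literally
            word += line[i + 1]
            i += 2
        elif ch.isspace():                     # unescaped space ends the field
            return word, line[i:].strip()
        else:
            word += ch
            i += 1
    return word, ""

def rule_grants_group(line, group, domain=None):
    """True if the line's user field is the %group that winbind presents."""
    word, _ = sudoers_first_word(line)
    return word == "%" + ((domain + "\\") if domain else "") + group
```

After writing the line, run `visudo -c` to let sudo itself confirm the file still parses.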

20. If you are running the graphical version of Ubuntu and you want to log in to the system with a domain user, you need to modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, add the following lines and restart the machine for the changes to take effect.

greeter-show-manual-login=true
greeter-hide-users=true

You should now be able to log in to the Ubuntu desktop with a domain account using either the your_domain_username, your_domain_username@your_domain.tld or your_domain\your_domain_username format.