How to Manage Samba4 AD Infrastructure from the Linux Command Line - Part 2


This tutorial covers the basic daily commands you need to manage a Samba4 AD Domain Controller infrastructure, such as adding, removing, disabling or listing users and groups.

We'll also look at how to manage the domain security policy and how to bind AD users to local PAM authentication so that AD users can perform local logins on the Linux Domain Controller.

  1. Create an AD Infrastructure with Samba4 on Ubuntu 16.04 - Part 1
  2. Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3
  3. Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4

Step 1: Manage Samba AD DC from the Command Line

1. Samba AD DC can be managed through the samba-tool command line utility, which offers a great interface for administering your domain.

With the help of samba-tool you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions.

To review the entire functionality of samba-tool, just type the command with root privileges without any option or parameter.

# samba-tool -h

2. Now, let's start using the samba-tool utility to administer Samba4 Active Directory and manage our users.

To create a user on AD use the following command:

# samba-tool user add your_domain_user

To add a user with several important fields required by AD, use the following syntax:

--------- review all options --------- 
# samba-tool user add -h  
# samba-tool user add your_domain_user --given-name=your_name --surname=your_username [email  --login-shell=/bin/bash

3. A listing of all samba AD domain users can be obtained by issuing the following command:

# samba-tool user list

4. To delete a samba AD domain user use the syntax below:

# samba-tool user delete your_domain_user

5. Reset a samba domain user's password by executing the command below:

# samba-tool user setpassword your_domain_user

6. To disable or enable a samba AD user account use the commands below:

# samba-tool user disable your_domain_user
# samba-tool user enable your_domain_user

7. Likewise, samba groups can be managed with the following command syntax:

--------- review all options --------- 
# samba-tool group add -h
# samba-tool group add your_domain_group

8. Delete a samba domain group by issuing the command below:

# samba-tool group delete your_domain_group

9. To display all samba domain groups run the following command:

# samba-tool group list

10. To list all members of a specific samba domain group use the command:

# samba-tool group listmembers "your_domain group"

11. Adding or removing a member from a samba domain group can be done by issuing one of the following commands:

# samba-tool group addmembers your_domain_group your_domain_user
# samba-tool group removemembers your_domain_group your_domain_user

12. As mentioned earlier, the samba-tool command line interface can also be used to manage your samba domain policy and security.

To review your samba domain password settings use the command below:

# samba-tool domain passwordsettings show

13. In order to modify the samba domain password policy, such as the password complexity level, password ageing, length, how many old passwords to remember and other security features required for a Domain Controller, use the screenshot below as a guide.

---------- List all command options ---------- 
# samba-tool domain passwordsettings -h 

Never use the password policy rules illustrated above in a production environment. The settings above are for demonstration purposes only.
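The policy review from steps 12 and 13, as an added example that is not part of the original tutorial: a shell function that reads the output of samba-tool domain passwordsettings show and reports values weaker than a baseline. The sample output is constructed, and MIN_LEN and MIN_HISTORY are assumed thresholds rather than values from this page.

```bash
#!/bin/bash
# Added example: flag weak values in `samba-tool domain passwordsettings show`.
# MIN_LEN and MIN_HISTORY are assumed baselines; set them to your own policy.
MIN_LEN=${MIN_LEN:-12}
MIN_HISTORY=${MIN_HISTORY:-10}

audit_pwpolicy() {
    # Reads the "show" output on stdin and prints one line per weak setting.
    awk -F': *' -v minlen="$MIN_LEN" -v minhist="$MIN_HISTORY" '
        { sub(/[ \t\r]+$/, "") }   # drop trailing blanks and CRs
        $1 == "Password complexity"       && $2 != "on"     { print "WEAK complexity=" $2 }
        $1 == "Store plaintext passwords" && $2 != "off"    { print "WEAK store-plaintext=" $2 }
        $1 == "Password history length"   && $2+0 < minhist { print "WEAK history-length=" $2 }
        $1 == "Minimum password length"   && $2+0 < minlen  { print "WEAK min-pwd-length=" $2 }
        $1 == "Account lockout threshold (attempts)" && $2+0 == 0 {
            print "WEAK account-lockout-threshold=0 (lockout disabled)"
        }
    '
}

# Constructed sample of the command output with demonstration-grade values.
sample_show_output() {
    cat <<'EOF'
Password informations for domain 'DC=example,DC=lan'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
}

# On the DC itself: samba-tool domain passwordsettings show | audit_pwpolicy
sample_show_output | audit_pwpolicy
```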

Step 2: Samba Local Authentication Using Active Directory Accounts

14. By default, AD users cannot perform local logins on the Linux system outside the Samba AD DC environment.

In order to log in to the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC.

First, open the samba main configuration file and add the lines below, if missing, as illustrated in the screenshot below.

$ sudo nano /etc/samba/smb.conf

Make sure the following statements appear in the configuration file:

winbind enum users = yes
winbind enum groups = yes

15. After you've made the changes, use the testparm utility to make sure no errors are found in the samba configuration file, and restart the samba daemons by issuing the commands below.

$ testparm
$ sudo systemctl restart samba-ad-dc.service

16. Next, we need to modify the local PAM configuration files so that Samba4 Active Directory accounts can authenticate, open a session on the local system and have a home directory created at first login.

Use the pam-auth-update command to open the PAM configuration prompt and make sure you enable all PAM profiles using the [space] key, as illustrated in the screenshot below.

When finished, hit the [Tab] key to move to Ok and apply the changes.

$ sudo pam-auth-update

17. Now, open the /etc/nsswitch.conf file with a text editor and add the winbind statement at the end of the passwd and group lines, as illustrated in the screenshot below.

$ sudo vi /etc/nsswitch.conf

18. Finally, edit the /etc/pam.d/common-password file, search for the line below as illustrated in the screenshot below, and remove the use_authtok statement.

Removing it ensures that Active Directory users can change their password from the command line while authenticated in Linux. With use_authtok left on, AD users authenticated locally on Linux cannot change their password from the console.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

Remove the use_authtok option each time PAM updates are installed and applied to the PAM modules, or each time you execute the pam-auth-update command.
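Because the use_authtok edit has to be repeated after PAM updates, a check that can be rerun is useful. The following is an added example, not part of the original tutorial: it verifies the /etc/nsswitch.conf and /etc/pam.d/common-password edits from steps 17 and 18. The function name and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: re-check the NSS and PAM edits from steps 17 and 18.
# Paths are parameters so the check can also run against copies of the files.

check_winbind_login() {
    local nss=${1:-/etc/nsswitch.conf} pam=${2:-/etc/pam.d/common-password}
    local rc=0 db line
    for db in passwd group; do
        # Each database line must list winbind among its sources.
        if ! grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|\$)" "$nss"; then
            echo "FAIL: ${db} line in ${nss} has no winbind source"; rc=1
        fi
    done
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_winbind\.so' "$pam" || true)
    if [ -z "$line" ]; then
        echo "FAIL: no pam_winbind.so password line in ${pam}"; rc=1
    elif printf '%s\n' "$line" | grep -qw 'use_authtok'; then
        # pam-auth-update regenerates this file and can restore the option.
        echo "FAIL: pam_winbind.so line in ${pam} still carries use_authtok"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: winbind NSS sources present, use_authtok removed"
    return "$rc"
}

# Constructed sample files: group lacks winbind and use_authtok is back.
demo=$(mktemp -d)
printf 'passwd: compat winbind\ngroup:  compat\n' > "$demo/nsswitch.conf"
printf 'password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass\n' \
    > "$demo/common-password"
check_winbind_login "$demo/nsswitch.conf" "$demo/common-password" || true
rm -rf "$demo"
```

Called without arguments, the function checks the live files under /etc.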

19. Samba4 binaries come with a built-in winbindd daemon, which is enabled by default.

For this reason you're not required to separately enable and run the winbind daemon provided by the winbind package from the official Ubuntu repositories.

In case the old winbind service is started on the system, make sure you disable it and stop the service by issuing the commands below:

$ sudo systemctl disable winbind.service
$ sudo systemctl stop winbind.service

Although we no longer need to run the old winbind daemon, we still need to install the winbind package from the repositories in order to install and use the wbinfo tool.

The wbinfo utility can be used to query Active Directory users and groups from the winbindd daemon's point of view.

The following commands illustrate how to query AD users and groups using wbinfo.

$ wbinfo -g
$ wbinfo -u
$ wbinfo -i your_domain_user

20. Apart from the wbinfo utility you can also use the getent command line utility to query the Active Directory database through the Name Service Switch libraries configured in the /etc/nsswitch.conf file.

Pipe the getent command through a grep filter to narrow the results to only your AD realm user or group database.

# getent passwd | grep TECMINT
# getent group | grep TECMINT

Step 3: Log in to Linux with an Active Directory User

21. In order to authenticate on the system with a Samba4 AD user, just use the AD username parameter after the su - command.

At the first login a message will be displayed on the console notifying you that a home directory has been created on the /home/$DOMAIN/ system path, named after your AD username.

Use the id command to display extra information about the authenticated user.

# su - your_ad_user
$ id
$ exit

22. To change the password for an authenticated AD user, type the passwd command in the console after you have successfully logged in to the system.

$ su - your_ad_user
$ passwd

23. By default, Active Directory users are not granted root privileges to perform administrative tasks on Linux.

To grant root powers to an AD user you must add the username to the local sudo group by issuing the command below.

Make sure you enclose the realm, slash and AD username in single ASCII quotes.

# usermod -aG sudo 'DOMAIN\your_domain_user'

To test whether the AD user has root privileges on the local system, log in and run a command, such as apt-get update, with sudo permissions.

# su - tecmint_user
$ sudo apt-get update

24. If you want to grant root privileges to all accounts of an Active Directory group, edit the /etc/sudoers file using the visudo command and add the line below after the root privileges line, as illustrated in the screenshot below:

%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL

Pay attention to the sudoers syntax so you don't break things.

The sudoers file doesn't handle ASCII quotation marks very well, so make sure you use % to denote that you're referring to a group, use a backslash to escape the first slash after the domain name, and use another backslash to escape spaces if your group name contains spaces (most of the AD built-in groups contain spaces by default). Also, write the realm in uppercase.

That's all for now! Managing the Samba4 AD infrastructure can also be achieved with several tools from a Windows environment, such as ADUC, DNS Manager, GPM or others, which can be obtained by installing the RSAT package from the Microsoft download page.

To administer Samba4 AD DC through the RSAT utilities, it's essential to join the Windows system into Samba4 Active Directory. This will be the subject of our next tutorial; till then stay tuned to TecMint.