|
Должен быть установлен krb5-workstation:
[root@igor_asp11 etc]# yum list | grep krb5
krb5-devel.i386 1.4.1-6.110.5.5asp installed
krb5-libs.i386 1.4.1-6.110.5.5asp installed
krb5-workstation.i386 1.4.1-6.110.5.5asp installed
pam_krb5.i386 2.1.15-2 installed
krb5-auth-dialog.i386 0.2-5 base
krb5-server.i386 1.4.1-6.110.5.5asp updates-released
[root@igor_asp11 etc]#
Имеем по факту. Сеть под управлением windows2003. Имя сервера контроллера домена - server.ad.bgp.
[root@igor_asp11 etc]# grep 'HOSTNAME' /etc/sysconfig/network
HOSTNAME=igor_asp11
[root@igor_asp11 etc]#
[root@igor_asp11 etc]# less /etc/krb5.conf
[logging]
# Log destinations for the client libraries, a KDC and kadmind; only the
# first one matters on this host, which is a workstation, not a KDC.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# The realm name is case-sensitive and must be upper-case; kinit with a
# lower-case realm fails with "KDC reply did not match expectations" (see below).
default_realm = AD.BGP
# Per the MIT krb5 docs, DNS SRV lookup of KDCs is used only for realms that
# have no entry in [realms]; AD.BGP is listed below, so the static kdc entry
# is what this host uses and unauthenticated DNS answers do not pick the KDC.
dns_lookup_realm = true
dns_lookup_kdc = true
# Requested TGT lifetime; the KDC may cap it (the klist output below shows
# a ticket valid for about 10 h, not 24 h).
ticket_lifetime = 24h
# Forwardable tickets are not requested for plain kinit, but the pam block
# in [appdefaults] below turns them on for PAM logins.
# forwardable = yes
[realms]
AD.BGP = {
# SERVER is an unqualified name, so resolution depends on the resolver's
# search domain. The domain controller is server.ad.bgp; the FQDN here would
# not depend on resolver configuration.
kdc = SERVER:88
admin_server = SERVER
default_domain = AD.BGP
}
[domain_realm]
# Map the domain and every subdomain of it to the realm.
.ad.bgp = AD.BGP
ad.bgp = AD.BGP
[kdc]
# Read only by a KDC process; harmless but unused on a workstation.
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
# presumably read by pam_krb5 (installed above) — verify against its docs.
pam = {
debug = false
# Lifetimes in seconds: 36000 s = 10 h, shorter than the 24h requested above.
ticket_lifetime = 36000
renew_lifetime = 36000
# A forwardable TGT can be delegated to services the user logs in to;
# leave this false unless that delegation is actually needed.
forwardable = true
krb4_convert = false
}
Получаем билет:
[root@igor_asp11 etc]# kinit igor@AD.BGP
Password for igor@AD.BGP:
Домен - заглавными!!! Иначе рискуем получить что-то типа такого:
kinit(v5): KDC reply did not match expectations while getting
initial credentials
Проверяем наличие билета:
[root@igor_asp11 etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: igor@AD.BGP
Valid starting Expires Service principal
07/08/08 16:55:47 07/09/08 02:55:51 krbtgt/AD.BGP@AD.BGP
renew until 07/09/08 16:55:47
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@igor_asp11 etc]#
Настраиваем самбу (для доступа к ресурсам AD важна клиентская часть)
[root@igor_asp11 etc]# grep -v "#" /etc/samba/smb.conf | grep -v ";"
[global]
workgroup = AD
server string = A.Admin
security = ADS
encrypt passwords = true
netbios name = igor_asp11
realm = AD.BGP
load printers = yes
hosts allow = 192.168.
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[root@igor_asp11 etc]#
Вводим компьютер в домен (у igor - права администратора домена)
[root@igor_asp11 etc]# net ads join -U igor
igor's password:
Using short domain name -- AD
Joined 'IGOR_ASP11' to realm 'AD.BGP'
[root@igor_asp11 etc]#
В оснастке "AD пользователи и компьютеры" в контейнере Computers появляется наша машина:

В gnome идем в переход -> сетевые серверы, вводим пароль:

И получаем доступ к сети:
