|
Должен быть установлен krb5-workstation:
[root@igor_asp11 etc]# yum list | grep krb5
krb5-devel.i386            1.4.1-6.110.5.5asp   installed
krb5-libs.i386             1.4.1-6.110.5.5asp   installed
krb5-workstation.i386      1.4.1-6.110.5.5asp   installed
pam_krb5.i386              2.1.15-2             installed
krb5-auth-dialog.i386      0.2-5                base
krb5-server.i386           1.4.1-6.110.5.5asp   updates-released
[root@igor_asp11 etc]#
Исходные данные: сеть под управлением Windows 2003; имя сервера — контроллера домена — server.ad.bgp.
[root@igor_asp11 etc]# grep 'HOSTNAME' /etc/sysconfig/network
HOSTNAME=igor_asp11
[root@igor_asp11 etc]#
[root@igor_asp11 etc]# less /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.BGP
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
# forwardable = yes

[realms]
 AD.BGP = {
  kdc = SERVER:88
  admin_server = SERVER
  default_domain = AD.BGP
 }

[domain_realm]
 .ad.bgp = AD.BGP
 ad.bgp = AD.BGP

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Получаем билет:
[root@igor_asp11 etc]# kinit igor@AD.BGP
Password for igor@AD.BGP:
Имя realm (домена) после «@» пишем заглавными буквами! Иначе можно получить ошибку вроде такой:
kinit(v5): KDC reply did not match expectations while getting initial credentials
Проверяем наличие билета:
[root@igor_asp11 etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: igor@AD.BGP

Valid starting     Expires            Service principal
07/08/08 16:55:47  07/09/08 02:55:51  krbtgt/AD.BGP@AD.BGP
        renew until 07/09/08 16:55:47

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@igor_asp11 etc]#
Настраиваем Samba (для доступа к ресурсам AD важна именно клиентская часть конфигурации):
[root@igor_asp11 etc]# grep -v "#" /etc/samba/smb.conf | grep -v ";"
[global]
 workgroup = AD
 server string = A.Admin
 security = ADS
 encrypt passwords = true
 netbios name = igor_asp11
 realm = AD.BGP
 load printers = yes
 hosts allow = 192.168.
 cups options = raw
 log file = /var/log/samba/%m.log
 max log size = 50
 dns proxy = no

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

[printers]
 comment = All Printers
 path = /usr/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes
[root@igor_asp11 etc]#
Вводим компьютер в домен (у пользователя igor — права администратора домена):
[root@igor_asp11 etc]# net ads join -U igor
igor's password:
Using short domain name -- AD
Joined 'IGOR_ASP11' to realm 'AD.BGP'
[root@igor_asp11 etc]#
В оснастке «Active Directory — пользователи и компьютеры» в контейнере Computers появляется наша машина:
В GNOME идём в «Переход» → «Сетевые серверы» и вводим пароль:
И получаем доступ к сети: