[root@lamp ~]# yum install samba krb5-server freeradius2 freeradius2-utils
[root@lamp ~]# vim /etc/samba/smb.conf
[global]
workgroup = test    #指定AD域的netbios名称,即test.COM的前面部分
realm = test.com    #指定AD域名
netbios name = freeradius    #freeradius服务器的主机名
security = ads    #指定samba的工作模式为ads
password server = testtest.test.com    #指定担当身份验证的服务器
winbind separator = +    # 指定一个字符作为分隔符,winbind将使用该分隔符来分隔域名与用户或组名。使用该配置将使得域用户表示为"MYDOMAIN+username",域组被表示为"MYDOMAIN+Domain Users"
idmap uid = 10000-20000    #写入域账户的uid、gid的范围,该范围是将linux用户,组的ID映射到Windows用户的SID,所以需要确保该段没有被使用,当winbind启动后也不能在该段建立用户
idmap gid = 10000-20000
winbind enum users = yes    #指定winbind服务是否能在系统上创建Windows域用户。一般情况下都要设置为yes,除非你出于某种原因希望关闭该功能
winbind enum groups = yes
nt acl support = yes    #nt acl 支持
winbind cache time = 0
template shell = /bin/bash
template homedir = /home/%D/%U    # 用来指定为域用户产生主目录。使用变量替换可使winbind服务把用户主目录设置为/homes/MYDOMAIN/username
winbind use default domain = yes
[homes]
comment = Home Directories
path = /home/%D/%U
browseable = no
writable = yes
valid users = %U
[root@freeradius ~]# vim /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
[root@lamp ~]# vim /etc/krb5.conf
[libdefaults]
default_realm = test.COM    #指定默认域名
dns_lookup_realm = false    #无需dns解析域请求包
dns_lookup_kdc = false    #是否通过dns解析kdc请求包
ticket_lifetime = 24h    #指定kerberos票据有效期
forwardable = yes    #允许转发解析请求
[realms]
test.COM = {
  kdc = testtest.test.com:88    #指定KDC服务器和KDC服务器的端口
  admin_server = testtest.test.com:749    #指定域控制器和管理端口
  default_domain = test.com    #指定默认域
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = test.COM #设置域的搜索范围,使得域大小写无关
[root@lamp ~]# vim /var/kerberos/krb5kdc/kdc.conf
[realms]
test.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
[root@lamp ~]# kinit administrator@test.COM
Password for administrator@test.COM:
[root@freeradius ~]# /etc/init.d/smb start
Starting SMB services:  [ OK ]
Starting NMB services:  [ OK ]
[root@freeradius ~]# chkconfig smb on
[root@freeradius ~]# chkconfig winbind on
[root@freeradius ~]# service winbind restart
[root@freeradius ~]# net rpc join -U administrator
Password:
Joined domain test.
[root@freeradius ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@freeradius ~]# wbinfo -u
administrator
guest
krbtgt
ddclic
test01
test02
[root@freeradius ~]# wbinfo -g
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
[root@freeradius ~]# getent passwd
test1:*:10033:10008:test1:/home/test/test1:/bin/bash
test2:*:10034:10008:test2:/home/test/test2:/bin/bash
test3:*:10035:10008:test3:/home/test/test3:/bin/bash
test4:*:10036:10008:test4:/home/test/test4:/bin/bash
test5:*:10037:10008:test5:/home/test/test5:/bin/bash
[root@freeradius ~]# ntlm_auth --request-nt-key --domain=test.com --username=test --password='123456'
[root@freeradius ~]# vim /etc/raddb/modules/ntlm_auth
exec ntlm_auth {
  wait = yes
  program = "/usr/bin/ntlm_auth --request-nt-key --domain=test.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}
[root@freeradius ~]# vim /etc/raddb/sites-enabled/default
authenticate {
  ntlm_auth
}
[root@freeradius ~]# vim /etc/raddb/sites-enabled/inner-tunnel
authenticate {
  ntlm_auth
}
[root@freeradius ~]# vim /etc/raddb/users
DEFAULT Auth-Type = ntlm_auth
[root@freeradius ~]# vim /etc/raddb/policy.conf
policy {
  # Give the ntlm_auth exec module an "authorize" method that sets Auth-Type to itself
  # but only if it's a valid PAP request, and Auth-Type is not already set to something
  ntlm_auth.authorize {
    if (!control:Auth-Type && User-Password) {
      update control {
        Auth-Type := ntlm_auth
      }
    }
  }
}
[root@freeradius ~]# radiusd -X
[root@freeradius ~]# radtest test '123456' localhost 0 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
    User-Name = "test"
    User-Password = "123456"
    NAS-IP-Address = 192.168.2.97
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=48, length=20
[root@freeradius ~]# vim /etc/raddb/users
#DEFAULT Auth-Type = ntlm_auth
[root@freeradius ~]# vim /etc/raddb/modules/mschap
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-test.COM} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
[root@freeradius ~]# radtest -t mschap test '123456' localhost 0 testing123
Sending Access-Request of id 127 to 127.0.0.1 port 1812
    User-Name = "test"
    NAS-IP-Address = 192.168.2.97
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    MS-CHAP-Challenge = 0x0f1ec04f5f7f3ec2
    MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000085c8068f30dcb423d1e6f7ed5db18b53a1d321ceb8f2266c
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=38
MS-CHAP-Error = "\000E=691 R=1"
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
[root@freeradius ~]# cd /var/cache/samba/
[root@freeradius samba]# chown -R root.radiusd winbindd_privileged/
[root@freeradius samba]# service winbind restart
Shutting down Winbind services:  [ OK ]
Starting Winbind services:  [ OK ]
[root@freeradius ~]# radiusd -X
[root@freeradius samba]# radtest -t mschap test '123456' localhost 0 testing123
Sending Access-Request of id 231 to 127.0.0.1 port 1812
    User-Name = "test"
    NAS-IP-Address = 192.168.2.97
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    MS-CHAP-Challenge = 0x58a8d7e945e9ed8f
    MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000fcd072553b1813344cbe6d3fc3fe5e1ecbf853eaf5a4a03
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=231, length=84
    MS-CHAP-MPPE-Keys = 0x0000000000000000c2bea7b13efd39e82dcd04478fb185370000000000000000
    MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006