- • krb5-user (Kerberos client, for receiving the TGT and user authentication)
- • samba (Samba for joining the AD with the Linux-box)
- • smbclient (mounting the home-directory)
- • winbind (second way of user-authentication, if Kerberos fails for any reason)
- • libpam-winbind (PAM module for winbind)
- • libpam-mount (Not sure about this one)
- • libpam-ccreds (Storing credentials, if the DC is not reachable)
- • libpam-krb5 (PAM-Module for Kerberos)
- • cifs-utils (mounting CIFS shares)
- net ads join member -k -S DC1.DOMAIN.LOCAL -U {User_with_admin_rights} createcomputer=IT/BLA osName=Debian osVer=`cat /etc/debian_version` -d 1
- kinit -V user@DOMAIN.LOCAL
- root@testbox / % klist
- Ticket cache: FILE:/tmp/krb5cc_0
- Default principal: user@DOMAIN.LOCAL
- Valid starting Expires Service principal
- 14.12.2015 09:47:01 14.12.2015 19:47:01 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
- renew until 15.12.2015 09:46:57
- Dec 14 13:19:58 testbox login[2875]: pam_krb5(login:auth): user username@DOMAIN.LOCAL authenticated as username@DOMAIN.LOCAL
- Dec 14 13:20:01 testbox login[2875]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'UNKNOWN', User not known to the underlying authentication module
- [*] Kerberos authentication
- [*] Ccreds credential caching - password saving
- [*] Unix authentication
- [*] Winbind NT/Active Directory authentication
- [*] Mount volumes for user
- [*] Ccreds credential caching - password checking
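- # /etc/krb5.conf (first version): MIT Kerberos client settings for the AD realm
- [libdefaults]
- # Realm appended to any principal given without one (kinit user, pam_krb5 logins).
- # It must name the realm defined under [realms] below, i.e. DOMAIN.LOCAL; the
- # earlier value "DOMAIN" is the NetBIOS workgroup, for which no KDC is defined,
- # so unqualified principals could not obtain tickets.
- default_realm = DOMAIN.LOCAL
- # Kerberos v4 compatibility files; unused against an AD KDC.
- krb4_config = /etc/krb.conf
- krb4_realms = /etc/krb.realms
- # Let the library compensate for clock skew against the KDC (Kerberos tolerates
- # only a few minutes of skew, so NTP against the DCs is still needed).
- kdc_timesync = 1
- ccache_type = 4
- # All tickets are requested forwardable and proxiable. Convenient for passing
- # the TGT on to further hosts, but it also widens what a copied credential
- # cache can be used for; keep both only if something actually needs them.
- forwardable = true
- proxiable = true
- # Kerberos v4 name handling; irrelevant for AD, kept from the Debian template.
- v4_instance_resolve = false
- v4_name_convert = {
- host = {
- rcmd = host
- ftp = ftp
- }
- plain = {
- something = something-else
- }
- }
- fcc-mit-ticketflags = true
- [realms]
- # KDCs for the realm; realm names are upper-case by convention.
- DOMAIN.LOCAL = {
- kdc = DC1.domain.local
- kdc = DC2.domain.local
- # NOTE(review): "DC" breaks the DC1..DC5 numbering; DC3 intended? Confirm it resolves.
- kdc = DC.domain.local
- kdc = DC4.domain.local
- kdc = DC5.domain.local
- admin_server = DC1.domain.local
- default_domain = domain
- }
- [domain_realm]
- # Maps host/DNS names to realms. Only the single host "kerberos.server" is mapped
- # here; the reworked version of this file adds ".domain.local = DOMAIN.LOCAL" so
- # that every host under the AD DNS domain resolves to the realm. Without such an
- # entry the library's fallback rules (and ultimately default_realm) decide.
- kerberos.server = DOMAIN.LOCAL
- [login]
- # Kerberos v4 login options; no effect with AD.
- krb4_convert = true
- krb4_get_tickets = false
- [logging]
- # The kdc/admin_server destinations only matter on a KDC; a client uses "default".
- kdc = FILE:/var/log/krb5.log
- admin_server = FILE:/var/log/krb5/kadmind.log
- default = SYSLOG:NOTICE:DAEMON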
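- #======================= Global Settings =======================
- # /etc/samba/smb.conf (first attempt): join the box to the AD domain and use
- # winbind for user lookups. Lines kept from the Debian default file that are
- # not in use stay disabled with ";".
- [global]
- # Domain-member mode: authenticate against the AD realm with Kerberos
- # (requires "realm" below and a successful "net ads join").
- security = ADS
- encrypt passwords = yes
- realm = DOMAIN.LOCAL
- # NOTE(review): enumerating users/groups walks the whole directory on every
- # getpwent()/getgrent(); the reworked version of this file turns both off.
- winbind enum users = yes
- winbind enum groups = yes
- # Domain users log in as "user" instead of "DOMAIN\user".
- winbind use default domain = yes
- # Keep the user's Kerberos tickets renewed while logged in.
- winbind refresh tickets = yes
- # Home directory and shell for domain users that have none in the directory.
- template homedir = /home/%D/%U
- template shell = /bin/bash
- client use spnego = yes
- # Only NTLMv2 responses are sent, never LM/NTLMv1.
- client ntlmv2 auth = yes
- # 2 = no anonymous connections at all (including null sessions on IPC$).
- restrict anonymous = 2
- # This host must not take part in browser elections; the DCs do that.
- domain master = no
- local master = no
- preferred master = no
- os level = 0
- workgroup = DOMAIN
- ; wins server = w.x.y.z
- dns proxy = no
- ; interfaces = 127.0.0.0/8 eth0
- ; bind interfaces only = yes
- # One log per client machine (%m), rotated at 1000 KB.
- log file = /var/log/samba/log.%m
- max log size = 1000
- syslog = 0
- panic action = /usr/share/samba/panic-action %d
- #####
- # "standalone server" contradicts security = ADS: a standalone server validates
- # against its local password database only. An AD-joined host is a member
- # server, which is also what the reworked version of this file uses.
- server role = member server
- # Local passdb and Unix password sync only affect local (tdbsam) accounts;
- # domain users' passwords live in AD, so these are effectively unused here.
- passdb backend = tdbsam
- obey pam restrictions = yes
- unix password sync = yes
- passwd program = /usr/bin/passwd %u
- # Chat script for "passwd program": \s matches whitespace, %n is the new
- # password, \n a newline. The backslashes are required for the patterns to match.
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- pam password change = yes
- # Unknown user names are mapped to the guest account rather than rejected;
- # "never" is the stricter choice on a host that serves no guest shares.
- map to guest = bad user
- ########
- ; logon path = \\%N\profiles\%U
- ; logon drive = H:
- ; logon script = logon.cmd
- ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
- ; add machine script = /usr/sbin/useradd -g machines -c "%u machineaccount" -d /var/lib/samba -s /bin/false %u
- ; add group script = /usr/sbin/addgroup --force-badname %g
- ##########
- ; include = /home/samba/etc/smb.conf.%m
- ; idmap uid = 10000-20000
- ; idmap gid = 10000-20000
- ; template shell = /bin/bash
- ; usershare max shares = 100
- # Lets users publish shares that are reachable without authentication (guest
- # access); set to "no" unless that is really wanted on a domain member.
- usershare allow guests = yes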
- #======================= Share Definitions =======================
- # Per-user home share. For [homes] the service name (%S) is the user name, so
- # "valid users = %S" admits only the owner; read-only with 0700 masks.
- [homes]
- comment = Home Directories
- browseable = no
- read only = yes
- create mask = 0700
- directory mask = 0700
- valid users = %S
- # Netlogon and roaming-profile shares from the Debian template, left disabled.
- ;[netlogon]
- ; comment = Network Logon Service
- ; path = /home/samba/netlogon
- ; guest ok = yes
- ; read only = yes
- ;[profiles]
- ; comment = Users profiles
- ; path = /home/samba/profiles
- ; guest ok = no
- ; browseable = no
- ; create mask = 0600
- ; directory mask = 0700
- # /etc/nsswitch.conf (excerpt). The passwd/group/shadow lines are not shown
- # here; AD users only resolve on this host if those lines name "winbind".
- # NOTE(review): the "User not known to the underlying authentication module"
- # failure logged above, right after pam_krb5 authenticated the user, is what a
- # failed getpwnam() looks like - confirm passwd/group include winbind.
- hosts: files dns
- networks: files
- protocols: db files
- services: db files
- ethers: db files
- rpc: db files
- netgroup: nis
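- # /etc/samba/smb.conf (reworked): AD member server, winbind with the RFC2307
- # uid/gid attributes stored in AD.
- [global]
- workgroup = DOMAIN
- # Domain-member mode: authenticate against the AD realm with Kerberos.
- security = ADS
- realm = DOMAIN.LOCAL
- netbios name = HOSTNAME
- # Machine-account keys are kept in this keytab (written by "net ads join" when
- # "kerberos method" includes keytab); it must stay readable by root only.
- dedicated keytab file = /etc/krb5.keytab
- kerberos method = secrets and keytab
- # uid/gid for DOMAIN come from the AD RFC2307 attributes (uidNumber/gidNumber)
- # and are never allocated locally; a user without those attributes, or with an
- # id outside the range, does not resolve on this host.
- idmap config DOMAIN : default = yes
- idmap config DOMAIN : backend = ad
- idmap config DOMAIN : schema_mode = rfc2307
- idmap config DOMAIN : readonly = yes
- idmap config DOMAIN : range = 10000-1999999
- # NOTE(review): no "idmap config * : ..." entry for the default domain (BUILTIN
- # and other well-known SIDs) is visible; Samba expects one - confirm.
- # Cache id mappings for a week (seconds).
- idmap cache time = 604800
- # Home directory and shell for domain users that have none in the directory.
- template homedir = /home/%D/%U
- template shell = /bin/bash
- winbind trusted domains only = no
- # Domain users log in as "user" instead of "DOMAIN\user".
- winbind use default domain = yes
- # No directory-wide enumeration (the first version of this file had it on).
- winbind enum users = no
- winbind enum groups = no
- winbind refresh tickets = yes
- # Maximum nesting depth when flattening group memberships.
- winbind expand groups = 4
- # Cache credentials so domain users can log in while no DC is reachable;
- # pairs with pam_winbind's cached_login. (Spelled "yes" like the other booleans.)
- winbind offline logon = yes
- winbind nss info = rfc2307
- domain master = no
- local master = no
- # Store NT ACLs and DOS attributes in xattrs so Windows clients see real ACLs.
- vfs objects = acl_xattr
- map acl inherit = yes
- store dos attributes = yes
- # LDAP traffic to the DCs is integrity-protected (signed); "seal" would also
- # encrypt it.
- client ldap sasl wrapping = sign
- encrypt passwords = yes
- client use spnego = yes
- # Only NTLMv2 responses are sent, never LM/NTLMv1.
- client ntlmv2 auth = yes
- # 2 = no anonymous connections at all.
- restrict anonymous = 2
- dns proxy = no
- # One log per client machine (%m), rotated at 1000 KB.
- log file = /var/log/samba/log.%m
- max log size = 1000
- syslog = 0
- panic action = /usr/share/samba/panic-action %d
- server role = member server
- # Local passdb and Unix password sync apply to local accounts only; domain
- # users change their password in AD.
- passdb backend = tdbsam
- obey pam restrictions = yes
- unix password sync = yes
- passwd program = /usr/bin/passwd %u
- # Chat script for "passwd program": \s matches whitespace, %n is the new
- # password, \n a newline. The backslashes are required for the patterns to match.
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- pam password change = yes
- # Unknown user names are mapped to guest rather than rejected; "never" is stricter.
- map to guest = bad user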
- v4_instance_resolve = false
- v4_name_convert = {
- host = {
- rcmd = host
- ftp = ftp
- }
- plain = {
- something = something-else
- }
- }
- fcc-mit-ticketflags = true
- [realms]
- # Only one KDC is listed (the first version of this file had five). MIT also
- # consults the realm's DNS SRV records by default (dns_lookup_kdc), so the other
- # DCs may still be found - confirm logins still work while DC1 is down.
- DOMAIN.LOCAL = {
- kdc = DC1.DOMAIN.local
- admin_server = DC1.DOMAIN.local
- default_domain = DOMAIN.local
- }
- [domain_realm]
- # Every host under DOMAIN.local, and the domain itself, belongs to the realm.
- .DOMAIN.local = DOMAIN.LOCAL
- DOMAIN.local = DOMAIN.LOCAL
- [login]
- # Kerberos v4 login options; no effect with AD.
- krb4_convert = true
- krb4_get_tickets = false
- [logging]
- # DEBUG-level library messages to syslog: useful while setting up, but chatty
- # and it logs principal names - lower to NOTICE once the join works.
- default = SYSLOG:DEBUG:DAEMON
- session optional pam_mount.so
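- <?xml version="1.0" encoding="utf-8" ?>
- <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
- <!-- /etc/security/pam_mount.conf.xml: CIFS shares mounted for each user at
-      login by pam_mount (enabled in PAM with "session optional pam_mount.so"). -->
- <pam_mount>
- <!-- Keep 0 outside troubleshooting: debug output goes to syslog and includes
-      details of the mount commands. -->
- <debug enable="0" />
- <!-- NOTE(review): this disabled block had lost its opening comment tag (only
-      the closing one survived), which left the file ill-formed; restored. The
-      three alternative mntoptions policies stay disabled. -->
- <!--
- <mntoptions deny="suid,dev" />
- <mntoptions allow="*" />
- <mntoptions deny="*" />
- -->
- <!-- Every volume is mounted nosuid,nodev whatever else is requested. -->
- <mntoptions require="nosuid,nodev" />
- <logout wait="100000" hup="yes" term="yes" kill="no" />
- <!-- A per-user share and a common share from server.domain.local. pam_mount
-      hands the login password to mount.cifs; since the host already holds
-      Kerberos tickets, adding sec=krb5 (with cruid) to "options" would avoid
-      forwarding the password, if the cifs client in use supports it.
-      TODO confirm the mountpoint matches smb.conf's template homedir
-      (/home/%D/%U): %D is the short domain name and may not equal "domain". -->
- <volume options="username=%(USER)" fstype="cifs" server="server.domain.local" path="User/%(USER)" mountpoint="/home/domain/%(USER)/Shares/%(DOMAIN_USER)" />
- <volume options="username=%(USER)" fstype="cifs" server="server.domain.local" path="Data" mountpoint="/home/domain/%(USER)/Shares/Data" />
- <umount>umount %(MNTPT)</umount>
- <!-- Create the mount point if missing; remove="false" presumably leaves it in
-      place after unmount. -->
- <mkmountpoint enable="1" remove="false" />
- </pam_mount>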