Integrating a Debian GNU/Linux system into an Active Directory domain

Clock synchronisation

Installing the package:

# aptitude install ntp

Configuring NTP:

# vim /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server ntp.home.local
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 10.20.30.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 10.20.30.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Applying the configuration:

# /etc/init.d/ntp restart

Checking NTP synchronisation:

# ntpq -p
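Kerberos rejects tickets once the client clock drifts more than five minutes (the default clockskew of 300 s) from the domain controllers, which is why this guide starts with NTP. The following added example (not part of the original guide) parses the output of ntpq -p, as run above, and reports whether the machine is synchronised to a peer whose offset is inside that window; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: decide from "ntpq -p" output
# whether the clock is usable for Kerberos/AD authentication.
#
# ntpq -p prints one line per peer. The first character is the tally code
# ('*' marks the system peer the clock is actually synchronised to) and the
# ninth whitespace-separated field is the offset in milliseconds.

# Return 0 when a '*' peer exists whose |offset| is below max_offset_ms,
# 1 otherwise.
#   $1: ntpq -p output
#   $2: maximum tolerated offset in ms (default 300000 = krb5 clockskew)
check_ntp_sync() {
    printf '%s\n' "$1" | awk -v max="${2:-300000}" '
        /^\*/ {
            off = $9
            if (off < 0) off = -off
            if (off < max) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample: synchronised to the guide's server ntp.home.local.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp.home.local  192.168.1.1      3 u   45   64  377    0.412   -1.532   0.201'

# Constructed sample: peer configured but never reached (stratum 16, no '*').
SAMPLE_NOSYNC='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.home.local  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Usage on a live host:
#   check_ntp_sync "$(ntpq -p)" && echo "clock OK for Kerberos"
```

A stratum-16 peer with reach 0, as in the second sample, is the usual sign that ntp.home.local is unreachable or blocked by the "restrict" lines above.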

Name resolution

Configuring the name resolution settings:

# vim /etc/resolv.conf
domain home.local
search home.local
nameserver 10.20.30.2
nameserver 10.20.30.3
nameserver 10.20.30.4

Samba / Winbind

Installing the packages:

# aptitude install winbind samba-common smbclient

Backing up the original configuration:

# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Configuring Samba/Winbind:

# > /etc/samba/smb.conf
# vim /etc/samba/smb.conf
[global]
    workgroup = HOME
    realm = HOME.LOCAL
    server string = %h server
    security = ADS
    password server = 10.20.30.2, 10.20.30.3, 10.20.30.4
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    announce version = 4
    announce as = NT Workstation
    dns proxy = No
    idmap uid = 167771-335549
    idmap gid = 167771-335549
    winbind use default domain = yes
    invalid users = root
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    template homedir = /home/%D/%U
    template shell = /bin/bash
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0

Creating the root directory for the domain users' home directories:

# mkdir /home/HOME

Applying the configuration:

# /etc/init.d/winbind restart

Kerberos

Installing the packages:

# aptitude install krb5-user krb5-config

Backing up the original configuration:

# cp /etc/krb5.conf /etc/krb5.conf.original

Configuring Kerberos:

# > /etc/krb5.conf
# vim /etc/krb5.conf
[libdefaults]
        default_realm = HOME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
#       v4_instance_resolve = false
#       v4_name_convert = {
#               host = {
#                       rcmd = host
#                       ftp = ftp
#               }
#               plain = {
#                       something = something-else
#               }
#       }
#       fcc-mit-ticketflags = true

[realms]
        HOME.LOCAL = {
                kdc = 10.20.30.2
                kdc = 10.20.30.3
                kdc = 10.20.30.4
                admin_server = 10.20.30.2
        }

[domain_realm]
        .home.local = HOME.LOCAL
        home.local = HOME.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin-server = FILE:/var/log/krb5adm.log

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

Joining the domain and authenticating

Joining the domain:

# net -U administrator ads join

(Test) List the domain users:

# wbinfo -u

Changing the authentication settings:

# vim /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Allow the home directory of a domain user to be created:

# vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional                        pam_winbind.so
# end of pam-auth-update config

(Test) List the user database, i.e. the accounts that can authenticate:

# getent passwd
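Once winbind is listed in nsswitch.conf, getent passwd returns domain accounts next to the local ones. The added example below (not part of the original guide) checks that output for consistency with the smb.conf settings above: every entry whose uid falls inside the idmap range 167771-335549 must use the template home directory /home/%D/%U (here /home/HOME/<user>, since winbind use default domain = yes strips the domain prefix from names) and the template shell /bin/bash. The sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check "getent passwd"
# after joining the domain. Entries whose uid lies in the winbind idmap range
# are expected to match the template homedir and shell from smb.conf; local
# accounts (uid outside the range) are ignored.

IDMAP_LOW=167771          # idmap uid/gid range from smb.conf
IDMAP_HIGH=335549
HOME_ROOT=/home/HOME      # template homedir = /home/%D/%U with %D = HOME
TEMPLATE_SHELL=/bin/bash  # template shell = /bin/bash

# Print every domain entry that deviates from the template and return 1;
# return 0 when all entries in the idmap range are consistent.
#   $1: getent passwd output (one passwd(5) line per account)
check_domain_entries() {
    printf '%s\n' "$1" | awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" \
        -v root="$HOME_ROOT" -v shell="$TEMPLATE_SHELL" '
        NF >= 7 && $3 >= lo && $3 <= hi {
            # $1 user, $3 uid, $6 home directory, $7 login shell
            if ($6 != root "/" $1 || $7 != shell) {
                bad++
                print "inconsistent entry: " $0
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: two local accounts and two winbind-mapped domain users.
SAMPLE_OK='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
jdoe:*:167771:167772:John Doe:/home/HOME/jdoe:/bin/bash
asmith:*:167773:167772:Alice Smith:/home/HOME/asmith:/bin/bash'

# Constructed sample: a domain user whose homedir and shell ignore the template.
SAMPLE_BAD='root:x:0:0:root:/root:/bin/bash
jdoe:*:167771:167772:John Doe:/home/jdoe:/bin/sh'

# Usage on a live host:
#   check_domain_entries "$(getent passwd)" && echo "domain entries OK"
```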

Allow only members of the “GNETWORK” group to access the server over SSH:

# vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Only allow GNETWORK Active Directory group members
account    required     pam_succeed_if.so user ingroup GNETWORK

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

sudo rights for the “GNETWORK” group:

# vim /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
%GNETWORK    ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
