{"id":46,"date":"2012-07-18T12:40:00","date_gmt":"2012-07-18T10:40:00","guid":{"rendered":"https:\/\/test.n3oxid.fr\/?p=46"},"modified":"2021-04-18T21:20:39","modified_gmt":"2021-04-18T19:20:39","slug":"integration-dun-systeme-gnu-linux-debian-dans-un-domaine-active-directory","status":"publish","type":"post","link":"https:\/\/www.n3oxid.fr\/?p=46","title":{"rendered":"Integrating a GNU\/Linux Debian system into an Active Directory domain"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Clock synchronization<\/h2>\n\n\n\n<p>Installing the package:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># aptitude install ntp\n<\/pre>\n\n\n\n<p>Configuring NTP:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/ntp.conf\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># \/etc\/ntp.conf, configuration for ntpd; see ntp.conf(5) for help\n\ndriftfile \/var\/lib\/ntp\/ntp.drift\n\n\n# Enable this if you want statistics to be logged.\n#statsdir \/var\/log\/ntpstats\/\n\nstatistics loopstats peerstats clockstats\nfilegen loopstats file loopstats type day enable\nfilegen peerstats file peerstats type day enable\nfilegen clockstats file clockstats type day enable\n\n\n# You do need to talk to an NTP server or two (or three).\n#server ntp.your-provider.example\n\n# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will\n# pick a different set every time it starts up.  Please consider joining the\n# pool: &lt;http:\/\/www.pool.ntp.org\/join.html&gt;\nserver ntp.home.local\n#server 0.debian.pool.ntp.org iburst\n#server 1.debian.pool.ntp.org iburst\n#server 2.debian.pool.ntp.org iburst\n#server 3.debian.pool.ntp.org iburst\n\n\n# Access control configuration; see \/usr\/share\/doc\/ntp-doc\/html\/accopt.html for\n# details.  
The web page &lt;http:\/\/support.ntp.org\/bin\/view\/Support\/AccessRestrictions&gt;\n# might also be helpful.\n#\n# Note that \"restrict\" applies to both servers and clients, so a configuration\n# that might be intended to block requests from certain clients could also end\n# up blocking replies from your own upstream servers.\n\n# By default, exchange time with everybody, but don't allow configuration.\nrestrict -4 default kod notrap nomodify nopeer noquery\nrestrict -6 default kod notrap nomodify nopeer noquery\n\n# Local users may interrogate the ntp server more closely.\nrestrict 127.0.0.1\nrestrict ::1\n\n# Clients from this (example!) subnet have unlimited access, but only if\n# cryptographically authenticated.\n#restrict 10.20.30.0 mask 255.255.255.0 notrust\n\n\n# If you want to provide time to your local subnet, change the next line.\n# (Again, the address is an example only.)\n#broadcast 10.20.30.255\n\n# If you want to listen to time broadcasts on your local subnet, de-comment the\n# next lines.  
Please do this only if you trust everybody on the network!\n#disable auth\n#broadcastclient\n<\/pre>\n\n\n\n<p>Applying the configuration:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \/etc\/init.d\/ntp restart\n<\/pre>\n\n\n\n<p>Checking NTP synchronization:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># ntpq -p\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Name resolution<\/h2>\n\n\n\n<p>Configuring the name resolution settings:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/resolv.conf\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">domain home.local\nsearch home.local\nnameserver 10.20.30.2\nnameserver 10.20.30.3\nnameserver 10.20.30.4\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Samba \/ Winbind<\/h2>\n\n\n\n<p>Installing the packages:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># aptitude install winbind samba-common smbclient\n<\/pre>\n\n\n\n<p>Backing up the original configuration:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># cp \/etc\/samba\/smb.conf \/etc\/samba\/smb.conf.original\n<\/pre>\n\n\n\n<p>Configuring Samba\/Winbind:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># &gt; \/etc\/samba\/smb.conf\n# vim \/etc\/samba\/smb.conf\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">[global]\n    workgroup = HOME\n    realm = HOME.LOCAL\n    server string = %h server\n    security = ADS\n    password server = 10.20.30.2, 10.20.30.3, 10.20.30.4\n    client use spnego = yes\n    client ntlmv2 auth = yes\n    encrypt passwords = yes\n    syslog = 0\n    log file = \/var\/log\/samba\/log.%m\n    max log size = 1000\n    announce version = 4\n    announce as = NT Workstation\n    dns proxy = No\n    idmap uid = 167771-335549\n    idmap gid = 167771-335549\n    winbind use default domain = yes\n    invalid users = root\n    winbind enum users = yes\n    winbind enum groups = yes\n    
winbind cache time = 10\n    template homedir = \/home\/%D\/%U\n    template shell = \/bin\/bash\n    restrict anonymous = 2\n    domain master = no\n    local master = no\n    preferred master = no\n    os level = 0\n<\/pre>\n\n\n\n<p>Creating the root directory that will hold the domain users&#8217; home directories:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># mkdir \/home\/HOME\n<\/pre>\n\n\n\n<p>Applying the configuration:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \/etc\/init.d\/winbind restart\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Kerberos<\/h2>\n\n\n\n<p>Installing the packages:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># aptitude install krb5-user krb5-config\n<\/pre>\n\n\n\n<p>Backing up the original configuration:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># cp \/etc\/krb5.conf \/etc\/krb5.conf.original\n<\/pre>\n\n\n\n<p>Configuring Kerberos:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># &gt; \/etc\/krb5.conf\n# vim \/etc\/krb5.conf\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">[libdefaults]\n        default_realm = HOME.LOCAL\n        dns_lookup_realm = false\n        dns_lookup_kdc = false\n# The following krb5.conf variables are only for MIT Kerberos.\n        krb4_config = \/etc\/krb.conf\n        krb4_realms = \/etc\/krb.realms\n        kdc_timesync = 1\n        ccache_type = 4\n        forwardable = true\n        proxiable = true\n\n# The following encryption type specification will be used by MIT Kerberos\n# if uncommented.  
In general, the defaults in the MIT Kerberos code are\n# correct and overriding these specifications only serves to disable new\n# encryption types as they are added, creating interoperability problems.\n#\n# The only time when you might need to uncomment these lines and change\n# the enctypes is if you have local software that will break on ticket\n# caches containing ticket encryption types it doesn't know about (such as\n# old versions of Sun Java).\n\n#       default_tgs_enctypes = des3-hmac-sha1\n#       default_tkt_enctypes = des3-hmac-sha1\n#       permitted_enctypes = des3-hmac-sha1\n\n# The following libdefaults parameters are only for Heimdal Kerberos.\n#       v4_instance_resolve = false\n#       v4_name_convert = {\n#               host = {\n#                       rcmd = host\n#                       ftp = ftp\n#               }\n#               plain = {\n#                       something = something-else\n#               }\n#       }\n#       fcc-mit-ticketflags = true\n\n[realms]\n        HOME.LOCAL = {\n                kdc = 10.20.30.2\n                kdc = 10.20.30.3\n                kdc = 10.20.30.4\n                admin_server = 10.20.30.2\n        }\n\n[domain_realm]\n        .home.local = HOME.LOCAL\n        home.local = HOME.LOCAL\n\n[login]\n        krb4_convert = true\n        krb4_get_tickets = false\n\n[logging]\n        default = FILE:\/var\/log\/krb5.log\n        kdc = FILE:\/var\/log\/krb5kdc.log\n        admin_server = FILE:\/var\/log\/krb5adm.log\n\n[appdefaults]\n        pam = {\n                debug = false\n                ticket_lifetime = 36000\n                renew_lifetime = 36000\n                forwardable = true\n                krb4_convert = false\n        }\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Joining the domain and authenticating<\/h2>\n\n\n\n<p>Joining the domain:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># net -U administrator ads join\n<\/pre>\n\n\n\n<p>(Test) Listing the domain users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># wbinfo -u\n<\/pre>\n\n\n\n<p>Changing the authentication settings:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/nsswitch.conf\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># \/etc\/nsswitch.conf\n#\n# Example configuration of GNU Name Service Switch functionality.\n# If you have the `glibc-doc-reference' and `info' packages installed, try:\n# `info libc \"Name Service Switch\"' for information about this file.\n\npasswd:         compat winbind\ngroup:          compat winbind\nshadow:         compat winbind\n\nhosts:          files dns\nnetworks:       files\n\nprotocols:      db files\nservices:       db files\nethers:         db files\nrpc:            db files\n\nnetgroup:       nis\n<\/pre>\n\n\n\n<p>Allowing a domain user&#8217;s home directory to be created on first login:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/pam.d\/common-session\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">#\n# \/etc\/pam.d\/common-session - session-related modules common to all services\n#\n# This file is included from other service-specific PAM config files,\n# and should contain a list of modules that define tasks to be performed\n# at the start and end of sessions of *any* kind (both interactive and\n# non-interactive).\n#\n# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.\n# To take advantage of this, it is recommended that you configure any\n# local modules either before or after the default block, and use\n# pam-auth-update to manage selection of other modules.  
See\n# pam-auth-update(8) for details.\n\n# here are the per-package modules (the \"Primary\" block)\nsession [default=1]                     pam_permit.so\n# here's the fallback if no module succeeds\nsession requisite                       pam_deny.so\n# prime the stack with a positive return value if there isn't one already;\n# this avoids us returning an error just because nothing sets a success code\n# since the modules above will each just jump around\nsession required                        pam_permit.so\n# and here are more per-package modules (the \"Additional\" block)\nsession required                        pam_unix.so\nsession required                        pam_mkhomedir.so umask=0022 skel=\/etc\/skel\nsession optional                        pam_winbind.so\n# end of pam-auth-update config\n<\/pre>\n\n\n\n<p>(Test) Listing the database of users who can authenticate:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># getent passwd\n<\/pre>\n\n\n\n<p>Only allow members of the &#8220;GNETWORK&#8221; group to access the server over SSH:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/pam.d\/sshd\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># PAM configuration for the Secure Shell service\n\n# Read environment variables from \/etc\/environment and\n# \/etc\/security\/pam_env.conf.\nauth       required     pam_env.so # [1]\n# In Debian 4.0 (etch), locale-related environment variables were moved to\n# \/etc\/default\/locale, so read that as well.\nauth       required     pam_env.so envfile=\/etc\/default\/locale\n\n# Standard Un*x authentication.\n@include common-auth\n\n# Disallow non-root logins when \/etc\/nologin exists.\naccount    required     pam_nologin.so\n\n# Only allow GNETWORK Active Directory group members\naccount    required     pam_succeed_if.so user ingroup GNETWORK\n\n# Uncomment and edit \/etc\/security\/access.conf if you need to set complex\n# access limits that are hard to 
express in sshd_config.\n# account  required     pam_access.so\n\n# Standard Un*x authorization.\n@include common-account\n\n# Standard Un*x session setup and teardown.\n@include common-session\n\n# Print the message of the day upon successful login.\nsession    optional     pam_motd.so # [1]\n\n# Print the status of the user's mailbox upon successful login.\nsession    optional     pam_mail.so standard noenv # [1]\n\n# Set up user limits from \/etc\/security\/limits.conf.\nsession    required     pam_limits.so\n\n# Set up SELinux capabilities (need modified pam)\n# session  required     pam_selinux.so multiple\n\n# Standard Un*x password updating.\n@include common-password\n<\/pre>\n\n\n\n<p>sudo rights for the &#8220;GNETWORK&#8221; group:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/sudoers\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># \/etc\/sudoers\n#\n# This file MUST be edited with the 'visudo' command as root.\n#\n# See the man page for details on how to write a sudoers file.\n#\n\nDefaults        env_reset\n\n# Host alias specification\n\n# User alias specification\n\n# Cmnd alias specification\n\n# User privilege specification\nroot    ALL=(ALL) ALL\n%GNETWORK    ALL=(ALL) NOPASSWD: ALL\n\n# Allow members of group sudo to execute any command\n# (Note that later entries override this, so you might need to move\n# it further down)\n%sudo ALL=(ALL) ALL\n#\n#includedir \/etc\/sudoers.d<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Clock synchronization Installing the package: # aptitude install ntp Configuring NTP: # vim \/etc\/ntp.conf # \/etc\/ntp.conf, configuration for ntpd; see ntp.conf(5) for help driftfile \/var\/lib\/ntp\/ntp.drift # Enable this if 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[8,9,21],"class_list":["post-46","post","type-post","status-publish","format-standard","hentry","category-computing","tag-debian","tag-linux","tag-microsoft"],"_links":{"self":[{"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=\/wp\/v2\/posts\/46","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46"}],"version-history":[{"count":1,"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions"}],"predecessor-version":[{"id":47,"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions\/47"}],"wp:attachment":[{"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.n3oxid.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}