SSH login to a Linux server with Active Directory accounts

This time the goal is SSH login on CentOS 6, so some details differ from the earlier post “Joining an Active Directory domain from Linux”.

■Environment
 Active Directory domain        : ys-network.info
 Linux server (client)          : 192.168.0.2 (HOGE)
 Active Directory server (FQDN) : 192.168.0.1 (AD.YS-NETWORK.INFO)

■Overview
1. Install the required packages
2. Configure /etc/samba/smb.conf
3. Configure /etc/resolv.conf
4. Configure /etc/krb5.conf
5. Edit /etc/pam.d/system-auth-ac
6. Edit /etc/pam.d/password-auth-ac
7. Edit /etc/nsswitch.conf
8. Edit /etc/hosts
9. Join the Linux server (client) to the Active Directory domain
10. Start the winbind service
11. Test an SSH login

1. Install the required packages

# yum install samba-winbind samba-winbind-clients krb5-workstation
~~~~~~~~~~~~~~ (output omitted) ~~~~~~~~~~~~~~
Dependencies Resolved

===================================================================================
 Package                       Arch       Version             Repository      Size
===================================================================================
Installing:
 samba-winbind                 x86_64     3.5.6-86.el6_1.4    updates        3.6 M
 samba-winbind-clients         x86_64     3.5.6-86.el6_1.4    updates        1.1 M
 krb5-workstation              x86_64     1.9-9.el6_1.2       updates        452 k
Installing for dependencies:
 libtalloc                     x86_64     2.0.1-1.1.el6       base            19 k
 libtdb                        x86_64     1.2.1-3.el6         base            28 k
 samba-common                  x86_64     3.5.6-86.el6_1.4    updates         13 M
 krb5-libs                     x86_64     1.9-9.el6_1.2       updates        706 k

Transaction Summary
===================================================================================
Install       7 Package(s)
Upgrade       0 Package(s)
~~~~~~~~~~~~~~ (output omitted) ~~~~~~~~~~~~~~

2. Configure /etc/samba/smb.conf

# vi /etc/samba/smb.conf

Comment out the existing settings and add the following (the explanatory comments are placed on their own lines, because smb.conf only treats a line that starts with # or ; as a comment):
[global]
   # Active Directory domain (NetBIOS name)
   workgroup = YS-NETWORK
   # Active Directory server
   password server = 192.168.0.1
   # Active Directory domain (Kerberos realm, upper case)
   realm = YS-NETWORK.INFO
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   # home directory for Active Directory users (created at first login by pam_mkhomedir, see steps 5 and 6)
   template homedir = /home/%U
   template shell = /bin/bash
   # lets users log in without prefixing the domain name
   winbind use default domain = true
   winbind offline logon = true
   winbind enum users = Yes
   winbind enum groups = Yes
   obey pam restrictions = yes

3. Configure /etc/resolv.conf

# vi /etc/resolv.conf

nameserver 192.168.0.1
search ys-network.info

4. Configure /etc/krb5.conf

# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# default_realm = EXAMPLE.COM    # commented out
 default_realm = YS-NETWORK.INFO
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
# EXAMPLE.COM = {    # commented out
 YS-NETWORK.INFO = {
#  kdc = kerberos.example.com    # commented out
  kdc = ad.ys-network.info
#  admin_server = kerberos.example.com    # commented out
  admin_server = ad.ys-network.info
 }

[domain_realm]
# .example.com = EXAMPLE.COM    # commented out
 .ys-network.info = YS-NETWORK.INFO
# example.com = EXAMPLE.COM    # commented out
 ys-network.info = YS-NETWORK.INFO

5. Edit /etc/pam.d/system-auth-ac

# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass    # added
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow    # broken_shadow added
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login    # added
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok    # added
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022    # added
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

6. Edit /etc/pam.d/password-auth-ac

# vi /etc/pam.d/password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass    # added
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow    # broken_shadow added
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login    # added
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok    # added
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022    # added
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

7. Edit /etc/nsswitch.conf

# vi /etc/nsswitch.conf

# winbind added to each of the following three lines
passwd:     files winbind
shadow:     files winbind
group:      files winbind

8. Edit /etc/hosts

# vi /etc/hosts

127.0.0.1   HOGE.ys-network.info HOGE localhost localhost.localdomain localhost4 localhost4.localdomain4

9. Join the Linux server (client) to the Active Directory domain

Authenticate to the Active Directory server with Kerberos:
# kinit administrator@YS-NETWORK.INFO
Password for administrator@YS-NETWORK.INFO: (enter the Active Directory Administrator password)
#
If there are no problems, the prompt returns without any error output.

Join the Active Directory domain:
# net ads join -U administrator
Enter administrator's password: (enter the Active Directory Administrator password)
Using short domain name -- YS-NETWORK
Joined 'HOGE' to realm 'ys-network.info'

10. Start the winbind service

# /etc/rc.d/init.d/winbind start
Winbind サービスを起動中:                                  [  OK  ]

This completes the configuration.
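Before trying the SSH login it is worth checking that the files edited in steps 2, 4 and 7 agree with each other: the realm in smb.conf must match default_realm in krb5.conf and be written in upper case, [realms] needs a kdc entry because dns_lookup_kdc is false, [domain_realm] must map the DNS domain to the realm, the idmap ranges must not overlap the local accounts that the PAM stack treats as uid < 500, and nsswitch.conf must list winbind. The script below is an added example, not part of the original post or of Samba/Kerberos; it runs on constructed copies of this post's fragments, and the parse_conf/check_ad_config names are my own.

```python
import re
# Constructed copies of the post's fragments, with the annotations stripped; not files read from a host.
SMB_CONF = ("[global]\n realm = YS-NETWORK.INFO\n security = ads\n"
            " idmap uid = 16777216-33554431\n idmap gid = 16777216-33554431\n")
KRB5_CONF = ("[libdefaults]\n default_realm = YS-NETWORK.INFO\n dns_lookup_kdc = false\n"
             "[realms]\n YS-NETWORK.INFO = {\n  kdc = ad.ys-network.info\n }\n"
             "[domain_realm]\n .ys-network.info = YS-NETWORK.INFO\n ys-network.info = YS-NETWORK.INFO\n")
NSSWITCH_CONF = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"

def parse_conf(text):
    """Parse '[section]' / 'key = value' text; keys inside a krb5 '{ }' block become 'BLOCK.key'."""
    data, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
            data[section] = {}
        elif line.endswith("{"):                      # e.g. 'YS-NETWORK.INFO = {'
            block = line.rstrip("{ =")
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            data[section][(block + "." if block else "") + key.lower()] = val
    return data

def check_ad_config(smb_text, krb5_text, nss_text):
    """Return the mismatches between the three files; an empty list means they agree."""
    smb, krb = parse_conf(smb_text).get("global", {}), parse_conf(krb5_text)
    realm, problems = smb.get("realm", ""), []
    if not realm or realm != realm.upper():
        problems.append("smb.conf: realm must be set in upper case (Kerberos realm names are case-sensitive)")
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("krb5.conf: default_realm differs from the smb.conf realm")
    if f"{realm}.kdc" not in krb.get("realms", {}):
        problems.append(f"krb5.conf: [realms] needs a kdc entry for {realm} (dns_lookup_kdc is false here)")
    for name in (realm.lower(), "." + realm.lower()):
        if krb.get("domain_realm", {}).get(name) != realm:
            problems.append(f"krb5.conf: [domain_realm] lacks '{name} = {realm}'")
    for key in ("idmap uid", "idmap gid"):
        rng = re.fullmatch(r"(\d+)-(\d+)", smb.get(key, ""))
        if not rng or not 500 <= int(rng.group(1)) < int(rng.group(2)):
            problems.append(f"smb.conf: {key} must be LOW-HIGH with LOW >= 500 (local accounts sit below 500)")
    for db in ("passwd", "shadow", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nss_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append(f"nsswitch.conf: '{db}' does not list winbind")
    return problems
```

To check a real host, pass the contents of /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf instead of the constructed strings; every entry in the returned list is a mismatch to fix before net ads join.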

11. Test an SSH login

# ssh -l administrator hoge
administrator@hoge's password: (enter the Active Directory Administrator password)
Creating directory '/home/administrator'.
[administrator@HOGE ~]$ 

======================================================================
Environment
OS: CentOS 6 x64
Active Directory: Windows Server 2008 R2

samba-winbind-3.5.6-86.el6_1.4.x86_64
samba-winbind-clients-3.5.6-86.el6_1.4.x86_64
krb5-workstation-1.9-9.el6_1.2.x86_64
pam-1.1.1-4.el6_0.1.x86_64
pam_passwdqc-1.0.5-6.el6.x86_64
