Ставим пакеты:
yum install krb5-workstation realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools -y
Настраиваем конфиг /etc/krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/</code>
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
DOMAIN.LOCAL = {
kdc = dc01.domain.local
kdc = dc02.domain.local
default_domain = domain.local
admin_server = dc01.domain.local
admin_server = dc02.domain.local
kpasswd_server = dc01.domain.local
kpasswd_server = dc02.domain.local
}
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.local = DOMAIN.LOCAL
Обратите внимание – домен надо ОБЯЗАТЕЛЬНО писать большими буквами.
В конфиге самбы также указываем домен /etc/samba/smb.conf:
[global] workgroup = domain password server = dc01.domain.local dc02.domain.local realm = DOMAIN.LOCAL security = ads idmap config * : range = 16777216-33554431 template shell = /sbin/nologin kerberos method = secrets only winbind use default domain = false winbind offline logon = false
Вводим машину в домен:
net ads join -U Administrator@DOMAIN.LOCAL
Затем генерим keytab-файл, для аутентификации без ввода пароля и сохраняем:
#ktutil ktutil: addent -password -p dns_updater@DOMAIN.LOCAL -k 1 -e rc4-hmac Password for dns_updater@DOMAIN.LOCAL:. ktutil: write_kt /usr/local/scripts/cfg/dns_updater.keytab ktutil: quit
И получаем билет:
kinit -k -t /usr/local/scripts/cfg/dns_updater.keytab dns_updater@DOMAIN.LOCAL
Обсуждение закрыто.