Posted on 2015/12/01 19:41
Filed under: Linux technical documents / Server


Joining RHEL 6.x to a Windows 2012 R2 Active Directory domain

Traditionally, Winbind and Likewise are the two tools most often used to join a Linux client to a Windows AD domain.

The package used in this document is pbis-open, the Likewise Open package built on the winbind core.




First, make the AD domain information resolvable from the Linux client server.

# vi /etc/hosts

192.168.201.50  RNTADS01 rntier272.ad

# vi /etc/resolv.conf
nameserver 192.168.201.50

# nslookup rntier272.ad
Server:   192.168.201.50
Address:  192.168.201.50#53

Name: rntier272.ad
Address: 192.168.201.50

Download and install the likewise package.
The likewise package used in this document is the pbis package produced by the PowerBroker Open project.

http://www.powerbrokeropen.org/

# wget http://download.beyondtrust.com/PBISO/8.3/pbis-open-8.3.0.3287.linux.x86_64.rpm.sh
# chmod 755 pbis-open-8.3.0.3287.linux.x86_64.rpm.sh
# ./pbis-open-8.3.0.3287.linux.x86_64.rpm.sh
--------------------------------------------------------------------------------
Creating directory pbis-open-8.3.0.3287.linux.x86_64.rpm
Verifying archive integrity... All good.
Uncompressing pbis-open-8.3.0.3287.linux.x86_64.rpm............
Would you like to install package for legacy links? (i.e.  /opt/likewise/bin/lw-find-user-by-name -> /opt/pbis/bin/find-user-by-name) (yes/no) yes
Would you like to install now? (yes/no) yes

.
.
준비 중...               ########################################### [100%]
   1:pbis-open-gui          ########################################### [100%]
경고: /root/pbis-open-8.3.0.3287.linux.x86_64.rpm/./packages/pbis-open-legacy-8.3.0-3287.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
준비 중...               ########################################### [100%]
   1:pbis-open-legacy       ########################################### [100%]
Installing Packages was successful

New libraries and configurations have been installed for PAM and NSS.
Please reboot so that all processes pick up the new versions.

As root, run domainjoin-gui or domainjoin-cli to join a domain so you can log on
with Active Directory credentials. Example:
domainjoin-cli join MYDOMAIN.COM MyJoinAccount
-------------------------------------------------------------------------------

Once the package installation completes, the related packages are installed under:

/opt/likewise
/opt/pbis

Now join the AD domain.

The AD domain join can be done either from the command line or through the GUI.
Command-line method:
# domainjoin-cli join <domain_name> <domain_administrator_user>
GUI method:
# domainjoin-gui

# domainjoin-cli join rntier272.ad administrator
Joining to AD Domain:   rntier272.ad
With Computer DNS Name: RNTSMP01.rntier272.ad

administrator@RNTIER272.AD's password: <enter password>

Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time.  It is
recommended that you restart your system to ensure that all applications recognize the new settings.

SUCCESS


Reboot the system.

Log on to the Windows Active Directory server, open Administrative Tools > Active Directory Users and Computers > Computers OU,
and confirm that the Linux client has been joined.



# su - rntier272\\alang
-sh-4.1$ pwd
/home/local/RNTIER272/alang
-sh-4.1$ id
uid=2077230164(RNTIER272\alang) gid=2077229569(RNTIER272\domain^users) groups=2077229569(RNTIER272\domain^users),2077230163(RNTIER272\gridcenter),2077230171(RNTIER272\gc_default_ug)
-sh-4.1$

By default the home directory is set to /home/local/<domain>/<user_name>.
The following is how to change it to /home/<user_name>.

# /opt/likewise/bin/lwregshell
> cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> ls

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\] > set_value LoginShellTemplate /bin/bash
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\] > set_value HomeDirTemplate %H/%U
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\] > quit

Or, alternatively:

# /opt/likewise/bin/lwconfig LoginShellTemplate /bin/bash
# /opt/likewise/bin/lwconfig HomeDirTemplate %H/%U

Now apply the changed settings by clearing the cached user entries:

# /opt/likewise/bin/lw-ad-cache --enum-users
# /opt/likewise/bin/lw-ad-cache --delete-all
The cache has been emptied successfully.

# su - rntier272\\alang
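As an added example (not part of the original post), the following POSIX sh script checks the results of the join and home-directory steps above without touching a live system: it expands a HomeDirTemplate the way PBIS does (%H = HomeDirPrefix, %D = short domain name, %U = user name), reads settings out of a `config --dump` fragment, and verifies that an `id` line was resolved through the domain. The sample `id` line and config fragment are constructed from this page; the `Name "value"` dump format and the default HomeDirPrefix of /home/local are assumptions.

```sh
#!/bin/sh
# Post-join sanity checks for a PBIS Open client (added example, not from the post).
# Each check takes its input as an argument, so it can run offline on the constructed
# samples below or on live output, e.g. check_domain_user "$(id "$u")" RNTIER272.

# Expand a HomeDirTemplate: %H = HomeDirPrefix, %D = short domain, %U = user name.
# Note: with the assumed default HomeDirPrefix of /home/local, "%H/%U" expands to
# /home/local/<user>; HomeDirPrefix must change too if /home/<user> is the goal.
expand_home_template() {
    printf '%s\n' "$1" | sed -e "s|%H|$2|g" -e "s|%D|$3|g" -e "s|%U|$4|g"
}

# Pull one string setting out of `/opt/pbis/bin/config --dump` output
# (assumed line format: Name "value").
config_value() {
    printf '%s\n' "$2" | sed -n "s/^$1 \"\([^\"]*\)\"\$/\1/p"
}

# Verify that `id` resolved the account through AD: the uid name must be
# DOMAIN\user with a non-empty user part, and the primary group DOMAIN\domain^users.
check_domain_user() {
    id_output=$1; domain=$2
    uid_name=$(printf '%s\n' "$id_output" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    gid_name=$(printf '%s\n' "$id_output" | sed -n 's/^uid=[^ ]* gid=[0-9]*(\([^)]*\)).*/\1/p')
    [ "${uid_name%%\\*}" = "$domain" ] || return 1
    [ -n "${uid_name#*\\}" ] || return 1
    [ "$gid_name" = "$domain\\domain^users" ]
}

# Constructed samples: the id line shown in this post and a two-line config --dump fragment.
SAMPLE_ID='uid=2077230164(RNTIER272\alang) gid=2077229569(RNTIER272\domain^users) groups=2077229569(RNTIER272\domain^users),2077230163(RNTIER272\gridcenter)'
SAMPLE_CONFIG='HomeDirTemplate "%H/%U"
LoginShellTemplate "/bin/bash"'

# Run every check against the samples; returns 0 only when all of them pass.
run_checks() {
    [ "$(expand_home_template "$(config_value HomeDirTemplate "$SAMPLE_CONFIG")" /home/local RNTIER272 alang)" = /home/local/alang ] &&
    [ "$(config_value LoginShellTemplate "$SAMPLE_CONFIG")" = /bin/bash ] &&
    check_domain_user "$SAMPLE_ID" RNTIER272
}
```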


Other management commands

/opt/pbis/bin/config --dump
/opt/pbis/bin/get-status
/opt/pbis/bin/find-objects --user USERNAME

/etc/pbis/pbis-krb5-ad.conf

by 서진우 (아랑)
Twitter: @muchunalang
