
Samba+Windows 2003 AD+Kerberos+Postfix+Cyrus-SASL+Cyrus-Imap+SquirrelMail

火星人 @ 2014-03-04, reply:0


Sharing this with some humility: these are yesterday's install notes.
Mail has been tested and can be sent and received.
Where they fall short, I would welcome corrections from the more experienced.
The experiment is not finished yet; when I have time to complete it I will post the rest of the notes.


Linux joins the Windows AD domain through Samba (smbd, nmbd, winbind) + Kerberos, then connects to the AD domain and shares resource information.

Building on that experiment, install Postfix + Cyrus-SASL + Cyrus-IMAP + a WebMail client. Postfix authenticates through Cyrus-SASL. All user information and passwords live on Windows 2003 AD.

Based on experiment one, every user on Windows 2003 AD can connect to the Linux server over SSH, FTP and smbclient.

Unfinished items:
    1) Openwebmail cannot yet authenticate users to send/receive mail;
    2) When a user's Home directory in the Windows 2003 AD user properties is set to a path on the Linux server, an error occurs: after the user logs on to the domain from XP, the Home directory is not automatically mapped to the user's directory on Linux.

===================================================================================
Principle:
Linux joins the Windows AD domain through Samba (smbd, nmbd, winbind) + Kerberos, then connects to the AD domain and shares resource information.


Server Information :

Windows 2003 AD
Hostname:   winserver.centos.winserver.com
IP:    172.16.10.100 / 16
DNS: 172.16.100.100
GW:  172.16.100.100
Domain: centos
Password: centos


CentOS 5.3 Linux
Hostname: filesrv01.centos.winserver.com
Password: centos
IP: 172.16.10.200 / 16
DNS: 172.16.100.100
GW:  172.16.100.100
WebMail:  SquirrelMail 1.4.8-4.0.1.el5.centos.2

===================================================================================

chkconfig --level 0123456 sendmail off     # replaced by Postfix below
chkconfig --level 0123456 smartd off
chkconfig --level 0123456 pcscd off
chkconfig --level 0123456 bluetooth off
chkconfig --level 0123456 iptables off     # host firewall disabled: every service below is reachable from the whole LAN
chkconfig --level 0123456 ip6tables off
chkconfig --level 0123456 vsftpd on
chkconfig --level 0123456 vncserver on

==================================================================
yum install gcc-* perl-* httpd-* php-* postfix-* cyrus-imapd-* cyrus-sasl-* samba-*


######  Setting for Cyrus-Imapd Service ######
# passwd cyrus
Changing password for user cyrus.
New UNIX password:  ---------->password
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:  ---------->password
passwd: all authentication tokens updated successfully.
chkconfig --level 0123456 cyrus-imapd on
chkconfig --level 0123456 saslauthd on

==================================

vi /usr/lib/sasl2/smtpd.conf      # /usr/lib64/sasl2/smtpd.conf on x86_64
pwcheck_method: saslauthd
# PLAIN and LOGIN both carry the AD password base64-encoded, not encrypted;
# without TLS on port 25 it is readable by anyone on the path.
mech_list: PLAIN LOGIN

==================================

vi /etc/imap.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
# IMAP/POP3 logins go through the same saslauthd that Postfix uses
sasl_pwcheck_method: saslauthd
# PLAIN sends the password in clear unless the session is TLS-protected
sasl_mech_list: PLAIN

==================================

vi /etc/cyrus.conf
# Both TLS listeners are left commented out, so only cleartext imap/143 and pop3/110 are served (see the telnet tests below)
#  imaps                cmd="imapd -s" listen="imaps" prefork=1
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=1


service cyrus-imapd start
service saslauthd start

# testsaslauthd -u jeffrey_leung -p shenzheng123456/
0: OK "Success."


===================================================================================

mkdir /bak_conf
cp /etc/krb5.conf /bak_conf/
cp /etc/samba/smb.conf /bak_conf/
cp /etc/postfix/main.cf /bak_conf/

===================================================================================

vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CENTOS.WINSERVER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CENTOS.WINSERVER.COM = {
  kdc = 172.16.10.100:88
  admin_server = 172.16.10.100:749
  default_domain = CENTOS.WINSERVER.COM
 }

[domain_realm]
 .centos.winserver.com = CENTOS.WINSERVER.COM
 centos.winserver.com = CENTOS.WINSERVER.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

===================================================================================
vi /etc/samba/smb.conf

[global]
   workgroup = centos
   netbios name = filesrv01
   server string = Samba Server Version %v
   password server = 172.16.10.100
   realm = CENTOS.WINSERVER.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind separator = /
   template shell = /sbin/nologin
   winbind use default domain = true
   winbind offline logon = false
   client use spnego = no
   server signing = auto
;  interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;  hosts allow = 127. 192.168.12. 192.168.13.
   log file = /var/log/samba/%m.log
   max log size = 50
   encrypt passwords = yes
   os level = 20
   preferred master = no
   dns proxy = no

   winbind enum users = yes
   winbind enum groups = yes
;  note: the wbinfo output below reports /home/CENTOS/ja_li, i.e. the /home/%D/%U form, not this template
   template homedir = /home/%U

[homes]
   comment = Home Directories
   path = /home/%U
   browseable = no
   writable = yes
   valid users = %U
;  valid users = MYDOMAIN\%S


===================================================================================

######### Add Linux Server to Windows 2003 AD #########

authconfig
    User Information
         [*] Cache Information
         [*] Use Winbind

    Authentication
         [*] Use MD5 Passwords
         [*] Use Shadow Passwords
         [*] Use Kerberos
         [*] Use SMB Authentication
         [*] Use Winbind Authentication

       Realm: CENTOS.WINSERVER.COM
         KDC: 172.16.10.100:88,172.16.10.100
Admin Server: 172.16.10.100:749
              [] Use DNS to resolve hosts to realms
              [] use DNS to locate KDCs for realms

    Security Model:(*) ads
                   ()  domain
            Domain: centos
Domain Controllers: 172.16.10.100
         ADS Realm: CENTOS.WINSERVER.COM
    Template Shell: () /sbin/nologin
                    () /bin/sh
                    (*) /bin/bash
                    () /bin/tcsh
                    () /bin/ksh
[ Join Domain ]
       User:  Administrator
   Password:  centos
[ OK ]
[ OK ]

===================================================================================
less /etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind

===================================================================================

######### Test against Windows 2003 AD (kinit) #########
# kinit administrator@CENTOS.WINSERVER.COM
Password for administrator@CENTOS.WINSERVER.COM:
#



######### Join the Samba server to the AD domain #########
# net ads join -U administrator@CENTOS.WINSERVER.COM
administrator@CENTOS.WINSERVER.COM's password:
Using short domain name -- CENTOS
Joined 'FILESRV01' to realm 'CENTOS.WINSERVER.COM'


######### Check Domain User Information  #########
# wbinfo --user-info=ja_li
ja_li:*:16777216:10000:Jack Li:/home/CENTOS/ja_li:/sbin/nologin
# wbinfo --user-info=cl_ye
cl_ye:*:16777217:10000:Crolson Ye:/home/CENTOS/cl_ye:/sbin/nologin


######### Check Domain Group Information  #########
# wbinfo --group-info=SZIT
szit:*:10001
# wbinfo --group-info=SZQC
szqc:*:10002
# wbinfo --group-info=SZHR
szhr:*:10003
# wbinfo --group-info=SZFinance
szfinance:*:10004

# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
szit
szhr
szqc
szfinance

==================================

# net getdomainsid
SID for domain FILESRV01 is: S-1-5-21-579886517-2040302620-1869373772
SID for domain CENTOS is: S-1-5-21-2075900954-1661521954-1233162749


###### Testing Connection from Samba to Localhost & AD Server ######

# smbclient -L localhost -U ja_li
Password:
Domain= OS= Server=

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server Version 3.0.33-3.7.el5)
        ja_li         Disk      Home Directories
Domain= OS= Server=

        Server               Comment
        ---------            -------
        FILESRV01            Samba Server Version 3.0.33-3.7.el5
        WINSERVER

        Workgroup            Master
        ---------            -------
        CENTOS               WINSERVER


============================================

# smbclient -L winserver -U ja_li
Password:
Domain= OS= Server=

        Sharename       Type      Comment
        ---------         ----        -------
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        ADMIN$          Disk      Remote Admin
        SYSVOL          Disk      Logon server share
        C$              Disk      Default share
Domain= OS= Server=

        Server               Comment
        ---------            ------------
        FILESRV01         Samba Server Version 3.0.33-3.7.el5
        WINSERVER            

        Workgroup         Master
        ---------             ---------
        CENTOS              WINSERVER

==================================

###### Create folders for Windows AD users ######

# mkdir /home/centos     # NB: wbinfo above reports /home/CENTOS/<user> (upper case); Linux paths are case-sensitive
# mkdir /home/centos/ja_li
# mkdir /home/centos/cl_ye
# ll /home/centos
total 12
drwxr-xr-x 2 root root 4096 Apr 29 11:29 cl_ye
drwxr-xr-x 2 root root 4096 Apr 29 11:29 ja_li

# chown cl_ye. cl_ye
# chown ja_li. ja_li

# ll
total 8
drwxr-xr-x 2 cl_ye domain users 4096 Apr 29 11:29 cl_ye
drwxr-xr-x 2 ja_li    domain users 4096 Apr 29 11:29 ja_li

# chmod 700 -R cl_ye
# chmod 700 -R ja_li
# ll
total 8
drwx------ 2 cl_ye domain users 4096 Apr 29 11:29 cl_ye
drwx------ 2 ja_li    domain users 4096 Apr 29 11:29 ja_li

===================================================================================

vi /etc/postfix/main.cf
#soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
#default_privs = nobody
myhostname = filesrv01.centos.winserver.com
mydomain = centos.winserver.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
        mail.$mydomain, www.$mydomain, ftp.$mydomain
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 550
# mynetworks_style is only consulted when mynetworks is NOT set, so the explicit
# list below wins. 172.16.0.0/16 is the whole LAN, but with the restriction order
# further down it only gets delivery to local domains, not relaying.
mynetworks_style = class
mynetworks = 172.16.0.0/16, 127.0.0.0/8
relay_domains = $mydestination
#relayhost = $mydomain
#relayhost =
#relayhost = uucphost
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#in_flow_delay = 1s
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#recipient_delimiter = +
#home_mailbox = Mailbox
#home_mailbox = Maildir/
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# Hand local mail to Cyrus. Only one mailbox_transport can be active: when a
# parameter is set twice Postfix keeps the last value, so the "cyrus" transport
# from master.cf is what was actually in effect; the LMTP socket is the alternative.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = cyrus
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
#header_checks = regexp:/etc/postfix/header_checks
#fast_flush_domains = $relay_domains
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

# SMTP AUTH via Cyrus-SASL (saslauthd -> AD). No smtpd_tls_* parameter is set,
# so PLAIN/LOGIN credentials are accepted over cleartext port 25.
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = winserver.$mydomain
smtpd_sasl_security_options = noanonymous
# Evaluated in order at RCPT TO; the first permit/reject wins and the end of the
# list permits. check_relay_domains (originally the last item, without a comma)
# is deprecated and redundant after reject_unauth_destination; dropping it does
# not change the outcome.
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes

==================================================================

service postfix start
# telnet 172.16.10.200 25
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
220 filesrv01.centos.winserver.com ESMTP Postfix
ehlo filesrv01.centos.winserver.com
250-filesrv01.centos.winserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^]
telnet> q
Connection closed.

==================================

# telnet 172.16.10.200 110
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
+OK filesrv01.centos.winserver.com Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready <3135115115.1241002064@filesrv01.centos.winserver.com>
^]
telnet> q
Connection closed.

==================================

# telnet 172.16.10.200 143
Trying 172.16.10.200...
Connected to filesrv01.centos.winserver.com (172.16.10.200).
Escape character is '^]'.
* OK filesrv01.centos.winserver.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
^]
telnet> q
Connection closed.
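Two things in the winbind output above deserve a second look: the home directories are reported as /home/CENTOS/<user> while the directories are later created under /home/centos, and the gid 10000 lies outside the idmap gid range set in smb.conf. The script below is an added example for this page, not code from the original post or from Samba; it parses wbinfo's passwd-format lines and runs those two checks over a constructed copy of the page's data (the two wbinfo lines and the id ranges are taken from the notes, the directory set is embedded rather than read from a live system, and the list of non-login shells is an assumption of the example).

```python
"""Sanity checks on winbind's view of AD users vs. the Linux home directories.
Added example; the sample data is copied from the notes, the directory set is
constructed, nothing is read from a live system."""

# The two `wbinfo --user-info` lines from the notes (passwd(5) format).
WBINFO_OUTPUT = """\
ja_li:*:16777216:10000:Jack Li:/home/CENTOS/ja_li:/sbin/nologin
cl_ye:*:16777217:10000:Crolson Ye:/home/CENTOS/cl_ye:/sbin/nologin
"""

# Directories the notes create by hand (constructed set, lower-case "centos").
EXISTING_DIRS = {"/home/centos/ja_li", "/home/centos/cl_ye"}

# idmap uid/gid ranges from the smb.conf in the notes.
IDMAP_UID = "16777216-33554431"
IDMAP_GID = "16777216-33554431"


def parse_wbinfo(text):
    """Parse name:pw:uid:gid:gecos:home:shell lines into dicts."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_range(spec):
    """smb.conf 'idmap uid = LOW-HIGH' value -> (LOW, HIGH)."""
    low, high = spec.split("-")
    return int(low), int(high)


def check_homes(users, existing, nologin_shells=("/sbin/nologin", "/bin/false")):
    """Return (user, problem) pairs. Linux paths are case-sensitive: winbind's
    /home/CENTOS/ja_li and the hand-made /home/centos/ja_li are two different
    directories, so that case is reported separately from a missing home.
    nologin_shells is an assumption of this example."""
    by_lower = {p.lower(): p for p in existing}
    problems = []
    for u in users:
        home = u["home"]
        if home not in existing:
            if home.lower() in by_lower:
                problems.append((u["name"], "case mismatch: %s vs %s" % (home, by_lower[home.lower()])))
            else:
                problems.append((u["name"], "home %s does not exist" % home))
        if u["shell"] in nologin_shells:
            problems.append((u["name"], "shell %s refuses interactive logins" % u["shell"]))
    return problems


def check_idmap(users, uid_range, gid_range):
    """IDs that winbind allocated itself must lie inside the configured idmap
    ranges; an ID outside them was not produced by this allocation."""
    out = []
    for u in users:
        if not uid_range[0] <= u["uid"] <= uid_range[1]:
            out.append((u["name"], "uid", u["uid"]))
        if not gid_range[0] <= u["gid"] <= gid_range[1]:
            out.append((u["name"], "gid", u["gid"]))
    return out


if __name__ == "__main__":
    users = parse_wbinfo(WBINFO_OUTPUT)
    for name, problem in check_homes(users, EXISTING_DIRS):
        print("HOME:", name, problem)
    for name, kind, value in check_idmap(users, parse_range(IDMAP_UID), parse_range(IDMAP_GID)):
        print("IDMAP:", name, kind, value, "is outside the configured range")
```

On a live box the same checks can be fed from `wbinfo --user-info=<user>` and `testparm -s`; the case mismatch reported for both users is the first thing to rule out for the unmapped-home problem listed under the unfinished items.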
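The main.cf in the notes sets mailbox_transport twice, keeps the deprecated check_relay_domains at the end of its recipient restrictions, and offers SMTP AUTH with no TLS parameter at all. The script below is an added example for this page, not code from the original post or from Postfix: it parses a constructed excerpt of that main.cf using Postfix's continuation-line rule, reports the duplicated key and the other findings, and walks smtpd_recipient_restrictions for four sample clients so the effect of the restriction order is visible. The client addresses 172.16.10.55 and 203.0.113.7 and the recipient bob@example.net are made up; the evaluation model is simplified (exact domain matches only, no subdomain or virtual-domain rules).

```python
"""Offline checks on the main.cf from the notes.
Added example, not code from the original post or from Postfix. MAIN_CF is a
constructed excerpt (only the parameters that matter for recipient checks)."""

import ipaddress
import re

MAIN_CF = """\
myhostname = filesrv01.centos.winserver.com
mydomain = centos.winserver.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
        mail.$mydomain, www.$mydomain, ftp.$mydomain
mynetworks_style = class
mynetworks = 172.16.0.0/16, 127.0.0.0/8
relay_domains = $mydestination
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = cyrus
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks check_relay_domains
"""


def parse_main_cf(text):
    """A line starting with whitespace continues the previous parameter; a
    repeated assignment silently overrides the earlier one (postconf -n only
    shows the winner). Returns (params, keys_set_more_than_once)."""
    params, dups, key = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        if key in params:
            dups.append(key)
        params[key] = value.strip()
    return params, dups


def expand(params, value):
    """Expand $name references such as $mydomain, recursively."""
    prev = None
    while prev != value:
        prev = value
        value = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), value)
    return value


def as_list(params, name):
    """Postfix splits list parameters on commas and/or whitespace, so the
    missing comma before check_relay_domains is cosmetic: still two items."""
    return [t for t in re.split(r"[,\s]+", expand(params, params.get(name, ""))) if t]


def in_mynetworks(params, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in as_list(params, "mynetworks"))


def evaluate_rcpt(params, client_ip, sasl_user, rcpt):
    """Walk smtpd_recipient_restrictions as smtpd does at RCPT TO: the first
    restriction that answers permit/reject decides, the end of the list is an
    implicit permit. Simplified: exact domain matches only, no virtual domains.
    Returns (verdict, deciding_restriction)."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    final = {d.lower() for d in as_list(params, "mydestination")}
    relay = {d.lower() for d in as_list(params, "relay_domains")}
    for r in as_list(params, "smtpd_recipient_restrictions"):
        if r == "permit_sasl_authenticated" and sasl_user:
            return "permit", r
        if r == "reject_unauth_destination" and rcpt_domain not in final | relay:
            return "reject", r                     # 554 5.7.1 Relay access denied
        if r == "permit_mynetworks" and in_mynetworks(params, client_ip):
            return "permit", r
        if r == "check_relay_domains":             # deprecated since Postfix 2.0
            if in_mynetworks(params, client_ip) or rcpt_domain in relay:
                return "permit", r
            return "reject", r
    return "permit", "end-of-list"


def lint(params, dups):
    """The findings a reviewer would raise on this main.cf."""
    findings = []
    for k in dups:
        findings.append("%s is set more than once; Postfix keeps the last value (%r)" % (k, params[k]))
    if "mynetworks" in params and "mynetworks_style" in params:
        findings.append("mynetworks_style is ignored because mynetworks is set explicitly")
    if "check_relay_domains" in as_list(params, "smtpd_recipient_restrictions"):
        findings.append("check_relay_domains is deprecated and redundant after reject_unauth_destination")
    tls_keys = ("smtpd_tls_security_level", "smtpd_use_tls", "smtpd_tls_auth_only")
    if params.get("smtpd_sasl_auth_enable") == "yes" and not any(k in params for k in tls_keys):
        findings.append("SASL AUTH is offered without TLS: PLAIN/LOGIN send the AD password "
                        "base64-encoded, not encrypted")
    return findings


if __name__ == "__main__":
    params, dups = parse_main_cf(MAIN_CF)
    for f in lint(params, dups):
        print("WARN:", f)
    for client, user, rcpt in [
        ("172.16.10.55", None, "ja_li@centos.winserver.com"),  # LAN, no AUTH, local rcpt
        ("172.16.10.55", None, "bob@example.net"),            # LAN, no AUTH, external rcpt
        ("203.0.113.7", "ja_li", "bob@example.net"),          # remote, AUTH ok, relays
        ("203.0.113.7", None, "cl_ye@centos.winserver.com"),  # remote, inbound MX mail
    ]:
        print(client, user, rcpt, "->", evaluate_rcpt(params, client, user, rcpt))
```

The walk shows why the restriction order matters: because reject_unauth_destination comes before permit_mynetworks, an unauthenticated LAN client can deliver to the local domains but cannot relay out, while an authenticated user can relay from anywhere. Since that AUTH happens in clear on port 25 and the accounts are AD accounts, the TLS finding is the one to fix first.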
《Reply》

Nice, real hands-on notes.

Still, it would be even better if the OP could add some explanatory text :mrgreen:
《Reply》

:mrgreen:
《Reply》

:wink: Learned something.
《Reply》

Studying this.
《Reply》

Good, thanks.
《Reply》

A question for the OP:
I am using sendmail. Domain-user authentication is already working, and there are no local mail users on the mail server. Mail clients can authenticate with a domain account,
but there are a few things I cannot get working:
1. A new user's maildir is not created automatically.
2. After creating it by hand and setting permissions, the mail user still cannot use it.
Nov 26 13:06:33 mail dovecot: POP3(dong): Ambiguous mail location setting, don't know what to do with it: /var/spool/maildir/dong/ (try prefixing it with mbox: or maildir:)
Nov 26 13:06:33 mail dovecot: POP3(dong): Failed to create storage with data: /var/spool/maildir/dong/
Nov 26 13:06:33 mail dovecot: child 3263 (pop3) returned error 89

How should this be handled?


http://coctec.com/docs/service/show-post-19790.html