{"id":1519,"date":"2014-03-04T17:10:25","date_gmt":"2014-03-04T15:10:25","guid":{"rendered":"http:\/\/stephane.weblog.starend.org\/?p=1519"},"modified":"2014-03-04T17:10:25","modified_gmt":"2014-03-04T15:10:25","slug":"station-linux-et-serveur-windows","status":"publish","type":"post","link":"http:\/\/stephane.weblog.starend.org\/?p=1519","title":{"rendered":"Linux workstation and Windows server"},"content":{"rendered":"<p style=\"text-align: justify;\">Here we carry out the first step towards integrating <em>Linux<\/em> workstations into a <em>Microsoft Active Directory<\/em> domain at <a title=\"Pr\u00e9sentation des niveaux fonctionnels des services de domaine Active Directory\" href=\"http:\/\/technet.microsoft.com\/fr-fr\/library\/understanding-active-directory-functional-levels%28v=ws.10%29.aspx\" target=\"_blank\">functional level 2003<\/a>. Joining an AD domain at functional level 2008 or higher will be covered another time.<\/p>\n<p style=\"text-align: justify;\">Starting conditions for the experiment:<\/p>\n<ul>\n<li>Workstation: Ubuntu Linux 13.10, base 64-bit installation with no additional packages.<\/li>\n<li>Server: Microsoft Windows 2003 R2, Active Directory domain enabled, functional level 2003.<\/li>\n<li>Domain: MONRESEAU.NET<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">The documentation below draws heavily on the article &lsquo;<a title=\"Ubuntu 12.04 Active Directory Authentication\" href=\"http:\/\/koo.fi\/blog\/2013\/01\/06\/ubuntu-12-04-active-directory-authentication\/\" target=\"_blank\">koo.fi blog &#8211; Ubuntu 12.04 Active Directory Authentication<\/a>&rsquo;.<\/p>\n<p style=\"text-align: justify;\">Outline:<\/p>\n<ol>\n<li>Workstation &#8211; Install and configure Kerberos<\/li>\n<li>Workstation &#8211; Install and configure Samba<\/li>\n<li>Workstation &#8211; Create the keytab file<\/li>\n<li>Workstation &#8211; Automatic renewal of the Kerberos ticket<\/li>\n<li>Workstation &#8211; Install and configure LDAP<\/li>\n<li>Server &#8211; Configure the AD user accounts<\/li>\n<li>Workstation &#8211; Configure NSS<\/li>\n<li>Workstation &#8211; Configure PAM<\/li>\n<li>Conclusion<\/li>\n<li>Links<\/li>\n<li>Appendix<\/li>\n<\/ol>\n<p>On the workstation, every command is run as <em>root<\/em> or, better, through <em>sudo<\/em>.<\/p>\n<p><!--more--><\/p>\n<h2 style=\"text-align: justify;\">1. Workstation &#8211; Install and configure Kerberos<\/h2>\n<p style=\"text-align: justify;\">The workstation's hostname is <code>STATION01<\/code>.<\/p>\n<p style=\"text-align: justify;\">The network and the package repositories must be working.<\/p>\n<p style=\"text-align: justify;\">Install the packages required for <a title=\"Kerberos (protocole)\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Kerberos_%28protocole%29\" target=\"_blank\">Kerberos<\/a>:<br \/>\n<code>aptitude install libpam-krb5 krb5-user kstart ntp<\/code><\/p>\n<p style=\"text-align: justify;\">The AD domain is <code>MONRESEAU.NET<\/code>. The associated DNS domain is <code>monreseau.net<\/code>. User UIDs in AD are allocated from <em>5000<\/em> upwards; accounts with a lower value will not be recognised. There are two AD domain controllers: <code>dc1.monreseau.net<\/code> and <code>dc2.monreseau.net<\/code>.<\/p>\n<p style=\"text-align: justify;\">Edit the file <code>\/etc\/krb5.conf<\/code>:<\/p>\n<pre>[appdefaults]\n  pam = {\n    realm = MONRESEAU.NET\n    ticket_lifetime = 1d\n    renew_lifetime = 1d\n    forwardable = true\n    proxiable = false\n    retain_after_close = false\n    minimum_uid = 5000\n    try_first_pass = true\n    ignore_root = true\n  }\n[libdefaults]\n  default_realm = MONRESEAU.NET\n  default_keytab_name = FILE:\/etc\/krb5.keytab\n  krb4_config = \/etc\/krb.conf\n  krb4_realms = \/etc\/krb.realms\n  kdc_timesync = 1\n  ccache_type = 4\n  forwardable = true\n  proxiable = false\n  v4_instance_resolve = false\n  v4_name_convert = {\n    host = {\n      rcmd = host\n      ftp = ftp\n    }\n    plain = {\n      something = something-else\n    }\n  }\n  fcc-mit-ticketflags = true\n[realms]\n  MONRESEAU.NET = {\n    kdc = dc1\n    kdc = dc2\n    admin_server = dc1\n    default_domain = monreseau.net\n    auth_to_local = DEFAULT\n  }\n[domain_realm]\n  .monreseau.net = MONRESEAU.NET\n  monreseau.net = MONRESEAU.NET\n[login]\n  krb4_convert = true\n  krb4_get_tickets = false<\/pre>\n<p style=\"text-align: justify;\">Request a Kerberos ticket from an AD domain controller. The ticket is requested for an account that has the right to add a new workstation to the AD domain, typically an administrator. That right will be used during the Samba configuration.<br \/>\nUse the command:<br \/>\n<code>kinit administrateur@MONRESEAU.NET<\/code><\/p>\n<p style=\"text-align: justify;\">You can check at any time that you hold a valid ticket with:<br \/>\n<code>klist<\/code><\/p>\n<h2 style=\"text-align: justify;\">2. 
Workstation &#8211; Install and configure Samba<\/h2>\n<p style=\"text-align: justify;\">Install the packages required for <a title=\"Samba\" href=\"http:\/\/www.samba.org\/\" target=\"_blank\">Samba<\/a>:<br \/>\n<code>aptitude install smbclient<\/code><\/p>\n<p style=\"text-align: justify;\">Edit the configuration file <code>\/etc\/samba\/smb.conf<\/code>:<\/p>\n<pre>[global]\n  workgroup = MONRESEAU\n  netbios name = STATION01\n  realm = MONRESEAU.NET\n  server string = %h\n  dns proxy = no\n  log file = \/var\/log\/samba\/log.%m\n  max log size = 1000\n  syslog = 0\n  panic action = \/usr\/share\/samba\/panic-action %d\n  security = ADS\n  kerberos method = system keytab\n  encrypt passwords = true\n  passdb backend = tdbsam\n  obey pam restrictions = yes\n  unix password sync = yes\n  passwd program = \/usr\/bin\/passwd %u\n  passwd chat = *Enter\\snew\\s*\\spassword:* %n\\n *Retype\\snew\\s*\\spassword:* %n\\n *password\\supdated\\ssuccessfully* .\n  pam password change = yes\n  map to guest = bad user\n  usershare allow guests = yes\n[printers]\n  comment = All Printers\n  browseable = no\n  path = \/var\/spool\/samba\n  printable = yes\n  guest ok = no\n  read only = yes\n  create mask = 0700\n[print$]\n  comment = Printer Drivers\n  path = \/var\/lib\/samba\/printers\n  browseable = yes\n  read only = yes\n  guest ok = no<\/pre>\n<p style=\"text-align: justify;\">Join the workstation to the AD domain with the command:<br \/>\n<code>net ads join -k<\/code><\/p>\n<p style=\"text-align: justify;\">You may see a &ldquo;<em>DNS update failed<\/em>&rdquo; error. That is harmless; the join to the AD domain succeeds anyway.<\/p>\n<p style=\"text-align: justify;\">See the <em>Samba<\/em> documentation on <a title=\"Kerberos method\" href=\"http:\/\/www.samba.org\/samba\/docs\/man\/manpages-3\/smb.conf.5.html#KERBEROSMETHOD\" target=\"_blank\">kerberos method<\/a>.<\/p>\n<h2 style=\"text-align: justify;\">3. Workstation &#8211; Create the keytab file<\/h2>\n<p style=\"text-align: justify;\">We told Kerberos to use the file <code>\/etc\/krb5.keytab<\/code>, but it does not exist yet and has to be created. Run the command:<br \/>\n<code>net ads keytab create<\/code><\/p>\n<p style=\"text-align: justify;\">You can check that everything is working so far with:<br \/>\n<code>kinit -V -k \"STATION01$\"<\/code><\/p>\n<p style=\"text-align: justify;\">The keytab file holds a key that must be protected:<br \/>\n<code>chown root.root \/etc\/krb5.keytab<br \/>\nchmod 600 \/etc\/krb5.keytab<\/code><\/p>\n<h2 style=\"text-align: justify;\">4. Workstation &#8211; Automatic renewal of the Kerberos ticket<\/h2>\n<p style=\"text-align: justify;\">The machine's Kerberos ticket is only valid for 24 hours, so it must be renewed regularly. 
We choose to renew it every hour through <a title=\"Cron\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Cron\" target=\"_blank\">cron<\/a>.<\/p>\n<p style=\"text-align: justify;\">Add to <code>\/etc\/crontab<\/code>:<\/p>\n<pre>2  *    * * *   root    kinit -k \"STATION01$\" -c \/tmp\/krb5cc_host ; chmod 644 \/tmp\/krb5cc_host<\/pre>\n<p style=\"text-align: justify;\"><strong><span style=\"color: #ff0000;\">Review the protection of \/tmp\/krb5cc_host: the <code>chmod 644<\/code> leaves the machine's credential cache readable by every local user &#8230;<\/span><\/strong><\/p>\n<p style=\"text-align: justify;\">To renew the user's own ticket, a small job is added at session start.<br \/>\nCreate the file <code>\/usr\/share\/upstart\/sessions\/krenew.conf<\/code> with:<\/p>\n<pre>description \"User TGT KRB5\"\nauthor \"Stephane DENDIEVEL\"\n\nstart on starting xsession-init\n\nrespawn\n\nexec krenew -K 60<\/pre>\n<h2 style=\"text-align: justify;\">5. 
Workstation &#8211; Install and configure LDAP<\/h2>\n<p style=\"text-align: justify;\">Install the packages required for <a title=\"OpenLDAP\" href=\"http:\/\/www.openldap.org\/\" target=\"_blank\">OpenLDAP<\/a>:<br \/>\n<code>aptitude install ldap-utils libsasl2-modules-gssapi-mit<\/code><\/p>\n<p style=\"text-align: justify;\">Edit the file <code>\/etc\/ldap.conf<\/code>:<\/p>\n<pre>use_sasl on\nsasl_auth_id STATION01$\nkrb5_ccname FILE:\/tmp\/krb5cc_host\nbase dc=monreseau,dc=net\nuri ldap:\/\/dc1.monreseau.net ldap:\/\/dc2.monreseau.net\nldap_version 3\nsizelimit 10000\ntimelimit 10\nbind_timelimit 5\nnetwork_timeout 3\ntls_checkpeer no\nreferrals no\nbind_policy soft\nscope sub\nnss_base_passwd\tdc=monreseau,dc=net?sub\nnss_base_shadow\tdc=monreseau,dc=net?sub\nnss_base_group\tdc=monreseau,dc=net?sub\nnss_map_objectclass posixAccount User\nnss_map_objectclass shadowAccount User\nnss_map_objectclass posixGroup Group\nnss_map_attribute uid uid\nnss_map_attribute uidNumber uidNumber\nnss_map_attribute gidNumber gidNumber\nnss_map_attribute loginShell loginShell\nnss_map_attribute gecos name\nnss_map_attribute userPassword msSFU30Password\nnss_map_attribute homeDirectory unixHomeDirectory\nnss_map_attribute shadowLastChange pwdLastSet\nnss_map_attribute uniqueMember msSFU30PosixMember\nnss_map_attribute cn cn\npam_login_attribute msSFU30Name\npam_filter objectclass=User\npam_password ad\nnss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dirmngr,dnsmasq,festival,games,gdm,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sync,sys,syslog,usbmux,uucp,whoopsie,www-data<\/pre>\n<p style=\"text-align: justify;\">Copy <code>\/etc\/ldap.conf<\/code> to <code>\/etc\/ldap\/ldap.conf<\/code>.<\/p>\n<p style=\"text-align: justify;\">The configuration can be checked simply with the command:<br \/>\n<code>ldapsearch<\/code><\/p>\n<h2 style=\"text-align: justify;\">6. Server &#8211; Configure the AD user accounts<\/h2>\n<p style=\"text-align: justify;\">In an <em>ADUC<\/em> console, enable the advanced view. <em>ADSIedit<\/em> can be used as well. Finally, the task can be scripted with <em>PowerShell<\/em>.<\/p>\n<p style=\"text-align: justify;\">For each user, add the attributes:<\/p>\n<ul>\n<li><code>uid = username<\/code><br \/>\nThe name the user must type to log in. Typically equal to <code>sAMAccountName<\/code>.<\/li>\n<li><code>uidNumber = 10001<\/code><br \/>\nMust be unique and must not already exist by default on the <em>Linux<\/em> workstations.<\/li>\n<li><code>gidNumber = 100<\/code><br \/>\nThe equivalent of the <code>users<\/code> group under <em>Linux<\/em>.<\/li>\n<li><code>unixHomeDirectory = \/home\/username<\/code><br \/>\nWhere the user's home directory will be created and used.<\/li>\n<li><code>loginShell = \/bin\/bash<\/code><br \/>\nThe user's default shell.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">In our case there is no need to install tools to <a title=\"Gestion des identit\u00e9s pour UNIX\" href=\"http:\/\/technet.microsoft.com\/fr-fr\/library\/cc773240%28v=ws.10%29.aspx#BKMK_UNIXIdentity\" target=\"_blank\">manage UNIX accounts in Windows 2003 R2<\/a>.<\/p>\n<h2 style=\"text-align: justify;\">7. 
Workstation &#8211; Configure NSS<\/h2>\n<p style=\"text-align: justify;\">Install the packages required for <a title=\"NSS\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Name_Service_Switch\" target=\"_blank\">NSS<\/a>:<br \/>\n<code>aptitude install libnss-ldap libpam-ldap libnss-myhostname<\/code><\/p>\n<p>Edit the file <code>\/etc\/nsswitch.conf<\/code>:<\/p>\n<pre>passwd:         compat ldap\ngroup:          compat ldap\nshadow:         compat ldap\n\nhosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4\nnetworks:       files\n\nprotocols:      db files\nservices:       db files\nethers:         db files\nrpc:            db files\nnetgroup:       nis<\/pre>\n<h2 style=\"text-align: justify;\">8. 
Workstation &#8211; Configure PAM<\/h2>\n<p style=\"text-align: justify;\">Install the additional packages for <a title=\"PAM\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Pluggable_Authentication_Modules\" target=\"_blank\">PAM<\/a>:<br \/>\n<code>aptitude install libpam-ccreds<\/code><\/p>\n<p>Edit the file <code>\/etc\/pam.d\/common-auth<\/code>:<\/p>\n<pre>auth    [success=3 default=ignore]    pam_krb5.so minimum_uid=5000\nauth    [success=2 default=ignore]    pam_unix.so nullok_secure try_first_pass\nauth    [success=1 default=ignore]    pam_ldap.so use_first_pass\nauth    requisite                     pam_deny.so\nauth    required                      pam_permit.so\nauth    optional                      pam_cap.so<\/pre>\n<p>Edit the file <code>\/etc\/pam.d\/common-account<\/code>:<\/p>\n<pre>account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so\naccount    [success=1 default=ignore]                          pam_ldap.so\naccount    requisite                                           pam_deny.so\naccount    required                                            pam_permit.so\naccount    required                                            pam_krb5.so minimum_uid=5000<\/pre>\n<p>Edit the file <code>\/etc\/pam.d\/common-password<\/code>:<\/p>\n<pre>password    [success=3 default=ignore]                    pam_krb5.so minimum_uid=5000\npassword    [success=2 default=ignore]                    pam_unix.so obscure use_authtok try_first_pass sha512\npassword    [success=1 user_unknown=ignore default=die]   pam_ldap.so use_authtok try_first_pass\npassword    requisite                                     pam_deny.so\npassword    required                                      pam_permit.so\npassword    optional                                      pam_gnome_keyring.so<\/pre>\n<p>Edit the file <code>\/etc\/pam.d\/common-session<\/code>:<\/p>\n<pre>session    [default=1]    pam_permit.so\nsession    requisite      pam_deny.so\nsession    required       pam_permit.so\nsession    optional       pam_umask.so\nsession    optional       pam_krb5.so minimum_uid=5000\nsession    required       pam_unix.so\nsession    required       pam_mkhomedir.so skel=\/etc\/skel\/ umask=0077\nsession    optional       pam_ldap.so\nsession    optional       pam_systemd.so\nsession    optional       pam_ck_connector.so nox11<\/pre>\n<h2 style=\"text-align: justify;\">9. 
Conclusion<\/h2>\n<p style=\"text-align: justify;\">After a quick reboot, logging in as an AD user should work.<br \/>\nIf needed, this can also be checked on a text console (press [Ctrl]-[Alt]-[F1]) or over <em>SSH<\/em>.<\/p>\n<p style=\"text-align: justify;\">What comes back from AD can be checked on a workstation with the commands:<br \/>\n<code>getent passwd<br \/>\ngetent shadow<br \/>\ngetent group<\/code><\/p>\n<p style=\"text-align: justify;\">There are surely things to improve, but this is a good working base.<\/p>\n<p style=\"text-align: justify;\">For the display manager, I looked for one that lets you type an (AD) login name while still looking reasonably attractive. I settled on <em>KDM<\/em>.<\/p>\n<p style=\"text-align: justify;\"><em>Thunderbird<\/em> crashes after a few seconds of running. It appears to be a problem specific to user accounts held in <em>LDAP<\/em>, i.e. non-local ones. Install <code>nscd<\/code> to fix it.<\/p>\n<p style=\"text-align: justify;\">With <em>Gnome<\/em>, <em>cinnamon<\/em> and <em>Unity<\/em>, logging out and switching user sometimes cause problems. The problem does not appear under <em>afterstep<\/em>, <em>blackbox<\/em>, <em>enlightenment<\/em>, <em>fluxbox<\/em>, <em>flwm<\/em>, <em>icewm<\/em>, <em>KDE<\/em>, <em>LXDE<\/em>, <em>twm<\/em>, <em>tinywm<\/em>, <em>vtwm<\/em>, <em>windowmaker<\/em> or <em>XFCE<\/em>. It seems related to <em>GTK<\/em>&#8230;<\/p>\n<h2 style=\"text-align: justify;\">10. 
Liens<\/h2>\n<ul>\n<li><a title=\"Kerberos\" href=\"https:\/\/help.ubuntu.com\/community\/Kerberos\" target=\"_blank\">https:\/\/help.ubuntu.com\/community\/Kerberos<\/a><\/li>\n<li><a title=\"Kerberos et LDAP\" href=\"http:\/\/guide.ubuntu-fr.org\/server\/kerberos-ldap.html\" target=\"_blank\">http:\/\/guide.ubuntu-fr.org\/server\/kerberos-ldap.html<\/a><\/li>\n<li><a title=\"Ubuntu 12.04 Active Directory Authentication\" href=\"http:\/\/koo.fi\/blog\/2013\/01\/06\/ubuntu-12-04-active-directory-authentication\/\" target=\"_blank\">http:\/\/koo.fi\/blog\/2013\/01\/06\/ubuntu-12-04-active-directory-authentication\/<\/a><\/li>\n<li><a title=\"Pr\u00e9sentation des niveaux fonctionnels des services de domaine Active Directory\" href=\"http:\/\/technet.microsoft.com\/fr-fr\/library\/understanding-active-directory-functional-levels%28v=ws.10%29.aspx\" target=\"_blank\">http:\/\/technet.microsoft.com\/fr-fr\/library\/understanding-active-directory-functional-levels%28v=ws.10%29.aspx<\/a><\/li>\n<li><a title=\"Kerberos (protocole)\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Kerberos_%28protocole%29\" target=\"_blank\">http:\/\/fr.wikipedia.org\/wiki\/Kerberos_%28protocole%29<\/a><\/li>\n<li><a title=\"Samba\" href=\"http:\/\/www.samba.org\/\" target=\"_blank\">http:\/\/www.samba.org\/<\/a><\/li>\n<li><a title=\"Kerberos method\" href=\"http:\/\/www.samba.org\/samba\/docs\/man\/manpages-3\/smb.conf.5.html#KERBEROSMETHOD\" target=\"_blank\">http:\/\/www.samba.org\/samba\/docs\/man\/manpages-3\/smb.conf.5.html#KERBEROSMETHOD<\/a><\/li>\n<li><a title=\"Cron\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Cron\" target=\"_blank\">http:\/\/fr.wikipedia.org\/wiki\/Cron<\/a><\/li>\n<li><a title=\"OpenLDAP\" href=\"http:\/\/www.openldap.org\/\" target=\"_blank\">http:\/\/www.openldap.org\/<\/a><\/li>\n<li><a title=\"NSS\" href=\"http:\/\/fr.wikipedia.org\/wiki\/Name_Service_Switch\" target=\"_blank\">http:\/\/fr.wikipedia.org\/wiki\/Name_Service_Switch<\/a><\/li>\n<li><a title=\"PAM\" 
href=\"http:\/\/fr.wikipedia.org\/wiki\/Pluggable_Authentication_Modules\" target=\"_blank\">http:\/\/fr.wikipedia.org\/wiki\/Pluggable_Authentication_Modules<\/a><\/li>\n<li><a title=\"Gestion des identit\u00e9s pour UNIX\" href=\"http:\/\/technet.microsoft.com\/fr-fr\/library\/cc773240%28v=ws.10%29.aspx#BKMK_UNIXIdentity\" target=\"_blank\">http:\/\/technet.microsoft.com\/fr-fr\/library\/cc773240%28v=ws.10%29.aspx#BKMK_UNIXIdentity<\/a><\/li>\n<\/ul>\n<h2>11. Annexes<\/h2>\n<p style=\"text-align: justify;\">Voici un script <code>install.sh<\/code> de d\u00e9ploiement rapide \u00e0 lancer avec le compte d&rsquo;installation de la station Linux fraichement install\u00e9e :<\/p>\n<pre>#!\/bin\/bash\n# ----------------------------------------------------------------------------\n#  Script de pr\u00e9paration des stations Ubuntu Linux.\n   SCRIPTVERSION='20140304'\n# ----------------------------------------------------------------------------\nSCRIPTNAME=\"install.sh\"\n[ -f $SCRIPTNAME ] &amp;&amp; chmod a+x $SCRIPTNAME\n\n# Reconnexion en tant que root.\necho \"Connect\u00e9 en tant que $USER.\"\n[ \"$(id -u)\" != 0 ] &amp;&amp; echo \"sudo .\/$SCRIPTNAME\" &amp;&amp; sudo bash -c .\/$SCRIPTNAME &amp;&amp; return 0\nsleep 1\n[ \"$(id -u)\" != 0 ] &amp;&amp; exit 0\necho \"($SCRIPTVERSION)\"\n\n# Variables.\nHOSTNAME=\"\"       # D\u00e9finit plus tard.   Nom de la machine.\nADMNAME=\"\"        # D\u00e9finit plus tard.   Nom du compte administrateur de l'AD.\nADMPASS=\"\"        # D\u00e9finit plus tard.   Mot de passe du compte admin de l'AD.\nADSERV1=\"dc1\"                          # Premier controleur de domaine AD.\nADSERV2=\"dc2\"                          # Deuxi\u00e8me controleur de domaine AD.\nADDN=\"dc=monreseau,dc=net\"             # DN LDAP dans l'AD.\nADDOM=\"MONRESEAU.NET\"                  # Domaine AD.\nADWKG=$(echo $ADDOM | cut -d '.' -f 1) # D\u00e9termine le workgroup. 
Ne pas modifier.\nADDNS=$(echo $ADDOM | tr '[:upper:]' '[:lower:]') # D\u00e9termine le domaine DNS. Ne pas modifier.\nADMINUID=\"5000\"                        # Valeur minimum de UID accept\u00e9 pour les comptes AD.\nDNSSERV1=\"192.168.0.10\"                # Adresse IP du premier serveur DNS.\nDNSSERV2=\"192.168.0.11\"                # Adresse IP du deuxi\u00e8me serveur DNS.\nDNSSEARCH=\"monreseau.net\"              # Domaine de recherche DNS par d\u00e9faut.\nIPADDR=\"\"         # d\u00e9finit plus tard.   Adresse IP de la machine.\nIPBASEADDR=\"192.168.\"                  # Base de l'adresse IP.\nIPMASK=\"16\"                            # Masque de r\u00e9seau, forme num\u00e9rique.\nIPLMASK=\"255.255.0.0\"                  # Masque de r\u00e9seau, forme longue.\nIPGATE=\"\"         # d\u00e9finit plus tard.   Adresse IP de la passerelle par d\u00e9faut du r\u00e9seau.\nIFACE=$(cat \/proc\/net\/dev | cut -d ':' -f 1 | grep -v '|' | grep -v lo | sed 's\/ \/\/g' | head -1) # Prend la premi\u00e8re interface d\u00e9finit dans le noyau. 
Ne pas modifier.\nUBUNTU=\"saucy\"                         # Version de la distri Ubuntu utilis\u00e9e.\n\n# Remplissage par l'admin des valeurs de base de cette station.\necho \"-------------------------------------------------------------------------------\"\nread -p \"Nom de machine : \" HOSTNAMEtmp\nHOSTNAME=$(echo -n $HOSTNAMEtmp | tr '[:lower:]' '[:upper:]' | tr -dc \"A-Z0-9-\")\nread -p \"Adresse IP     : $IPBASEADDR\" IPADDRtmp\nIPADDR=$(echo -n \"$IPBASEADDR$IPADDRtmp\" | tr -dc \"0-9.\")\necho \" \"\necho       \"Domaine ActiveDirectory : $ADDOM\"\nread -p    \"Code administrateur AD  : \" ADMNAME\nread -s -p \"MdP administrateur AD   : \" ADMPASS\necho \" \"\n\n# Mise en place du nom de machine.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place du nom de machine : $HOSTNAME\"\nhostname $HOSTNAME\necho -n \"$HOSTNAME\" &gt; \/etc\/hostname\ncat &gt; \/etc\/hosts &lt;&lt; EOF\n127.0.0.1\tlocalhost\n127.0.1.1\t$HOSTNAME\n::1     ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\nEOF\necho \" \"\n\n# Mise en place du r\u00e9seau.\necho \"-------------------------------------------------------------------------------\"\necho \"D\u00e9sactivation du NetworkManager.\"\ncat &gt; \/etc\/NetworkManager\/NetworkManager.conf &lt;&lt; EOF\n[main]\nplugins=ifupdown,keyfile,ofono\ndns=dnsmasq\n\n[ifupdown]\nmanaged=true\nEOF\nsleep 2\nnmcli nm enable false\n\necho \"Mise en place de l'adresse IP sur $IFACE : $IPADDR\/$IPMASK\"\nifconfig $IFACE $IPADDR\/$IPMASK\nsleep 5\nIPGATE=\"$(echo $IPADDR | cut -d '.' -f 1).0.0.1\"\n[ \"$IPMASK\" == 16 ] &amp;&amp; IPGATE=\"$(echo $IPADDR | cut -d '.' -f 1-2).0.1\"\n[ \"$IPMASK\" == 24 ] &amp;&amp; IPGATE=\"$(echo $IPADDR | cut -d '.' 
-f 1-3).1\"\necho \"Mise en place de la route par d\u00e9faut : $IPGATE\"\nroute del default 2&gt;&amp;-\nroute add default gw $IPGATE\n\necho \" \"\necho \"Test de la connectivit\u00e9 r\u00e9seau en cours...\"\nping -c 1 -W 1 $IPGATE &gt;&amp;- 2&gt;&amp;-\n[ \"$(arp -an | grep $IPGATE | grep incomplete)\" != \"\" ] &amp;&amp; echo \"ERREUR de r\u00e9seau !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\necho \"R\u00e9seau OK.\"\n\necho \" \"\necho \"Ecriture de la configuration.\"\ncat &gt; \/etc\/network\/interfaces &lt;&lt; EOF\nauto lo\niface lo inet loopback\nauto $IFACE\niface $IFACE inet static\n  address $IPADDR\n  netmask $IPLMASK\n  gateway $IPGATE\nEOF\necho \" \"\n\n# Mise en place du DNS.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place du DNS.\"\necho \"Serveur DNS1 : $DNSSERV1\"\necho \"nameserver $DNSSERV1\" &gt; \/etc\/resolv.conf\necho -n \"  dns-nameservers $DNSSERV1\" &gt;&gt; \/etc\/network\/interfaces\nif [ \"$DNSSERV2\" != \"\" ]\nthen\n  echo \"Serveur DNS2 : $DNSSERV2\"\n  echo \"nameserver $DNSSERV2\" &gt;&gt; \/etc\/resolv.conf\n  echo -n \" $DNSSERV2\" &gt;&gt; \/etc\/network\/interfaces\nfi\necho \"Domaine de recherche par d\u00e9faut : $DNSSEARCH\"\necho \"search $DNSSEARCH\" &gt;&gt; \/etc\/resolv.conf\necho \" \" &gt;&gt; \/etc\/network\/interfaces\necho \"  dns-search $DNSSEARCH\" &gt;&gt; \/etc\/network\/interfaces\n&gt; \/etc\/resolvconf\/resolv.conf.d\/base\n&gt; \/etc\/resolvconf\/resolv.conf.d\/head\n\necho \" \"\necho \"Test de la r\u00e9solution de nom en cours...\"\n[ \"$(host $ADSERV1 | grep address)\" == \"\" ] &amp;&amp; echo \"ERREUR de r\u00e9solution de noms !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\necho \"DNS OK.\"\necho \" \"\n\n# Mise \u00e0 l'heure.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise \u00e0 l'heure...\"\n[ -f \/etc\/init.d\/ntp ] &amp;&amp; \/etc\/init.d\/ntp stop\nntpdate ntp\ndate\necho 
\" \"\n\n# Mise en place des d\u00e9p\u00f4ts.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place des d\u00e9p\u00f4ts.\"\necho \"deb http:\/\/fr.archive.ubuntu.com\/ubuntu\/ $UBUNTU main restricted universe multiverse\" &gt; \/etc\/apt\/sources.list\necho \"deb http:\/\/fr.archive.ubuntu.com\/ubuntu\/ $UBUNTU-updates main restricted universe multiverse\" &gt;&gt; \/etc\/apt\/sources.list\necho \"deb http:\/\/security.ubuntu.com\/ubuntu $UBUNTU-security main restricted universe multiverse\" &gt;&gt; \/etc\/apt\/sources.list\n[ -f \/etc\/apt\/apt.conf ] &amp;&amp; rm \/etc\/apt\/apt.conf\n\nexport DEBIAN_FRONTEND=noninteractive\n\necho \" \"\necho \"Mise \u00e0 jour de la liste des paquets...\"\napt-get -qq update\n\necho \" \"\necho \"Mise \u00e0 jour du syst\u00e8me...\"\napt-get -y -qq dist-upgrade\napt-get -y -qq dist-upgrade\ndpkg --configure -a\n[ \"$?\" != \"0\" ] &amp;&amp; echo \"ERREUR de mise \u00e0 jour des paquets !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\n\necho \" \"\necho \"Mise en place de paquets par d\u00e9faut...\"\napt-get -y -qq install aptitude ntp smbclient libpam-krb5 krb5-user ldap-utils libsasl2-modules-gssapi-mit libnss-ldap \n libpam-ldap cifs-utils kstart libnss-myhostname libpam-ccreds nscd\n\necho \" \"\necho \"Nettoyage des paquets...\"\napt-get -y -qq autoremove\ndpkg --configure -a\ndpkg --configure -a\ndpkg --configure -a\n[ \"$?\" != \"0\" ] &amp;&amp; echo \"ERREUR de configuration des paquets !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\n\napt-get clean\nexport DEBIAN_FRONTEND=\necho \" \"\n\n# Mise en place du d\u00e9mon NTP.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place de la configuration NTP.\"\n\ncat &gt; \/etc\/ntp.conf &lt;&lt; EOF\ndriftfile \/var\/lib\/ntp\/ntp.drift\nstatistics loopstats peerstats clockstats\nfilegen loopstats file loopstats type day enable\nfilegen peerstats file peerstats 
type day enable\nfilegen clockstats file clockstats type day enable\nserver 0.ubuntu.pool.ntp.org\nserver 1.ubuntu.pool.ntp.org\nserver 2.ubuntu.pool.ntp.org\nserver 3.ubuntu.pool.ntp.org\nrestrict -4 default kod notrap nomodify nopeer noquery\nrestrict -6 default kod notrap nomodify nopeer noquery\nrestrict 127.0.0.1\nrestrict ::1\nEOF\n\nservice ntp restart\ndate\necho \" \"\n\n# Mise en place du d\u00e9mon KRB.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place de la configuration KRB.\"\n\ncat &gt; \/etc\/krb5.conf &lt;&lt; EOF\n[appdefaults]\n\tpam = {\n\t\trealm = $ADDOM\n\t\tticket_lifetime = 1d\n\t\trenew_lifetime = 1d\n\t\tforwardable = true\n\t\tproxiable = false\n\t\tretain_after_close = false\n\t\tminimum_uid = $ADMINUID\n\t\ttry_first_pass = true\n\t\tignore_root = true\n\t}\n[libdefaults]\n\tdefault_realm = $ADDOM\n\tdefault_keytab_name = FILE:\/etc\/krb5.keytab\n\tkrb4_config = \/etc\/krb.conf\n\tkrb4_realms = \/etc\/krb.realms\n\tkdc_timesync = 1\n\tccache_type = 4\n\tforwardable = true\n\tproxiable = false\n#\tdefault_tgs_enctypes = des3-hmac-sha1\n#\tdefault_tkt_enctypes = des3-hmac-sha1\n#\tpermitted_enctypes = des3-hmac-sha1\n\tv4_instance_resolve = false\n\tv4_name_convert = {\n\t\thost = {\n\t\t\trcmd = host\n\t\t\tftp = ftp\n\t\t}\n\t\tplain = {\n\t\t\tsomething = something-else\n\t\t}\n\t}\n\tfcc-mit-ticketflags = true\n[realms]\n\t$ADDOM = {\n\t\tkdc = $ADSERV1\nEOF\n\nif [ \"$ADSERV2\" != \"\" ]\nthen\n  cat &gt;&gt; \/etc\/krb5.conf &lt;&lt; EOF\n\t\tkdc = $ADSERV2\nEOF\nfi\n\ncat &gt;&gt; \/etc\/krb5.conf &lt;&lt; EOF\n\t\tadmin_server = $ADSERV1\n\t\tdefault_domain = $ADDNS\n\t\tauth_to_local = DEFAULT\n\t}\n[domain_realm]\n\t.$ADDNS = $ADDOM\n\t$ADDNS = $ADDOM\n[login]\n\tkrb4_convert = true\n\tkrb4_get_tickets = false\nEOF\n\nsleep 2\necho \"V\u00e9rification de la configuration Kerberos.\"\nkinit $ADMNAME@$ADDOM &lt;&lt; EOF\n$ADMPASS\nEOF\n\n[ \"$(klist | grep krbtgt)\" == 
\"\" ] &amp;&amp; echo \"ERREUR impossible de r\u00e9cup\u00e9rer un ticket Kerberos de l'AD !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\nsleep 2\necho \"Kerberos OK.\"\necho \" \"\n\n# Setting up the SAMBA daemon.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place de la configuration SAMBA.\"\n\ncat &gt; \/etc\/samba\/smb.conf &lt;&lt; EOF\n[global]\n   workgroup = $ADWKG\n   netbios name = $HOSTNAME\n   realm = $ADDOM\n   server string = %h\n   dns proxy = no\n   log file = \/var\/log\/samba\/log.%m\n   max log size = 1000\n   syslog = 0\n   panic action = \/usr\/share\/samba\/panic-action %d\n   security = ADS\n   kerberos method = system keytab\n   encrypt passwords = true\n   passdb backend = tdbsam\n   obey pam restrictions = yes\n   unix password sync = yes\n   passwd program = \/usr\/bin\/passwd %u\n   passwd chat = *Enter\\snew\\s*\\spassword:* %n\\n *Retype\\snew\\s*\\spassword:* %n\\n *password\\supdated\\ssuccessfully* .\n   pam password change = yes\n   map to guest = bad user\n   usershare allow guests = yes\n[printers]\n   comment = All Printers\n   browseable = no\n   path = \/var\/spool\/samba\n   printable = yes\n   guest ok = no\n   read only = yes\n   create mask = 0700\n[print$]\n   comment = Printer Drivers\n   path = \/var\/lib\/samba\/printers\n   browseable = yes\n   read only = yes\n   guest ok = no\nEOF\n\necho \"Cr\u00e9ation du compte AD de la machine.\"\nnet ads join -k\nsleep 2\n\necho \"Cr\u00e9ation du fichier keytab.\"\nnet ads keytab create\n[ ! 
-f \/etc\/krb5.keytab ] &amp;&amp; echo \"ERREUR impossible de g\u00e9n\u00e9rer le fichier keytab !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\necho \"Fichier keytab OK.\"\nsleep 2\n\necho \"V\u00e9rification de la connexion \u00e0 l'AD.\"\nkinit -V -k \"$HOSTNAME$\"\n[ \"$?\" != \"0\" ] &amp;&amp; echo \"ERREUR de connexion !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\necho \"Connexion AD OK.\"\necho \" \"\n\n# Setting up periodic ticket renewal.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place de la configuration CRON.\"\n\ncat &gt; \/etc\/crontab &lt;&lt; EOF\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n# m h dom mon dow user\tcommand\n17 *\t* * *\troot    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 11\t* * *\troot\ttest -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 11\t* * 7\troot\ttest -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 11\t1 * *\troot\ttest -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n# AD connection MONRESEAU\n2  *    * * *   root    kinit -k \"$HOSTNAME$\" -c \/tmp\/krb5cc_host ; chmod 644 \/tmp\/krb5cc_host\nEOF\n\nservice cron restart\n\necho \"Mise \u00e0 jour du fichier rc.local .\"\ncat &gt; \/etc\/rc.local &lt;&lt; EOF\n#!\/bin\/sh -e\nkinit -k \"$HOSTNAME$\" -c \/tmp\/krb5cc_host\nchmod 644 \/tmp\/krb5cc_host\n# Do not remove !!!\nexit 0\nEOF\n\necho \"Mise \u00e0 jour du renouvellement de ticket utilisateur.\"\ncat &gt; \/usr\/share\/upstart\/sessions\/krenew.conf &lt;&lt; EOF\ndescription \"User TGT KRB5\"\nauthor \"sden\"\n\nstart on starting xsession-init\n\nrespawn\n\nexec krenew -K 60\nEOF\n\necho \" \"\n\n# Setting up the LDAP configuration.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise 
en place de la configuration LDAP.\"\n\ncat &gt; \/etc\/ldap.conf &lt;&lt; EOF\nuse_sasl on\nsasl_auth_id $HOSTNAME$\nkrb5_ccname FILE:\/tmp\/krb5cc_host\nbase $ADDN\nuri ldap:\/\/$ADSERV1.$DNSSEARCH ldap:\/\/$ADSERV2.$DNSSEARCH\nldap_version 3\n#port 389\nsizelimit 10000\n#timelimit 30\ntimelimit 10\n#bind_timelimit 30\nbind_timelimit 5\nnetwork_timeout 3\ntls_checkpeer no\nreferrals no\nbind_policy soft\n#idle_timelimit 3600\n#pam_filter objectclass=account\n#pam_login_attribute uid\n#pam_lookup_policy yes\n#pam_check_host_attr yes\n#pam_check_service_attr yes\n#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com\n#pam_member_attribute uniquemember\n#pam_min_uid 0\n#pam_max_uid 0\n#pam_login_attribute userPrincipalName\n#pam_template_login_attribute uid\n#pam_template_login nobody\n#pam_password_prohibit_message Please visit http:\/\/internal to change your password.\nscope sub\nnss_base_passwd\t$ADDN?sub\nnss_base_shadow\t$ADDN?sub\nnss_base_group\t$ADDN?sub\n#nss_base_hosts\t\tou=Hosts,dc=padl,dc=com?one\n#nss_base_services\tou=Services,dc=padl,dc=com?one\n#nss_base_networks\tou=Networks,dc=padl,dc=com?one\n#nss_base_protocols\tou=Protocols,dc=padl,dc=com?one\n#nss_base_rpc\t\tou=Rpc,dc=padl,dc=com?one\n#nss_base_ethers\tou=Ethers,dc=padl,dc=com?one\n#nss_base_netmasks\tou=Networks,dc=padl,dc=com?ne\n#nss_base_bootparams\tou=Ethers,dc=padl,dc=com?one\n#nss_base_aliases\tou=Aliases,dc=padl,dc=com?one\n#nss_base_netgroup\tou=Netgroup,dc=padl,dc=com?one\nnss_map_objectclass posixAccount User\nnss_map_objectclass shadowAccount User\nnss_map_objectclass posixGroup Group\nnss_map_attribute uid uid\nnss_map_attribute uidNumber uidNumber\nnss_map_attribute gidNumber gidNumber\nnss_map_attribute loginShell loginShell\nnss_map_attribute gecos name\nnss_map_attribute userPassword msSFU30Password\nnss_map_attribute homeDirectory unixHomeDirectory\nnss_map_attribute shadowLastChange pwdLastSet\nnss_map_attribute uniqueMember msSFU30PosixMember\nnss_map_attribute cn 
cn\npam_login_attribute msSFU30Name\npam_filter objectclass=User\npam_password ad\n#ssl on\n#sslpath \/etc\/ssl\/certs\n#ssl start_tls\n#tls_cacertfile \/etc\/ssl\/ca.cert\n#tls_cacertdir \/etc\/ssl\/certs\n#tls_randfile \/var\/run\/egd-pool\n#tls_ciphers TLSv1\n#tls_cert\n#tls_key\n#sasl_secprops maxssf=0\n#pam_sasl_mech DIGEST-MD5\nnss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dirmngr,dnsmasq,festival,games,gdm,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sync,sys,syslog,usbmux,uucp,whoopsie,www-data\nEOF\n\ncat \/etc\/ldap.conf &gt; \/etc\/ldap\/ldap.conf\n\necho \"Test de la connexion au serveur LDAP...\"\n# Keep the sudo.\n[ \"$(sudo ldapsearch 2&gt;&amp;- | wc -l)\" -lt 100 ] &amp;&amp; echo \"ERREUR de connexion !!!\" &amp;&amp; sleep 5 &amp;&amp; exit 0\necho \"LDAP OK\"\necho \" \"\n\n# Setting up the NSswitch configuration.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place de la configuration NSswitch.\"\n\ncat &gt; \/etc\/nsswitch.conf &lt;&lt; EOF\npasswd:         compat ldap\ngroup:          compat ldap\nshadow:         compat ldap\n\nhosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4\nnetworks:       files\n\nprotocols:      db files\nservices:       db files\nethers:         db files\nrpc:            db files\nnetgroup:       nis\nEOF\n\necho \" \"\n\n# Setting up the PAM configuration.\necho \"-------------------------------------------------------------------------------\"\necho \"Mise en place de la configuration de PAM.\"\n\ncat &gt; \/etc\/pam.d\/common-auth &lt;&lt; EOF\nauth\t[success=3 default=ignore]\tpam_krb5.so minimum_uid=$ADMINUID\nauth\t[success=2 default=ignore]\tpam_unix.so nullok_secure try_first_pass\nauth\t[success=1 default=ignore]\tpam_ldap.so 
use_first_pass\nauth\trequisite\tpam_deny.so\nauth\trequired\tpam_permit.so\nauth\toptional\tpam_cap.so\nEOF\n\ncat &gt; \/etc\/pam.d\/common-account &lt;&lt; EOF\naccount\t[success=2 new_authtok_reqd=done default=ignore]\tpam_unix.so \naccount\t[success=1 default=ignore]\tpam_ldap.so \naccount\trequisite\tpam_deny.so\naccount\trequired\tpam_permit.so\naccount\trequired\tpam_krb5.so minimum_uid=$ADMINUID\nEOF\n\ncat &gt; \/etc\/pam.d\/common-password &lt;&lt; EOF\npassword\t[success=3 default=ignore]\tpam_krb5.so minimum_uid=$ADMINUID\npassword\t[success=2 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass sha512\npassword\t[success=1 user_unknown=ignore default=die]\tpam_ldap.so use_authtok try_first_pass\npassword\trequisite\tpam_deny.so\npassword\trequired\tpam_permit.so\npassword\toptional\tpam_gnome_keyring.so\nEOF\n\ncat &gt; \/etc\/pam.d\/common-session &lt;&lt; EOF\nsession\t[default=1]\tpam_permit.so\nsession\trequisite\tpam_deny.so\nsession\trequired\tpam_permit.so\nsession optional\tpam_umask.so\nsession\toptional\tpam_krb5.so minimum_uid=$ADMINUID\nsession\trequired\tpam_unix.so \nsession required\tpam_mkhomedir.so skel=\/etc\/skel\/ umask=0077\nsession\toptional\tpam_ldap.so \nsession\toptional\tpam_systemd.so \nsession\toptional\tpam_ck_connector.so nox11\nEOF\n\necho \" \"\n\necho \"-------------------------------------------------------------------------------\"\necho \"R\u00e9activation du NetworkManager.\"\nnmcli nm enable true\necho \" \"\n\necho \"-------------------------------------------------------------------------------\"\necho \"Script d'installation termin\u00e9 normalement.\"\n# Cleanup\nADMNAME=\"\"\nADMPASS=\"\"<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Here we carry out the first step for integrating Linux workstations into a Microsoft Active Directory domain at functional level 2003. 
Integration into an AD domain at level 2008 or higher will be covered another time. Starting conditions for the experiment: Workstation: Ubuntu Linux 13.10, 64-bit base installation with no additional packages. &hellip; <a href=\"http:\/\/stephane.weblog.starend.org\/?p=1519\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Station Linux et serveur Windows<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[42,10,49,11,26,32],"tags":[56,57,224,279,293,341],"_links":{"self":[{"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=\/wp\/v2\/posts\/1519"}],"collection":[{"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1519"}],"version-history":[{"count":0,"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=\/wp\/v2\/posts\/1519\/revisions"}],"wp:attachment":[{"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1519"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/stephane.weblog.starend.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}