
linux samba join to AD Test

时间:2007-01-11  来源:jianasonic

                      linux samba join to AD Test

测试环境:

      1,2003 SERVER 一台  已经安装了域服务 为:kefang.com IP:192.168.3.35

      2,linux 2.6.9-42.EL 一台  安装了

samba-3.0.10-1、

samba-common-3.0.10、

nss_ldap-226-13

nss_db-2.2-29

pam_passwdqc-0.7.5-2

pam_krb5-2.1.8-1

pam_ccreds-1-3

krb5-libs-1.3.4-27

krb5-workstation-1.3.4-27

修改 /etc/resolv.conf,设置 nameserver 192.168.3.35(AD 自带的 DNS;域成员正常是通过 DNS 的 SRV 记录定位域控制器,推荐此方式);或者在 /etc/hosts 中添加下面一行(下文 krb5.conf 和 smb.conf 直接把 KEFANG.COM 当作主机名使用,全靠这一条映射解析到域控制器):

192.168.3.35            kefang.com          kefang

#ping Kefang.com       #测试

1,修改krb.conf 文件(说明:/etc/krb.conf 是 Kerberos 4 时代的 realm 配置文件,MIT krb5 读取的是第 2 步的 /etc/krb5.conf;下文 krb4_convert = false,因此这一步看起来并非 AD 认证所必需,可以跳过。另外按 krb.conf 的格式,第二列应为该 realm 的 KDC,即域控制器,而不是 samba 服务器自己的机器名。该文件不支持行尾注释,实际文件内容只有下面两行)

#vi /etc/krb.conf

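KEFANG.COM
KEFANG.COM      CNET-DIRECT.KEFANG.COM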

2、修改krb5.conf文件

#vi /etc/krb5.conf

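[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm name must be UPPER CASE (realm names are case-sensitive in
# Kerberos) and equal to the AD domain name.
 default_realm = KEFANG.COM
# Seconds. Presumably only used by kinit here; pam_krb5 reads its own value
# from [appdefaults] pam below.
 ticket_lifetime = 24000
# Both disabled, so the KDC is taken from [realms] below instead of DNS SRV
# records. The host name given there must then resolve via /etc/hosts.
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 KEFANG.COM = {
# The AD domain controller (192.168.3.35) acts as KDC and admin server.
# Using the bare realm name as a host name only works because /etc/hosts
# maps KEFANG.COM to the DC; the DC's fully-qualified host name is the
# more robust choice, especially once a second DC exists.
  kdc = KEFANG.COM
  admin_server = KEFANG.COM
  default_domain = KEFANG.COM
 }

[domain_realm]
# Map host names in the domain to the realm (realm on the right, UPPER CASE).
 .KEFANG.COM = KEFANG.COM
 KEFANG.COM = KEFANG.COM

[kdc]
# Only consulted if this host itself runs a KDC; harmless on a client.
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
# Settings read by pam_krb5.
 pam = {
   debug = false
# Seconds: 10 h tickets. With renew_lifetime equal to ticket_lifetime a
# renewal effectively cannot extend the ticket beyond its initial lifetime.
   ticket_lifetime = 36000
   renew_lifetime = 36000
# Forwardable TGTs can be delegated to any service the user logs in to;
# set to false unless credential forwarding is actually needed.
   forwardable = true
# No Kerberos 4 ticket conversion, so the Kerberos 4 file /etc/krb.conf
# (step 1) should not be needed.
   krb4_convert = false
 }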

3、修改samba

#vi /etc/samba/smb.conf                                                           #修改smb.conf(注意:Samba 不支持行尾注释,下面每行后面的 #说明 必须单独成行,否则会被当作参数值的一部分)

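[global]
# workgroup = NT-Domain-Name or Workgroup-Name
# Short (NetBIOS) name of the AD domain kefang.com.
   workgroup = Kefang
# NetBIOS name of this host; no spaces. "net ads join" creates the computer
# account in AD under this name.
   netbios name = dcs
# Kerberos realm; must be UPPER CASE and match default_realm in krb5.conf.
   realm = KEFANG.COM
   preferred master = no
# server string is the equivalent of the NT Description field
   server string = Samba Server
# Security mode. "ads" authenticates users against Active Directory with
# Kerberos; it needs the realm above, a working /etc/krb5.conf and a clock
# within 5 minutes of the domain controller.
   security = ads
# "password server" is mandatory only for security = server/domain; with
# security = ads Samba can locate domain controllers itself. Pinning it to
# the bare realm name works here only because /etc/hosts maps KEFANG.COM
# to the DC (192.168.3.35).
   password server = KEFANG.COM
   encrypt passwords = yes
# Level 3 is verbose debugging output; lower it to 1 once the join works.
   log level = 3
# One log file per user name (%U).
   log file = /var/log/samba/%U
   max log size = 50
   #winbind separator = +
# Original read "cpus", which Samba rejects as an unknown printing type;
# the intended value is the CUPS printing system.
   printcap name = cups
   printing = cups
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# The AD server (192.168.3.35) is also used as WINS server.
   wins server = KEFANG.COM
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
   wins proxy = no
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no
#============================ winbind / idmap ==============================
# uid/gid range handed out to AD users and groups. It must not overlap any
# local account range and should never change afterwards, because the
# SID -> uid mapping determines file ownership on disk.
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
# Home directories for domain users: /home/<DOMAIN>/<user>.
   template homedir = /home/%D/%U
   template shell = /bin/bash
# Original read "prinmary", which Samba would report as an unknown
# parameter and ignore.
   template primary group = @"Domain Users"
# Domain accounts appear without the "KEFANG+" prefix. A local user and an
# AD user of the same name therefore collide; nsswitch order decides which
# one wins ("files" first in this walkthrough).
   winbind use default domain = yes
# Enumeration is only needed for "getent passwd/group" and wbinfo -u/-g
# listings; it can be slow on large domains.
   winbind enum users = yes
   winbind enum groups = yes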

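[dcs]
        comment = TEST
# Members of group "dcs" only. Because nsswitch lists "files" before
# "winbind", a LOCAL group called dcs would shadow the AD group of the same
# name; make sure only one of them exists.
        valid users = @dcs
        path = /mnt/
        guest ok = no
        writable = yes
# "public" is a synonym of "guest ok"; kept for readability.
        public = no
# New files: owner rw, group r, no world access. "directory mask" was
# missing, so new directories got Samba's 0755 default and were traversable
# by everyone; align it with create mask.
        create mask = 0750
        directory mask = 0750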

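[guset]
# NOTE(review): the share name looks like a typo for "guest"; left as is
# because clients connect to it by this name.
        comment = dcs
# Every AD account (Domain Users) may connect, and the share exposes the
# whole /home tree - every user's home directory - read/write. Only the
# Unix permissions on the individual home directories keep users apart;
# a [homes] share is the usual way to give each user just their own home.
        valid users = @"Domain Users"
        path = /home/
        guest ok = no
        writable = yes
        public = no
# Match the [dcs] share: no world access to files/directories created
# through this share (Samba's defaults would be 0744 / 0755).
        create mask = 0750
        directory mask = 0750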

4, 更改以上文件save后;开始加入域

#testparm                                                                 #检查 smb.conf 语法。注意:Samba 不支持行尾注释,如果把上面带有 #说明 的行原样粘贴,testparm 会报未知参数或非法取值,注释必须单独成行

#/etc/init.d/samba start                                              #启动samba(原文 /etc.init.d 为笔误;RHEL 上该脚本也可能叫 smb)

#ntpdate Kefang.com                                           #与AD服务器同步时间。Kerberos 默认拒绝时钟偏差超过 5 分钟的请求,加域和登录前必须先同步;长期运行应配置 ntpd 持续同步,否则时钟漂移后认证会失败

#net ads join -U administrator                                 #以有权在域中创建计算机账户的账号加入域(命令会提示输入口令,不要把口令写在命令行上;不一定需要域管理员,只要有创建计算机对象的权限即可。注意原文中的 – 是全角破折号,应为半角 -)

Using short domain name -- KEFANG

Joined 'DCS' to realm 'KEFANG.COM'                   #出现此提示说明加入成功,可以在AD服务器上看到此机器

#smbpasswd -w <LDAP管理员口令>                                     #把 LDAP 管理员口令存入 secrets.tdb(RHEL 上一般是 /etc/samba/secrets.tdb)。注意:这一步只在 passdb backend = ldapsam 时才需要,本文的 smb.conf 没有配置 ldapsam,net ads join 已把机器账户凭据写入 secrets.tdb,因此可以省略;若确需执行,不要像原文那样把真实口令直接写在命令行里(会留在 shell 历史和 ps 输出中),并确保 secrets.tdb 仅 root 可读

5更改密码验证方式

#vi /etc/nsswitch.conf   

# looked up first in the databases

#

# Example:

#passwd:    db files ldap nis

#shadow:    db files ldap nis

#group:     db files ldap nis

 

# Local accounts first, then AD accounts via winbind (uids/gids come from the
# idmap range in smb.conf), then nss_ldap. nss_ldap is installed but its
# /etc/ldap.conf is never configured in this walkthrough; drop "ldap" here if
# it stays unused, otherwise every miss presumably waits for an LDAP timeout.
passwd:     files winbind ldap
# NOTE(review): nss_winbind does not appear to serve the shadow map; listing
# it here is harmless but supplies no password hashes - authentication goes
# through pam_krb5 / winbind, not through shadow. Confirm before relying on it.
shadow:     files winbind ldap
group:      files winbind ldap

 

#hosts:     db files ldap nis dns
# /etc/hosts first (KEFANG.COM is pinned to the DC there), then DNS, then
# WINS (nss_wins from Samba). Keep "files" first so the DC mapping wins.
hosts:      files dns wins

 

# Example - obey only what ldap tells us...

#services:  ldap [NOTFOUND=return] files

#networks:  ldap [NOTFOUND=return] files

#protocols: ldap [NOTFOUND=return] files

#rpc:       ldap [NOTFOUND=return] files

#ethers:    ldap [NOTFOUND=return] files

 

bootparams: files
ethers:     db files
netmasks:   files
networks:   files dns
# NOTE(review): "winbind" on protocols/services/netgroup/automount looks like
# the stock authconfig layout; winbind is only known to serve passwd/group
# lookups, so these entries are believed harmless but ineffective - confirm.
protocols:  db  files winbind ldap
rpc:        db files
services:   db files winbind ldap
netgroup:   files winbind ldap
publickey:  files
automount:  files winbind ldap
aliases:    files

#winbindd                                                            #启动 winbindd,使 nsswitch.conf 中的 winbind 源生效(若系统提供 /etc/init.d/winbind 脚本,建议用它启动并设为开机自启)

#/etc/init.d/samba restart                                           #重启samba

#wbinfo -u                                                               #测试能够得到AD域的账号(半角 -u)

#wbinfo -g                                                               #测试能够得到AD域的组(半角 -g)

#getent passwd                                                    #测试:本地用户之后应列出 AD 用户,uid 落在 smb.conf 的 idmap 范围内(输出的是 passwd 条目,不含口令)

 

权限设置

第一步:在AD中建立DCS组,用户user1 ,user2,user3把3用户加入到dcs组中。

第二步:注意:winbind 生效后,AD 中的 dcs 组和 user1、user2、user3 已经可以直接在 Linux 上解析(uid/gid 来自 smb.conf 的 idmap 范围),不需要再在 Linux 本地重建同名的用户和组。若重建,由于 nsswitch.conf 中 files 排在 winbind 之前,本地账号会遮蔽 AD 账号:valid users = @dcs 匹配的是本地组而非 AD 组,而且本地 uid 与 idmap 分配的 uid 不一致,会造成文件属主和权限混乱。

第三步:权限在linux这边控制,用 chown/chmod 针对 winbind 解析出的 AD 用户和组设定读写权限;共享里的 create mask/directory mask 只决定新建文件的权限。

附录1:

samba configuration file example

 

#Global parameters
# Appendix: an older, ClearCase-oriented example that predates the ADS setup
# above. Parameters before any [section] header are global.
# Samba 2.x-era parameter; later releases use "dos charset"/"unix charset".
   client code page = 437
   max open files = 1014
# "comment" is a per-share option; in the global section it only provides
# the default for shares that do not set their own. %v = Samba version.
   comment = "Samba %v server"
   share modes = yes
   getwd cache = yes
   browseable = yes
   load printers = no
# Never take part in / win browser elections.
   local master = no
   debug pid = yes
# Minutes of inactivity before an idle connection is dropped.
   dead time = 30
   #debug level = 10
   kernel oplocks = no
# %m = client NetBIOS name: one log file per client.
   log file = /usr/local/samba/var/log.%m
   socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
# Per-host configuration is selected by %h (this server's DNS host name);
# the two fragments shown below are the ones for host "cd10".
   include = /usr/local/samba/lib/smb.conf.global.%h
   include = /usr/local/samba/lib/smb.conf.shares.%h

 

____________/usr/local/samba/lib/smb.conf.global.cd10____________________________________

   workgroup = kefang
# NOTE(review): security = server forwards every client logon to the
# "password server" as pass-through authentication without this host being
# a domain member. Samba's documentation flags this mode as deprecated and
# insecure; prefer security = ads (as in the main walkthrough) or
# security = domain once the host is joined.
   security = server
   password server = kefang.com
    netbios name = cd10
   wins server =  kefang.com
   encrypt passwords = yes
# %h = DNS host name, %L = NetBIOS name Samba answered under.
   server string = "ClearCase VOB/View Server %h (%L), Samba"
# On its own this mainly steers nmbd (browsing/WINS announcements); smbd
# keeps listening on all interfaces unless "bind interfaces only = yes" is
# also set.
   interfaces = "200.61.25.10/255.255.255.0"

________/usr/local/samba/lib/smb.conf.shares.cd10_________________________

[multisite]
   comment = Multisite VOB store
   path = /a1000/multisite
# NOTE(review): presumably disabled because the VOB store is accessed by
# several hosts at once - confirm before re-enabling oplocks.
   oplocks = no
# No "valid users" list: every account the password server authenticates
# can connect to this writable share.
   guest ok = no
# Group-writable, world-readable: any local shell user can read the VOB
# store. Consider 0770 if the host has other local users.
   create mask = 0775
   directory mask = 0775
   case sensitive = no
   preserve case = Yes
   map archive = no
    writeable = yes
