Test platform: RedHat AS 4 + W2K3 Server, both running as guests under VMware Workstation 6.5
Samba-3.0-25b-0.4E.6 (ships with RedHat AS 4; install the "Windows File Server" package group from Add/Remove Applications)
1. Preparation
In MS AD, create (or use) a user administrator with administrator rights; its credentials are what the domain join in section 5 uses.
In MS DNS, add the records the Samba host needs, at minimum the domain name itself:
zg.com <----> 192.168.0.27
Point the Samba host's /etc/resolv.conf at the DC (192.168.0.27): the AD DNS zone is where the SRV records for the domain live, and the names used below must resolve in both directions.
The assumed environment is:
Domain: zg.com
AD hostname: DC
Network: 192.168.0.0/24
DNS: 192.168.0.27

Samba host
OS: RedHat AS 4
Hostname: Linux
IP: 192.168.0.54

Domain controller
OS: MS W2K3 Server
Hostname: dc.zg.com
IP: 192.168.0.27
AD Administrator: administrator
Password: 123+QWE
2. Configure Kerberos
/etc/krb5.conf belongs to the package krb5-libs-1.2.7-19. Back it up, then edit it:
# cp -a /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf
The stock file has the same sections with EXAMPLE.COM as a placeholder; after editing for this environment it reads as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24h
default_realm = ZG.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = yes
[realms]
ZG.COM = {
kdc = 192.168.0.27:88
admin_server = 192.168.0.27:749
default_domain = zg.com
}
[domain_realm]
# the DNS names on the left stay lower case (krb5 folds host names to lower case before this lookup); only the realm on the right is upper case
.zg.com = ZG.COM
zg.com = ZG.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Get an initial ticket for the administrator account (kinit belongs to the package krb5-workstation-1.2.7-19):
# kinit administrator@ZG.COM
Password for administrator@ZG.COM:
#
kinit returning silently means the KDC accepted the password; klist shows the ticket. This proves DNS, krb5.conf and the password before Samba is involved at all.
The system clocks of the Samba host and the AD server must be within 5 minutes of each other (the Kerberos default clock skew), otherwise kinit fails with:
kinit(v5): Clock skew too great while getting initial credentials
Sync the Samba host's clock against the DC (ntpdate, or net time set -S 192.168.0.27) rather than widening the skew limit.
3. Configure Samba
Edit the Samba configuration file smb.conf with vi (or open it with gedit from the file browser):
# cd /etc/samba
# cp -a smb.conf smb.conf.orig
# vi /etc/samba/smb.conf

Set workgroup to the short (NetBIOS) name of the AD domain:
   workgroup = ZG

Change the commented-out
;   hosts allow = 192.168.1. 192.168.2. 127.
to the local network (add 127. as well if you want to test with smbclient on the Samba host itself):
   hosts allow = 192.168.0.

Change
   security = user
so that users are authenticated by AD:
   security = ADS

Below the line
;   password server = <NT-Server-Name>
add these two lines:
   realm = ZG.COM
   password server = 192.168.0.27

Remove the comment marker from
;   encrypt passwords = yes
so that it reads:
   encrypt passwords = yes

The above only makes Samba authenticate against AD; add share definitions as needed.
Check the Samba configuration
# testparm   (testparm belongs to the package samba-common-3.0.0-14.3E)
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
	workgroup = ZG
	realm = ZG.COM
	server string = samba
	security = ADS
	password server = 192.168.0.27
	log file = /var/log/samba/%m.log
	max log size = 50
	dns proxy = No
	hosts allow = 192.168.0.
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	username map = /etc/samba/smbusers
	winbind separator = /
	template shell = /bin/bash
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	guest ok = yes
[homes]
	comment = Home Directories
	read only = No
	browseable = No
	valid users = %S
[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

"Server role: ROLE_DOMAIN_MEMBER" confirms that security = ADS and the realm were read. Corrections to the dump as originally shown: the two "idmap uid" lines are "idmap uid" and "idmap gid" (both ranges are needed, or winbind cannot map AD groups); "windbind separator" is "winbind separator"; the garbled "template shell users = yes" is shown as "template shell = /bin/bash" (the usual value, assumed here); and password server is shown as configured above (the original dump had zg.com, which resolves to the same DC). The idmap, winbind and template lines are not among the edits listed above; add them to [global] in smb.conf, since the domain-join steps below rely on them.
Security note: "guest ok = yes" in [global] is inherited by every share and allows anonymous access to any share that does not restrict its users itself, which is the opposite of what AD authentication is for. Remove it from [global] and set it only on shares meant to be public; "hosts allow = 192.168.0." limits the exposure to the LAN but does not remove it.
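Applying the section-3 edits with a script instead of by hand, as an added example that is not part of the original page: set_global rewrites or adds one [global] parameter (also replacing commented-out lines such as ";   hosts allow = ..."), configure_ads_member applies every setting from the testparm dump above, and check_ads_member verifies the result and refuses a global "guest ok = yes". It runs on a constructed stand-in for the stock smb.conf (sample_smb_conf), so Samba need not be installed; testparm is used as an extra check when present. The template shell/homedir values and the 127. entry in hosts allow are assumptions; the idmap ranges and winbind settings are the ones in the dump.

```shell
#!/bin/sh
# Added example (not from the original page): apply the section-3 smb.conf
# changes with awk and verify the result.  Assumes the page's environment
# (workgroup ZG, realm ZG.COM, DC 192.168.0.27, LAN 192.168.0.0/24);
# "template shell", "template homedir" and the 127. hosts allow entry are assumed.

WORKGROUP=${WORKGROUP:-ZG}
REALM=${REALM:-ZG.COM}
PASSWORD_SERVER=${PASSWORD_SERVER:-192.168.0.27}
HOSTS_ALLOW=${HOSTS_ALLOW:-"192.168.0. 127."}

# set_global FILE KEY VALUE
# Rewrite every active or commented-out "KEY = ..." line inside [global] as
# "KEY = VALUE" (keeping one copy), or add the line if [global] has none.
set_global() {
    tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        /^[ \t]*\[/ {                                 # section header
            if (in_global && !done) { print "   " k " = " v; done = 1 }
            in_global = ($0 ~ /^[ \t]*\[global\]/)
        }
        in_global {
            line = $0
            sub(/^[ \t]*[;#]?[ \t]*/, "", line)       # drop a ";" or "#" comment marker
            n = index(line, "=")
            if (n > 0) {
                key = substr(line, 1, n - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                if (tolower(key) == tolower(k)) {
                    if (!done) { print "   " k " = " v; done = 1 }
                    next                              # drop stale duplicates
                }
            }
        }
        { print }
        END { if (!done) print "   " k " = " v }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_global FILE KEY -> print the effective (uncommented) value of KEY in [global]
get_global() {
    awk -v k="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && $0 !~ /^[ \t]*[;#]/ && index($0, "=") > 0 {
            n = index($0, "=")
            key = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, n + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(k)) print val
        }' "$1"
}

# configure_ads_member FILE: the [global] settings the testparm dump shows
configure_ads_member() {
    set_global "$1" workgroup "$WORKGROUP"
    set_global "$1" realm "$REALM"
    set_global "$1" security ads
    set_global "$1" "password server" "$PASSWORD_SERVER"
    set_global "$1" "encrypt passwords" yes
    set_global "$1" "hosts allow" "$HOSTS_ALLOW"
    set_global "$1" "idmap uid" 10000-20000
    set_global "$1" "idmap gid" 10000-20000
    set_global "$1" "winbind use default domain" yes
    set_global "$1" "winbind enum users" yes
    set_global "$1" "winbind enum groups" yes
    set_global "$1" "template shell" /bin/bash        # assumed value
    set_global "$1" "template homedir" /home/%D/%U    # assumed value
    set_global "$1" "guest ok" no      # never leave "guest ok = yes" in [global]
}

# check_ads_member FILE -> 0 when FILE is a sane AD member configuration
check_ads_member() {
    [ "$(get_global "$1" security | tr 'A-Z' 'a-z')" = ads ] || return 1
    [ -n "$(get_global "$1" realm)" ] || return 1
    [ -n "$(get_global "$1" "idmap uid")" ] || return 1
    [ -n "$(get_global "$1" "idmap gid")" ] || return 1
    # a global "guest ok = yes" gives anonymous access to every unrestricted share
    [ "$(get_global "$1" "guest ok" | tr 'A-Z' 'a-z')" != yes ] || return 1
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" >/dev/null 2>&1 || return 1  # syntax check when Samba is installed
    fi
}

# sample_smb_conf FILE: a constructed stand-in for the stock smb.conf (not the real file)
sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = MYGROUP
   server string = Samba Server
;   hosts allow = 192.168.1. 192.168.2. 127.
   security = user
;   password server = <NT-Server-Name>
;   encrypt passwords = yes
   guest ok = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
EOF
}

# Demo on the constructed sample: apply the edits, check them, show [global].
conf=$(mktemp) && sample_smb_conf "$conf"
configure_ads_member "$conf"
check_ads_member "$conf" && echo "ok: AD member configuration"
sed -n '/^\[global\]/,/^\[homes\]/p' "$conf"
rm -f "$conf"
```

To use it on the real file, back it up first (cp -a smb.conf smb.conf.orig, as above) and call configure_ads_member /etc/samba/smb.conf followed by check_ads_member /etc/samba/smb.conf; the awk rewrite keeps the rest of the file, including comments and the [homes] and [printers] sections, untouched.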
Add a local system account and Samba account named administrator. This is a plain local account; the AD rights needed for the join come from the AD account of the same name, not from this one:
# useradd -d /dev/null -s /bin/false administrator
# passwd administrator
Add the Samba user:
# smbpasswd -a administrator   (password 123)
# pdbedit -L   (lists the users just added)
With security = ADS this local entry is not consulted for domain logons: net ads join below asks for the AD administrator password (123+QWE), and domain users are resolved through winbind, so this step can be skipped. If you do keep it, do not give a throw-away local account the AD password.
4. Configure NSS
NSS (Name Service Switch) controls where account lookups go. Edit /etc/nsswitch.conf so the passwd and group lines read:
passwd: files winbind
group: files winbind
With this in place, getent passwd and getent group also return AD users and groups once winbind is running. winbindd can be started now:
#winbindd
but it can only reach the DC after the domain has been joined in the next section, so it is restarted there.
5. Join the domain
Join AD first; the join creates the machine account in AD and the local machine secret that winbind needs:
#net ads join -S DC.ZG.COM -U administrator
administrator's password:
After the password is entered it prints:
Using short domain name -- ZG
Joined 'IVU-LXY' to realm 'ZG.COM'
(The name in quotes is the NetBIOS name derived from the Linux hostname; the host used for this output was called IVU-LXY.)
Then start, or restart, the Samba and winbind services. On RedHat the Samba service is called smb, not samba:
#service smb restart
#service winbind restart
Finally verify with wbinfo -u and wbinfo -g, which list the domain users and groups through winbind; wbinfo -t checks the machine trust secret against the DC, and getent passwd shows the domain users once NSS is configured as in section 4.
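The Kerberos check of section 2, the NSS check of section 4 and the join of this section as one script, added here as an example and not part of the original page. The offline helpers (clock_skew_ok, check_krb5_conf, check_nsswitch) run anywhere on constructed inputs; join_and_verify is the live sequence in the order that works (clock, ticket, join, then winbind) and runs only with RUN_AD_JOIN=1. It assumes the realm ZG.COM, the DC dc.zg.com and the join account administrator from the environment table; the net ads testjoin, wbinfo -t and getent checks at the end are added verification steps, not commands from the page.

```shell
#!/bin/sh
# Added example (not from the original page): Kerberos check (section 2), NSS
# check (section 4) and join/verify (section 5) in one script.  Offline helpers
# run anywhere; the live steps run only with RUN_AD_JOIN=1 and assume the page's
# environment (realm ZG.COM, DC dc.zg.com, join account administrator).

REALM=${REALM:-ZG.COM}
DC=${DC:-dc.zg.com}
JOIN_USER=${JOIN_USER:-administrator}
MAX_SKEW=300    # krb5 default clock skew; beyond it kinit reports "Clock skew too great"

# clock_skew_ok LOCAL_EPOCH DC_EPOCH -> 0 if the clocks differ by at most MAX_SKEW seconds
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - $d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# check_krb5_conf FILE REALM -> 0 if default_realm is REALM and [domain_realm]
# maps the lower-case DNS domain to it.  krb5 folds host names to lower case
# before this lookup, so an upper-case ".ZG.COM = ZG.COM" key never matches.
check_krb5_conf() {
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1" || return 1
    grep -Eq "^[[:space:]]*\.$dom[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# check_nsswitch FILE -> 0 if both passwd and group lookups fall through to winbind
check_nsswitch() {
    grep -E '^passwd:' "$1" | grep -qw winbind || return 1
    grep -E '^group:' "$1" | grep -qw winbind
}

# sample_krb5_conf FILE / sample_nsswitch FILE: constructed inputs in the corrected form
sample_krb5_conf() {
    lc=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = false\n[realms]\n %s = {\n  kdc = %s:88\n }\n[domain_realm]\n .%s = %s\n %s = %s\n' \
        "$REALM" "$REALM" "$DC" "$lc" "$REALM" "$lc" "$REALM" > "$1"
}
sample_nsswitch() {
    printf 'passwd:     files winbind\ngroup:      files winbind\n' > "$1"
}

# join_and_verify: the live sequence in the order that works: clock, ticket,
# join, then winbind (it needs the machine account the join creates).
join_and_verify() {
    check_krb5_conf /etc/krb5.conf "$REALM" || { echo "fix /etc/krb5.conf first" >&2; return 1; }
    check_nsswitch /etc/nsswitch.conf || { echo "add winbind to passwd:/group: in /etc/nsswitch.conf" >&2; return 1; }
    net time set -S "$DC"                   # one-off clock sync; run ntpd against the DC in production
    kinit "$JOIN_USER@$REALM" || return 1   # proves DNS, krb5.conf and the clock before Samba is involved
    klist
    net ads join -S "$DC" -U "$JOIN_USER" || return 1   # creates the machine account in AD
    service smb restart                     # on RedHat the Samba service is "smb", not "samba"
    service winbind restart
    chkconfig smb on; chkconfig winbind on
    net ads testjoin || return 1            # machine account and secret are valid
    wbinfo -t || return 1                   # the trust secret works against the DC
    wbinfo -u | head -5                     # domain users and groups, via winbind
    wbinfo -g | head -5
    getent passwd "$JOIN_USER"              # the same user, now visible through NSS
}

if [ "${RUN_AD_JOIN:-0}" = 1 ]; then join_and_verify; fi
```

Run it as root on the Samba host with RUN_AD_JOIN=1 once sections 2 to 4 are done; the two pre-checks fail fast on the krb5.conf and nsswitch.conf mistakes that otherwise surface only as a silent winbind or a "Clock skew too great" from kinit.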