1.修改配置文件:/etc/nsswitch.conf,使winbind成为PASSWD及GROUP的认证信息源
passwd: files winbind
shadow: files winbind
group: files winbind
2.修改配置文件: /etc/samba/smb.conf
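#======================= Global Settings =====================================
# NOTE(review): smb.conf only understands full-line comments starting with
# "#" or ";". The original "//..." trailing annotations would have been read
# as part of each value (e.g. workgroup = "PEARL //域名"); they are moved onto
# their own comment lines below. Duplicated lines from the original paste
# have been collapsed to a single occurrence (Samba applies the last one).
# Run `testparm` after editing to confirm the file parses and to see any
# "unknown parameter" / deprecation warnings for your Samba version.
[global]
# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specify it as a per share option as well
#
# NetBIOS domain name this member server joins
workgroup = PEARL
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# Networks allowed to reach the shares. "192.168." is a prefix match and
# admits the whole 192.168.0.0/16 range; narrow it to the actual client
# subnets (as in the commented example above) where possible.
hosts allow = 127. 192.168.
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
#
# one log file per client machine (%m)
log file = /var/log/samba/%m.log
# 0 means "no size limit" (the log grows unbounded), NOT "no logging".
# Set a size in KB (e.g. 50) if rotation is wanted.
max log size = 0
# Character-set settings so GBK/CP936 (Chinese) file names are not garbled.
# NOTE(review): "client code page" and "character set" are Samba 2.x-era
# parameters superseded by "dos charset" / "unix charset", and I cannot find
# "shell charset" documented at all. They are kept as the author wrote them;
# testparm will report any that your Samba version does not recognise.
shell charset = cp936
display charset = cp936
dos charset = cp936
unix charset = cp936
client code page = 936
character set = 936
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
#
# Authenticate users against the NT-style domain; requires the machine
# account created by "net rpc join" (see below on this page)
security = domain
; passdb backend = tdbsam
; realm = MY_REALM
# Domain controller used for authentication.
# NOTE(review): the join command later on this page uses dc.pearl.cn while
# this says dc1.pearl.cn - confirm which hostname is the DC. "password
# server = *" lets Samba locate the DCs itself.
password server = dc1.pearl.cn
# This host is a member server only: never act as domain master, logon
# server or preferred browse master
domain master = no
domain logons = no
preferred master = no
# Winbind: map domain users/groups to local UIDs/GIDs in this range.
# The range must not overlap local accounts or any other idmap range.
# NOTE(review): "idmap uid" / "idmap gid" are deprecated in newer Samba
# releases in favour of "idmap config * : range = 16777216-33554431".
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Domain users get no interactive shell on this host.
# NOTE(review): the PAM login test later on this page expects a "$" prompt;
# that only works if this is an interactive shell such as /bin/bash.
template shell = /bin/false
# "template homedir" is not set here; Samba's default is /home/%D/%U, which
# must match the directory pam_mkhomedir creates (see the PAM section).
# Accept "user" instead of "PEARL\user" for accounts in the joined domain
winbind use default domain = yes
# Allow enumerating all domain users/groups. Needed for "wbinfo -u/-g" and
# "getent passwd/group" listings; expensive on large domains and, as far as
# I can tell, not required for the join itself.
winbind enum groups = yes
winbind enum users = yes
#============================ Share Definitions ==============================
# Share sections such as [homes] follow here; keep [homes] so domain users
# can reach their home directories (see the end of this page).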
以上就差不多完成配置了,使用以下命令加域(-S 指定域控制器,-U 指定具有加域权限的域帐号):
net rpc join -S dc.pearl.cn -U administrator
Enter passwd:
Joined Pearl domain
然后重启SMB服务
使用以下命令查看获得到的域用户及组信息:
wbinfo -u
wbinfo -g
查看PDC用户或组转换为本地用户或组UID及GID情况:
getent passwd
getent group
以下内容可自行决定是否使用:
建立登录用户帐号主目录
samba的配置文件中指定了template homedir的路径,我们先要建立这个目录
#mkdir /home/TAIL
Windows PDC帐号登录认证
我们已经通过winbind实现了自动同步windowsPDC帐号,下面我们将为每个用户帐号建立登录主目录。
配置PDC用户登录的pam认证
最好将原来的pam认证文件备份一下
#mkdir /home/backup
#cp /etc/pam.d/login /home/backup
#cp /etc/pam.d/system-auth /home/backup
修改login文件
这个文件最后一句是
session optional pam_console.so
在这句后面加上
session required pam_mkhomedir.so skel=/etc/skel umask=0022
(umask=0022 会使新建的主目录对其他用户可读;若希望主目录仅本人可访问,可改为 umask=0077)
修改system-auth文件
vi /etc/pam.d/system-auth
1、找到以“auth”字符串开头并调用“pam_unix.so”的语句,如下:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
在这一句最后加上字符串“use_first_pass”,如下:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
然后在这一句前面加上语句:
auth sufficient /lib/security/pam_winbind.so
如下:
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
2、找到以“account”字符串开头并调用“pam_unix.so”的语句,如下:
account required /lib/security/$ISA/pam_unix.so
在这一句最后加上字符串“use_first_pass”,如下:
account required /lib/security/$ISA/pam_unix.so use_first_pass
然后在这一句前面加上语句:
account sufficient /lib/security/pam_winbind.so
如下:
account sufficient /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so use_first_pass
用PDC用户登录测试
在linux中某个终端以PDC用户登录,能够看到$提示符,说明配置完成。(注意:smb.conf 中 template shell = /bin/false 会拒绝交互式 shell,做此测试前需将其改为 /bin/bash 等。)
这里的登录是必须的,因为在登录过程中,会生成PDC用户在/home目录同域名目录中的用户主目录,比如:
/home/TAIL/user1
这个目录存在,以及保留/etc/smb.conf文件中的[homes]段,同时决定了PDC用户在登录文件服务器时,是否可以登录自己的主目录。
保留/etc/smb.conf文件中的[homes]段,在用PDC用户帐号登录的时候,就能看到这个用户的主目录,如果对文件服务器还有特殊要求,可以继续配置samba相应属性的字段。
samba的配置文件中指定了template homedir的路径,我们先要建立这个目录
#mkdir /home/TAIL
Windows PDC帐号登录认证
我们已经通过winbind实现了自动同步windowsPDC帐号,下面我们将为每个用户帐号建立登录主目录。
配置PDC用户登录的pam认证
最好将原来的pam认证文件备份一下
#mkdir /home/backup
#cp /etc/pam.d/login /home/backup
#cp /etc/pam.d/system-auth /home/backup
修改login文件
这个文件最后一句是
session optional pam_console.so
在这句后面加上
session required pam_mkhomedir.so skel=/etc/skel umask=0022
(umask=0022 会使新建的主目录对其他用户可读;若希望主目录仅本人可访问,可改为 umask=0077)
修改system-auth文件
vi /etc/pam.d/system-auth
1、找到以“auth”字符串开头并调用“pam_unix.so”的语句,如下:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
在这一句最后加上字符串“use_first_pass”,如下:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
然后在这一句前面加上语句:
auth sufficient /lib/security/pam_winbind.so
如下:
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
2、找到以“account”字符串开头并调用“pam_unix.so”的语句,如下:
account required /lib/security/$ISA/pam_unix.so
在这一句最后加上字符串“use_first_pass”,如下:
account required /lib/security/$ISA/pam_unix.so use_first_pass
然后在这一句前面加上语句:
account sufficient /lib/security/pam_winbind.so
如下:
account sufficient /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so use_first_pass
用PDC用户登录测试
在linux中某个终端以PDC用户登录,能够看到$提示符,说明配置完成。(注意:smb.conf 中 template shell = /bin/false 会拒绝交互式 shell,做此测试前需将其改为 /bin/bash 等。)
这里的登录是必须的,因为在登录过程中,会生成PDC用户在/home目录同域名目录中的用户主目录,比如:
/home/TAIL/user1
这个目录存在,以及保留/etc/smb.conf文件中的[homes]段,同时决定了PDC用户在登录文件服务器时,是否可以登录自己的主目录。
保留/etc/smb.conf文件中的[homes]段,在用PDC用户帐号登录的时候,就能看到这个用户的主目录,如果对文件服务器还有特殊要求,可以继续配置samba相应属性的字段。
转载于:https://blog.51cto.com/ryan0817/411374