Brother-Xing
2011/10/14
Joining Samba to a Windows 2008 Domain
1. Requirements
The company has only a few departments but a very large number of employees. Creating a local account for every user one by one and then adding each of them as a Samba login user with smbpasswd would be very tedious. The company already runs a Windows 2008 Server domain controller (see the setup procedure) that holds every employee's account, so the administrator wants to use the accounts on the Windows 2008 Server domain controller as the Samba login accounts.
2. Lab environment
              Windows 2008 Server    Linux Samba server
IP address    192.168.1.1/24         192.168.1.250/24
DNS           192.168.1.1            192.168.1.1
hostname      Bxcctj                 Samba
Domain        Bxcctj.net
3. Lab configuration
(1) Packages that need to be installed
samba-3.5.4-68.el6.x86_64
samba-winbind-3.5.4-68.el6.x86_64
samba-client-3.5.4-68.el6.x86_64
samba-common-3.5.4-68.el6.x86_64
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
(2) Editing the configuration
1) Kerberos (krb5) configuration
# vi /etc/krb5.conf
# Note: krb5.conf only treats lines that begin with # or ; as comments, so the
# explanations are placed on their own lines rather than after a value.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # realm name in upper case
 default_realm = BXCCTJ.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 # realm name in upper case; kdc and admin_server are the domain controller's IP
 BXCCTJ.NET = {
  kdc = 192.168.1.1:88
  admin_server = 192.168.1.1:749
  # upper case is not needed here
  default_domain = bxcctj.net
 }

[domain_realm]
 # DNS domain -> realm mapping; the suffix must be the AD DNS domain (bxcctj.net,
 # not .com, which the original page carried over from a template)
 .bxcctj.net = BXCCTJ.NET
 bxcctj.net = BXCCTJ.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Connecting to the AD server
kinit administrator@BXCCTJ.NET
The Kerberos kinit command tests communication between the two servers. The realm name after the @, BXCCTJ.NET, is your Active Directory domain name and must be written in upper case; otherwise you get the error:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
If communication works you are prompted for a password. If the password is correct you are returned to the bash prompt; if it is wrong you get:
kinit(v5): Preauthentication failed while getting initial credentials.
This step only shows that the host can talk to the AD server; it does not mean the Samba server has joined the domain yet.
2) smb.conf configuration
# vi /etc/samba/smb.conf
# Note: smb.conf only treats lines that begin with # or ; as comments, so a
# trailing "# note" after a value becomes part of that value; keep comments on
# their own lines.
#===================== Global Settings =========================
[global]
# must be your own domain (NetBIOS) name
workgroup = BXCCTJ
# your Linux host name
netbios name = SAMBA
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
template homedir = /home/%D/%U
template shell = /bin/bash
# ----------------------- Domain Members Options ------------------------
security = domain
; passdb backend = tdbsam
; realm = BXCCTJ.NET
# I think realm is better left commented out
# this line is required; without it the later authentication fails
encrypt passwords = yes
# the domain controller (192.168.1.1 in the lab table above)
password server = 192.168.1.1
[homes]
path = /home/%D/%U
browseable = no
writable = yes
# remember to include the domain name here; otherwise an AD account with the
# correct password still cannot open the share
valid users = BXCCTJ/%U
# world-writable as in the original; per-user home directories would normally use tighter modes
create mode = 0777
directory mode = 0777
3) Configuring nsswitch.conf
# vi /etc/nsswitch.conf
Change the following entries:
passwd: files winbind
shadow: files
group: files winbind
4) Starting the samba and winbind services
service smb reload # this line works around samba sometimes failing to start
service smb start
service winbind start
5) Joining the AD domain
[root@lamp ~]# net ads join BXCCTJ.NET -U administrator
Password:
Joined domain BXCCTJ
6) Verifying that the join succeeded
[root@lamp ~]# net rpc testjoin
Join to 'BXCCTJ' is OK
[root@lamp ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@lamp ~]# wbinfo -u
BXCCTJ/administrator
BXCCTJ/guest
BXCCTJ/support_388945a0
BXCCTJ/krbtgt
[root@lamp ~]# wbinfo -g
BXCCTJ/domain computers
BXCCTJ/domain controllers
BXCCTJ/schema admins
BXCCTJ/enterprise admins
BXCCTJ/domain admins
BXCCTJ/domain users
BXCCTJ/domain guests
BXCCTJ/group policy creator owners
BXCCTJ/dnsupdateproxy
[root@SAMBA ~]# getent passwd
BXCCTJ/administrator:*:15000:15000:Administrator:/home/BXCCTJ/administrator:/bin/bash
BXCCTJ/guest:*:15001:15001:Guest:/home/BXCCTJ/guest:/bin/bash
BXCCTJ/support_388945a0:*:15002:15000:SUPPORT_388945a0:/home/BXCCTJ/support_388945a0:/bin/bash
BXCCTJ/krbtgt:*:15003:15000:krbtgt:/home/BXCCTJ/krbtgt:/bin/bash
[root@SAMBA ~]# getent group
BXCCTJ/domain computers:*:15002:
BXCCTJ/domain controllers:*:15003:
BXCCTJ/schema admins:*:15004:BXCCTJ/administrator
BXCCTJ/enterprise admins:*:15005:BXCCTJ/administrator
BXCCTJ/domain admins:*:15006:BXCCTJ/administrator
BXCCTJ/domain users:*:15000:
BXCCTJ/domain guests:*:15001:
BXCCTJ/group policy creator owners:*:15007:BXCCTJ/administrator
BXCCTJ/dnsupdateproxy:*:15008:
Notes
1. DNS must point to the domain controller.
2. If no domain users show up, restart the winbind service (repeatedly if necessary).
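As an added example that is not part of the original post, the POSIX shell script below performs offline sanity checks for the three things this walkthrough says matter after the join: the resolver must point at the domain controller (Note 1), every domain account that getent returns must fall inside the idmap range (section 6), and smb.conf must not carry trailing inline comments, which Samba would read as part of the value. The function names are mine, the sample resolv.conf, getent output and smb.conf fragments are constructed here, and the domain name BXCCTJ, DC address 192.168.1.1 and idmap range 15000-20000 are taken from the post's lab setup.

```shell
#!/bin/sh
# Added example, not from the original post. Offline sanity checks for a Samba
# domain member. The sample inputs below are constructed; the domain name, DC
# address and idmap range come from the post's lab setup.

DOMAIN=BXCCTJ
DC_IP=192.168.1.1
IDMAP_LO=15000
IDMAP_HI=20000

# Note 1: the first nameserver in resolv.conf must be the domain controller,
# otherwise realm/SRV lookups and "net ads join" fail. Returns 0 when it is.
dns_points_to_dc() {
    resolv_file=$1
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv_file")
    [ "$first" = "$DC_IP" ]
}

# Section 6: every DOMAIN/user entry in "getent passwd" output must have a uid
# inside the configured idmap range. Returns 0 when all of them do.
domain_uids_in_range() {
    passwd_file=$1
    awk -F: -v prefix="$DOMAIN/" -v lo="$IDMAP_LO" -v hi="$IDMAP_HI" '
        index($1, prefix) == 1 && ($3 + 0 < lo + 0 || $3 + 0 > hi + 0) { bad++ }
        END { exit (bad > 0) }' "$passwd_file"
}

# smb.conf only treats lines that *begin* with # or ; as comments, so
# "workgroup = BXCCTJ # note" sets the workgroup to "BXCCTJ # note".
# Returns 0 when no key = value line carries a trailing # or ; comment.
smbconf_has_no_inline_comments() {
    ! grep -Eq '^[[:space:]]*[^#;[:space:]][^=]*=[^#;]*[#;]' "$1"
}

# Constructed sample inputs that mirror the post's lab (not real captures).
SAMPLE_DIR=$(mktemp -d)
printf 'search bxcctj.net\nnameserver 192.168.1.1\n' > "$SAMPLE_DIR/resolv.good"
printf 'nameserver 8.8.8.8\nnameserver 192.168.1.1\n' > "$SAMPLE_DIR/resolv.bad"

cat > "$SAMPLE_DIR/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
BXCCTJ/administrator:*:15000:15000:Administrator:/home/BXCCTJ/administrator:/bin/bash
BXCCTJ/guest:*:15001:15001:Guest:/home/BXCCTJ/guest:/bin/bash
EOF
# A uid outside 15000-20000 means the idmap range or the winbind cache is wrong.
cat > "$SAMPLE_DIR/passwd.bad" <<'EOF'
BXCCTJ/administrator:*:15000:15000:Administrator:/home/BXCCTJ/administrator:/bin/bash
BXCCTJ/svc_backup:*:20001:15000:svc_backup:/home/BXCCTJ/svc_backup:/bin/bash
EOF

cat > "$SAMPLE_DIR/smb.good" <<'EOF'
[global]
# must be the domain name
workgroup = BXCCTJ
; realm = BXCCTJ.NET
valid users = BXCCTJ/%U
EOF
cat > "$SAMPLE_DIR/smb.bad" <<'EOF'
[global]
workgroup = BXCCTJ # must be the domain name
valid users =BXCCTJ/%U#include the domain
EOF

# Run each check and print a one-line verdict; the *.bad samples are expected to FAIL.
report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
report dns_points_to_dc "$SAMPLE_DIR/resolv.good"
report dns_points_to_dc "$SAMPLE_DIR/resolv.bad"
report domain_uids_in_range "$SAMPLE_DIR/passwd.good"
report domain_uids_in_range "$SAMPLE_DIR/passwd.bad"
report smbconf_has_no_inline_comments "$SAMPLE_DIR/smb.good"
report smbconf_has_no_inline_comments "$SAMPLE_DIR/smb.bad"
```

On a real member server, point the three functions at /etc/resolv.conf, the output of getent passwd, and /etc/samba/smb.conf instead of the constructed samples; running them before the net ads join catches the DNS and smb.conf problems that otherwise surface only as a failed join or an "access denied" on the share.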
Reposted from: https://blog.51cto.com/brotherxing/752015