Brother-Xing  
2011/10/14
 
Joining Samba to a Windows 2008 Domain
1.  Requirements
The company has few departments but a very large number of employees. Creating each user one by one and then adding a Samba logon user for each with smbpasswd is very tedious. The company already has a Windows 2008 Server domain controller (setup method) that holds the accounts of all employees, so the administrator wants to use the accounts of the Windows 2008 Server domain controller as the Samba logon accounts.
2.  Lab environment
              Windows 2008 Server   Linux Samba server
IP address    192.168.1.1/24        192.168.1.250/24
DNS           192.168.1.1           192.168.1.1
hostname      Bxcctj                Samba
Domain        Bxcctj.net
 
3.  Lab configuration
(1)  Packages to install
samba-3.5.4-68.el6.x86_64
samba-winbind-3.5.4-68.el6.x86_64
samba-client-3.5.4-68.el6.x86_64
samba-common-3.5.4-68.el6.x86_64
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
(2) Editing the configuration
1. krb5 configuration
Comments must be placed on their own lines: neither krb5.conf nor smb.conf treats a trailing # as a comment, so an inline remark becomes part of the value.
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# realm name in upper case
default_realm = BXCCTJ.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
# realm name in upper case
BXCCTJ.NET = {
# domain controller IP
kdc = 192.168.1.1:88
# domain controller IP
admin_server = 192.168.1.1:749
# no need for upper case here
default_domain = bxcctj.net
}
[domain_realm]
# which DNS domains are mapped to the realm
.BXCCTJ.com = BXCCTJ.NET
BXCCTJ.com = BXCCTJ.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
 
Connecting to the AD server
   kinit administrator@BXCCTJ.NET
The Kerberos kinit command tests communication between the servers. The realm name after it, BXCCTJ.COM, is your Active Directory domain name and must be in upper case; otherwise you receive the error:
     kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
If communication works you are prompted for a password. If the password is correct you are returned to the bash prompt; if it is wrong the error is:
      kinit(v5): Preauthentication failed while getting initial credentials.
This step shows that the host can already talk to the AD server, but it does not mean the Samba server has joined the domain yet.
2. smb.conf configuration
 #vi /etc/samba/smb.conf
#===================== Global Settings =========================
[global]
# must be your own domain name
workgroup = BXCCTJ
# your Linux hostname
netbios name = SAMBA
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
template homedir = /home/%D/%U
template shell = /bin/bash
# ----------------------- Domain Members Options ------------------------
security = domain
; passdb backend = tdbsam
; I think it is better to leave realm commented out
; realm = BXCCTJ.NET
# this line is required; without it the later verification fails
encrypt passwords = yes
password server = 192.168.1.142
[homes]
path = /home/%D/%U
browseable = no
writable = yes
# remember to include the domain name here; otherwise an AD account with the
# correct username and password still cannot access the shared directory
valid users = BXCCTJ/%U
create mode = 0777
directory mode = 0777
3. nsswitch.conf configuration
#vi /etc/nsswitch.conf
Change the following entries:
passwd: files winbind
shadow: files
group: files winbind
4. Start the samba and winbind services
service smb reload # this line works around Samba sometimes failing to start
service smb start
service winbind start
5. Join the AD domain
[root@lamp ~]# net ads join BXCCTJ.NET -U administrator
Password:
Joined domain BXCCTJ
6. Verify that the join succeeded
[root@lamp ~]# net rpc testjoin
Join to 'BXCCTJ' is OK
[root@lamp ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@lamp ~]# wbinfo -u
BXCCTJ/administrator
BXCCTJ/guest
BXCCTJ/support_388945a0
BXCCTJ/krbtgt
[root@lamp ~]# wbinfo -g
BXCCTJ/domain computers
BXCCTJ/domain controllers
BXCCTJ/schema admins
BXCCTJ/enterprise admins
BXCCTJ/domain admins
BXCCTJ/domain users
BXCCTJ/domain guests
BXCCTJ/group policy creator owners
BXCCTJ/dnsupdateproxy
[root@SAMBA ~]# getent passwd
BXCCTJ/administrator:*:15000:15000:Administrator:/home/BXCCTJ/administrator:/bin/bash
BXCCTJ/guest:*:15001:15001:Guest:/home/BXCCTJ/guest:/bin/bash
BXCCTJ/support_388945a0:*:15002:15000:SUPPORT_388945a0:/home/BXCCTJ/support_388945a0:/bin/bash
BXCCTJ/krbtgt:*:15003:15000:krbtgt:/home/BXCCTJ/krbtgt:/bin/bash
[root@SAMBA ~]# getent group
BXCCTJ/domain computers:*:15002:
BXCCTJ/domain controllers:*:15003:
BXCCTJ/schema admins:*:15004:BXCCTJ/administrator
BXCCTJ/enterprise admins:*:15005:BXCCTJ/administrator
BXCCTJ/domain admins:*:15006:BXCCTJ/administrator
BXCCTJ/domain users:*:15000:
BXCCTJ/domain guests:*:15001:
BXCCTJ/group policy creator owners:*:15007:BXCCTJ/administrator
BXCCTJ/dnsupdateproxy:*:15008:
 
Notes
1.  DNS must point to the domain controller
2.  If no domain users show up, restart the winbind service repeatedly
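The checker below is an added example and not part of the original walkthrough. It turns the pitfalls called out above (the upper-case realm from the kinit section, the security/encrypt passwords/valid users remarks in smb.conf, the winbind entries in nsswitch.conf, and the DNS note at the end) into a static check that can be run before attempting the join. It assumes the four files are copied into one directory (a constructed layout for the example; on the real host they are /etc/krb5.conf, /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/resolv.conf), and the function names and the sample "good"/"bad" contents are constructed here.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba member server (example, not the original post's code).
# Inline "#"/";" remarks are stripped defensively even though the real parsers keep them.

# conf_value <file> <key>: value of "key = value" in krb5.conf/smb.conf style files.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# report <message>: print a finding to stderr and count it.
report() {
    echo "$1" >&2
    problems=$((problems + 1))
}

# check_join_config <dir with krb5.conf smb.conf nsswitch.conf resolv.conf> <DC IP>
# Prints the number of findings on stdout; details go to stderr.
check_join_config() {
    cfg_dir=$1
    dc_ip=$2
    problems=0

    realm=$(conf_value "$cfg_dir/krb5.conf" default_realm)
    if [ -z "$realm" ]; then
        report "krb5.conf: default_realm is not set"
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        report "krb5.conf: default_realm '$realm' must be upper case (otherwise kinit: Cannot find KDC)"
    fi
    # Only the kdc inside [realms] counts; [logging] has its own "kdc =" line.
    kdc=$(awk '/^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/) }
               in_realms && $1 == "kdc" && $2 == "=" { print $3; exit }' "$cfg_dir/krb5.conf")
    [ "${kdc%%:*}" = "$dc_ip" ] || report "krb5.conf: [realms] kdc is '${kdc:-unset}', expected $dc_ip"

    case "$(conf_value "$cfg_dir/smb.conf" security)" in
        domain|ads) ;;
        *) report "smb.conf: security must be domain or ads for a member server" ;;
    esac
    [ "$(conf_value "$cfg_dir/smb.conf" 'encrypt passwords')" = yes ] ||
        report "smb.conf: encrypt passwords = yes is missing; domain logons will fail"
    workgroup=$(conf_value "$cfg_dir/smb.conf" workgroup)
    sep=$(conf_value "$cfg_dir/smb.conf" 'winbind separator')
    [ -n "$sep" ] || sep='\'
    valid_users=$(conf_value "$cfg_dir/smb.conf" 'valid users')
    case "$valid_users" in
        "$workgroup$sep"*) ;;
        *) report "smb.conf: valid users = '$valid_users' lacks the $workgroup$sep prefix" ;;
    esac

    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$cfg_dir/nsswitch.conf" ||
            report "nsswitch.conf: '$db' does not consult winbind"
    done

    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$cfg_dir/resolv.conf")
    [ "$ns" = "$dc_ip" ] || report "resolv.conf: first nameserver is '${ns:-unset}', expected the DC $dc_ip"

    echo "$problems"
}

# write_sample_config good|bad <dir>: constructed sample files; "good" mirrors the
# walkthrough, "bad" contains one instance of every mistake the checker looks for.
write_sample_config() {
    mkdir -p "$2"
    if [ "$1" = good ]; then
        s_realm=BXCCTJ.NET; s_kdc=192.168.1.1; s_sec=domain
        s_enc='encrypt passwords = yes'; s_vu='BXCCTJ/%U'; s_nss='files winbind'; s_ns=192.168.1.1
    else
        s_realm=bxcctj.net; s_kdc=192.168.1.250; s_sec=user
        s_enc='; encrypt passwords left out'; s_vu='%U'; s_nss=files; s_ns=8.8.8.8
    fi
    cat > "$2/krb5.conf" <<EOF
[logging]
kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
default_realm = $s_realm
[realms]
$s_realm = {
kdc = $s_kdc:88
admin_server = $s_kdc:749
}
EOF
    cat > "$2/smb.conf" <<EOF
[global]
workgroup = BXCCTJ
netbios name = SAMBA
winbind separator = /
security = $s_sec
$s_enc
[homes]
valid users = $s_vu
EOF
    printf 'passwd: %s\nshadow: files\ngroup: %s\n' "$s_nss" "$s_nss" > "$2/nsswitch.conf"
    printf 'nameserver %s\n' "$s_ns" > "$2/resolv.conf"
}

# Demo run over the two constructed sample sets.
demo_dir=$(mktemp -d)
write_sample_config good "$demo_dir/good"
write_sample_config bad "$demo_dir/bad"
echo "findings for the walkthrough-style config: $(check_join_config "$demo_dir/good" 192.168.1.1)"
echo "findings for the broken config:            $(check_join_config "$demo_dir/bad" 192.168.1.1)"
rm -rf "$demo_dir"
```

On a real member server, copy the four files into a directory and call check_join_config on it with the domain controller IP from the lab table. This is a static check only: a clean result still has to be confirmed with kinit, net rpc testjoin and wbinfo -t as shown above, and the final note about restarting winbind still applies when users do not appear.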