Set up samba on linux server
A Linux host has to be configured before it can belong to a Windows domain. This is done with the Samba file server, which ships several useful tools. The goal here is not to run a Samba file server but to use some of the tools that come with it.
Samba contains, among others, the following components:
- Winbind, a daemon which connects the Linux host to a Windows NT/Active Directory domain and resolves domain users and groups to local UIDs and GIDs.
- Ntlm_auth, a tool which uses winbind to evaluate NTLM (NT LAN Manager) authentication requests. It verifies user credentials against the domain controller and returns either success or an error status.
[Preparation] -- check that samba is installed and that krb5.conf and nsswitch.conf meet the requirements
Please have a look at your Linux box and check whether Samba is already installed.
To avoid trouble later, run "hostname" and "hostname -f" first and make sure both resolve correctly (the join derives the machine's servicePrincipalName values from them).
[root@siptest ]# rpm -q samba
samba-3.0.28-0.el5.8
To ensure that samba was built with LDAP, Kerberos, ADS and winbind support, run the following commands to check the build options (each should print at least one matching line; no output means that feature was compiled out):
~#smbd -b | grep LDAP
~#smbd -b | grep KRB
~#smbd -b | grep ADS
~#smbd -b | grep WINBIND
Please make sure the clock is in sync with the DC (Kerberos tolerates at most 5 minutes of skew; beyond that kinit and the join fail with "Clock skew too great"):
~#ntpdate 172.18.8.10
172.18.8.10 is the DC. Keep the clock in sync afterwards with ntpd; a one-off ntpdate drifts again.
Key config files for samba
[smb.conf]
[root@proxy samba]# cat smb.conf | sed '/ *#/d; / *;/d; /^ *$/d'
[global]
workgroup = 800BEST
password server = 172.18.8.10
realm = 800BEST.NET
security = ads
encrypt passwords = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
use kerberos keytab = yes
dns proxy = no
ldap ssl = no
preferred master = no
template shell = /bin/false
winbind use default domain = yes
winbind offline logon = false
server string = Samba Server Version %v
netbios name = proxy
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
Notes on these settings:
- security = ads and realm = 800BEST.NET make Samba authenticate against Active Directory with Kerberos. The realm must be the upper-case Kerberos realm and identical to default_realm in krb5.conf; workgroup is the short NetBIOS name of the domain.
- password server pins a single DC by IP. With security = ads Samba can also locate DCs through DNS SRV records (password server = *), which survives a DC change.
- ldap ssl = no is acceptable here: the LDAP bind to AD is SASL/GSSAPI (Kerberos), so no password crosses the wire. Whether the LDAP traffic after the bind is signed or sealed depends on the Samba version (client ldap sasl wrapping, available from 3.2 on).
- idmap uid / idmap gid give the UID/GID range winbind allocates for domain SIDs; later Samba versions express this as idmap config * : backend = tdb and idmap config * : range = 16777216-33554431.
- use kerberos keytab = yes makes net ads join write the machine account keys into /etc/krb5.keytab; keep that file readable by root only.
- template shell = /bin/false gives domain users no interactive shell: they can authenticate and use shares but cannot log in at a terminal unless you change it.
- winbind use default domain = yes makes domain users appear as bl00250 instead of 800BEST\bl00250 in getent and ls output; both forms are still accepted in valid users and chown.
- passdb backend = tdbsam, the [homes] and [printers] shares and the cups options are the RHEL defaults and are not needed for the domain join itself.
[krb5.conf]
(Watch out for case sensitivity)
[root@siptest ~]# cat /etc/krb5.conf |sed '/ *#/d; /^ *$/d'
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = 800BEST.NET
dns_lookup_realm = false
# with dns_lookup_kdc = true the kdc lines under [realms] can be found through DNS SRV records instead;
# dns_lookup_realm = true would likewise replace the [domain_realm] mapping
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
800BEST.NET = {
kdc = 172.18.8.10:88
admin_server = 172.18.8.10:749
# same as the realm value in smb.conf
default_domain = 800BEST.NET
}
# 800BEST here is the NetBIOS name of the domain
800BEST = {
kdc = 172.18.8.10
}
[domain_realm]
.800best.net = 800BEST.NET
800best.net = 800BEST.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
The annotations sit on their own lines because krb5.conf only treats whole lines starting with # or ; as comments; a trailing comment would become part of the value. admin_server points at kadmind, which AD does not run (password changes go to kpasswd on port 464), so that line is harmless but unused. The [kdc] and [appdefaults] sections are the RHEL template defaults.
##############
Note:
The realm in krb5.conf must be identical to the realm in smb.conf (same spelling, upper case); otherwise net ads join fails with
[2009/08/18 21:05:51, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
Failed to join domain: No logon servers
##############
[nsswitch.conf]
[root@siptest ~]# cat /etc/nsswitch.conf |sed '/ *#/d; /^ *$/d'
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
libnss_winbind only implements the passwd and group maps, so passwd: files winbind and group: files winbind are the two lines that matter: without them wbinfo -u lists domain users but getent passwd, chown and valid users cannot resolve them. The winbind entries on protocols, services, netgroup and automount are ignored and can be dropped; shadow: files winbind is conventional and harmless, since password checks go through pam_winbind or ntlm_auth rather than the shadow map. Once winbindd is running after the join, getent passwd bl00250 returning the domain user is the quick check that this file is right.
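The preparation rules above (realm identical and upper-case in smb.conf and krb5.conf, security = ads with a short workgroup, winbind on passwd and group in nsswitch.conf, clock within 5 minutes of the DC) can be checked mechanically before running the join. The script below is an added example, not part of the original post or of Samba; the function names are my own, the sample config files it writes are constructed for the stand-alone run and mirror the page's values, and on a real box you would point the checks at /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Pre-flight checks for the smb.conf / krb5.conf / nsswitch.conf rules above.
# Added example code; function names are my own, not Samba tooling.

# conf_value FILE KEY: first "KEY = value" in FILE, trailing comment and
# whitespace stripped (empty output if the key is absent).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*[#;].*$//; s/[[:space:]]*$//' | head -n 1
}

# check_realm_match SMB_CONF KRB5_CONF: true if "realm" in smb.conf and
# "default_realm" in krb5.conf are identical and upper-case.  A mismatch or
# lower-case realm is what produces "ads_connect: No logon servers" on join.
check_realm_match() {
    smb_realm=$(conf_value "$1" realm)
    krb_realm=$(conf_value "$2" default_realm)
    upper=$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] && [ "$smb_realm" = "$upper" ]
}

# check_ads_mode SMB_CONF: security = ads and a workgroup that is the short
# NetBIOS name (no dots), as the page's smb.conf has it.
check_ads_mode() {
    [ "$(conf_value "$1" security)" = "ads" ] || return 1
    case "$(conf_value "$1" workgroup)" in
        ""|*.*) return 1 ;;
    esac
}

# check_nsswitch NSSWITCH_CONF: passwd and group must list winbind, or
# domain users resolve for wbinfo but not for getent, chown or valid users.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|"'$)' "$1" || return 1
    done
}

# check_clock_skew LOCAL_EPOCH DC_EPOCH: Kerberos tolerates 5 minutes.
# Feed it "$(date +%s)" and the DC's clock as epoch seconds, for example
# date -d "$(net time -S 172.18.8.10)" +%s on a GNU system (assumption).
check_clock_skew() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le 300 ]
}

# write_samples DIR: constructed sample configs for a stand-alone run
# (values mirror the page; krb5-bad.conf has the realm in lower case).
write_samples() {
    cat >"$1/smb.conf" <<'EOF'
[global]
workgroup = 800BEST
password server = 172.18.8.10
realm = 800BEST.NET
security = ads
EOF
    cat >"$1/krb5-ok.conf" <<'EOF'
[libdefaults]
default_realm = 800BEST.NET
EOF
    cat >"$1/krb5-bad.conf" <<'EOF'
[libdefaults]
default_realm = 800best.net
EOF
    cat >"$1/nsswitch.conf" <<'EOF'
passwd: files winbind
shadow: files winbind
group: files winbind
EOF
}

# Stand-alone demo on the constructed files.
tmp=$(mktemp -d)
write_samples "$tmp"
for krb in krb5-ok.conf krb5-bad.conf; do
    if check_realm_match "$tmp/smb.conf" "$tmp/$krb"; then
        echo "$krb: realm matches smb.conf"
    else
        echo "$krb: realm differs or is not upper-case -> expect 'No logon servers'"
    fi
done
check_ads_mode "$tmp/smb.conf" && echo "smb.conf: security = ads, short workgroup"
check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: winbind on passwd and group"
rm -rf "$tmp"
```

The checks only read the files, so they are safe to run on a production host before touching the domain; the clock check is kept separate because it needs a value from the DC.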
[Steps -- how to join the domain]
1. Use kinit to check that Kerberos works
kinit -- obtain and cache a Kerberos ticket-granting ticket. Note that the realm is written in upper case.
[root@siptest etc]# kinit administrator@800BEST.NET
Password for administrator@800BEST.NET:
[root@siptest etc]#
No error message means it works; klist should now show a krbtgt/800BEST.NET@800BEST.NET ticket. "Clock skew too great" means the time is off (re-run ntpdate); "Cannot find KDC for requested realm" means the [realms] block or the DNS SRV lookup is wrong.
2. Check that the Samba services are running
Verify that the Samba daemons are running by typing:
~#ps -ef | grep nmbd
~#ps -ef | grep smbd
3. Join the domain
Execute the following command line (you must be logged in as root):
~#net ads join -U Administrator
With security = ads a plain "net join" runs net ads join; writing "net ads join" makes that explicit. Administrator is a domain admin account (any account with the right to create computer objects works). Enter the password when prompted. If everything works fine, the Linux server is registered in the Windows domain, and net ads testjoin prints "Join is OK".
Note that net ads join and net rpc join are different: net ads join uses Kerberos and is the one to use against Active Directory.
If you get the following error:
[root@proxy software]# net join -U administrator@800BEST.NET
[2009/08/14 21:31:24, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(651)
create_local_private_krb5_conf_for_domain: failed to create directory /var/cache/samba/smb_krb5. Error was Permission denied
create the /var/cache/samba/smb_krb5 directory by hand (owned by root) and run the join again.
4. Verify that the winbindd daemon is running:
~#ps -ef | grep winbindd
Check that the trust (the machine account secret) has been established between Samba and AD:
~#wbinfo -t
checking the trust secret via RPC calls succeeded
5. Try next whether you can authenticate a user from the domain: ~#wbinfo -a user%password
e.g. ~#wbinfo -a bl00250%Iloveyou~!@#$%
challenge/response password authentication succeeded
wbinfo -a prints one line for plaintext and one for challenge/response authentication; both should say succeeded. Giving the password on the command line exposes it in the process list and the shell history, so use a test account for this step (later wbinfo versions prompt for the password when the %password part is omitted).
6. Type the following line:
root@siptest# ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>
For me, the command would look like this:
[root@siptest ~]# ntlm_auth --request-nt-key --domain=800BEST --username=bl00250
password:
NT_STATUS_OK: Success (0x0)
ntlm_auth hands the credentials to winbindd, which checks them against the DC. NT_STATUS_OK means the check passed; NT_STATUS_LOGON_FAILURE is a wrong password or user, and NT_STATUS_NO_LOGON_SERVERS means winbindd cannot reach a DC. Run it as root here; any other user needs access to winbindd's privileged directory, see the warning below.
WARNING!!!
When called by radiusd - thus directly setting the challenge value - the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). According to my experiences read access will suffice.
The radiusd.conf file sets the uid and gid your radiusd process will run as (by the user and group directives, respectively). The ntlm_auth process will have the same identity. If your filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions, in case your distribution's default settings were insufficient. If radiusd runs as the user radiusd for example, then you should use setfacl the following way:
setfacl -m u:radiusd:rx winbindd_privileged
Or something like that. See http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl about POSIX ACLs!
The directory location varies by distribution; find it with find /var -type d -name winbindd_privileged. Grant access only to the service account that really needs it, since anything that can open the privileged pipe can ask winbindd to validate credentials and obtain session keys.
Add share
Edit /etc/samba/smb.conf and add lines like the following:
**************
[share]
comment = shared folder
path = /var/spool/share
browseable = yes
guest ok = no
writable = yes
valid users = 800BEST\bl00250
************************
then create /var/spool/share and give it to the domain user:
~#chown '800BEST\bl00250':'800BEST\domain users' /var/spool/share
The single quotes stop the shell from swallowing the backslashes; these names only resolve once winbindd is running and nsswitch.conf lists winbind for passwd and group. valid users restricts the share to that one domain user (guest ok = no keeps anonymous access out), and the directory's Unix permissions still apply on top. Run testparm after editing to catch syntax errors, then reload smbd for the share to appear.
[troubleshooting]
1. How to resolve "Failed to join domain: Type or value exists"
~# net join -U administrator
Administrator's password:
Using short domain name -- 800BEST
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'ftpsvr' in realm '800BEST.NET'
Failed to join domain: Type or value exists
When joining Samba to AD with net join -U administrator produces the message above ("Type or value exists" is the LDAP attributeOrValueExists result), there are two possible reasons:
a. there is an existing computer account with the same name in AD
b. hostname and hostname -f do not resolve correctly --- this seems to be either a Samba 3.0 bug or the host name check Samba performs before adding the machine to AD
For a, delete the existing computer account in AD, wait for replication between the DCs and verify that the account is gone.
For b, check /etc/sysconfig/network, set the right hostname and restart the network. If it still does not work, set it directly:
~# hostname <hostname>
then re-do
~# net join -U administrator
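The three join failures quoted on this page (the "No logon servers" realm mismatch, the missing /var/cache/samba/smb_krb5 directory in step 3, and "Type or value exists" above) each have a specific fix. The helper below is an added example, my code rather than Samba's: it reads net ads join output on stdin and prints the remedy the page gives, so the join can be run as net ads join -U Administrator 2>&1 | diagnose_join. The sample outputs it is fed in the demo are constructed reproductions of the messages quoted above, not live output; the -d 3 debug switch it suggests is Samba's normal net debug level.

```shell
#!/bin/sh
# diagnose_join: read "net ads join" output on stdin and print the remedy
# this page gives for each failure it shows.  Added example code, not part
# of Samba.  Exit status: 0 = recognised failure, 2 = join looked fine,
# 1 = output not recognised.
diagnose_join() {
    out=$(cat)
    case "$out" in
        *"No logon servers"*)
            echo "realm mismatch: 'realm' in smb.conf and default_realm in krb5.conf must be identical and upper-case; confirm kinit works first"
            return 0 ;;
        *"failed to create directory"*smb_krb5*)
            echo "create the cache directory by hand: mkdir -p /var/cache/samba/smb_krb5 (owner root), then rejoin"
            return 0 ;;
        *"Type or value exists"*)
            echo "stale computer account or wrong host name: delete the existing computer object in AD, make sure hostname and hostname -f resolve, then rejoin"
            return 0 ;;
        *"Joined '"*"' to realm '"*)
            echo "join succeeded; confirm with: net ads testjoin && wbinfo -t"
            return 2 ;;
    esac
    echo "output not recognised; rerun as: net ads join -U Administrator -d 3"
    return 1
}

# join_and_diagnose ADMIN: run the real join (as root) and explain the
# result.  Not executed in this demo.
join_and_diagnose() {
    net ads join -U "$1" 2>&1 | diagnose_join
}

# Constructed reproductions of the messages quoted on this page, run
# through the diagnoser.
printf '%s\n' \
    "[2009/08/18 21:05:51, 0] utils/net_ads.c:ads_startup_int(286)" \
    "ads_connect: No logon servers" \
    "Failed to join domain: No logon servers" | diagnose_join
printf '%s\n' \
    "create_local_private_krb5_conf_for_domain: failed to create directory /var/cache/samba/smb_krb5. Error was Permission denied" \
    | diagnose_join
printf '%s\n' \
    "Using short domain name -- 800BEST" \
    "Deleted account for 'ftpsvr' in realm '800BEST.NET'" \
    "Failed to join domain: Type or value exists" | diagnose_join
printf '%s\n' \
    "Using short domain name -- 800BEST" \
    "Joined 'PROXY' to realm '800BEST.NET'" | diagnose_join
```

The patterns are matched against the whole captured output, so the order of the case branches only matters if a single run printed more than one of these messages; the success branch is last so that a failure line always wins.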
Reposted from: https://blog.51cto.com/brandon/116729