Samba as a Member Server in Active Directory (AD)
Preparation:
Operating systems: Red Hat Enterprise Linux 5.2, Windows Server 2003 Enterprise
Samba version (download the latest rpm packages from the Internet):
samba-3.0.33-3.14.el5.i386.rpm
samba-client-3.0.33-3.14.el5.i386.rpm
samba-common-3.0.33-3.14.el5.i386.rpm
samba-swat-3.0.33-3.14.el5.i386.rpm
Note: the clock on the Samba server must not differ from the AD clock by more than 5 minutes, otherwise Kerberos authentication fails.

#date MMDDhhmmYYYY
#hwclock -w
For example:
#date 042208062010
sets the system time to 08:06 on 22 April 2010.
#hwclock -w
writes the system time to the hardware clock.
The Windows server is the domain controller; its FQDN is server.test.com.cn and the domain name is test.com.cn.
IP: 192.168.10.44, DNS: 192.168.10.44
The Samba server's hostname is rhel5 (check with the hostname command); IP: 192.168.10.22,
DNS: 192.168.10.44
Edit /etc/hosts so that it reads as follows:
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.10.22        rhel5.test.com.cn  rhel5

::1            localhost6.localdomain6  localhost6
Edit /etc/sysconfig/network so that it reads as follows:
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=rhel5

GATEWAY=192.168.10.1
1. After making these changes, reboot the Samba server.
The configuration files are as follows:
Edit the main Samba configuration file, /etc/samba/smb.conf, as follows:
workgroup = TEST
realm = TEST.COM.CN
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
password server = server.test.com.cn
netbios name = rhel5
domain master = no
preferred master = no
domain logons = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind separator = %
Also comment out the following two lines:
security = user
passdb backend = tdbsam
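As an added example that is not part of the original article, the script below checks an smb.conf for the member-server settings listed above before net ads join is run. It assumes only sh and awk; the names smb_values, smb_get and check_smb_conf are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: check an smb.conf for the
# AD member-server settings listed above before running "net ads join".
# Keys match case-insensitively and the last active occurrence wins, as in
# Samba; settings before any [section] header are treated as [global].

# Print every active (uncommented) value of key $2 in the global section of $1.
smb_values() {
    awk -v key="$2" '
        BEGIN { sec = "global" }
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == "global" && tolower(k) == tolower(key)) print v
        }' "$1"
}

# Effective value of a key (last active occurrence), empty when unset.
smb_get() { smb_values "$1" "$2" | tail -n 1; }

# Returns 0 when the file passes, 1 otherwise; every problem found is printed.
check_smb_conf() {
    conf="$1"; rc=0
    # Fixed values the AD member configuration above depends on.
    for pair in "security=ads" "encrypt passwords=yes" "winbind use default domain=yes"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(smb_get "$conf" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || { echo "FAIL: '$key' is '$got', want '$want'"; rc=1; }
    done
    # Keys that must be present. Samba ignores a misspelled key (such as
    # "pemplate homedir") without error, so a typo shows up here as "not set".
    for key in realm "password server" "idmap uid" "idmap gid" "template homedir"; do
        [ -n "$(smb_get "$conf" "$key")" ] || { echo "FAIL: '$key' is not set"; rc=1; }
    done
    # Kerberos realm names are case-sensitive; AD realms are the domain in uppercase.
    realm=$(smb_get "$conf" realm)
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] ||
        { echo "FAIL: realm '$realm' must be uppercase"; rc=1; }
    # The standalone-server lines must be commented out, not merely overridden:
    # a second active "security" line means the edit in step 1 was missed.
    [ "$(smb_values "$conf" security | wc -l | tr -d ' ')" -le 1 ] ||
        { echo "FAIL: more than one active 'security' line"; rc=1; }
    [ "$(smb_get "$conf" "passdb backend")" != "tdbsam" ] ||
        { echo "FAIL: 'passdb backend = tdbsam' is still active"; rc=1; }
    return $rc
}
```

Run it as check_smb_conf /etc/samba/smb.conf; testparm, which ships with Samba, remains the authoritative syntax check, this script only covers the settings this article relies on.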
2. Install the Kerberos packages:
krb5-workstation-1.6.1-25.el5.rpm
krb5-devel-1.6.1-25.el5.rpm
krb5-libs-1.6.1-25.el5.rpm
pam_krb5-2.2.14-1.rpm
krb5-auth-dialog-0.7-1.rpm
Edit /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM.CN
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TEST.COM.CN= {
  kdc = server.test.com.cn
  admin_server = server.test.com.cn
  default_domain = test.com.cn
 }

[domain_realm]
 .test.com.cn= TEST.COM.CN
 test.com.cn = TEST.COM.CN

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
3. Configure the DNS client on the Samba server, i.e. /etc/resolv.conf:
search  test.com.cn
nameserver  192.168.10.44
4. Edit /etc/nsswitch.conf:
passwd:     files    winbind
shadow:     files    winbind
group:      files    winbind
5. First stop the smb and winbind services:
#service   smb      stop
#service   winbind   stop
6. Join the Samba server to Active Directory:
#net  ads   join   -U  Administrator
7. Start the smb and winbind services:
#service  smb  start
#service  winbind  start
8. Verify that winbind is working (these commands should list the domain's users and groups):
#wbinfo   -u
#wbinfo   -g
9. To allow Active Directory users to log in to the Linux host running the Samba server, edit /etc/pam.d/login:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0066

# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
Note: smb.conf sets the home directory of Active Directory accounts to /home/%D/%U, and %D expands to TEST here, so that directory must be created:
#mkdir  /home/TEST
10. Edit /etc/pam.d/system-auth so that it reads as follows (note: back up the file before editing it; if it is edited incorrectly, even root will be unable to log in):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass
11. Create an account named allen on the Windows domain controller, then log in to the Samba server's Linux system with that domain account:
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel 2.6.18-92el5xen on an i686
rhel5 login: allen
Password:
Creating directory '/home/TEST/allen'.
Creating directory '/home/TEST/allen/.mozilla'.
Creating directory '/home/TEST/allen/.mozilla/extensions'.
Creating directory '/home/TEST/allen/.mozilla/plugins'.
[allen@rhel5 ~]$