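Configuration files to modify when joining a Samba server to a domain controller

When a Samba server joins a domain controller as a domain member, users who access shared files on the Samba server are authenticated directly against the domain controller. It is no longer necessary to create system users, Samba users and passwords on the Samba server as before.

1. Installation environment (host)

Samba server: RHEL 6.4      IP: 192.168.1.101  Hostname: sambaserver.samba.com

Domain controller: Windows Server 2008  IP: 192.168.1.100  Hostname: winserver.samba.com  Domain: SAMBA.COM

Set SELinux to disabled, turn off the firewall, change the Samba server's hostname to its fully qualified domain form, put its IP address on the same subnet as the domain controller, and set DNS to the domain controller's IP.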

vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=sambaserver.samba.com

vi /etc/hosts
127.0.0.1    sambaserver.samba.com     sambaserver
192.168.1.101    sambaserver.samba.com    sambaserver
192.168.1.100    winserver.samba.com      winserver

vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
UUID=be9c85bd-3292-4b5a-96b9-9aed2bc61ce2
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=01:A1:53:94:55:A6
IPADDR=192.168.1.101
PREFIX=25
GATEWAY=192.168.1.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
DNS1=192.168.1.100

2. smb.conf configuration

#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
# First part of the domain name; do not append .com
    workgroup = SAMBA
    netbios name = sambaserver
# server string is the equivalent of the NT Description field
# This name is arbitrary as long as it does not clash with another server
   server string = sambaServer.SAMBA

# Domain name
realm = SAMBA.COM
auth methods = winbind
idmap config SAMBA : schema_mode = rfc2307
idmap config SAMBA : range = 30000-40000
idmap config SAMBA : default = yes
idmap config SAMBA : backend = rid
;idmap config SAMBA : backend = ad
idmap config * : backend = tdb
;idmap config * : backend = rid
idmap config * : range = 10000-20000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
winbind use default domain = yes
template homedir = /home/share/%U
template shell = /bin/bash

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50000

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = ads
   encrypt passwords = yes
# Use password server option only with security = server
# IP of the domain controller
   password server = 192.168.1.100

   logon path = \\%L\Profiles\%U

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#    Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# IP of the domain controller
   wins server = 192.168.1.100

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no
#============================ Share Definitions ==============================
[homes]
   path = /home/share/%U
   valid users = SAMBA.COM\%U, SAMBA\%U, %U
   create mode = 0777
   directory mode = 0777
   comment = Home Directories
   browseable = no

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
#[printers]
#   comment = All Printers
#   path = /var/spool/samba
#   browseable = no
# Set public = yes to allow user 'guest account' to print
#   guest ok = no
#   writable = no
#   printable = yes

[MyFile]
comment        = user
path        = /home/share/%U
browseable    = yes
guest ok    = no
writable    = yes
printable    = no
public        = no
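
An added example, not part of the original article: a small Python linter for smb.conf mistakes relevant to this setup (a comment placed after a value, which Samba reads as part of the value; overlapping idmap ranges, which map two accounts to the same UID/GID; a non-allocating backend for the default domain; share masks that permit world-writable files). The sample input is constructed, and the set of backends accepted for the default (*) domain is an assumption based on the Samba idmap documentation.

```python
import re
from itertools import combinations
# Constructed sample in the style of the smb.conf above (not the author's file).
SAMPLE = """\
[global]
    workgroup = SAMBA     # first part of the domain name
    idmap config SAMBA : range = 15000-40000
    idmap config * : backend = rid
    idmap config * : range = 10000-20000
[homes]
    create mode = 0777
"""
ALLOCATING = {"tdb", "tdb2", "ldap", "autorid"}  # assumed: backends valid for "*"
MASKS = {"create mode", "create mask", "directory mode", "directory mask"}

def parse(text):
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # Samba only honours whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def lint(text):
    findings, ranges = [], {}
    for name, params in parse(text).items():
        for key, value in params.items():
            if re.search(r"\s[#;]", value):
                findings.append(f"[{name}] {key}: trailing comment becomes part of the value")
            m = re.fullmatch(r"idmap config (\S+) : (backend|range)", key)
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if m and m.group(2) == "range" and r:
                ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
            elif m and m.group(2) == "backend" and m.group(1) == "*" and value not in ALLOCATING:
                findings.append(f"idmap default domain: backend {value!r} cannot allocate IDs")
            if key in MASKS and re.fullmatch(r"[0-7]{3,4}", value) and int(value, 8) & 0o002:
                findings.append(f"[{name}] {key} = {value}: mask permits world-writable files")
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges of {a} and {b} overlap: UID/GID collisions")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Samba's own testparm -s /etc/samba/smb.conf additionally reports syntax errors and unknown parameters.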

3. krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SAMBA.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 proxiable = true

[realms]
 SAMBA.COM = {
  kdc = winserver.samba.com:88
  admin_server = winserver.samba.com:749
  default_domain = SAMBA.COM
 }

#[kdc]
# profile = /var/kerberos/krb5kdc/kdc.conf 

[domain_realm]
 .samba.com = SAMBA.COM
 samba.com = SAMBA.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

4. resolv.conf

vi /etc/resolv.conf

# Generated by NetworkManager
domain samba.com
search samba.com
nameserver 192.168.1.100

5. nsswitch.conf

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#    nisplus or nis+        Use NIS+ (NIS version 3)
#    nis or yp        Use NIS (NIS version 2), also called YP
#    dns            Use DNS (Domain Name Service)
#    files            Use the local files
#    db            Use the local database (.db) files
#    compat            Use NIS on compat mode
#    hesiod            Use Hesiod for user lookups
#    [NOTFOUND=return]    Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

hosts:     files dns wins
#hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     db files
netmasks:   files
networks:   files dns
protocols:  db files
#protocols:   files winbind
rpc:        db files
services:   db files
#services:   files winbind

netgroup:   nisplus winbind
#netgroup:    files winbind

publickey:  nisplus

automount:  files nisplus
#automount:   files winbind
aliases:    files nisplus

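6. Joining the Samba server to the domain controller

6.1 Start Samba: /usr/local/samba3/sbin/smbd -s /etc/samba/smb.conf -D -d 3

6.2 Start winbind: service winbind start  Check that winbind is running: service winbind status

6.3 Join the domain: net ads join -U administrator, then enter the password of the domain administrator account on the domain controller; if all is well, a message confirms that the domain was joined successfully.

6.4 Test the join: wbinfo -t checks the trust relationship between the Samba server and the domain controller; wbinfo -u reads the information of all users on the domain controller; wbinfo -g reads the user group information on the domain controller.

Date: 2024-08-14 18:49:56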
