  • samba服务器加入域控主机所需要修改的配置文件

    samba服务器加入域控主机,成为域成员,当用户访问samba服务器上的共享文件时,直接到域控主机上进行认证。samba服务器上不需要像先前一样创建系统用户,创建samba用户及密码。

    1、安装环境(host)

    SAMBA服务器:RHEL6.4      IP:192.168.1.101  主机名:sambaserver.samba.com

    域控主机WINSERVER2008  IP:192.168.1.100  主机名:winserver.samba.com 域名:SAMBA.COM

    设置SELinux的运行模式为disabled,关闭防火墙,修改samba服务器主机名为域名形式,修改IP地址为同一网段,并且设置DNS为域控主机IP。(关闭SELinux和防火墙只是为了在测试环境中排除干扰;正式环境建议保持SELinux为enforcing,防火墙只放行Samba所需端口:TCP 139/445、UDP 137/138。)

      vi /etc/sysconfig/network

      NETWORKING=yes
      HOSTNAME=netfolderserver.iamtest.com

    vi /etc/hosts
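    # Loopback carries only the localhost names. The Samba domain-member guidance
    # is that the host's FQDN must resolve to its LAN address, not to 127.0.0.1;
    # otherwise "net ads join" can look up or register the wrong address.
    127.0.0.1    localhost localhost.localdomain
    192.168.1.101    sambaserver.samba.com    sambaserver
    192.168.1.100    winserver.samba.com      winserver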
    
    [root@sambaserver]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 
    
    # Interface identity. HWADDR and UUID belong to the author's machine: keep the
    # values already present in your own ifcfg file instead of copying these.
    DEVICE=eth0
    NAME="System eth0"
    TYPE=Ethernet
    HWADDR=01:A1:53:94:55:A6
    UUID=be9c85bd-3292-4b5a-96b9-9aed2bc61ce2

    # Activation: brought up at boot, static configuration (no DHCP).
    ONBOOT=yes
    NM_CONTROLLED=yes
    BOOTPROTO=none

    # Static IPv4 settings; the /25 prefix covers 192.168.1.0-127, which includes
    # this host, the gateway and the domain controller.
    IPADDR=192.168.1.101
    PREFIX=25
    GATEWAY=192.168.1.1
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=yes
    IPV6INIT=no

    # DNS resolver: the domain controller.
    DNS1=192.168.1.100

    2、smb.conf配置

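    #======================= Global Settings =====================================
    # smb.conf treats a line as a comment only when it starts with "#" or ";".
    # Anything after a value on the same line is read as part of that value, so
    # each annotation below is on a line of its own.
    [global]

    # workgroup = NT-Domain-Name or Workgroup-Name
    # Use the short domain name: the first label of the domain, without ".com".
       workgroup = SAMBA
       netbios name = sambaserver
    # server string is the equivalent of the NT Description field
    # Any text will do, as long as no other server uses the same string.
       server string = sambaServer.SAMBA

    # Kerberos realm of the domain.
       realm = SAMBA.COM
    # NOTE(review): "auth methods" is marked deprecated in later Samba releases;
    # confirm it is still needed for the version in use.
       auth methods = winbind
    # ID mapping for the SAMBA domain: rid backend, Unix IDs 30000-40000.
    # NOTE(review): schema_mode is an option of the ad backend, which is disabled
    # below, and "default = yes" looks like older idmap syntax - confirm both.
       idmap config SAMBA : schema_mode = rfc2307
       idmap config SAMBA : range = 30000-40000
       idmap config SAMBA : default = yes
       idmap config SAMBA : backend = rid
    ;idmap config SAMBA : backend = ad
    # Default domain ("*"): the backend is set twice and the later line (rid) is
    # the one in effect. NOTE(review): confirm which backend was intended.
       idmap config * : backend = tdb
       idmap config * : backend = rid
       idmap config * : range = 10000-20000
       winbind nss info = rfc2307
       winbind trusted domains only = no
       winbind enum groups = yes
       winbind enum users = yes
       winbind separator = /
    # Domain users can be named without the domain prefix.
       winbind use default domain = yes
       template homedir = /home/share/%U
       template shell = /bin/bash

    # this tells Samba to use a separate log file for each machine
    # that connects
       log file = /var/log/samba/log.%m

    # Put a capping on the size of the log files (in Kb).
       max log size = 50000

    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
    # "ads" makes this host a member of the Active Directory domain.
       security = ads
       encrypt passwords = yes
    # Use password server option only with security = server
    # IP address of the domain controller.
       password server = 192.168.1.100

    # Backslashes restored: the page had lost them from this UNC path.
       logon path = \\%L\Profiles\%U

    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    #    Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    # IP address of the domain controller.
       wins server = 192.168.1.100

    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
    # this has been changed in version 1.9.18 to no.
       dns proxy = no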
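    #============================ Share Definitions ==============================
    [homes]
       comment = Home Directories
       path = /home/share/%U
    # NOTE(review): the two domain-qualified patterns have no separator between the
    # domain name and %U (probably lost when the page was rendered). With
    # "winbind use default domain = yes" in [global], the plain %U entry is the
    # one that matches.
       valid users = SAMBA.COM%U, SAMBA%U, %U
    # Per-user directories: new files and directories are limited to their owner
    # instead of the world-writable 0777.
       create mode = 0700
       directory mode = 0700
       browseable = no
    # No "writable" setting is given, so this share is read-only by Samba's default.

    # NOTE: If you have a BSD-style print system there is no need to
    # specifically define each individual printer
    #[printers]
    #   comment = All Printers
    #   path = /var/spool/samba
    #   browseable = no
    # Set public = yes to allow user 'guest account' to print
    # The [printers] header above is commented out, so its last three settings are
    # commented out as well. Left active they belong to [homes], where
    # "printable = yes" would turn the home share into a print share.
    #   guest ok = no
    #   writable = no
    #   printable = yes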
    
    [MyFile]
       comment = user
    # Per-user directory, selected by the session user name (%U).
       path = /home/share/%U
       browseable = yes
       writable = yes
       printable = no
    # Guest access is off; "public" is a synonym for "guest ok".
       guest ok = no
       public = no

    3、krb5.conf

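    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = SAMBA.COM
    # DNS lookups are off, so the KDC is taken from the [realms] section below.
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
     proxiable = true

    # The KDC is the domain controller. host:port is written without a space
    # before the colon.
    [realms]
     SAMBA.COM = {
      kdc = winserver.samba.com:88
      admin_server = winserver.samba.com:749
      default_domain = SAMBA.COM
     }

    #[kdc]
    # profile = /var/kerberos/krb5kdc/kdc.conf

    # Maps the DNS domain used on this page (samba.com) to the realm. The page
    # showed a different domain here, left over from another environment.
    [domain_realm]
     .samba.com = SAMBA.COM
     samba.com = SAMBA.COM

    # This header had been fused onto the end of the previous line.
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }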

    4、resolv.conf

    vi /etc/resolv.conf 
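    # Generated by NetworkManager
    # One directive per line: collapsed onto the comment line, none of them is read.
    domain samba.com
    search samba.com
    nameserver 192.168.1.100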

    5、nsswitch.conf

    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #    nisplus or nis+        Use NIS+ (NIS version 3)
    #    nis or yp        Use NIS (NIS version 2), also called YP
    #    dns            Use DNS (Domain Name Service)
    #    files            Use the local files
    #    db            Use the local database (.db) files
    #    compat            Use NIS on compat mode
    #    hesiod            Use Hesiod for user lookups
    #    [NOTFOUND=return]    Stop searching if not found so far
    #
    
    # To use db, put the "db" in front of "files" for entries you want to be
    # looked up first in the databases
    #
    # Example:
    #passwd:    db files nisplus nis
    #shadow:    db files nisplus nis
    #group:     db files nisplus nis
    
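    # Users and groups: local files first, then the domain through winbind.
    passwd:     files winbind
    # winbind is left out of shadow: it supplies no shadow entries, and the Samba
    # documentation advises against listing it here.
    shadow:     files
    group:      files winbind

    # "wins" adds NetBIOS name lookups; it needs Samba's NSS wins module installed.
    hosts:     files dns wins
    #hosts:      files dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers:     db files
    netmasks:   files
    networks:   files dns
    protocols:  db files
    #protocols:   files winbind
    rpc:        db files
    services:   db files
    #services:   files winbind

    netgroup:   nisplus winbind
    #netgroup:    files winbind

    publickey:  nisplus

    automount:  files nisplus
    #automount:   files winbind
    aliases:    files nisplus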

    6、samba服务器加入域控主机

    6.1 启动samba程序 /usr/local/samba3/sbin/smbd -s /etc/samba/smb.conf -D -d 3

    6.2 启动winbind: service winbind start  检查winbind运行状态:service winbind status

    6.3 加入域控主机: net ads join -U administrator, 输入域控主机的域管理员账号密码,正常的话会提示加入域成功。

    6.4 测试加入域: wbinfo -t 检查samba服务器和域控主机之间的信任关系; wbinfo -u 读取域控主机上所有用户的信息;wbinfo -g 读取域控主机上的用户组信息。

  • 原文地址:https://www.cnblogs.com/rusking/p/4025307.html