Integrating Samba with an AD domain controller (Ubuntu 16.04)


Author: sendos | Published 2019-02-28 14:06, read 3 times

    1. Check whether a Samba service is already running

    ps ax | egrep "samba|smbd|nmbd|winbindd"
    

    If any of these processes exist, stop the service first.
    2. Install the dependency packages

    apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
    

    (The examples below assume the domain is sendo.com.)
    3. Configure /etc/samba/smb.conf

    [global]
            security = ads
            realm = SENDO.COM
    # If the system doesn't find the domain controller automatically, you may need the following line
    # note that workgroup is the 'short' domain name
            # e.g. for the domain FAN.COM, workgroup = FAN: take the first label and write it in upper case
            workgroup = SENDO
            #winbind separator = \  (the backslash is escaped; the default is \. To set the separator explicitly use \\ or + etc.)
            winbind refresh tickets = yes
            winbind enum users = yes
            winbind enum groups = yes
            template homedir = /home/%D/%U
            template shell = /bin/bash
            client use spnego = yes
            client ntlmv2 auth = yes
            encrypt passwords = yes
            idmap_ldb:use rfc2307 = yes
            idmap backend = tdb
            # all other ID mappings use the range 1000-100000
            idmap config * : range = 1000-100000
            idmap config SENDO : backend     = rid
            # the SENDO domain gets its own range 200000-1999999 so that mapped IDs cannot collide
            idmap config SENDO : range       = 200000 - 1999999
            # with "no", users authenticate as DOMAIN + separator + username; with "yes", as the bare username
            winbind use default domain = yes
            restrict anonymous = 2
    [public]
     comment = public
     path=/home/SENDO/zycloud___public
     public = yes
     read only = no
     browseable = yes
     root preexec = /home/mkhome.sh zycloud___public false
    [home]
     path=/home/SENDO/%U
     valid users = %U
     browseable = yes
     writable = yes
     read only = no
     root preexec = /home/mkhome.sh %U true
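
    To see why the two idmap ranges above must not overlap, and how the rid backend turns an AD RID into a Unix UID (uid = rid - base_rid + low, as documented for idmap_rid), here is an added Python check. It is not part of the original post; the smb.conf excerpt and the SIDs are constructed samples.

```python
"""Lint the idmap ranges of an smb.conf and show the idmap_rid UID mapping."""
import re

# Constructed sample: the idmap lines from the smb.conf in this how-to.
SMB_CONF = """
[global]
        idmap backend = tdb
        idmap config * : range = 1000-100000
        idmap config SENDO : backend     = rid
        idmap config SENDO : range       = 200000 - 1999999
"""

# Samba accepts "low-high" with or without spaces around the dash.
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M
)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config <dom> : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def overlapping_ranges(ranges):
    """Return the pairs of domains whose ID ranges overlap (should be empty).

    Overlapping ranges let two different SIDs map to the same UID/GID,
    which silently merges file ownership across users or domains.
    """
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


def rid_to_uid(sid, low, high, base_rid=0):
    """Apply the idmap_rid rule: uid = rid - base_rid + low.

    Returns None when the result falls outside the configured range; such
    users are not mapped and cannot own files on this server.
    """
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None
```

    With the ranges from the page, the constructed user SID ending in RID 1105 becomes UID 201105, and a RID above 1799999 is unmapped.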
    

    4. Configure the script that creates the users' home directories

    mkdir -p /home/SENDO
    touch /home/mkhome.sh
    chmod 700 /home/mkhome.sh
    vim /home/mkhome.sh
    # contents of mkhome.sh (called from root preexec as: mkhome.sh <name> <true|false>)
    #!/bin/bash
    user=$1
    home=/home/SENDO/$1
    types=$2          # "true" for a private per-user home, "false" for the public share
    if [ ! -d "$home" ]; then
        mkdir -p "$home"
        if [ "$types" = true ]; then
            # per-user home: owned by the user and readable only by the user
            chown "$user" "$home"
            chmod 700 "$home"
        else
            # public share: world-writable, as this how-to intends
            chmod -R 777 "$home"
        fi
    fi
    

    5. Configure /etc/krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = SENDO.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    
    [realms]
    SENDO.COM = {
    kdc = SENDO.COM:88
    default_domain = SENDO.COM
    }
    [domain_realm]
    .sendo.com = SENDO.COM
    sendo.com = SENDO.COM
    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }
    

    6. Join Samba to the domain

    Configure the DNS servers in /etc/network/interfaces first; otherwise the lookup may collide with a public Internet domain of the same name and the join fails.

    net rpc join -U administrator@SENDO.COM  # (the realm must be written in upper case)

    [screenshot: output of the net rpc join command]

    Output like that in the screenshot means the join succeeded.

    7. Configure /etc/nsswitch.conf

    passwd:         files winbind
    group:          files winbind
    shadow:         files winbind
    gshadow:        files
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis
    

    8. Restart the services and test whether it works

    /etc/init.d/samba restart
    /etc/init.d/winbind restart
    wbinfo -u   # list the users known to winbind and check that the AD users appear

    [screenshot: output of wbinfo -u]

    9. Configure PAM (this makes it possible to log onto a UNIX/Linux system using user and group accounts from a Windows NT4 (including a Samba domain) or an Active Directory domain)

    • Edit /etc/pam.d/common-account
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
    account requisite pam_deny.so
    account required pam_permit.so
    
    • Edit /etc/pam.d/common-auth
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so nullok_secure use_first_pass
    auth required pam_deny.so
    
    • Edit /etc/pam.d/sudo
    #%PAM-1.0
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so use_first_pass
    auth required   pam_deny.so
    @include common-auth
    @include common-account
    @include common-session-noninteractive
    

    10. Restart the services

    /etc/init.d/samba restart
    /etc/init.d/winbind restart
    

    References:
    https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
    https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory
    https://www.samba.org/samba/docs/old/Samba3-HOWTO/winbind.html
    https://wiki.samba.org/index.php/Distribution-specific_Package_Installation
    https://blog.csdn.net/quantumenergy/article/details/78090242


    Article link: https://www.haomeiwen.com/subject/buphuqtx.html