Connecting a Linux Samba server to a Windows Server AD domain controller

Author: DB哥 | Published 2020-04-15 16:19

    Use case:

    A company runs two networks: an R&D network (no internet access) and a business-function network (with internet access). The two networks cannot reach each other (enforced with Cisco ACLs). There is now a requirement that R&D staff also use the business network to download material, but that material cannot be transferred into the R&D network. A file server was therefore set up on the R&D network and another on the business network; these two servers can reach each other. Material that R&D staff download is placed in a designated shared folder on the business-network server and is synchronised within seconds to the designated shared folder on the R&D-network server.

    Environment:

    Samba file server: CentOS 7.5
    IP address: 192.168.201.45

    Windows Server AD domain controller: Windows Server 2008 R2
    IP address: 192.168.201.13
    

    Note:

    Installing and configuring the Windows Server AD domain controller is not covered in this tutorial. For that, see the author's blog:

    https://www.cnblogs.com/zoulongbin/p/6013609.html
    

    Installing and configuring Samba on Linux and joining the AD domain

    Note: write the AD domain controller's domain name (TEST.COM) in upper case; otherwise the configuration files report an error. The domain join itself is case-insensitive.

    1. Configure the Aliyun yum and EPEL repositories

    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
    yum makecache
    yum repolist
    

    2. Disable the firewall and SELinux

    ###Disable the firewall
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl status firewalld

    ###Disable SELinux
    ###/etc/selinux/config writes the key without spaces, so the pattern must match "SELINUX=..."
    sed -i "s/^SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
    setenforce 0
    getenforce
    

    3. Synchronise the Samba server's clock with the AD domain controller

    Kerberos rejects authentication when the two clocks differ by more than 5 minutes (the default clock-skew tolerance), so this step is required.

    yum install -y ntpdate
    ntpdate 192.168.201.13
    echo "ntpdate 192.168.201.13" >> /etc/rc.local
    chmod +x /etc/rc.d/rc.local
    date
    

    4. Point this host's DNS at the domain controller and add a local hosts entry for it

    [root@test001 ~]# vim /etc/resolv.conf
    nameserver 192.168.201.13

    [root@test001 ~]# echo "192.168.201.13 server13.test.com" >> /etc/hosts
    [root@test001 ~]# tail -1 /etc/hosts
    192.168.201.13 server13.test.com
    

    5. Install the Samba and krb5 packages with yum

    yum install -y krb5-libs krb5-devel krb5-workstation pam_krb5
    yum install -y samba samba-client samba-winbind-clients samba-winbind samba-common samba4-libs
    

    6. Configure Kerberos (used for identity verification on the network)

    echo '
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes

    [realms]
    TEST.COM = {
      kdc = 192.168.201.13:88
      admin_server = 192.168.201.13:749
      default_domain = TEST.COM
    }

    [domain_realm]
    .TEST.COM = TEST.COM
    TEST.COM = TEST.COM

    [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }
    ' >/etc/krb5.conf
    

    7. Set the name-service lookup order in /etc/nsswitch.conf

    echo "
    passwd: files winbind
    shadow: files winbind
    group: files winbind
    hosts: files dns
    " >/etc/nsswitch.conf
    

    8. Start the Samba winbind component (so the Linux system resolves Windows domain user information through winbind)

    systemctl restart winbind
    systemctl enable winbind
    systemctl status winbind
    

    9. Configure the Samba service

    [root@test001 ~]# mkdir -p /share/file01
    [root@test001 ~]# chmod 777 /share/file01

    echo "
    [global]
    # ======================= Global Settings =======================
    #----------------------- Network Related Options -------------------------
     workgroup = TEST
     server string = Samba Server Version %v
     netbios name = test001
    # ----------------------- Domain Members Options ------------------------
     security = ads
     passdb backend = tdbsam
     realm = TEST.COM
     password server = 192.168.201.13
     encrypt passwords = yes
     idmap uid = 16777216-33554431
     idmap gid = 18777216-33554431
     template shell = /bin/bash
     template homedir = /home/%U
     winbind use default domain = true
     winbind offline logon = false
     winbind enum groups = yes
     winbind enum users = yes
     winbind separator = /
     vfs objects = full_audit
     full_audit:prefix = %u|%I|%m|%S
     full_audit:success = mkdir rename unlink rmdir write chmod chown
     full_audit:failure = none
     full_audit:facility = LOCAL5
     full_audit:priority = NOTICE
     admin log = yes
     log level = 2
     syslog = 2
     log file = /tmp/%m.log

    [home]
     path = /home/%D/%U
     browsable = no

    [printers]
     comment = All Printers
     path = /var/spool/samba
     printable = Yes
     browseable = No

    [file01]
     path = /share/file01
     browsable = yes
     vfs objects = full_audit
     read list = TEST/adtest
     write list = TEST/zou.hui
     create mask = 0777
     directory mask = 0777
    " > /etc/samba/smb.conf
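    Before restarting smbd it is worth checking that smb.conf says what step 9 intends: smbd only warns about an unknown parameter and then ignores it, so a misspelled "vfs objects" means the full_audit module never loads and nothing is logged. The script below is an added example, not code from the original post; it reads [global] values from a config file and reports the settings an AD member needs. The two sample configs it writes to temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the [global] section of an
# smb.conf for an AD domain member. Assumes "key = value" lines as in step 9.

# smb_get FILE PARAM -> prints PARAM's value from [global] (or from before any section)
smb_get() {
    awk -v key="$2" -F'=' '
        BEGIN { inglobal = 1 }
        /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
        inglobal && $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
        }' "$1"
}

# smb_check_ads FILE -> one finding per line on stdout; exit status 1 if anything was found
smb_check_ads() {
    f=$1; bad=0
    sec=$(smb_get "$f" security)
    [ "$sec" = "ads" ] || { echo "security = '$sec' (domain membership needs 'ads')"; bad=1; }
    realm=$(smb_get "$f" realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    { [ -n "$realm" ] && [ "$realm" = "$upper" ]; } || { echo "realm = '$realm' (set it in upper case, e.g. TEST.COM)"; bad=1; }
    [ -n "$(smb_get "$f" workgroup)" ] || { echo "workgroup is not set"; bad=1; }
    # An unknown parameter is only warned about and ignored: with "vfs_object" the
    # full_audit module is never loaded, so the share produces no audit trail at all.
    if grep -q -E '^[[:space:]]*vfs_objects?[[:space:]]*=' "$f"; then
        echo "found 'vfs_object' (the parameter is 'vfs objects'); audit logging would be off"; bad=1
    fi
    return $bad
}

# Constructed sample configs: one as step 9 intends, one with typical mistakes.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
[global]
 workgroup = TEST
 security = ads
 realm = TEST.COM
 vfs objects = full_audit
EOF
cat >"$BAD_CONF" <<'EOF'
[global]
 workgroup = TEST
 security = user
 realm = test.com
 vfs_object = full_audit
EOF
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if smb_check_ads "$f"; then echo "$f: ok"; fi
done
```

    Samba's own testparm(1) also reports unknown parameters; this check adds the realm-case and security-mode rules the post relies on.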
    

    10. Start the Samba service and enable it at boot

    systemctl restart smb
    systemctl enable smb
    systemctl status smb
    

    11. Test the connection to the Windows AD domain controller

    [root@test001 ~]# kinit -V administrator@TEST.COM
    Using default cache: /tmp/krb5cc_0
    Using principal: administrator@TEST.COM
    Password for administrator@TEST.COM:
    Authenticated to Kerberos v5
    [root@test001 ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@TEST.COM

    Valid starting       Expires              Service principal
    01/20/2020 09:49:07  01/20/2020 19:49:07  krbtgt/TEST.COM@TEST.COM
        renew until 01/27/2020 09:49:01
    

    12. Join the domain once the test succeeds

    [root@test001 ~]# net ads join -U administrator@TEST.COM
    Enter administrator@TEST.COM's password:
    Using short domain name -- TEST
    Joined 'TEST001' to dns domain 'test.com'
    No DNS domain configured for test001. Unable to perform DNS Update.
    DNS update failed: NT_STATUS_INVALID_PARAMETER

    The join itself succeeded. The DNS update fails only because the host has no DNS domain name configured (the hostname test001 carries no domain suffix), so the host's A record is not registered on the domain controller automatically.
    

    13. Check whether the domain join succeeded

    ###Verify the trust relationship with the domain
    wbinfo -t
    ###List domain groups
    wbinfo -g
    ###List domain users
    wbinfo -u
    ###Show the domains winbind knows about
    wbinfo -m
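    Once the share is in use, the full_audit lines configured in step 9 arrive through syslog (facility LOCAL5). The shell functions below are an added example, not code from the original post: they parse such lines and flag every successful modifying operation by a user who is not on the share's write list, plus a per-user operation count. The log lines are constructed samples in the layout the prefix %u|%I|%m|%S produces; the example assumes "winbind use default domain = true", so %u carries no DOMAIN/ prefix.

```shell
#!/bin/sh
# Added example (not from the original post): parse vfs_full_audit syslog lines written
# with "full_audit:prefix = %u|%I|%m|%S" (step 9). Each message after "smbd_audit: " is
# user|client IP|client name|share|operation|ok or fail|arguments...

# Constructed sample lines (not real log output from the post's server).
AUDIT_SAMPLE='Apr 15 16:20:01 test001 smbd_audit: zou.hui|192.168.201.50|PC01|file01|mkdir|ok|docs
Apr 15 16:20:05 test001 smbd_audit: zou.hui|192.168.201.50|PC01|file01|write|ok|docs/spec.docx
Apr 15 16:21:10 test001 smbd_audit: adtest|192.168.201.77|PC02|file01|unlink|ok|docs/spec.docx
Apr 15 16:21:11 test001 smbd_audit: adtest|192.168.201.77|PC02|file01|rename|ok|docs/a.txt|docs/b.txt'
WRITE_LIST="TEST/zou.hui"   # the [file01] "write list" from step 9

# audit_violations WRITE_LIST  (audit lines on stdin)
# Prints "user ip operation arguments" for each successful modifying operation by a user
# who is not on the write list. Because full_audit:success lists only modifying calls and
# full_audit:failure = none, every logged line is a modification that actually completed.
audit_violations() {
    awk -v wl="$1" '
        BEGIN { n = split(wl, a, /[ ,]+/)
                for (i = 1; i <= n; i++) { u = a[i]; sub(/^[^\/]*\//, "", u); allowed[u] = 1 } }
        { i = index($0, "smbd_audit: "); if (i == 0) next
          m = split(substr($0, i + 12), f, "|")
          if (m < 6 || f[6] != "ok") next
          user = f[1]; sub(/^[^\/]*\//, "", user)          # also accept the DOMAIN/user form
          if (user in allowed) next
          args = f[7]; for (j = 8; j <= m; j++) args = args "|" f[j]
          print user, f[2], f[5], args }'
}

# audit_summary  (audit lines on stdin) -> "user operation count", one line per pair
audit_summary() {
    awk '{ i = index($0, "smbd_audit: "); if (i == 0) next
           split(substr($0, i + 12), f, "|"); if (f[6] == "ok") c[f[1] " " f[5]]++ }
         END { for (k in c) print k, c[k] }' | sort
}

echo "== operations per user =="; printf '%s\n' "$AUDIT_SAMPLE" | audit_summary
echo "== modifications by users outside the write list =="
printf '%s\n' "$AUDIT_SAMPLE" | audit_violations "$WRITE_LIST"
```

    On the live server, feed the LOCAL5 log (for example /var/log/messages filtered on smbd_audit) into audit_violations instead of the embedded sample; a hit means a modification got through despite the share's read list and is worth investigating.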
    

    14. Leave the domain

    net ads leave -U administrator@TEST.COM
    
