Samba与AD集成认证-创新互联

For convenient manage account, Samba can integrate with AD.

临泽ssl适用于网站、小程序/APP、API接口等需要进行数据传输应用场景,ssl证书未来市场广阔!成为创新互联公司的ssl证书销售渠道,可以享受市场价格4-6折优惠!如果有意向欢迎电话联系或者加微信:13518219792(备注:SSL证书合作)期待与您的合作!

1.

environment: windows 2008 R2 domain, Centos, Please bind your ip and hostname.

2.

The necessary software for samba:

yum install samba samba-client samba-common samba-swat samba-winbind krb5-libs krb5-workstation

3.

Check your iptables,Selinux. grand samba in and out.

4.

Setting server time

Sync your AD server time with Centos

#crontab -e
0 7 *  *  * ntpdate ad2008domain

5.configure your kerberos, edit which is domain to yourself.

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.COM = {
   kdc = ad1.domain.com
   kdc = ad2.domain.com
   admin_server = ad1.domain.com
   default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Verify your configuration

#kinit domainadmin@DOMAIN.COM

6. Configure nsswitch.conf like this. The key location is passwd shadow group

/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns wins
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

7.Configrure PAM like this

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass
session required /lib/security/pam_mkhomedir.so

8.configure samba

#--------------------------- GLOBAL PARAMETERS -----------------------------
#After changing this file ,Please run testparm for check these parameters.
[global]
;This controls what workgroup your server will appear to be in when queried by clients
  workgroup = DOMAIN
;This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server
   realm = DOMAIN.COM
;Don't become a domain master
   preferred master = no
   server string = Linux Samba Server
;In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility
;Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.
   security = ADS
   encrypt passwords = yes
  passdb backend = tdbsam
   map untrusted to domain = Yes
;winbind setting
;allow enumeration of winbind users and groups
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  winbind nested groups = Yes
# separate domain and username with '\', like DOMAIN\username
  winbind separator = +
# default it is \
;  winbind separator = \
;use uids from 10000 to 20000 for domain users
   idmap uid = 10000-20000
   idmap gid = 10000-20000
;give winbind users a real shell (only needed if they have telnet access)
#  template shell = /bin/bash
#  template homedir = /home/winnt/%D/%U
;disconnected time
   deadtime = 15
;Don't attempt to map UNIX permissions into Windows NT access control lists
   nt acl support = no
# --------------------------- Logging Options -----------------------------
;log level =10 is debug mode, log level =3 is normal mode.
;max log size = 1000kb,Samba periodically checks the size and if it is exceeded it;will rename the file, adding a .old extension
   log level = 10
   log file = /var/log/samba/%m
   max log size = 1000
# --------------------------- Printing Options -----------------------------
   load printers = yes
   printcap name = cups
   printing = cups
# --------------------------- Sharing Options -----------------------------
#[HPPrinter]
#        comment = HP Printer
#        path = /var/spool/samba
#        guest ok = Yes
#        printable = Yes
[homes]
    comment = Home Directories
    browseable = no
    path = /home/userone/data/%S
   writable = yes
    valid users = %S
#auto create user home folder
    root preexec = /home/userone/mkhomedir.sh %U
[public]
    path = /home/userone/public
    read only = no
    browsable = yes
   writeable = yes
#if login success then force using this role to  read and wirte file
    force user = userone
    force group = userone
    valid users = "@Domain Admins", "@Domain Users"
    create mask = 0777
    directory mask =0760
    force create mode = 0777
    force directory security mode = 0777
[resumes]
        comment = Resumes
        path = /home/userone/resumes
        valid users = domainadmin
        force user = userone
        force group = userone
        read only = No
        create mask = 0775
        force create mode = 0550
        force directory security mode = 0550

9.Check the samba configuration

#testparm

If there is no error, Please continue

10.Add domain

#net ads join -U domainadmin

verify method

#net ads info

#wbinfo -u

#getent passwd

11.Chang your Share folder permission, It's so important

chown userone:userone share folder

12.restart winbind samba

service smb restart
service winbind restart

13.Debug

We can't successful in the first time, So if happen any error, You can check it from /var/log/samba/*

另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


本文名称:Samba与AD集成认证-创新互联
分享URL:http://myzitong.com/article/ccjgej.html