Samba and AD integrated authentication - 创新互联
To make account management easier, Samba can be integrated with AD.
1. Environment: Windows 2008 R2 domain, CentOS. Make sure the IP address and hostname of the CentOS host are bound to each other.
2. Install the packages Samba needs:
yum install samba samba-client samba-common samba-swat samba-winbind krb5-libs krb5-workstation
3. Check iptables and SELinux; allow Samba traffic in and out.
4. Set the server time
Synchronise the CentOS clock with the AD server (Kerberos authentication fails when the clocks drift apart):
# crontab -e
0 7 * * * ntpdate ad2008domain
5. Configure Kerberos; change the domain entries to your own.
cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.COM = {
  kdc = ad1.domain.com
  kdc = ad2.domain.com
  admin_server = ad1.domain.com
  default_domain = DOMAIN.COM
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Verify the configuration by obtaining a ticket:
# kinit domainadmin@DOMAIN.COM
6. Configure nsswitch.conf like this. The important entries are passwd, shadow and group.
/etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#hosts:     db files nisplus nis dns
hosts:      files dns wins
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     db files
netmasks:   files
networks:   files dns
protocols:  db files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus
7. Configure PAM like this:
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass
session     required      /lib/security/pam_mkhomedir.so
8. Configure Samba (/etc/samba/smb.conf):
#--------------------------- GLOBAL PARAMETERS -----------------------------
# After changing this file, please run testparm to check these parameters.
[global]
   ;This controls what workgroup your server will appear to be in when queried by clients
   workgroup = DOMAIN
   ;This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server
   realm = DOMAIN.COM
   ;Don't become a domain master
   preferred master = no
   server string = Linux Samba Server
   ;In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility
   ;Note that this mode does NOT make Samba operate as an Active Directory Domain Controller.
   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam
   map untrusted to domain = Yes

   ;winbind settings
   ;allow enumeration of winbind users and groups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   # separate domain and username with '\', like DOMAIN\username
   winbind separator = +
   # default it is \
   ; winbind separator = \
   ;use uids from 10000 to 20000 for domain users
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ;give winbind users a real shell (only needed if they have telnet access)
   # template shell = /bin/bash
   # template homedir = /home/winnt/%D/%U
   ;disconnect idle sessions after this many minutes
   deadtime = 15
   ;Don't attempt to map UNIX permissions into Windows NT access control lists
   nt acl support = no

# --------------------------- Logging Options -----------------------------
   ;log level = 10 is debug mode, log level = 3 is normal mode.
   ;max log size = 1000 KB; Samba periodically checks the size and if it is exceeded it
   ;will rename the file, adding a .old extension
   log level = 10
   log file = /var/log/samba/%m
   max log size = 1000

# --------------------------- Printing Options -----------------------------
   load printers = yes
   printcap name = cups
   printing = cups

# --------------------------- Sharing Options -----------------------------
#[HPPrinter]
#   comment = HP Printer
#   path = /var/spool/samba
#   guest ok = Yes
#   printable = Yes

[homes]
   comment = Home Directories
   browseable = no
   path = /home/userone/data/%S
   writable = yes
   valid users = %S
   #auto create user home folder
   root preexec = /home/userone/mkhomedir.sh %U

[public]
   path = /home/userone/public
   read only = no
   browsable = yes
   writeable = yes
   #if login succeeds, force this user and group for reading and writing files
   force user = userone
   force group = userone
   valid users = "@Domain Admins", "@Domain Users"
   create mask = 0777
   directory mask = 0760
   force create mode = 0777
   force directory security mode = 0777

[resumes]
   comment = Resumes
   path = /home/userone/resumes
   valid users = domainadmin
   force user = userone
   force group = userone
   read only = No
   create mask = 0775
   force create mode = 0550
   force directory security mode = 0550
9. Check the Samba configuration:
# testparm
If there are no errors, continue.
10. Join the domain:
# net ads join -U domainadmin
Verify the join and that domain users are visible:
# net ads info
# wbinfo -u
# getent passwd
11. Change the ownership of the share folder; this is important:
chown userone:userone <share folder>
12. Restart samba and winbind:
service smb restart
service winbind restart
13. Debugging
It rarely works the first time, so if anything fails, check the logs under /var/log/samba/*.
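As an added example that is not part of the original article, the following shell lint reads an smb.conf like the one in step 8 and reports the settings a reviewer would question before exposing the member server: a log level of 10 (debug mode, as the config comment itself notes), create/directory masks whose "other" bits include write, and shares with no valid users line. It assumes whole-line ';' or '#' comments as in the file above; the sample configuration inside it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the article's own code: lint an smb.conf for
# debug logging, world-writable masks and shares open to every user.
# Assumption: comments are whole lines starting with ';' or '#'.

smb_conf_findings() {
    # $1: path to an smb.conf; prints one finding per line, exit status 0
    awk '
        function flush() {
            if (sec != "" && sec != "global" && !has_valid)
                print "[" sec "] has no \"valid users\"; any domain user can reach it"
        }
        { sub(/[;#].*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
        /^\[.*\]$/ {
            flush(); sec = tolower(substr($0, 2, length($0) - 2)); has_valid = 0; next
        }
        {
            n = index($0, "="); key = tolower(substr($0, 1, n - 1)); val = substr($0, n + 1)
            gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            if (key == "valid users") has_valid = 1
            if (key == "log level" && val + 0 >= 10)
                print "[" sec "] log level = " val " is debug mode; use 3 in production"
            # last octal digit with the write bit set (2,3,6,7) = writable by "other"
            if ((key ~ /mask$/ || key ~ /mode$/) && val ~ /^0?[0-7]*[2367]$/)
                print "[" sec "] " key " = " val " gives write access to everyone"
        }
        END { flush() }
    ' "$1"
}

# Constructed sample (not the article's full file) exercising each check.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ADS
   log level = 10
[public]
   path = /srv/public
   valid users = "@Domain Users"
   create mask = 0777
[scratch]
   path = /srv/scratch
   read only = no
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
smb_conf_findings "$conf"    # three findings for the sample above
rm -f "$conf"
```

Run it against /etc/samba/smb.conf after testparm passes; an empty output means none of the three checks fired.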