Published October 21, 2015

Samba Domain Integration - Joining Samba to a Windows 2008 Domain

Required packages:
yum install samba
yum install krb5-server
yum install krb5-workstation
yum install samba-winbind

DC
IP: 192.168.3.48
Hostname: dc123
Domain: abc.example.com.tw

RHEL 6.5 x64
HOSTNAME: test1

Setup steps:
1. Set the hostname
[root@test1 samba]# vi /etc/sysconfig/network
HOSTNAME=test1

2. Samba configuration:
[root@test1 samba]# vi /etc/samba/smb.conf
# Note: smb.conf comments must start a line. Trailing "# ..." text on a
# parameter line becomes part of the value, so the comments are on their own lines here.
[global]
   workgroup = DOM
   # password server: point at the AD domain controller
   password server = dc123.abc.example.com.tw
   # realm: the full Kerberos realm name
   realm = abc.EXAMPLE.COM.TW
   # security = ads: hand authentication over to AD
   security = ads
   # send passwords encrypted
   encrypt passwords = yes
   # UID/GID range that winbind maps AD accounts into
   idmap config * : range = 16777216-33554431
   # shell assigned to AD accounts
   template shell = /bin/bash
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/%D/%U

   # description
   server string = EXAMPLE TEST Server
   # NetBIOS name of the Linux host
   netbios name = test1

   # logs split per machine
   log file = /var/log/samba/%m.log
   # max log size is in KB: 102400 KB = 100 MB per log file, then rotate
   max log size = 102400

[TMP]
        comment         = For tmp
        path            = /tmp
        browseable      = yes
        writable        = yes
        valid users     = @"DOM\FS99_test_rw"
        create mask     = 0644
        directory mask  = 0750

3. DNS and name-resolution order:
[root@test1 samba]# cat /etc/resolv.conf
search abc.example.com.tw example.com.tw
nameserver 192.168.3.48
nameserver 192.168.3.47
options timeout:1
options attempts:1 rotate

[root@test1 samba]# vi /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      dns files

4. Kerberos configuration:
[root@test1 samba]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = abc.example.com.tw
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
abc.example.com.tw = {
  kdc = dc123.abc.example.com.tw
  kdc = dc35.abc.example.com.tw
  admin_server = dc123.abc.example.com.tw
  default_domain=abc.example.com.tw
}

[domain_realm]
abc.example.com.tw = abc.example.com.tw
.abc.example.com.tw = abc.example.com.tw
DOM = abc.example.com.tw
.DOM = abc.example.com.tw

5. Start the smb/winbind services and enable them at boot:
# service smb start
# chkconfig smb on
# service winbind start
# chkconfig winbind on


6. Test the connection
[root@test1 ~]# kinit sidney@abc.EXAMPLE.COM.TW

Note: the realm must be written in uppercase; in lowercase it fails.

7. Join / leave the domain from the Linux host
Join the domain:
[root@test1 ~]# net ads join -U sidney@abc.example.com.tw
Using short domain name -- DOM
Joined 'TEST1' to dns domain 'abc.example.com.tw'

Or join the domain with one of the following:
net ads join -S abc.example.com.tw
net rpc join -S abc.example.com.tw
net ads join -U sidney@abc.example.com.tw
net rpc join -U sidney@abc.example.com.tw
net rpc join -U sidney

Leave the domain:
net ads leave -U sidney@abc.example.com.tw

8. Configure NTP (the clock must not differ from the domain by more than 5 minutes)

[root@test1 ~]# cat /etc/ntp.conf 
server 192.168.6.86
server 192.168.6.87

9. Checks:
Verify the trust relationship:
[root@test1 ~]# wbinfo -t
checking the trust secret for domain DOM via RPC calls succeeded

Verify domain information:
[root@test1 ~]# net ads info
LDAP server: 192.168.3.48
LDAP server name: dc123.abc.example.com.tw
Realm: abc.EXAMPLE.COM.TW
Bind Path: dc=HS,dc=EXAMPLE,dc=COM,dc=TW
LDAP port: 389
Server time: Thu, 15 Oct 2015 15:19:39 CST
KDC server: 192.168.3.48
Server time offset: 0

Verify a user's information:
[root@test1 ~]# wbinfo -i sidney

List domain users:
[root@test1 ~]# wbinfo -u
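As an added example (not code from the original post), a small POSIX shell script that encodes two of the rules above: the kinit principal is built with an uppercase realm (step 6), and the "Server time offset" reported by net ads info is checked against the 5-minute limit from step 8. The net ads info output is a constructed sample and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: post-join sanity checks.

# Build the principal for kinit, forcing the realm to uppercase,
# since kinit against AD rejects a lowercase realm.
kerberos_principal() {
    user=$1
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm"
}

# Read `net ads info` output on stdin, extract "Server time offset"
# and return 0 when the absolute offset is within the allowed skew
# (default 300 s = 5 minutes); return 2 if the line is missing.
time_offset_ok() {
    max=${1:-300}
    offset=$(sed -n 's/^Server time offset: *\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' | head -n 1)
    [ -n "$offset" ] || return 2
    case $offset in -*) offset=${offset#-} ;; esac
    [ "$offset" -le "$max" ]
}

# Constructed sample of `net ads info` output mirroring the post's values,
# but with a deliberate 7-minute skew so the check fails.
SAMPLE_INFO='LDAP server: 192.168.3.48
LDAP server name: dc123.abc.example.com.tw
Realm: abc.EXAMPLE.COM.TW
KDC server: 192.168.3.48
Server time offset: -420'

# Run both checks offline against the constructed sample.
run_checks() {
    kerberos_principal sidney abc.example.com.tw
    if printf '%s\n' "$SAMPLE_INFO" | time_offset_ok 300; then
        echo "clock skew OK"
    else
        echo "clock skew too large: fix NTP before joining"
    fi
}

run_checks
```

On a joined host, replace the sample with `net ads info | time_offset_ok` to run the check for real.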


10. Text-mode setup:

# setup
Authentication configuration:
Choose the authentication method: Winbind & Kerberos

Enter the domain information
Choose ads as the security model
Enter the account name and password

Error messages seen during authentication:


11. Error log

The krb5kdc errors below come from the local KDC service installed with krb5-server, which has no database yet; creating one with kdb5_util clears them. A local KDC is not required for AD membership (the domain controllers act as KDCs), so the service can also simply be left disabled.

[root@test1 samba]# cat /var/log/krb5kdc.log
krb5kdc: No such file or directory - while initializing database for realm abc.example.com.tw
krb5kdc: No such file or directory - while initializing database for realm abc.example.com.tw

[root@test1 samba]# kdb5_util create -s -r abc.example.com.tw
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'abc.example.com.tw',
master key name 'K/M@abc.example.com.tw'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@test1 samba]# service krb5kdc restart
Stopping Kerberos 5 KDC:                                   [FAILED]
Starting Kerberos 5 KDC:                                   [  OK  ]

12. Related references: