Samba Domain Integration-Samba加入Windows 2008網域
所需套件:
yum install samba
yum install krb5-server
yum install krb5-workstation
yum install samba-winbind
yum install krb5-server
yum install krb5-workstation
yum install samba-winbind
DC
IP: 192.168.3.48
Hostname:dc123
domain:abc.example.com.tw
成員主機(Linux): RHEL 6.5 X64
HOSTNAME:test1
設定步驟:
一、設定Hostname,
[root@test1 samba]# vi /etc/sysconfig/network
HOSTNAME=test1
二、Samba設定:
[root@test1 samba]# vi /etc/samba/smb.conf
[global]
workgroup = DOM
password server = dc123.abc.example.com.tw #密碼server指定ad server
realm = abc.EXAMPLE.COM.TW #完整網域名稱
security = ads #認證交由 Active Directory (Kerberos) 處理
encrypt passwords = yes #以加密(非明文)方式傳遞密碼
idmap config * : range = 16777216-33554431 #指定對應網域帳號的UID與GID範圍
template shell = /bin/bash #指定AD帳號的SHELL
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
server string = EXAMPLE TEST Server #描述
netbios name = test1 #Linux主機名稱
# logs split per machine
log file = /var/log/samba/%m.log #Log message
# max log size per log file (value is in KB), then rotate
max log size = 102400 #單一log檔的最大大小(KB)
[TMP]
comment = For tmp
path = /tmp
browseable = yes
writable = yes
valid users = @"DOM\FS99_test_rw"
create mask = 0644
directory mask = 0750
三、DNS/認證順序設定:
[root@test1 samba]# cat /etc/resolv.conf
search abc.example.com.tw example.com.tw
nameserver 192.168.3.48
nameserver 192.168.3.47
options timeout:1
options attempts:1 rotate
[root@test1 samba]# vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: dns files
四、Kerberos認證設定:
[root@test1 samba]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = abc.example.com.tw
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
abc.example.com.tw = {
kdc = dc123.abc.example.com.tw
kdc = dc35.abc.example.com.tw
admin_server = dc123.abc.example.com.tw
default_domain=abc.example.com.tw
}
[domain_realm]
abc.example.com.tw = abc.example.com.tw
.abc.example.com.tw = abc.example.com.tw
DOM = abc.example.com.tw
.DOM = abc.example.com.tw
五、將samba/winbind 服務啟動,並設定開機自動啟動該服務
# service smb start
# chkconfig smb on
# chkconfig smb on
# service winbind start
# chkconfig winbind on
# chkconfig winbind on
六、測試連線
[root@test1 ~]# kinit sidney@abc.EXAMPLE.COM.TW
Password for sidney@abc.EXAMPLE.COM.TW:
PS. Kerberos realm 名稱(@之後的部分)區分大小寫,一定要大寫,小寫會出錯
七、將Linux主機加入/退出網域
加入網域:
[root@test1 ~]# net ads join -U sidney@abc.example.com.tw
Enter sidney@abc.example.com.tw's password:
Using short domain name -- DOM
Joined 'TEST1' to dns domain 'abc.example.com.tw'
或用以下的方式加入網域:
net ads join -S abc.example.com.tw
net rpc join -S abc.example.com.tw
net ads join -U sidney@abc.example.com.tw
net rpc join -U sidney@abc.example.com.tw
net rpc join -U sidney
退出網域方式:
net ads leave -U sidney@abc.example.com.tw
八、設定NTP(Kerberos 認證要求主機時間與 domain 的時差不能超過5分鐘,否則認證會失敗)
[root@test1 ~]# cat /etc/ntp.conf
server 192.168.6.86
server 192.168.6.87
九、Check:
確認連線
[root@test1 ~]# wbinfo -t
checking the trust secret for domain DOM via RPC calls succeeded
確認網域資訊
[root@test1 ~]# net ads info
LDAP server: 192.168.3.48
LDAP server name: dc123.abc.example.com.tw
Realm: abc.EXAMPLE.COM.TW
Bind Path: dc=HS,dc=EXAMPLE,dc=COM,dc=TW
LDAP port: 389
Server time: Thu, 15 Oct 2015 15:19:39 CST
KDC server: 192.168.3.48
Server time offset: 0
確認user資訊:
[root@test1 ~]# wbinfo -i sidney
確認domain user資訊:
[root@test1 ~]# wbinfo -i
十、文字介面設定:
#setup
設定認證:
選擇認證方式:Winbind & Kerberos
輸入網域資料
認證選擇ads認證
輸入帳密
做認證過程中的錯誤訊息:
十一、 錯誤記錄 (注意:網域成員主機的 KDC 是 AD DC,見上方 [realms] 設定與 net ads info 的 KDC server;加入網域本身不需要本機的 krb5kdc 服務,以下為啟動本機 krb5kdc 失敗時的記錄)
[root@test1 samba]# cat /var/log/krb5kdc.log
krb5kdc: No such file or directory - while initializing database for realm abc.example.com.tw
krb5kdc: No such file or directory - while initializing database for realm abc.example.com.tw
[root@test1 samba]# kdb5_util create -s -r abc.example.com.tw
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'abc.example.com.tw',
master key name 'K/M@abc.example.com.tw'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@test1 samba]# service krb5kdc restart
Stopping Kerberos 5 KDC: [FAILED]
Starting Kerberos 5 KDC: [ OK ]
十二、 相關Reference: