温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

Samba与AD集成认证

发布时间:2020-03-08 08:35:26 来源:网络 阅读:999 作者:wuyaoito 栏目:系统运维

For convenient manage account, Samba can integrate with AD.

1.

environment: windows 2008 R2 domain, Centos, Please bind your ip and hostname.

2.

The necessary software for samba:

yum install samba samba-client samba-common samba-swat samba-winbind krb5-libs krb5-workstation

3.

Check your iptables,Selinux. grand samba in and out.

4.

Setting server time

Sync your AD server time with Centos

#crontab -e
0 7 *  *  * ntpdate ad2008domain


5.configure your kerberos, edit which is domain to yourself.

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.COM = {
   kdc = ad1.domain.com
   kdc = ad2.domain.com
   admin_server = ad1.domain.com
   default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Verify your configuration

#kinit domainadmin@DOMAIN.COM

6. Configure nsswitch.conf like this. The key location is passwd shadow group

/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns wins
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

7.Configrure PAM like this

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass
session required /lib/security/pam_mkhomedir.so

8.configure samba

#--------------------------- GLOBAL PARAMETERS -----------------------------
#After changing this file ,Please run testparm for check these parameters.
[global]
;This controls what workgroup your server will appear to be in when queried by clients
   workgroup = DOMAIN
;This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server
   realm = DOMAIN.COM
;Don't become a domain master
   preferred master = no
   server string = Linux Samba Server
;In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility
;Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.
   security = ADS
   encrypt passwords = yes
  passdb backend = tdbsam
   map untrusted to domain = Yes
;winbind setting
;allow enumeration of winbind users and groups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
# separate domain and username with '\', like DOMAIN\username
   winbind separator = +
# default it is \
;   winbind separator = \
;use uids from 10000 to 20000 for domain users
   idmap uid = 10000-20000
   idmap gid = 10000-20000
;give winbind users a real shell (only needed if they have telnet access)
#  template shell = /bin/bash
#  template homedir = /home/winnt/%D/%U
;disconnected time
   deadtime = 15
;Don't attempt to map UNIX permissions into Windows NT access control lists
   nt acl support = no
# --------------------------- Logging Options -----------------------------
;log level =10 is debug mode, log level =3 is normal mode.
;max log size = 1000kb,Samba periodically checks the size and if it is exceeded it;will rename the file, adding a .old extension
   log level = 10
   log file = /var/log/samba/%m
   max log size = 1000
# --------------------------- Printing Options -----------------------------
   load printers = yes
   printcap name = cups
   printing = cups
# --------------------------- Sharing Options -----------------------------
#[HPPrinter]
#        comment = HP Printer
#        path = /var/spool/samba
#        guest ok = Yes
#        printable = Yes
[homes]
    comment = Home Directories
    browseable = no
    path = /home/userone/data/%S
    writable = yes
    valid users = %S
#auto create user home folder
    root preexec = /home/userone/mkhomedir.sh %U
[public]
    path = /home/userone/public
    read only = no
    browsable = yes
    writeable = yes
#if login success then force using this role to  read and wirte file
    force user = userone
    force group = userone
    valid users = "@Domain Admins", "@Domain Users"
    create mask = 0777
    directory mask =0760
    force create mode = 0777
    force directory security mode = 0777
[resumes]
        comment = Resumes
        path = /home/userone/resumes
        valid users = domainadmin
        force user = userone
        force group = userone
        read only = No
        create mask = 0775
        force create mode = 0550
        force directory security mode = 0550

9.Check the samba configuration

#testparm

If there is no error, Please continue

10.Add domain

#net ads join -U domainadmin

verify method

#net ads info

#wbinfo -u

#getent passwd

11.Chang your Share folder permission, It's so important

chown userone:userone share folder

12.restart winbind samba

service smb restart
service winbind restart

13.Debug

We can't successful in the first time, So if happen any error, You can check it from /var/log/samba/*

向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI