To centralize account management, Samba can be integrated with Active Directory (AD), so that domain users authenticate against the domain controllers instead of against local accounts on the file server.
1. Environment: a Windows Server 2008 R2 domain and a CentOS server. Before starting, make sure the CentOS host's IP address and hostname resolve consistently (in /etc/hosts and in the domain's DNS); Kerberos and the domain join both depend on correct name resolution.
2. Install the packages Samba and winbind need (as root). samba-swat is the web administration tool; it is not used in the steps below and can be left out, since it adds a listening service you do not need:
yum install samba samba-client samba-common samba-swat samba-winbind krb5-libs krb5-workstation
3. Check iptables and SELinux. Allow Samba traffic in and out (TCP 139 and 445 for SMB clients, plus Kerberos and LDAP from this host to the domain controllers), and enable the SELinux booleans the shares need (for example samba_enable_home_dirs for the [homes] share) rather than disabling SELinux outright.
4. Set the server time. Kerberos rejects tickets when the client clock differs from the KDC by more than the allowed skew (300 seconds by default), so the CentOS server must track the domain controllers' time. The cron entry below steps the clock once a day at 07:00 from the DC; running ntpd against the domain controllers is more robust, because a daily step can still leave the host drifting outside the window.
#crontab -e
0 7 * * * ntpdate ad2008domain
5. Configure Kerberos. Edit /etc/krb5.conf, replacing DOMAIN.COM / domain.com and the KDC names with your own realm and domain controllers. The realm name must be upper-case; Kerberos realm names are case-sensitive.
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.COM = {
kdc = ad1.domain.com
kdc = ad2.domain.com
admin_server = ad1.domain.com
default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Verify the configuration by obtaining a ticket for a domain account. If kinit prompts for the password and returns without error (klist then shows a krbtgt/DOMAIN.COM ticket), the realm, KDC entries and clock are correct:
#kinit domainadmin@DOMAIN.COM
6. Configure /etc/nsswitch.conf as follows. The lines that matter are passwd, shadow and group: each must list winbind after files, so that domain users and groups resolve to uids and gids through winbindd while local accounts are still found first.
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns wins
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
7. Configure PAM as follows. Note the warning in the file header: authconfig regenerates /etc/pam.d/system-auth, so either do not run authconfig after editing it by hand, or use authconfig (--enablewinbind --enablewinbindauth --enablemkhomedir --update) to produce the equivalent file.
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth: try the local shadow file first, then the domain via winbind; deny otherwise.
# 'nullok' lets local accounts with an empty password log in; drop it unless you need that.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
# account: pam_unix checks local accounts; system accounts (uid < 100) stop there;
# domain accounts get winbind's checks (expired, disabled, locked out); anything else
# falls through to pam_permit
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
# password: complexity check, then change either the local or the domain password
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
# session: create the home directory on first login; umask=0077 keeps it private
# to the owner instead of the world-readable 0755 pam_mkhomedir creates by default
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
8. Configure Samba (/etc/samba/smb.conf).
#--------------------------- GLOBAL PARAMETERS -----------------------------
#After changing this file ,Please run testparm for check these parameters.
[global]
;This controls what workgroup your server will appear to be in when queried by clients
workgroup = DOMAIN
;This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server
realm = DOMAIN.COM
;Don't try to become the local master browser (domain master is a separate option)
preferred master = no
server string = Linux Samba Server
;In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility
;Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.
security = ADS
encrypt passwords = yes
passdb backend = tdbsam
map untrusted to domain = Yes
;winbind setting
;allow enumeration of winbind users and groups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
# character that separates domain and username in winbind names, e.g. DOMAIN+username
# (only visible when winbind use default domain is off); the default is '\'
winbind separator = +
; winbind separator = \
;use uids/gids from 10000 to 20000 for domain users. Mappings are allocated on first sight and stored locally (winbindd_idmap.tdb), so the same domain user can get a different uid on another server; keep this range clear of local accounts
idmap uid = 10000-20000
idmap gid = 10000-20000
;give winbind users a real shell and home directory (only needed if they log in over ssh; the default template shell is /bin/false, which keeps file-share-only users off the box)
# template shell = /bin/bash
# template homedir = /home/winnt/%D/%U
;disconnected time
deadtime = 15
;Don't attempt to map UNIX permissions into Windows NT access control lists
nt acl support = no
# --------------------------- Logging Options -----------------------------
;log level = 10 is full debug output (very large, and it records the details of every session); 1-3 is normal. Use 10 only while getting the join to work, then lower it.
;max log size is in KB; when a log file exceeds it Samba renames it with a .old extension
log level = 10
log file = /var/log/samba/%m
max log size = 1000
# --------------------------- Printing Options -----------------------------
load printers = yes
printcap name = cups
printing = cups
# --------------------------- Sharing Options -----------------------------
#[HPPrinter]
# comment = HP Printer
# path = /var/spool/samba
# guest ok = Yes
# printable = Yes
[homes]
comment = Home Directories
browseable = no
path = /home/userone/data/%S
writable = yes
valid users = %S
#auto create the user's home folder. root preexec runs as root, so the script must be owned by root, must not be writable by userone, and must quote its argument
root preexec = /home/userone/mkhomedir.sh %U
[public]
path = /home/userone/public
browsable = yes
read only = no
#every authenticated domain user reads and writes files on this share as this local account
force user = userone
force group = userone
valid users = "@Domain Admins", "@Domain Users"
#0660/0770 is enough: force user already maps every client to userone, so world-writable modes would only expose the files to every other local account on the server
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory security mode = 0770
[resumes]
comment = Resumes
path = /home/userone/resumes
valid users = domainadmin
force user = userone
force group = userone
read only = No
create mask = 0775
force create mode = 0550
force directory security mode = 0550
9. Check the Samba configuration:
#testparm
testparm reports unknown parameters and typos and prints the effective settings. Fix anything it flags before continuing.
10. Join the domain. This creates the computer account in AD and stores the machine secret locally; the account given to -U needs the right to create computer objects in the target container (Domain Admins has it):
#net ads join -U domainadmin
Verify the join and that winbind can see the domain:
#net ads info
#wbinfo -u
#getent passwd
getent passwd should list domain users alongside the local ones. If wbinfo -u works but getent passwd shows only local accounts, the nsswitch.conf change in step 6 is wrong.
11. Set the ownership of the share directories. This matters because force user = userone makes all access happen as that account, so it, not the individual domain users, needs the filesystem rights:
chown userone:userone /home/userone/public
Repeat for each share path, including the home directory root under /home/userone/data.
12. Restart Samba and winbind:
service smb restart
service winbind restart
13. Troubleshooting
It rarely works the first time. When something fails, check the logs under /var/log/samba/ (with log file = /var/log/samba/%m there is one file per client machine), and remember to lower log level once the problem is found.
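All thirteen steps have to agree with each other (the same realm in smb.conf and krb5.conf, winbind in nsswitch.conf, debug logging turned back down, sane share modes), and most first-time failures trace back to one of those. The script below is an added example, not part of the original tutorial or of the Samba project: it audits copies of smb.conf, nsswitch.conf and krb5.conf for those points and prints FAIL/WARN lines. It runs offline against constructed sample files built at the bottom (modelled on the configs above, not taken from any server); on a real host, call the check_* functions on /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/krb5.conf. It does not check clock skew or the join itself, which need the live domain controller; run net ads testjoin and wbinfo -t for those.

```shell
#!/bin/sh
# Pre-flight audit for the Samba/winbind AD member setup (added example).
# Each check_* function takes a file path, prints one line per finding and
# returns 0 (pass) or 1 (problems found).

# Value of "key = value" in an ini-style file: comment lines skipped, last match wins.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# smb.conf: ADS member, UPPER-CASE realm, debug logging not left on, and no
# share mode whose "other" octal digit carries the write bit (2, 3, 6 or 7).
check_smbconf() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            conf[sec, k] = v
            if (sec != "global" && k ~ /^(create mask|directory mask|force (create|directory|directory security) mode)$/ &&
                substr(v, length(v)) ~ /[2367]/) {
                printf("WARN  [%s] %s = %s allows world-writable modes\n", sec, k, v); bad = 1
            }
        }
        END {
            if (tolower(conf["global", "security"]) != "ads") { print "FAIL  [global] security must be ADS on a domain member"; bad = 1 }
            r = conf["global", "realm"]
            if (r == "" || r != toupper(r)) { print "FAIL  [global] realm must be set and UPPER-CASE"; bad = 1 }
            if (conf["global", "log level"] + 0 > 3) { print "WARN  [global] log level " conf["global", "log level"] " is debug output; lower it once the join works"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# nsswitch.conf: passwd, shadow and group must consult winbind, or domain users
# authenticate but never resolve to a uid.
check_nsswitch() {
    bad=0
    for db in passwd shadow group; do
        line=$(awk -v db="$db" '$1 == (db ":") { print; exit }' "$1")
        case " $line " in
            *" winbind "*) ;;
            *) echo "FAIL  nsswitch: '$db:' does not list winbind"; bad=1 ;;
        esac
    done
    return $bad
}

# krb5.conf: UPPER-CASE default_realm, and with dns_lookup_kdc = false at least one
# kdc = line under [realms] (the kdc = FILE: line under [logging] is not one).
check_krb5() {
    bad=0
    r=$(conf_get "$1" default_realm)
    if [ -z "$r" ] || [ "$r" != "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FAIL  krb5: default_realm must be set and UPPER-CASE (got '$r')"; bad=1
    fi
    n=$(awk '/^[ \t]*\[/ { sec = $0 } sec ~ /\[realms\]/ && /^[ \t]*kdc[ \t]*=/ { n++ } END { print n + 0 }' "$1")
    if [ "$(conf_get "$1" dns_lookup_kdc)" != "true" ] && [ "$n" -eq 0 ]; then
        echo "FAIL  krb5: dns_lookup_kdc is off but [realms] names no kdc"; bad=1
    fi
    return $bad
}

# The realm Samba joins and the Kerberos default realm must be the same string.
check_realm_match() {
    s=$(conf_get "$1" realm); k=$(conf_get "$2" default_realm)
    [ "$s" = "$k" ] && return 0
    echo "FAIL  smb.conf realm '$s' differs from krb5.conf default_realm '$k'"; return 1
}

# ---- constructed samples modelled on the configs above (not real files) ----
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
SMB_WEAK="$SAMPLE_DIR/smb-weak.conf"; SMB_FIXED="$SAMPLE_DIR/smb-fixed.conf"
NSS_WEAK="$SAMPLE_DIR/nss-weak.conf"; NSS_OK="$SAMPLE_DIR/nss-ok.conf"; KRB5_OK="$SAMPLE_DIR/krb5.conf"
printf '[global]\n realm = DOMAIN.COM\n security = ADS\n log level = 10\n[public]\n create mask = 0777\n directory mask = 0760\n force create mode = 0777\n force directory security mode = 0777\n' > "$SMB_WEAK"
printf '[global]\n realm = DOMAIN.COM\n security = ADS\n log level = 1\n[public]\n create mask = 0660\n directory mask = 0770\n force create mode = 0660\n force directory security mode = 0770\n' > "$SMB_FIXED"
printf 'passwd: files\nshadow: files winbind\ngroup:  files\n' > "$NSS_WEAK"
printf 'passwd: files winbind\nshadow: files winbind\ngroup:  files winbind\n' > "$NSS_OK"
printf '[logging]\n kdc = FILE:/var/log/krb5kdc.log\n[libdefaults]\n default_realm = DOMAIN.COM\n dns_lookup_kdc = false\n[realms]\n DOMAIN.COM = {\n  kdc = ad1.domain.com\n  kdc = ad2.domain.com\n }\n' > "$KRB5_OK"

echo "== smb.conf as written";  check_smbconf "$SMB_WEAK" || true
echo "== smb.conf tightened";   check_smbconf "$SMB_FIXED" && echo "ok"
echo "== nsswitch.conf weak";   check_nsswitch "$NSS_WEAK" || true
echo "== nsswitch.conf ok";     check_nsswitch "$NSS_OK" && echo "ok"
echo "== krb5.conf";            check_krb5 "$KRB5_OK" && echo "ok"
echo "== realm match";          check_realm_match "$SMB_WEAK" "$KRB5_OK" && echo "ok"
```

check_smbconf flags any create or directory mode whose last octal digit has the write bit, because with force user set nothing on the share needs world access; the realm checks are strict about case because "domain.com" and "DOMAIN.COM" are different Kerberos realms and the mismatch surfaces only as a failed join.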