Samba与AD集成认证

#crontab -e
0 7 *  *  * ntpdate ad2008domain

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.COM = {
   kdc = ad1.domain.com
   kdc = ad2.domain.com
   admin_server = ad1.domain.com
   default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns wins
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass
session required /lib/security/pam_mkhomedir.so

#--------------------------- GLOBAL PARAMETERS -----------------------------
#After changing this file ,Please run testparm for check these parameters.
[global]
;This controls what workgroup your server will appear to be in when queried by clients
   workgroup = DOMAIN
;This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server
   realm = DOMAIN.COM
;Don't become a domain master
   preferred master = no
   server string = Linux Samba Server
;In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility
;Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.
   security = ADS
   encrypt passwords = yes
  passdb backend = tdbsam
   map untrusted to domain = Yes
;winbind setting
;allow enumeration of winbind users and groups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
# separate domain and username with '\', like DOMAIN\username
   winbind separator = +
# default it is \
;   winbind separator = \
;use uids from 10000 to 20000 for domain users
   idmap uid = 10000-20000
   idmap gid = 10000-20000
;give winbind users a real shell (only needed if they have telnet access)
#  template shell = /bin/bash
#  template homedir = /home/winnt/%D/%U
;disconnected time
   deadtime = 15
;Don't attempt to map UNIX permissions into Windows NT access control lists
   nt acl support = no
# --------------------------- Logging Options -----------------------------
;log level =10 is debug mode, log level =3 is normal mode.
;max log size = 1000kb,Samba periodically checks the size and if it is exceeded it;will rename the file, adding a .old extension
   log level = 10
   log file = /var/log/samba/%m
   max log size = 1000
# --------------------------- Printing Options -----------------------------
   load printers = yes
   printcap name = cups
   printing = cups
# --------------------------- Sharing Options -----------------------------
#[HPPrinter]
#        comment = HP Printer
#        path = /var/spool/samba
#        guest ok = Yes
#        printable = Yes
[homes]
    comment = Home Directories
    browseable = no
    path = /home/userone/data/%S
    writable = yes
    valid users = %S
#auto create user home folder
    root preexec = /home/userone/mkhomedir.sh %U
[public]
    path = /home/userone/public
    read only = no
    browsable = yes
    writeable = yes
#if login success then force using this role to  read and wirte file
    force user = userone
    force group = userone
    valid users = "@Domain Admins", "@Domain Users"
    create mask = 0777
    directory mask =0760
    force create mode = 0777
    force directory security mode = 0777
[resumes]
        comment = Resumes
        path = /home/userone/resumes
        valid users = domainadmin
        force user = userone
        force group = userone
        read only = No
        create mask = 0775
        force create mode = 0550
        force directory security mode = 0550