Samba with Windows AD
V. Samba with Windows AD
Samba with AD (Kerberos/winbind) authentication and per-user disk space limits
1. Install the required packages
yum install -y krb5-workstation
yum install -y pam_krb5
yum install -y krb5-devel
yum install -y krb5-libs
yum install -y samba
yum install -y quota
yum install -y gawk
winbind is also needed (steps 4, 6 and 7 depend on it); on CentOS 6 it is in the samba-winbind package.
Turn off SELinux
vi /etc/selinux/config
Set SELINUX=disabled (or permissive) there and run setenforce 0 for the running system. Keeping SELinux enforcing is the better choice on a file server: Samba then needs setsebool -P samba_enable_home_dirs on for the [homes] share and the samba_share_t label on any other exported directory.
2. Configure krb5.conf (/etc/krb5.conf)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
# default realm: the AD domain's DNS name in UPPER CASE (Kerberos realms are case-sensitive;
# "//" is not a comment marker in this file, only "#" is)
default_realm = XXX.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
XXX.COM = {
# hostname or IP address of a domain controller; 88 is the Kerberos port
kdc = xxx.com:88
# admin_server = kerberos.example.com:749
default_domain = xxx.com
}
[domain_realm]
.xxx.com = XXX.COM
xxx.com = XXX.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
With dns_lookup_kdc = false the kdc line above is the only way this host finds a domain controller, so that DC becomes a single point of failure for every logon; dns_lookup_kdc = true lets the client pick any DC from the _kerberos SRV records that AD publishes in DNS. The [kdc] section is only read by a KDC and is harmless on a member server.
2. Join Samba to the domain
net ads join -U administrator
net rpc join -U administrator@xxx.COM performs an NT4-style RPC join; with security = ads (step 5) the correct command is net ads join. Either way the join must be run only after smb.conf (step 5) is in place and kinit (step 3) succeeds. Afterwards net ads testjoin should report "Join is OK".
Error:
Unknown parameter encountered: "display charset"
Fix:
smb.conf has to be configured first. display charset is an obsolete parameter that this Samba release no longer knows, so remove that line from smb.conf.
3. Test Kerberos
kinit administrator@RAINBIRD.NET
kinit tests communication between the server and the KDC. administrator is a user that exists in the domain, and RAINBIRD.NET is the name of your Active Directory domain, which must be written in upper case.
Output of a successful run:
[root@filesrv~]# kinit administrator@RAINBIRD.NET (the realm must be upper case)
Password for administrator@RAINBIRD.NET: (after the correct password the prompt returns with no message)
[root@filesrv~]# klist (lists the krbtgt/RAINBIRD.NET@RAINBIRD.NET ticket that kinit just obtained)
Common errors you may run into:
Wrong realm (the realm must be upper case):
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
Wrong password, authentication failed:
kinit(v5): Preauthentication failed while getting initial credentials.
User does not exist:
kinit(v5): Client not found in Kerberos database while getting initial credentials
Clocks out of sync (Kerberos rejects a skew of more than five minutes by default):
kinit(v5): Clock skew too great while getting initial credentials
Synchronise the clock: ntpdate 172.16.0.22 (172.16.0.22 is the time server; domain controllers serve NTP as well, so syncing against a DC also works)
4. Edit /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
5. Configure smb.conf
vi /etc/samba/smb.conf
[global]
# NetBIOS (short) name of the domain; the DNS name belongs in "realm" below
workgroup = XXX
server string = xxx File Server
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# AD member server: exactly one "security" line. The stock file's
# "security = user" / "passdb backend = tdbsam" pair is removed; smbd keeps
# the last value it reads, so leaving several in only hides which mode is active.
security = ads
realm = XXX.COM
# a domain controller to authenticate against; with security = ads this line can be
# omitted and Samba locates a DC through the realm's DNS records instead
password server = XXX.COM
# uid/gid range winbind allocates to domain accounts (step 9 shows administrator
# as uid 16777217 from this range). Samba 3.6 deprecated these two keys in favour of
# "idmap config * : backend = tdb" plus "idmap config * : range = 16777216-33554431",
# which is the form to use on newer releases.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# domain users get no interactive shell on this box, only their SMB home
template shell = /sbin/nologin
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = true
# enumeration is only needed for listing (wbinfo -u/-g, getent) and is slow on large domains
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifying an empty path
; logon path =
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
; local master = no
; os level = 33
; preferred master = yes
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
load printers = yes
cups options = raw
; printcap name = /etc/printcap
# obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
[homes]
comment = Home Directories
; path = /home/%U
; valid users = xxx.com/%U
# runs as root on every connection to [homes] with the connecting user and
# primary group substituted (the script is in step 8); keep it root-owned, mode 700
root preexec = /shell/mkhome.sh %U %G
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
Run testparm after editing: it reports unknown parameters (such as the display charset error from step 2) and prints the effective values, which is the quickest way to see which of several duplicate settings actually won.
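The three mistakes this procedure most often trips over (a lower-case realm, the DNS name in workgroup, and several security lines left in the stock smb.conf) are all detectable before net ads join is attempted. The following pre-join lint is an added example, not code from the page or from Samba: it reads the [global] section of an smb.conf and default_realm from a krb5.conf, mirrors smbd's last-value-wins handling of duplicate keys, and returns the number of findings so a join script can refuse to run until the files are clean. Both file paths are arguments, so it can be pointed at scratch copies.

```shell
#!/bin/sh
# Pre-join lint for the smb.conf and krb5.conf written in steps 2 and 5.
# Added example, not code from the page or from Samba; run it on a scratch
# copy of both files before "net ads join". Only the [global] section of
# smb.conf and default_realm in krb5.conf are inspected.

# Effective value of KEY in [global]: the last occurrence wins, which is how
# smbd resolves duplicates; lines starting with ';' or '#' are comments.
smb_global_value() {            # usage: smb_global_value SMB_CONF KEY
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# Number of uncommented occurrences of KEY in [global]; more than one means
# an earlier line is silently overridden.
smb_global_count() {            # usage: smb_global_count SMB_CONF KEY
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) n++
        }
        END { print n + 0 }' "$1"
}

# default_realm from krb5.conf, with any trailing comment stripped.
krb5_default_realm() {          # usage: krb5_default_realm KRB5_CONF
    awk '/^[[:space:]]*default_realm[[:space:]]*=/ {
             v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]#].*/, "", v)
             print v; exit }' "$1"
}

# lint_join_config SMB_CONF KRB5_CONF: prints one line per finding and
# returns the number of findings (0 = clean), so it can gate a join script.
lint_join_config() {
    smb=$1; krb=$2; problems=0
    security=$(smb_global_value "$smb" security)
    realm=$(smb_global_value "$smb" realm)
    workgroup=$(smb_global_value "$smb" workgroup)
    krealm=$(krb5_default_realm "$krb")

    if [ "$security" != "ads" ]; then
        echo "security = '$security': an AD member needs security = ads (joined with net ads join)"
        problems=$((problems + 1))
    fi
    if [ "$(smb_global_count "$smb" security)" -gt 1 ]; then
        echo "security is set more than once; smbd keeps only the last value"
        problems=$((problems + 1))
    fi
    if [ "$(smb_global_count "$smb" "display charset")" -gt 0 ]; then
        echo "display charset is obsolete; net reports it as an unknown parameter (the error in step 2)"
        problems=$((problems + 1))
    fi
    if printf '%s' "$realm" | LC_ALL=C grep -q '[a-z]'; then
        echo "realm = '$realm': Kerberos realms are case-sensitive and AD realms are upper case"
        problems=$((problems + 1))
    fi
    case $workgroup in
        *.*)
            echo "workgroup = '$workgroup': must be the NetBIOS (short) domain name, not the DNS name"
            problems=$((problems + 1)) ;;
    esac
    if [ -n "$krealm" ] && [ "$krealm" != "$realm" ]; then
        echo "krb5.conf default_realm '$krealm' differs from smb.conf realm '$realm'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

if [ "$#" -eq 2 ]; then         # e.g. ./lint.sh /etc/samba/smb.conf /etc/krb5.conf
    if lint_join_config "$1" "$2"; then echo "no problems found"; fi
fi
```

The exit status doubles as the finding count, so `./lint.sh /etc/samba/smb.conf /etc/krb5.conf && net ads join -U administrator` only attempts the join on a clean configuration. testparm remains the authority on what smbd will actually load; this script just catches the specific mistakes above earlier and without root.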
6. Restart the services
Restart the services
service smb restart
service winbind restart
Make the services start at boot
chkconfig smb on
chkconfig winbind on
7. Test that the domain join succeeded
wbinfo -t
wbinfo -u
wbinfo -g
wbinfo -t verifies the machine account's trust secret with a DC, wbinfo -u and wbinfo -g list the domain's users and groups through winbind. Also run getent passwd: domain users must appear there too, which proves the nsswitch entries from step 4 are in effect (this is the path smbd and the home-directory script in step 8 rely on).
8. Script that creates the user's home directory automatically
touch /shell/mkhome.sh
chmod 700 /shell/mkhome.sh
vi /shell/mkhome.sh
#!/bin/bash
# Run by smbd as root via "root preexec = /shell/mkhome.sh %U %G" on every
# connection to [homes]: creates the home directory the first time a domain
# user connects and gives the user administrator's quota settings (step 9).
user=$1
group=$2
home=/home/$user

if [ -z "$user" ] || [ -z "$group" ]; then
    echo "usage: $0 USER GROUP" >&2
    exit 1
fi

if [ ! -d "$home" ]; then
    mkdir -p -m 700 "$home"               # private from the moment it exists
    chown "$user:$group" "$home"
    edquota -p administrator -u "$user"   # copy administrator's quota to the new user
fi
Because smbd runs this as root for every connection, it must stay owned by root and writable only by root, which the chmod 700 above provides.
9. Set disk quotas
vi /etc/fstab
/dev/hdb1 /home ext3 defaults,usrquota,grpquota 0 0
Remount
mount -o remount /home
Create the quota files
quotacheck -cmug /home
Enable quotas
quotaon -av
Set the quota (administrator is the prototype that mkhome.sh copies to every new user with edquota -p):
edquota -u administrator
Disk quotas for user administrator (uid 16777217):
  Filesystem                   blocks     soft     hard  inodes     soft     hard
  /dev/mapper/vg_lxszsmb-data       4  5120000  5120000       1  5120000  5120000
Blocks are 1 KiB, so 5120000 is about 5 GB (4.9 GiB).
Check the quota:
quota -u administrator
Disk quotas for user administrator (uid 16777217):
  Filesystem                   blocks    quota    limit  grace   files    quota    limit  grace
  /dev/mapper/vg_lxszsmb-data       4  5120000  5120000             1  5120000  5120000
The uid 16777217 is not a local account: winbind allocated it from the idmap range set in step 5, and the quota (like the ownership of the home directory) is stored against that number. Back up winbind's idmap database (winbindd_idmap.tdb); if it is lost and rebuilt, users receive different uids and their quotas and home directories no longer line up.
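Once quotas are on, the question an operator actually asks is which domain users are about to hit their limit. The following report is an added example, not from the page: it parses the output of repquota -u (the sample below is constructed in repquota's layout, not captured from this server) and lists every user whose used blocks are at or above a given percentage of their block soft limit, skipping accounts with no limit set.

```shell
#!/bin/sh
# Report users approaching or over their block soft limit from "repquota -u".
# Added example; SAMPLE_REPQUOTA is constructed to match repquota's layout and
# is not output captured from the page's server.

# Columns after the dashed rule: user, flags, blocks used, soft, hard, [grace],
# inodes used, soft, hard, [grace]. The grace columns are blank when unused,
# so only fields 1-4 are relied on below.
SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/mapper/vg_lxszsmb-data
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
administrator --    4 5120000 5120000              1 5120000 5120000
alice     +-  5200000 5120000 5120000  6days     10 5120000 5120000
bob       --  4300000 5120000 5120000             20 5120000 5120000
carol     --   100000 5120000 5120000              5 5120000 5120000'

# quota_hogs PERCENT  (repquota output on stdin)
# Prints "user used soft pct%" for every user at or above PERCENT of the block
# soft limit; users with soft = 0 (no limit, e.g. root) are ignored.
quota_hogs() {
    awk -v pct="$1" '
        seen_rule && NF >= 5 && $4 > 0 {
            used = $3; soft = $4; p = int(used * 100 / soft)
            if (p >= pct) printf "%s %d %d %d%%\n", $1, used, soft, p
        }
        /^-+$/ { seen_rule = 1 }'
}

if [ "$#" -eq 1 ]; then          # e.g. ./quota_hogs.sh 80   (reads the live filesystem)
    repquota -u /home | quota_hogs "$1"
elif [ "$#" -eq 2 ] && [ "$1" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_REPQUOTA" | quota_hogs "$2"
fi
```

With the sample and a threshold of 80, alice (over the limit, already in her grace period, flagged `+-` by repquota) and bob (83%) are reported, carol and administrator are not. Pipe the live `repquota -u /home` through it from cron to get a warning before users start seeing "disk full" errors in Windows Explorer.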
10. Automatic drive mapping (domain logon script)
C:\WINDOWS\SYSVOL\sysvol\rainbird.net\scripts\share.cmd
Contents of share.cmd:
@echo off
if exist P: net use P: /del /y
net use P: \\172.16.0.21\%USERNAME%
gpupdate /force
Mapping by IP address means the client has no service principal name to ask the KDC for, so the SMB session falls back to NTLM. Using the server's DNS name in the UNC path (the name the machine was joined under) lets the session authenticate with the Kerberos ticket the user already holds.
11. Disable disk quotas
quotaoff /home
Restricting a department directory (it-dept here) with POSIX ACLs, so that the finance group may read and traverse it, everybody else is locked out, and newly created entries inherit the same rule:
setfacl -R -m group:finance:r-x it-dept
setfacl -R -m mask::rwx it-dept
setfacl -R -m other::--- it-dept
setfacl -R -m default:user::rwx it-dept
setfacl -R -m default:group::--- it-dept
setfacl -R -m default:other::--- it-dept
default:other is set to --- to match the other::--- entry above; leaving it at r-- would make every file created later world-readable while the existing ones are not. Note that the default ACL carries no entry for finance, so files created after this point are readable by finance only if default:group:finance:r-x is added as well. Verify the result with getfacl it-dept.
Problem
[2014/12/01 14:56:09.026040, 0] lib/access.c:338(allow_access)
  Denied connection from 172.16.16.242 (172.16.16.242)
Check the SELinux and iptables status. This particular line, however, is written by smbd's own hosts allow / hosts deny evaluation (allow_access in lib/access.c), so the client's address is simply not covered by the hosts allow list in smb.conf; a firewall or SELinux denial would never get as far as this log message.