准備一台Windows域控制器, 在Samba服務器上安裝Webmin圖形化管理工具, samba, krb5-user, winbind.
修改/etc/krb5.conf.
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = HZVOBILE.LOCAL dns_lookup_kdc = false [realms] HZVOBILE.LOCAL = { default_domain = hzvobile.local kdc = vobile-dc1.hzvobile.local:88 admin_server = vobile-dc1.hzvobile.local:749 } [domain_realm] .hzvobile.local = HZVOBILE.LOCAL hzvobile.local = HZVOBILE.LOCAL
修改/etc/samba/smb.conf, 用testparm -s來檢查smb.conf文件的合規性.
[global] winbind use default domain = yes pam password change = yes ; winbind trusted domains only = yes ##這行決定getent passwd是否能獲得域帳號 map to guest = bad user workgroup = HZVOBILE passdb backend = tdbsam log file = /var/log/samba/log.%m idmap config * : range = 16777216-33554431 ##如果不指定用戶的UID, 上傳文件后通過ll命令會發現所上傳的用戶和組都是root; 指定之后, 就顯示用戶user和domain user組 obey pam restrictions = yes os level = 20 panic action = /usr/share/samba/panic-action %d realm = HZVOBILE.LOCAL ; password server = vobile-dc1.hzvobile.local passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . server string = %h server (Samba, Ubuntu) dns proxy = no passwd program = /usr/bin/passwd %u usershare allow guests = yes unix password sync = yes security = ads syslog = 0 max log size = 1000 server role = standalone server winbind offline logon = false winbind enum groups = yes winbind enum users = yes
修改/etc/nsswitch.conf, 添加winbind驗證方式.
passwd: compat winbind group: compat winbind shadow: compat winbind
使用net ads join -U administrator命令將Samba服務器加入域.
重啟后用wbinfo -t和-u或-g檢查連通性, 正常情況下你可以看到活動目錄中的所有賬號和組.
checking the trust secret for domain HZVOBILE via RPC calls succeeded
此時你應該可以通過getent passwd查看到所有域帳號.
創建文件夾, 並將文件夾權限777(此處類似Windows權限控制, NTFS與Share權限共同作用於一個用戶對文件的最終權限)
[chen_chen] valid users = hzvobile\chen_chen path = /mnt/hd2/chen_chen writeable = yes [it] path = /mnt/hd2/it writeable = yes valid users = @hzvobile\it
客戶端訪問: smbclient //ip/folder -W workgroup -U chen.
2015-10-8更新:
我在Debian 8.2上安裝了Samba 4.1.17, 發現wbinfo可以獲取域帳號和組, 但是getent卻不行, 經Google后找到解決方案
apt-get install libnss-winbind
2015-10-15更新:
域控設置的變更到winbind有一個刷新時間, 如果想縮短這個時間, 可以在smb.conf中加入以下設置:
[global] ... idmap cache time = 1 idmap negative cache time = 1 winbind cache time = 1
2015-10-15更新磁盤配額:
首先, Linux的磁盤配額是對於整個分區生效的, 然后可以針對User或者Group進行限制, 下面對幾種"矛盾"的情況作出分析:
1. 同時設置了User1和PGroup1的配額 (User1屬於PGroup1), 則User1的配額生效.
2. 同時設置了PGroup2和SGroup2的配額 (User2同時屬於PGroup2和SGroup2), 以User2的身份上傳數據時, 哪個組是User2的Primary Group, 則哪個組的配額生效.
2.1 在Windows活動目錄中, 所有域帳號的Primary Group都是Domain Users, 一開始我希望通過usermod命令修改用戶的Primary Group, 然后系統提示我: XXX用戶不存在於/etc/passwd. 想想也是這樣! Google后發現對於Winbind+ Active Directory的方式, 需要在Windows中修改用戶的Primary Group, 具體方式是開啟ADUC的高級功能, 然后在"隸屬於"中"設置主要組". 注意: 如果組類型是本地域組, 則"設置主要組"按鈕為灰色.
參考資料:
http://winda.blog.51cto.com/55153/261293/
http://rainbird.blog.51cto.com/211214/197509
http://blog.yam.com/gavint/article/4530697
http://ubuntuforums.org/showthread.php?t=2206822