Samba结合Windows AD

五.Samba结合Windows AD

       samba集成AD认证并限制空间

1、安装必须程序

yum install -y krb5-workstation
yum install -y pam_krb5

yum install -y krb5-devel

yum install -y krb5-libs

yum install -y samba

yum install -y quota

yum install -y gawk

关掉selinux

vi /etc/selinux/config

2、配置krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

ticket_lifetime = 24000

default_realm = LIXIN360.COM //默认域名

dns_lookup_realm = false

dns_lookup_kdc = false

[realms]

LIXIN360.COM = {

kdc = LIXIN360.COM:88 //服务IP或者域名

# admin_server = kerberos.example.com:749

default_domain = LIXIN360.COM

}

[domain_realm]

.lixin360.com = LIXIN360.COM

lixin360.com = LIXIN360.COM

[kdc]

profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]

pam = {

debug = false

ticket_lifetime = 36000

renew_lifetime = 36000

forwardable = true

krb4_convert = false

}

2. samba加入域

net rpc join -U [email protected]

报错:

Unknown parameter encountered: "display charset"

解决办法:

需要先配置smb.conf

3、测试kerberos

kinit [email protected]

kinit 命令将测试服务器间的通信,administrator为域内存在的用户, RAINBIRD.NET 是你的活动目录的域名,必须大写。

正确操作的提示:

[root@filesrv~]# kinit [email protected]   (域名必须大写)

Password for [email protected]: (正确输入密码后直接返回)

[root@filesrv~]# AA

可能遇到的几个常见错误:

域名错误(域名必须大写):

kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

密码错误,验证失败:

kinit(v5): Preauthentication failed while getting initial credentials.

用户不存在:

kinit(v5): Client not found in Kerberos database while getting initial credentia                                                                                                                      

时间不一致:

kinit(v5): Clock skew too great while getting initial credentials

同步 :ntpdate 172.16.0.22(0.22 是时间服务器)

4、修改/etc/nsswitch.conf

passwd:     files winbind

shadow:     files winbind

group:      files winbind

5、配置smb.conf

vi /etc/samba/smb.conf

[global]

       workgroup = LIXIN360

       server string = Lixin File Server

;       netbios name = MYSERVER

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24

;       hosts allow = 127. 192.168.12. 192.168.13.

       # logs split per machine

       log file = /var/log/samba/log.%m

       # max 50KB per log file, then rotate

       max log size = 50

       security = user

       passdb backend = tdbsam

;       security = domain

;       passdb backend = tdbsam

       realm = LIXIN360.COM

       password server = LIXIN360.COM

       security = ads

;       passdb backend = tdbsam

       idmap uid = 16777216-33554431

       idmap gid = 16777216-33554431

       template shell = /sbin/nologin

       template homedir = /home/%U

       winbind use default domain = true

       winbind offline logon = true

       winbind enum groups = yes

       winbind enum users = yes

       winbind separator = /

;       domain master = yes

;       domain logons = yes

       # the login script name depends on the machine name

;       logon script = %m.bat

       # the login script name depends on the unix user used

;       logon script = %u.bat

;       logon path = \\%L\Profiles\%u

       # disables profiles support by specifing an empty path

;       logon path =          

;       add user script = /usr/sbin/useradd "%u" -n -g users

;       add group script = /usr/sbin/groupadd "%g"

;       add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"

;       delete user script = /usr/sbin/userdel "%u"

;       delete user from group script = /usr/sbin/userdel "%u" "%g"

;       delete group script = /usr/sbin/groupdel "%g"

;       local master = no

;       os level = 33

;       preferred master = yes

;       wins support = yes

;       wins server = w.x.y.z

;       wins proxy = yes

;       dns proxy = yes

       load printers = yes

       cups options = raw

;       printcap name = /etc/printcap

       #obtain list of printers automatically on SystemV

;       printcap name = lpstat

;       printing = cups

;       map archive = no

;       map hidden = no

;       map read only = no

;       map system = no

;       store dos attributes = yes

[homes]

       comment = Home Directories

;        path = /home/%U

;        valid users = lixin360.com/%U

       root preexec = /shell/mkhome.sh %U %G

       browseable = no

       writable = yes

[printers]

       comment = All Printers

       path = /var/spool/samba

       browseable = no

       guest ok = no

       writable = no

       printable = yes

6、重启服务

重新启动服务

service smb restart

service winbind restart

设定服务开机自动启动

chkconfig smb on

chkconfig winbind on

7、测试是否成功加域

wbinfo -t

wbinfo -u

wbinfo -g

8、自动创建用户的脚本

touch /shell/mkhome.sh

chmod 700 /shell/mkhome.sh

vi /shell/mkhome.sh

#!/bin/bash

user=$1

group=$2

home=/home/$1


if [ ! -d $home ] ; then

mkdir -p $home

chown $user $home

chgrp $group $home

chmod 700 $home

edquota -p administrator -u $user

fi

9、设置磁盘配额

vi /etc/fstab

/dev/hdb1               /home               ext3    defaults,usrquota,grpquota

重新挂载

mount -o remount  /home

创建磁盘配额

quotacheck -cmug  /home

启用磁盘配额

quotaon -av

配额设置:

edquota -u administrator

Disk quotas for user administrator (uid 16777217):

 Filesystem                   blocks       soft       hard     inodes     soft     hard

 /dev/mapper/vg_lxszsmb-data          4    5120000    5120000          1  5120000  5120000

查看配额:

quota -u administrator

Disk quotas for user administrator (uid 16777217):

    Filesystem  blocks   quota   limit   grace   files   quota   limit   grace

/dev/mapper/vg_lxszsmb-data

                     4  5120000 5120000  (5G)            1  5120000 512000

10、自动映射

C:\WINDOWS\SYSVOL\sysvol\rainbird.net\scripts\share.cmd

share.cmd里面的内容是:

@echo off

if exist P: net use P: /del /y

net use P: \\172.16.0.21\%USERNAME%

gpupdate /force

11、quotaoff /home

关闭磁盘配额

setfacl -R -m group:finance:r-x 资金日报表

setfacl -R -m mask::rwx 资金日报表

setfacl -R -m oAther::--- 资金日报表

setfacl -R -m default:user::rwx 资金日报表

setfacl -R -m default:group::--- 资金日报表

setfacl -R -m default:other::r-- 资金日报表

问题

[2014/12/01 14:56:09.026040,  0] lib/access.c:338(allow_access)

 Denied connection from 172.16.16.242 (172.16.16.242)

查看 selinux      iptables 状态

你可能感兴趣的:(Windows,Linux运维常见服务搭建)