五.Samba结合Windows AD
samba集成AD认证并限制空间
1、安装必须程序
yum install -y krb5-workstation
yum install -y pam_krb5
yum install -y krb5-devel
yum install -y krb5-libs
yum install -y samba
yum install -y quota
yum install -y gawk
关掉selinux
vi /etc/selinux/config
2、配置krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
# 默认域名
default_realm = LIXIN360.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
LIXIN360.COM = {
# 服务IP或者域名
kdc = LIXIN360.COM:88
# admin_server = kerberos.example.com:749
default_domain = LIXIN360.COM
}
[domain_realm]
.lixin360.com = LIXIN360.COM
lixin360.com = LIXIN360.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
2. samba加入域
net rpc join -U <管理员账号>@<域名>
报错:
Unknown parameter encountered: "display charset"
解决办法:
需要先配置smb.conf
3、测试kerberos
kinit administrator@RAINBIRD.NET
kinit 命令将测试服务器间的通信,administrator为域内存在的用户, RAINBIRD.NET 是你的活动目录的域名,必须大写。
正确操作的提示:
[root@filesrv~]# kinit administrator@RAINBIRD.NET (域名必须大写)
Password for administrator@RAINBIRD.NET: (正确输入密码后直接返回)
[root@filesrv~]# AA
可能遇到的几个常见错误:
域名错误(域名必须大写):
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
密码错误,验证失败:
kinit(v5): Preauthentication failed while getting initial credentials.
用户不存在:
kinit(v5): Client not found in Kerberos database while getting initial credentials.
时间不一致:
kinit(v5): Clock skew too great while getting initial credentials
同步 :ntpdate 172.16.0.22(0.22 是时间服务器)
4、修改/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
5、配置smb.conf
vi /etc/samba/smb.conf
[global]
workgroup = LIXIN360
server string = Lixin File Server
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
security = user
passdb backend = tdbsam
; security = domain
; passdb backend = tdbsam
realm = LIXIN360.COM
password server = LIXIN360.COM
security = ads
; passdb backend = tdbsam
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = true
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifying an empty path
; logon path =
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
; local master = no
; os level = 33
; preferred master = yes
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
[homes]
comment = Home Directories
; path = /home/%U
; valid users = lixin360.com/%U
root preexec = /shell/mkhome.sh %U %G
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
6、重启服务
重新启动服务
service smb restart
service winbind restart
设定服务开机自动启动
chkconfig smb on
chkconfig winbind on
7、测试是否成功加域
wbinfo -t
wbinfo -u
wbinfo -g
8、自动创建用户的脚本
touch /shell/mkhome.sh
chmod 700 /shell/mkhome.sh
vi /shell/mkhome.sh
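#!/bin/bash
# Create the home directory for a Samba/winbind user on first connection.
#
# Invoked from smb.conf as:  root preexec = /shell/mkhome.sh %U %G
# so it runs as root with the authenticated session user (%U) and the
# user's primary group (%G).
#
# Arguments:
#   $1 - user name
#   $2 - group name
# Side effects:
#   Creates /home/<user> (mode 0700, owned by <user>:<group>) when it does
#   not exist yet, then copies the "administrator" quota limits onto <user>.
# Returns:
#   0 on success (also when the directory already exists); non-zero when an
#   argument is missing/unsafe or one of the steps fails.
set -euo pipefail

user=${1:?usage: mkhome.sh USER GROUP}
group=${2:?usage: mkhome.sh USER GROUP}
home=/home/$user

# The script runs as root, so refuse names that could walk out of /home or
# be parsed as command options. Names containing '/' are left alone because
# smb.conf sets "winbind separator = /" (DOMAIN/user is a legal value).
case "$user" in
  ..|../*|*/..|*/../*|-*)
    printf 'mkhome.sh: refusing unsafe user name %q\n' "$user" >&2
    exit 1
    ;;
esac

if [ ! -d "$home" ]; then
  mkdir -p -- "$home"
  chown -- "$user" "$home"
  chgrp -- "$group" "$home"
  chmod 700 -- "$home"
  # Clone the administrator's quota limits onto the new user.
  edquota -p administrator -u "$user"
fi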
9、设置磁盘配额
vi /etc/fstab
/dev/hdb1 /home ext3 defaults,usrquota,grpquota
重新挂载
mount -o remount /home
创建磁盘配额
quotacheck -cmug /home
启用磁盘配额
quotaon -av
配额设置:
edquota -u administrator
Disk quotas for user administrator (uid 16777217):
Filesystem blocks soft hard inodes soft hard
/dev/mapper/vg_lxszsmb-data 4 5120000 5120000 1 5120000 5120000
查看配额:
quota -u administrator
Disk quotas for user administrator (uid 16777217):
Filesystem blocks quota limit grace files quota limit grace
/dev/mapper/vg_lxszsmb-data
4 5120000 5120000 (5G) 1 5120000 512000
10、自动映射
C:\WINDOWS\SYSVOL\sysvol\rainbird.net\scripts\share.cmd
share.cmd里面的内容是:
@echo off
if exist P: net use P: /del /y
net use P: \\172.16.0.21\%USERNAME%
gpupdate /force
11、quotaoff /home
关闭磁盘配额
setfacl -R -m group:finance:r-x 资金日报表
setfacl -R -m mask::rwx 资金日报表
setfacl -R -m other::--- 资金日报表
setfacl -R -m default:user::rwx 资金日报表
setfacl -R -m default:group::--- 资金日报表
setfacl -R -m default:other::r-- 资金日报表
问题
[2014/12/01 14:56:09.026040, 0] lib/access.c:338(allow_access)
Denied connection from 172.16.16.242 (172.16.16.242)
查看 selinux iptables 状态