环境: Windows AD 域: script.com, 域控: pdc.script.com, 域控IP: 10.86.9.6, 域管理员: lala_admin
NIS : nis_script.com NIS服务器IP:10.86.10.6
一: 安装软件,配置krb5kdc以绑定AD, 配置SMB,设置将要共享的文件夹,以及使用AD验证.
1.yum install samba
2.yum install krb5-server*
3.vi /etc/krb5.conf
# /etc/krb5.conf — Kerberos *client* library configuration; this is what kinit (step 9)
# and winbind use to reach the KDC. The KDC here is the AD domain controller itself.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# default_realm = EXAMPLE.COM
# Realm is the AD domain name in upper case; principals given without a realm get this one.
default_realm = SCRIPT.COM
# DNS-based discovery is off: realm mapping and KDC address come only from the static
# entries below, so they must be updated by hand if the DC changes.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Tickets are requested as forwardable by default (allows the TGT to be forwarded, e.g. for delegation).
forwardable = true
[realms]
SCRIPT.COM = {
# KDC pinned to the AD DC's IP (10.86.9.6, see the environment header).
# NOTE(review): this is the KDC kinit talks to — the locally started krb5kdc service
# (steps 7-8) is not referenced anywhere in this file; confirm that service is really needed.
kdc = 10.86.9.6
# NOTE(review): AD does not run the MIT kadmin service, so this entry is presumably unused here.
admin_server = 10.86.9.6
}
[domain_realm]
# Map the bare domain and all of its subdomains to the realm.
.script.com = SCRIPT.COM
script.com = SCRIPT.COM
4. vi /var/kerberos/krb5kdc/kdc.conf
# /var/kerberos/krb5kdc/kdc.conf — configuration of the LOCAL MIT KDC (krb5kdc service, steps 7-8).
# NOTE(review): krb5.conf points kinit/winbind at the AD DC, so this local KDC is not what
# authenticates domain users; confirm it is needed before leaving it enabled at boot (step 7).
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SCRIPT.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Word list used by the local KDC's weak-password check.
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): the list below still offers DES (des-*) and RC4 (arcfour-hmac) key types,
# which are considered weak. If this KDC stays in service, limiting it to the aes256/aes128
# entries is the safer default — confirm first that no client depends on the old types.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
5.yum install ntp 安装NTP, 让Samba服务器与AD域控时间同步(Kerberos验证要求两端时钟偏差很小, 偏差过大会导致kinit和加域失败)
6.ntpdate 10.86.9.6 以域控为时间源做一次性同步(要持续保持同步还需启动ntpd服务)
7.chkconfig --level 2345 krb5kdc on
8.service krb5kdc start
9.kinit <AD帐号>@SCRIPT.COM (帐号名为占位符) 测试能否从AD域控取得Kerberos票据, 即krb5.conf是否配置正确
10.vi /etc/samba/smb.conf 配置Samba
# /etc/samba/smb.conf [global] — Samba as a member server of the AD domain SCRIPT.COM,
# authenticating users through Kerberos/winbind.
[global]
# NetBIOS (short) name of the AD domain script.com; also the prefix used in users.txt.
workgroup = SCRIPT
server string = Kuai le de da jiao
# Network-level filter: loopback plus any address with the 10.86. prefix.
# The per-share "hosts allow" entries below override this for their own share.
hosts allow = 127. 10.86.
# NOTE(review): 10 is Samba's maximum debug level — very large logs that may record
# sensitive request detail. Acceptable while troubleshooting the join; lower it (0 or 1)
# for normal operation.
log level = 10
# One log file per client machine (%m), rotated at 50 KB.
log file = /var/log/samba/log.%m
max log size = 50
# Authenticate against AD with Kerberos; the DC is pinned by IP rather than found via DNS.
security = ads
realm = SCRIPT.COM
password server = 10.86.9.6
# NOTE(review): with security = ads the usual join command is "net ads join"; step 11
# records "net rpc join" — confirm which form was actually used.
# Local UID/GID ranges winbind allocates to AD users and groups (older "idmap uid/gid"
# syntax; newer releases spell this "idmap config * : range").
idmap uid = 10000-20000
idmap gid = 10000-20000
encrypt passwords = yes
# AD accounts are presented without the SCRIPT/ domain prefix.
winbind use default domain = true
winbind offline logon = false
# Enumeration lets getent/wbinfo list every AD user and group (step 15);
# can be slow on large domains.
winbind enum groups = yes
winbind enum users = yes
# Non-default separator (Samba's default is "\"); this is why users.txt writes SCRIPT/test.
winbind separator = /
# Maps NIS-side account names to AD account names (step 23).
username map = /etc/samba/users.txt
#============================ Share Definitions ==============================
# Common pattern for the shares below:
#  - "hosts allow = .script.com" matches clients by DNS suffix, which depends on a reverse
#    lookup of the client address — treat it as a convenience filter, not an authentication
#    control; access still rests on the AD login and on the NFS-side NIS ownership (steps 20-22).
#  - "create mode" and "create mask" are the same parameter under two names, and "public"
#    is a synonym of "guest ok"; the mixed spellings are harmless but could be unified.
#  - "hosts deny = 172.26.3.0/24" is set on most shares, commented out in [homes] and
#    absent from [tools] — confirm that is intentional.
[homes]
comment = Normal Area H: Drive
# %S is the current service name, which for [homes] is the connecting user's name,
# so each user gets /hdrives/<user> (on the NFS mount from step 21).
path = /hdrives/%S
browseable = yes
read only = no
create mode = 0640
directory mask = 0750
hosts allow = .script.com
# hosts deny = 172.26.3.0/24
[groot]
comment = Group Shares
# /groot is the NFS mount from step 22.
path = /groot
public = no
; browseable = no
writable = yes
printable = no
create mode = 0664
directory mask = 0775
hosts allow = .script.com
hosts deny = 172.26.3.0/24
[tools]
comment = Tool Shares (Read Only)
path = /tools
public = no
read only = yes
create mask = 0664
directory mask = 0775
printable = no
hosts allow = .script.com
[pro]
comment = Project Shares
path = /pro
public = no
writable = yes
printable = no
create mask = 0664
directory mask = 0775
hosts allow = .script.com
hosts deny = 172.26.3.0/24
[protest]
comment = Project Shares
path = /export/home/protest
public = no
writable = yes
printable = no
create mask = 0664
directory mask = 0775
hosts allow = .script.com
hosts deny = 172.26.3.0/24
[proot]
comment = Project Shares, RW in common area, RO in secure area
# path = /PROJECT2/proots_n
# /proot is the NFS mount of micsfs1n:/PROJECT2/proots_n from step 20.
path = /proot
public = no
writable = yes
printable = no
create mode = 0664
directory mask = 0775
hosts allow = .script.com
hosts deny = 172.26.3.0/24
[project]
comment = Project Shares, RW in common area, RO in secure area
path = /project
public = no
writable = yes
printable = no
create mode = 0664
directory mask = 0775
hosts allow = .script.com
hosts deny = 172.26.3.0/24
11.net rpc join -S pdc.script.com -U lala_admin 把Samba这台机器加入到Windows域Script.com
12. vi /etc/nsswitch.conf 配置名称解析顺序(NIS客户端及winbind)
# /etc/nsswitch.conf — name-service lookup order. For accounts: local files first,
# then AD accounts via winbind (service started in step 14), then NIS.
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind nis
shadow: files winbind nis
group: files winbind nis
#hosts: db files nisplus nis dns
# Host names: local file, then the NIS hosts map, then DNS.
hosts: files nis dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
# NOTE(review): still references nisplus while every other map uses nis;
# presumably the distro default left untouched rather than a deliberate choice.
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files nis
rpc: files
services: files nis
netgroup: files nis
publickey: files
automount: files nis
aliases: files nis
13. service krb5kdc restart
14. service winbind start
15. wbinfo -u 列出winbind从AD枚举到的帐号, 确认Samba服务器已能通过winbind读取AD帐号
16. wbinfo -t 检查与域控的信任关系(机器帐号)是否有效
17. service smb start
18. vi /etc/sysconfig/network 配置NIS客户端所属的NIS域名
19. reboot
20. mount -t nfs -o intr micsfs1n:/PROJECT2/proots_n /proot 挂载NFS,这些网络共享的权限设置是依据NIS用户名和用户组的, 不是AD的帐号哦
21. mount -t nfs -o intr micsfs1n:/HOME/hdrives /hdrives
22. mount -t nfs -o intr micsfs1n:/PROJECT1/groots /groot
23. vi /etc/samba/users.txt AD域帐号和NIS帐号名称不相同的帐号,需要手动指定匹配.
比如某个帐号在AD中是test, 在NIS中是test-n, 就写一行 test-n = SCRIPT/test 。SCRIPT是域script.com的NETBIOS名, 中间的分隔符/与smb.conf里winbind separator的设置一致.
24. smbclient -L localhost -U lala_admin 测试SMB
25. smbclient -L pc.script.com -U 'script\lala_admin' (反斜杠要加引号, 否则会被shell当作转义字符吃掉)
26. mount -o username=lala_admin //pc.script.com/soft-tools$ /root/test
以上只是工作记录,涉及到敏感信息的部分,被假定的名称代替掉了。