During this experiment I found that a Samba server can be made to act as a PDC. I have not tried it, but since it can act as a DC, it should be possible to do real integrated AD authentication. I will start on that experiment right away; it may take a while, so I am writing up the experiment below first.
Note: Linux is strictly case-sensitive. Keep this in mind; it is a mistake even experienced people make!
Note: one point deserves special mention: every AD account that will use the server must also exist on the Red Hat host.
Create it with useradd username, using exactly the same name as in AD: for example, if AD has a user TEST, Red Hat must also have a user TEST, although it is AD's TEST that is checked at logon. *Creating the user is enough; no password needs to be set. (Check with getent passwd TEST afterwards: once winbind is listed in nsswitch.conf and working, it resolves the AD user by itself, and the local entry then mainly supplies the /home/TEST directory used by the [homes] share below; winbind's own default is template homedir = /home/%D/%U.)
PS: This could have been done sooner, but I overlooked this point and the experiment failed.
1. Test environment:
Linux:
Red Hat 9
host/NetBIOS name: luxing (192.168.1.50)
security = ads
Win2k3:
Machine name: dc (192.168.1.100)
AD domain name: test.com
DNS
WINS
Client:
Machine name: peter (192.168.1.200)
FQDN: client.test.com
2. Required software:
samba-common-3.0.5-0.5.1.i386.rpm
samba-client-3.0.5-0.5.1.i386.rpm
samba-3.0.5-0.5.1.i386.rpm
Have the Red Hat CDs ready.
Insert the second Red Hat CD, change to its RPMS directory and install the following packages (version numbers left off; use Tab completion):
rpm -ivh krb5-workstation
rpm -ivh krb5-server
(krb5-workstation provides kinit and klist, which are what this setup needs; krb5-server is a KDC and is not required to authenticate against AD, but installing it does no harm.)
3. Installing Samba 3.0:
If an older Samba is already installed, remove it first (rpm -qa | grep samba lists the packages, rpm -e removes them).
Then install the three Samba packages downloaded above with rpm -ivh.
4. Configure Kerberos (/etc/krb5.conf):
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TEST.COM = {
kdc = 192.168.1.100
admin_server = 192.168.1.100
default_domain = TEST.COM
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
5. Verify: (you may need to reboot before this step; if you followed the order above, it should not be necessary). Kerberos also requires the Linux clock to be within five minutes of the DC's, so synchronise it first (for example net time set -S dc); otherwise kinit fails with a clock-skew error.
[root@luxing root]# kinit administrator@TEST.COM
Password for administrator@TEST.COM:
[root@luxing root]# (if the password is correct you return straight to the prompt with no message; klist then lists a krbtgt/TEST.COM@TEST.COM ticket)
[root@luxing root]# smbclient -L dc -k
OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
Sharename Type Comment
--------- ---- -------
C$ Disk Default share
IPC$ IPC Remote IPC
ADMIN$ Disk Remote Admin
SYSVOL Disk Logon server share
NETLOGON Disk Logon server share
OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
Server Comment
--------- -------
Workgroup Master
--------- -------
(-k authenticates with the Kerberos ticket obtained by kinit, so no password prompt should appear.)
6. Configure Samba: (this is my smb.conf; compare it with yours and make the changes)
#======================= Global Settings =======================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = TEST
# server string is the equivalent of the NT Description field
server string = Samba Server
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
printing = cups
# Uncomment this if you want a guest account, you must add this to
# /etc/passwd otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/smbd.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = ads
realm = TEST.COM
# Parameter names must be spelled exactly: Samba ignores an unknown name
# (testparm only warns), so a typo silently switches the feature off.
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# With security = ads this only pins the DC Samba talks to; it is optional
password server = 192.168.1.100
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
; smb passwd file = /etc/samba/smbpasswd
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = no
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = no
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS
# Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.1.100
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no
#==============ShareDefinitions=================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
[myshare]
comment = Mary's and Fred's stuff
path = /share
# public = yes allows unauthenticated (guest) access to this share
public = yes
writable = yes
printable = no
create mask = 0765
7. Edit nsswitch.conf:
[root@luxing root]# vi /etc/nsswitch.conf
[root@luxing root]# cat /etc/nsswitch.conf
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind (change this line)
shadow: files
group: files winbind (change this line)
8. Make the winbind NSS module visible to the C library:
[root@luxing root]# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
[root@luxing root]# /sbin/ldconfig -v | grep winbind
libnss_winbind.so -> libnss_winbind.so.2
(the second command should print the line above)
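Before running the join in the next step, it is worth linting the three files edited in steps 4, 6 and 7 together. The shell script below is an added example and is not part of the original post or of Samba. It assumes the file paths are passed as arguments and that the list of known winbind parameter names is a small subset (extend it for your Samba version); it runs on constructed copies of the page's own settings, including two misspelled winbind lines (winbind emum users, winbind use default domin), the kind of slip that Samba ignores silently. It checks that security = ads, that realm is upper case and identical to default_realm in krb5.conf, that no winbind parameter is misspelled, and that passwd and group in nsswitch.conf consult winbind.

```shell
#!/bin/sh
# Pre-join lint for the three files edited above: smb.conf [global], krb5.conf
# and nsswitch.conf. Samba ignores a misspelled parameter name (testparm only
# warns "Unknown parameter"); Kerberos realm names are case-sensitive.

# Winbind parameter names accepted by Samba 3.0.x: the ones used above plus
# a few common ones ("winbind uid/gid" are the older names of idmap uid/gid).
KNOWN_WINBIND='winbind separator
winbind uid
winbind gid
winbind enum users
winbind enum groups
winbind use default domain
winbind cache time'

# smb_param FILE NAME -> value of NAME in [global] (last one wins, as in Samba);
# name match ignores case and repeated spaces, comment lines are skipped.
smb_param() {
    awk -v want="$2" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
        inglobal && index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/[[:space:]]+/, " ", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                last = val
            }
        }
        END { print last }' "$1"
}

# unknown_winbind_params FILE -> every "winbind ..." key not in KNOWN_WINBIND
unknown_winbind_params() {
    awk '/^[[:space:]]*[;#]/ { next }
         /^[[:space:]]*winbind[^=]*=/ {
             key = $0; sub(/=.*/, "", key)
             gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/[[:space:]]+/, " ", key)
             print tolower(key) }' "$1" |
    while IFS= read -r key; do
        printf '%s\n' "$KNOWN_WINBIND" | grep -qxF -- "$key" || printf '%s\n' "$key"
    done
}

# check_ads_conf SMBCONF KRB5CONF NSSWITCH -> one finding per line; returns 1
# if anything is wrong, 0 when the three files are consistent.
check_ads_conf() {
    smb=$1; krb=$2; nss=$3; bad=0
    sec=$(smb_param "$smb" security)
    [ "$sec" = "ads" ] || { echo "security = '$sec', expected ads"; bad=1; }
    [ -n "$(smb_param "$smb" workgroup)" ] || { echo "workgroup is not set"; bad=1; }
    realm=$(smb_param "$smb" realm)
    krbrealm=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                          gsub(/[[:space:]]/, "", $2); print $2; exit }' "$krb")
    if [ -z "$realm" ]; then
        echo "realm is not set in smb.conf"; bad=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr a-z A-Z)" ]; then
        echo "realm '$realm' is not upper case"; bad=1
    elif [ "$realm" != "$krbrealm" ]; then
        echo "realm '$realm' differs from krb5.conf default_realm '$krbrealm'"; bad=1
    fi
    unknown=$(unknown_winbind_params "$smb")
    if [ -n "$unknown" ]; then
        printf '%s\n' "$unknown" | sed 's/^/unknown parameter (typo?): /'; bad=1
    fi
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|"'$)' "$nss" ||
            { echo "nsswitch.conf: '$db:' does not list winbind"; bad=1; }
    done
    return $bad
}

# write_samples DIR -> constructed inputs: the [global] lines from the smb.conf
# above, typos included, a corrected copy, and the krb5/nsswitch settings.
write_samples() {
    cat >"$1/smb-broken.conf" <<'EOF'
[global]
   workgroup = TEST
   security = ads
   realm = TEST.COM
   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind emum users = yes
   winbind use default domin = yes
   password server = 192.168.1.100
EOF
    sed -e 's/emum users/enum groups/' -e 's/domin/domain/' "$1/smb-broken.conf" >"$1/smb-fixed.conf"
    printf '[libdefaults]\n default_realm = TEST.COM\n' >"$1/krb5.conf"
    printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' >"$1/nsswitch.conf"
}

d=$(mktemp -d); write_samples "$d"
echo "== as posted =="; check_ads_conf "$d/smb-broken.conf" "$d/krb5.conf" "$d/nsswitch.conf" || echo "fix these before net ads join"
echo "== corrected =="; check_ads_conf "$d/smb-fixed.conf" "$d/krb5.conf" "$d/nsswitch.conf" && echo "OK"
rm -rf "$d"
```

On the real host run check_ads_conf /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf; testparm still does the authoritative syntax check, but it does not compare the realm against krb5.conf or look at nsswitch.conf.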
9. Join Red Hat to AD with net ads join -S TEST -U administrator (-S takes the name of the server to join through; if -S TEST does not find the DC, use -S dc). The matching computer object then appears in "Active Directory Users and Computers".
Then restart Samba (service smb restart) and winbind (service winbind restart). winbindd reads the machine account secret that the join writes, so it must be (re)started after joining, not before.
10. Test:
[root@luxing root]# wbinfo -u
TEST+Administrator
TEST+Guest
TEST+SUPPORT_388945a0
TEST+DC$
TEST+krbtgt
TEST+a
TEST+ab
TEST+HOST/luxing
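From this listing one can derive which accounts need the local entries described in the note at the top of the post. The script below is an added example and not part of the original post: it parses wbinfo -u output (the constructed sample is the listing above), skips machine accounts, service principals and the Windows built-ins, and prints the useradd commands for the rest. It assumes + as the winbind separator and /sbin/nologin as the shell (the post sets no shell); the post_join_checks function uses the standard Samba tools and is meant for the joined host only, so it is not executed here.

```shell
#!/bin/sh
# Added helpers for the test step above. parse_wbinfo_users and provision_cmds
# are pure text filters and run here on the sample; post_join_checks runs the
# live commands on the Samba host and is only defined, not called.

SEP='+'   # assumption: the "winbind separator" set in smb.conf above

# Constructed sample: the "wbinfo -u" output shown above.
SAMPLE_WBINFO='TEST+Administrator
TEST+Guest
TEST+SUPPORT_388945a0
TEST+DC$
TEST+krbtgt
TEST+a
TEST+ab
TEST+HOST/luxing'

# parse_wbinfo_users < wbinfo-output -> one bare username per line.
# Strips the DOMAIN+ prefix and drops what must never get a local account:
# machine accounts (trailing $), service principals (containing /) and the
# Windows built-ins Administrator, Guest, krbtgt and SUPPORT_*.
parse_wbinfo_users() {
    awk -v sep="$SEP" '
        { name = $0; i = index(name, sep); if (i) name = substr(name, i + 1) }
        substr(name, length(name), 1) == "$"      { next }
        index(name, "/")                          { next }
        name ~ /^(Administrator|Guest|krbtgt)$/   { next }
        name ~ /^SUPPORT_/                        { next }
        { print name }'
}

# provision_cmds < wbinfo-output -> useradd lines to review and then pipe to sh.
# The name keeps AD's case (Linux is case-sensitive), -m creates /home/NAME for
# the [homes] share, and no password is set because the user authenticates
# against AD; /sbin/nologin is an assumption (no shell is needed for SMB access).
provision_cmds() {
    parse_wbinfo_users | while IFS= read -r u; do
        printf 'useradd -m -s /sbin/nologin %s\n' "$u"
    done
}

# post_join_checks USER -> live checks after "net ads join"; stops at the first
# failure. Needs the samba tools and a joined host, so it is not run here.
post_join_checks() {
    net ads testjoin || { echo "join/machine account is broken"; return 1; }
    wbinfo -t        || { echo "winbindd cannot validate the machine trust secret"; return 1; }
    wbinfo -u | parse_wbinfo_users
    getent passwd "$1" >/dev/null || { echo "nsswitch/winbind does not resolve $1"; return 1; }
    echo "winbind OK: $1 resolves through NSS"
}

printf '%s\n' "$SAMPLE_WBINFO" | provision_cmds
```

If getent passwd ab already resolves the user through winbind, the local entry is redundant: winbind then supplies the home directory from template homedir (default /home/%D/%U), so creating that directory is enough for the [homes] share.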
11. On CLIENT, open \\192.168.1.50 (log in with the ab account).
12. On CLIENT1 (not joined to the domain), open \\192.168.1.50 (it prompts for a username and password; I used cd).
13. Logon script: you know how to do this, it is just net use p: \\<ip address>\%username%
For some reason only the IP address works here; perhaps some setting is still wrong, but it makes no difference. (The likely cause is that the client cannot resolve the name luxing: add an A record for luxing to the test.com zone on the DC, or check that nmbd registered the name with WINS, and \\luxing\%username% should work as well.)
14. Above are the shares seen when different users connect to the Samba server: apart from MYSHARE, which is open to everyone, each user gets one folder of their own.
All of these shared folders are under /home, one per user.
This article comes from the ChinaUnix blog; the original is at http://blog.chinaunix.net/u/10887/showart_57245.html