Environment:
Version: RHEL 5.1
DNS and AD server is 172.16.50.5
Domain is SC.COM
AD and Samba authenticate to each other via Kerberos, winbind handles the synchronisation, and a directory named abc is created on Linux as the shared directory.
#vi /etc/resolv.conf
nameserver 172.16.50.5
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
SC.COM = {
kdc = 172.16.50.5:88
default_domain = SC.COM
}
[domain_realm]
.sc.com = SC.COM
sc.com = SC.COM
#vi /etc/samba/smb.conf
[global]
workgroup = SC
realm = SC.COM
security = ADS
password server = 172.16.50.5
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
template shell = /sbin/nologin
template homedir = /home/%D/%U
winbind separator = %
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
[abc]
path = /abc
writeable = yes
; browseable = yes
guest ok = yes
#chmod 777 /abc
#vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#service smb restart
#service winbind restart
#kinit administrator@SC.COM
The check shows everything is normal.
#net ads join -U Administrator
Join succeeded.
#wbinfo -t
You can see the success message.
#wbinfo -u
The users in AD can now be found.
#getent passwd
#getent group
You can see that 0~500 are Linux system users, and from 10000 onward are the AD users.
Test:
Create a new user in AD, then check with getent passwd on the Linux side: the new user is found to have been synchronised and added, and this does not require restarting the samba and winbind services. Deleting the user works the same way.
However, there is still one unresolved problem: all AD users have read, write and execute on the abc share, and I cannot use the AD Administrator identity to change the abc permissions for these AD users.
That is, I want a few users to have read-only access to the abc directory, but when I try to change it the system tells me my Administrator has no access.
---------------------
Does that mean every time I assign a user permissions on this shared directory, I have to do it as root on Linux?
It would be nice if Administrator could be turned into a user with the same privileges as root, but unfortunately imported samba users cannot have root privileges, since they are not local users after all.
Does anyone know how to solve this? Much appreciated.
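An added example, not code from the post: a small helper script that emits a least-privilege [abc] stanza (AD groups allow-listed with valid users / read list / write list instead of guest ok = yes) together with the matching POSIX ACL commands for /abc, so read-only versus read-write access is decided per group rather than by chmod 777. The group names abc-readers and abc-writers are assumed placeholders; using them unqualified relies on the post's "winbind use default domain = yes".

```shell
#!/bin/sh
# Hypothetical helper (not from the post). Group names are placeholders.
# Unqualified names work because the post sets
# "winbind use default domain = yes". Do not write domain-qualified
# names such as SC%abc-readers inside smb.conf with the post's
# "winbind separator = %": "%a" is an smb.conf substitution variable
# and the name would be mangled.

# Emit a share stanza: $1 share name, $2 path, $3 read-only group,
# $4 read/write group. Access is an allow-list, no anonymous access.
share_stanza() {
    printf '[%s]\n' "$1"
    printf '    path = %s\n' "$2"
    printf '    guest ok = no\n'
    printf '    valid users = @%s @%s\n' "$3" "$4"
    printf '    read list = @%s\n' "$3"
    printf '    write list = @%s\n' "$4"
    printf '    writeable = no\n'
    printf '    create mask = 0660\n'
    printf '    directory mask = 0770\n'
}

# Emit the filesystem side: the rw group owns the directory (setgid so
# new files inherit it), the read-only group gets r-x through an ACL.
# Commands are printed, not executed, so they can be reviewed and run
# as root on the real host.
acl_commands() {
    path=$1; ro=$2; rw=$3
    printf 'chgrp %s %s\n' "$rw" "$path"
    printf 'chmod 2770 %s\n' "$path"
    printf 'setfacl -m g:%s:rx %s\n' "$ro" "$path"
    printf 'setfacl -d -m g:%s:rx %s\n' "$ro" "$path"
}

# Sanity check: a stanza must not allow guests and must carry an
# explicit allow-list. Returns 0 when safe, 1 otherwise.
stanza_is_safe() {
    if printf '%s\n' "$1" | grep -q 'guest ok = yes'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -q 'valid users ='
}

stanza=$(share_stanza abc /abc abc-readers abc-writers)
printf '%s\n' "$stanza"
acl_commands /abc abc-readers abc-writers
```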