- 论坛徽章:
- 0
|
一、实验环境:
windows AD server:windows server 2003
samba:centos 4.7
AD server的hostname和IP地址:
pdc 192.168.0.240
samba的hostname和IP地址:
server 192.168.0.249
Domain name:test.com
DNS:192.168.0.240
二,安装NTP时间验证套件,再来与AD server校准时间
# ntpdate 192.168.0.240
# hwclock -w
三,安装Samba服务器软件需求:
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
samba-3.0.5-2
当然我在这里偷了下懒,我直接用yum进行的安装,毕竟只是了解下这个实验的思路,所以就不用管安全性了。
#yum -y install samba
安装完后,如果你要确认samba安装成功没有可以用下述命令来检查samba包的基础库支持,一般用yum安装或RPM安装是不会有问题的。
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND
三,二、编辑设定档
1、krb5配置
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TEST.COM = {
kdc = 192.168.0.240:88
admin_server = 192.168.0.240:749
default_domain = test.com
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
以上红色部分是要注意的位置。
连接AD server
kinit
administrator@TEST.COM
Kerberos 的 kinit 命令将测试服务器间的通信,后面的域名TEST.COM 是你的活动目录的域名,必须大写,否则会收到错误信息:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
如果通信正常,你会提示输入口令,口令正确的话,就返回 bash 提示符,如果错误则报告:
kinit(v5): Preauthentication failed while getting initial credentials.
這一步代表了已经可以和AD server做沟通了,但并不代表Samba Server已经加入域了。
smb.conf配置
vi /etc/samba/smb.conf
[global]
workgroup = TEST
netbios name = server
idmap uid = 15000-20000
idmap gid = 15000-20000
realm = TEST.COM
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
winbind separator = %
template homedir = /home/%D/%U
template shell = /bin/bash
security = ads
encrypt passwords = yes
password server = 192.168.0.240
[homes]
path = /home/%D/%U
browseable = no
writable = yes
valid users = test.com/%U
create mode = 0777
directory mode = 0777
配置nsswitch.conf
#vi /etc/nsswitch.conf
修改以下位置
passwd: files winbind
shadow: files winbind
group: files winbind
启用samba和winbind服务
#service smb start
#service winbind start
5、加入AD域
[root@server ~]# net rpc join -S pdc.test.com -U administrator
Password:
Joined domain TEST.
6、验证加入是否成功
[root@server ~]# net rpc testjoin
Join to 'TEST' is OK
[root@server ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@server ~]# wbinfo -u
TEST/administrator
TEST/guest
TEST/krbtgt
TEST/zbhdpx
[root@server ~]# wbinfo -g
TEST/domain computers
TEST/domain controllers
TEST/schema admins
TEST/enterprise admins
TEST/domain admins
TEST/domain users
TEST/domain guests
TEST/group policy creator owners
TEST/dnsupdateproxy
[root@server ~]#getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
[root@server ~]#getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
7、做完这些,就可以到AD server上的活动目录中看到该机器了
参考了:
http://blog.sina.com.cn/s/blog_596dc5a30100bzwy.html
http://bbs.winos.cn/thread-13764-1-1.html
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/18630/showart_2114489.html |
|
免费注册
发表于 2009-12-08 18:19