Samba + Windows 2003 AD + ACL for CentOS 4.4 (lite version)

Posted on 2007-04-01 13:56
Environment: CentOS 4.4 + Windows 2003 DC
Compiled by: zzymonk
1. Software required on the Samba server
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
samba-3.0.5-2
yum install krb5-workstation pam_krb5 krb5-devel krb5-libs samba ntp
ntpdate 210.72.145.44
Synchronize the clock first; otherwise joining the domain may fail.
2. Set the relevant firewall options (open ports 139 and 445, etc.)
3. Disable
4. Configure the following files (back up every file first, then replace its contents with what follows; adjust the values to your own environment, and note that case matters)
My DC's fully qualified domain name is: adserver.ad1.h178.com
My DC's IP address is: 192.168.0.4
The domain's NetBIOS name is: AD1
==========================================================================
Edit the hosts file so that your domain name, NetBIOS name and WINS name can be resolved
/etc/hosts
192.168.0.4  adserver.ad1.h178.com
192.168.0.4  adserver
192.168.0.4  ad1.h178.com
192.168.0.4  ad1
===========================================================================
Edit Samba's PAM authentication configuration
/etc/pam.d/samba
#%PAM-1.0
#auth       required        pam_nologin.so
auth     required       /lib/security/pam_winbind.so
#auth     required       /lib/security/pam_unix.so
account  required       /lib/security/pam_winbind.so
#account  required       /lib/security/pam_unix.so
session    required        /lib/security/pam_winbind.so
password   required        /lib/security/pam_winbind.so
================================================================================
/etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
===============================================================================
Edit the Samba configuration file
/etc/samba/smb.conf
[global]
#        dos charset = cp936
#        unix charset = cp936
#        display charset = GB2312
        workgroup = AD1
        realm = ad1.h178.com
        security = ADS
        netbios name = linuxfile
        server string = Samba Server
        encrypt passwords = yes
        password server = adserver.ad1.h178.com
        domain master = no
        allow trusted domains = yes
        nt acl support = yes
        obey pam restrictions = yes
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = yes
        template shell = /bin/false
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        hosts allow = 172.16. 192.168.0.
[test]
        path = /home/test
#       nt acl support = yes
#        writable = no
#        guest ok = no
        read only = yes
        # "valid groups" is not a Samba parameter; restrict the share with valid users and a @group
        valid users = @"AD1\domain users"
        write list = AD1\zzymonk
        admin users = AD1\zzymonk
        force create mode = 0660
        force directory mode = 0770
        security mask = 0777
        force security mode = 0
        directory security mask = 0777
        force directory security mode = 0
        inherit acls = yes
===============================================================================
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = AD1.H178.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 AD1.H178.COM = {
  kdc = 192.168.0.4
# admin_server = kerberos.example.com:749
  default_domain = AD1.H178.COM
 }
[domain_realm]
# map the DC's DNS domain to its Kerberos realm
 .ad1.h178.com = AD1.H178.COM
 ad1.h178.com = AD1.H178.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
===================================================================================
Disable SELinux. It is a security feature, but it often causes odd little problems, so you are better off without it.
/etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
;SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
5. Join Samba to the domain
kinit dcadmin@AD1.H178.COM
(Note: dcadmin must be a domain administrator, and the realm after the @ must be in upper case.)
If you are prompted for a password, it worked. If it complains that the clocks are out of sync, run
ntpdate 210.72.145.44 and you are OK.
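As an added example (not part of the original post), the following Python script cross-checks the relevant lines of the files edited above for the mismatches that most often break kinit and the join: a default_realm that is not the smb.conf realm in upper case, no kdc listed while dns_lookup_kdc is false, a password server with no hosts entry, and nsswitch databases that do not include winbind. The embedded file contents are constructed from the post's own snippets, trimmed to the keys that are checked.

```python
import re

# Constructed from the post's own snippets (same values), trimmed to the keys the checks read.
SMB_CONF = "[global]\n realm = ad1.h178.com\n security = ADS\n password server = adserver.ad1.h178.com\n"
KRB5_CONF = ("[libdefaults]\ndefault_realm = AD1.H178.COM\ndns_lookup_kdc = false\n"
             "[realms]\nAD1.H178.COM = {\nkdc = 192.168.0.4\n}\n")
HOSTS = "192.168.0.4  adserver.ad1.h178.com\n192.168.0.4  adserver\n"
NSSWITCH = "passwd:     files winbind\nshadow:     files winbind\ngroup:      files winbind\n"

def parse_sections(text):
    """[section] / key = value reader for smb.conf and krb5.conf: keys are lower-cased,
    '#' and ';' comments are skipped, and krb5's nested '{ ... }' blocks fold into their section."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = (part.strip() for part in line.split("=", 1))
            sections[cur][key.lower()] = val
    return sections

def check_ads_config(smb_conf, krb5_conf, hosts, nsswitch):
    """Return the mismatches that make kinit or the domain join fail; [] means the files agree."""
    smb = parse_sections(smb_conf).get("global", {})
    krb = parse_sections(krb5_conf)
    libdefaults, realms = krb.get("libdefaults", {}), krb.get("realms", {})
    realm = libdefaults.get("default_realm", "")
    dc = smb.get("password server", "")
    known_hosts = {name for ln in hosts.splitlines() for name in ln.split()[1:]}
    problems = []
    if realm != smb.get("realm", "").upper():
        problems.append("krb5.conf default_realm must equal the smb.conf realm, in UPPER CASE")
    if libdefaults.get("dns_lookup_kdc", "").lower() == "false" and not (
            realm.lower() in realms and "kdc" in realms):
        problems.append("dns_lookup_kdc is false but krb5.conf lists no kdc for %s" % realm)
    if dc not in known_hosts:
        problems.append("/etc/hosts has no entry for password server %s" % dc)
    for db in ("passwd", "group"):  # winbind here is what makes chown "domain\user" resolve
        if not re.search(r"^%s:.*\bwinbind\b" % db, nsswitch, re.M):
            problems.append("nsswitch.conf: %s database does not consult winbind" % db)
    return problems

if __name__ == "__main__":
    for problem in check_ads_config(SMB_CONF, KRB5_CONF, HOSTS, NSSWITCH) or ["configs agree"]:
        print(problem)
```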
6. Set the relevant services to start at boot
ntsysv
Tick smb and winbind
Reboot
OK, done.
You can now run chown "domain\user":"domain\group" /test


This article comes from the ChinaUnix blog; for the original, see: http://blog.chinaunix.net/u1/33319/showart_269050.html