Samba 3 with MS AD: a first attempt
Reference document: http://ar.samba.org/samba/docs/man/domain-member.html
This one is fairly detailed and authoritative; you really must read it.
Goal: have Samba log in to MS AD and become a domain member
Test platform: RedHat AS 3 + W2K Server (both running under VMware Workstation 4.06)
Software involved (all the default versions shipped with RedHat AS 3):
samba-client-3.0.0-14.3E
samba-common-3.0.0-14.3E
samba-3.0.0-14.3E
krb5-libs-1.2.7-19
krb5-workstation-1.2.7-19
Written by: free2wind@hotmail.com. My skills are limited, so where this falls short I hope everyone will help improve it : )
Preparation:
. MS AD is already working; add a user admin (with administrator rights) in AD
. MS DNS has the necessary records set up
w2kserver.foo.com <---> 192.168.0.33
. The necessary RPM packages are installed
Assumed environment:
Domain: foo.com
AD short name: AD
network: 192.168.0.0/24
dns: 192.168.0.33
OS: RedHat AS 3
Hostname: linux34.foo.com
IP: 192.168.0.34
Role: file server
OS: MS Win2k Server + SP4
Hostname: w2kserver.foo.com
IP:192.168.0.33
AD Administrator: admin
password: 123
Role: authentication server for users who want to log in to the file server (linux34.foo.com)
. Edit the Samba configuration file smb.conf
# cd /etc/samba
# cp -a smb.conf smb.conf.orig
# vi /etc/samba/smb.conf
workgroup = MYGROUP
change to (the short name of the MS AD server) ------>
workgroup = AD
; hosts allow = 192.168.1. 192.168.2. 127.
change to ------> hosts allow = 192.168.0.
security = user
change to authenticate users against AD ------>
security = ADS
; password server = <NT-Server-Name>
add the following 2 lines below this one ------------>
realm = FOO.COM
password server = w2kserver.foo.com
; encrypt passwords = yes
change to (remove the comment marker) ---------------->
encrypt passwords = yes
The above only gets you logged in to AD; other shares can be added as needed.
. Check the Samba configuration
# testparm (testparm belongs to the package samba-common-3.0.0-14.3E)
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = FOO.COM
realm = FOO.COM
server string = samba
security = ADS
password server = w2kserver.foo.com
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
hosts allow = 192.168.0.
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
. Add the system user and Samba user admin; this admin user should have rights to manage MS AD
# useradd -d /dev/null -s /bin/false admin
# passwd admin
. Add the Samba user
# smbpasswd -a admin (the password is 123)
# pdbedit -L (check the user that was added)
. Configure /etc/krb5.conf, which belongs to the package krb5-libs-1.2.7-19
# cp -a /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf
# more /etc/krb5.conf.orig (the default krb5.conf is as follows)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
----------->
Change every "EXAMPLE.COM" to "FOO.COM"
Change every "example.com" to "foo.com"
Change
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
to
kdc = w2kserver.foo.com:88
admin_server = w2kserver.foo.com:749
. Obtain an initial ticket for the user admin with its password
# /usr/kerberos/bin/kinit admin@FOO.COM (kinit belongs to the package krb5-workstation-1.2.7-19)
#
The system time on the Samba host and the MS AD server must not differ by more than 5 minutes, otherwise the following error appears:
kinit(v5): Clock skew too great while getting initial credentials
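As an added example (not part of the original post), the POSIX shell script below checks the smb.conf settings changed above and the 5-minute clock-skew rule before running net ads join. The sample configuration files it writes are constructed, and smbconf_get, check_ads_conf and clock_skew_ok are names chosen here.

```sh
#!/bin/sh
# Added example, not from the original post: checks the smb.conf edits made above
# and the 5-minute clock-skew limit behind the kinit error. Sample configs are constructed.
# smbconf_get FILE KEY: print KEY's value from the [global] section of FILE.
# Lines starting with ';' or '#' are comments, so the stock line
# "; password server = <NT-Server-Name>" does not count as a set value.
smbconf_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_ads_conf FILE: returns 0 when the four settings changed for ADS are all in place,
# otherwise prints each problem and returns 1.
check_ads_conf() {
    rc=0
    sec=$(smbconf_get "$1" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security must be ADS (got '$sec')"; rc=1; }
    [ -n "$(smbconf_get "$1" realm)" ] || { echo "realm is not set"; rc=1; }
    [ -n "$(smbconf_get "$1" "password server")" ] || { echo "password server is not set"; rc=1; }
    enc=$(smbconf_get "$1" "encrypt passwords" | tr 'A-Z' 'a-z')
    [ "$enc" = "yes" ] || { echo "encrypt passwords must be yes"; rc=1; }
    return $rc
}

# clock_skew_ok LOCAL_EPOCH KDC_EPOCH: 0 when the clocks differ by at most 300 s (5 minutes).
clock_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le 300 ]
}
# Constructed samples: the stock smb.conf and one edited as in the steps above.
STOCK_CONF=$(mktemp); EDITED_CONF=$(mktemp)
trap 'rm -f "$STOCK_CONF" "$EDITED_CONF"' EXIT
printf '%s\n' '[global]' '   workgroup = MYGROUP' '   security = user' \
    '; password server = <NT-Server-Name>' '; encrypt passwords = yes' > "$STOCK_CONF"
printf '%s\n' '[global]' '   workgroup = AD' '   hosts allow = 192.168.0.' \
    '   security = ADS' '   realm = FOO.COM' '   password server = w2kserver.foo.com' \
    '   encrypt passwords = yes' '[homes]' '   read only = No' > "$EDITED_CONF"
check_ads_conf "$STOCK_CONF" || echo "stock config: not ready"   # lists four problems
check_ads_conf "$EDITED_CONF" && echo "edited config: ready for net ads join"
```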
. Join AD
# net ads join (net belongs to the package samba-client-3.0.0-14.3E)
Using short domain name -- AD
Joined 'LINUX34' to realm 'FOO.COM'
. In MS AD, verify that the host LINUX34 has now been joined to AD
. A document on running Samba as a PDC is being written