准备一台Windows域控制器, 在Samba服务器上安装Webmin图形化管理工具, samba, krb5-user, winbind.
修改/etc/krb5.conf.
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = HZVOBILE.LOCAL dns_lookup_kdc = false [realms] HZVOBILE.LOCAL = { default_domain = hzvobile.local kdc = vobile-dc1.hzvobile.local:88 admin_server = vobile-dc1.hzvobile.local:749 } [domain_realm] .hzvobile.local = HZVOBILE.LOCAL hzvobile.local = HZVOBILE.LOCAL
修改/etc/samba/smb.conf, 用testparm -s来检查smb.conf文件的合规性.
[global] winbind use default domain = yes pam password change = yes ; winbind trusted domains only = yes ##这行决定getent passwd是否能获得域帐号 map to guest = bad user workgroup = HZVOBILE passdb backend = tdbsam log file = /var/log/samba/log.%m idmap config * : range = 16777216-33554431 ##如果不指定用户的UID, 上传文件后通过ll命令会发现所上传的用户和组都是root; 指定之后, 就显示用户user和domain user组 obey pam restrictions = yes os level = 20 panic action = /usr/share/samba/panic-action %d realm = HZVOBILE.LOCAL ; password server = vobile-dc1.hzvobile.local passwd chat = *Entersnews*spassword:* %n *Retypesnews*spassword:* %n *passwordsupdatedssuccessfully* . server string = %h server (Samba, Ubuntu) dns proxy = no passwd program = /usr/bin/passwd %u usershare allow guests = yes unix password sync = yes security = ads syslog = 0 max log size = 1000 server role = standalone server winbind offline logon = false winbind enum groups = yes winbind enum users = yes
修改/etc/nsswitch.conf, 添加winbind验证方式.
passwd: compat winbind group: compat winbind shadow: compat winbind
使用net ads join -U administrator命令将Samba服务器加入域.
重启后用wbinfo -t和-u或-g检查连通性, 正常情况下你可以看到活动目录中的所有账号和组.
checking the trust secret for domain HZVOBILE via RPC calls succeeded
此时你应该可以通过getent passwd查看到所有域帐号.
创建文件夹, 并将文件夹权限777(此处类似Windows权限控制, NTFS与Share权限共同作用于一个用户对文件的最终权限)
[chen_chen] valid users = hzvobilechen_chen path = /mnt/hd2/chen_chen writeable = yes [it] path = /mnt/hd2/it writeable = yes valid users = @hzvobileit
客户端访问: smbclient //ip/folder -W workgroup -U chen.
2015-10-8更新:
我在Debian 8.2上安装了Samba 4.1.17, 发现wbinfo可以获取域帐号和组, 但是getent却不行, 经Google后找到解决方案
apt-get install libnss-winbind
2015-10-15更新:
域控设置的变更到winbind有一个刷新时间, 如果想缩短这个时间, 可以在smb.conf中加入以下设置:
[global] ... idmap cache time = 1 idmap negative cache time = 1 winbind cache time = 1
2015-10-15更新磁盘配额:
首先, Linux的磁盘配额是对于整个分区生效的, 然后可以针对User或者Group进行限制, 下面对几种"矛盾"的情况作出分析:
1. 同时设置了User1和PGroup1的配额 (User1属于PGroup1), 则User1的配额生效.
2. 同时设置了PGroup2和SGroup2的配额 (User2同时属于PGroup2和SGroup2), 以User2的身份上传数据时, 哪个组是User2的Primary Group, 则哪个组的配额生效.
2.1 在Windows活动目录中, 所有域帐号的Primary Group都是Domain Users, 一开始我希望通过usermod命令修改用户的Primary Group, 然后系统提示我: XXX用户不存在于/etc/passwd. 想想也是这样! Google后发现对于Winbind+ Active Directory的方式, 需要在Windows中修改用户的Primary Group, 具体方式是开启ADUC的高级功能, 然后在"隶属于"中"设置主要组". 注意: 如果组类型是本地域组, 则"设置主要组"按钮为灰色.
参考资料:
http://winda.blog.51cto.com/55153/261293/
http://rainbird.blog.51cto.com/211214/197509
http://blog.yam.com/gavint/article/4530697
http://ubuntuforums.org/showthread.php?t=2206822