samba作业

Chapter 2. Installing Samba on a Unix System
2.1. Binary Packages
察看版本：
$ smbd –V
查询Samba是否安装
$ rpm -qa | grep samba
察看一个二进制文件依赖哪些库：
$ ldd /usr/local/samba/sbin/smbd


2.2. Compiling from Source
Download the source distribution from the Samba web site, unpack it, and then run the ./configure, make, and make install commands.

$ gunzip samba-latest.tar.gz
$ tar xvf samba-latest.tar
The configure script is located in the samba-3.0.x/source/ directory.
$ ./configure | more

One method is to add the directory (e.g., /opt/openldap/lib) to the global library search path. On some platforms, this can be done at run time by appending the new directory to the LD_LIBRARY_PATH search list：
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/openldap/lib
Other, more permanent solutions, differ from platform to platform. For example, Linux's /etc/ld.so.conf file and Solaris' crle tool have already been mentioned.
The other solution is to encode the library search path in the binary itself during the compilation process, usually done by instructing the compiler to pass additional flags onto the linker. The following script shows how this would be done if Heimdal Kerberos were installed in /opt/heimdal and OpenLDAP were installed in /opt/openldap

2.3. Compiling and Installing Samba
$ make
$ make install    //root user
export MANPATH=$MANPATH:/usr/local/samba/man

2.4. Enabling the Samba Web Administration Tool (SWAT)
For SWAT to work, entries must be added for it in the /etc/services and /etc/inetd.conf (or /etc/xinetd.d/swat) configuration files. To add the entries, follow these three steps:
1. Check your /etc/services file, and add the following line to the end if a line like it does not already appear.
swat   901/tcp
2. If an entry exists and has assigned port 901 to a service other than SWAT, you can select any unused port. However, you will need to adapt any references to port 901 in our examples to your local configuration.
3. Make sure that an inetd-style daemon is running. inetd and xinetd are "Internet super daemons" that handle starting daemons on demand, instead of letting them sit around in memory consuming system resources. Most Unix systems use inetd, but some utilize the more secure xinetd service. Most Linux distribution now use xinetd by default. You can use the ps command to see which of the two your system is running.

If your system is using xinetd , add a file named swat in your /etc/xinetd.d directory and make sure it is readable by the account used to run the xinetd metadaemon (usually root). The file should contain the following:
# description: swat is the Samba Web Administration Tool, which
#       allows an administrator to configure Samba using a web
#       browser interface, with the URL http://localhost:901
service swat
{
        socket_type             = stream
        wait                    = no
        protocol                = tcp
        only_from               = localhost
        user                    = root
        log_on_failure          += USERID
        server                  = /usr/local/samba/sbin/swat
        port                    = 901
        disable                 = no
}
Then xinetd needs to be sent a signal[*] to make it reread its configuration files:
$ kill -HUP -a xinetd    //如果想要更改配置而不需停止并重新启动服务，请使用该命令。在对配置文件作必要的更改后，发出该命令以动态更新服务配置。

2.5. A Basic Samba Configuration File
By default, Samba 3.0 enables the encrypt passwords option. For the sake of clarity, and because you may not be familiar with all of Samba's default settings, we add the following line to our smb.conf in the [global] section.
encrypt passwords = yes

enter the username/password combinations of the Samba users into Samba's encrypted password database:
$ smbpasswd -a lizard    //add user
The parser, testparm, examines an smb.conf file for syntax errors and reports any it finds along with a list of the services enabled on your machine
$ testparm -s /usr/local/samba/lib/smb.conf | more

2.6. Firewall Configuration    看得不是很懂

2.7. Starting the Samba Daemons
If you're in a hurry, you can start the Samba daemons by hand. As root, enter the following commands:
$ /usr/local/samba/sbin/smbd -D
$ /usr/local/samba/sbin/nmbd -D
A convenient way to make sure that everything is working as we think it should is to use the smbclient program to examine what the server is offering to the network.
$ smbclient -L localhost -N

3.1.3. Name Resolution
If you require a WINS server for your network, Samba can happily perform that function if you specify the following line in the [global] section of the server's smb.conf:
wins support = yes



不用编译的直接用rpm包安装:
rpm –ivh samba-****.rpm    #安装Samba

service smb start      #启动Samba服务

vim /etc/samba/smb.conf
[global]

[test]                      #在Windows网上邻居中看到的共享目录的名字
    comment = SambaServer          #在Windows网上邻居中看到的共享目录的备注信息
    path = /       #共享目录在系统中的位置
    read only = no
#保存配置

smbpasswd –a fnst    #将用户fnst添加入到Samba用户数据库as root
然后就可以直接使用了!!

Samba 3.0 cannot at this time act as a domain controller for an Active Directory domain.















一、安装前准备
1、使用Samba服务器需要防火墙开放以下端口
    UDP 137 UDP 138 TCP 139 TCP 445
#配置防火墙端口
[root@roothomes ~] vi /etc/sysconfig/iptables   
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
#重启防火墙，使规则生效
[root@roothomes ~] /etc/rc.d/init.d/iptables restart     

2、关闭CentOS6系统的 SELinux
[root@roothomes ~] vi /etc/selinux/config
#SELINUX=enforcing     #注释掉
#SELINUXTYPE=targeted  #注释掉
SELINUX=disabled       #增加
#:wq  保存。
#重启系统
[root@roothomes ~] shutdown -r now  或者 init 6

二、安装Samba
1、检查Samba服务包是否已安装
[root@roothomes ~] rpm -qa | grep samba
    samba-3.5.4-68.el6.x86_64
    samba-common-3.5.4-68.el6.x86_64
    samba-client-3.5.4-68.el6.x86_64
    samba4-libs-4.0.0-23.alpha11.el6.x86_64
    samba-winbind-clients-3.5.4-68.el6.x86_64

   说明samba已经安装，如果没有安装，运行下面命令安装 [root@roothomes ~] yum install samba
   
2、配置samba
[root@roothomes ~] chkconfig smb on　 #设置 Samba开机自动启动
[root@roothomes ~] service smb start      #启动Samba服务
[root@roothomes ~] /etc/init.d/smb restart  #重启
[root@roothomes ~] /etc/init.d/smb stop    #停止
[root@roothomes ~] cp /etc/samba/smb.conf  /etc/samba/bak_smb.conf_bak  #备份
[root@roothomes ~] cp /etc/samba/bak_smb.conf_bak  /etc/samba/smb.conf  #恢复
[root@roothomes ~] vi /etc/samba/smb.conf
[global]                           #找到这一行（全局设置标签），在此行下面添加如下行：
    workgroup = WORKGROUP          #工作组名称改为 Windows 网络所定义的工作组名
    server string = Samba Server   #设置samba服务器的主机名称
    security = user                #设置samba服务器安全级别为user，即以账号和口令访问
    netbios name = SambaServer     #设置Samba服务器访问别名
#在配置文件的末尾添加以下自定义内容
[SambaServer]                      #在Windows网上邻居中看到的共享目录的名字
    comment = SambaServer          #在Windows网上邻居中看到的共享目录的备注信息
    path = /home/SambaServer       #共享目录在系统中的位置
    public = no                    #不公开目录
    writable = yes                 #共享目录可以读写
    valid users=SambaServer        #只允许SambaServer用户访问
#保存配置

3、添加访问linux共享目录的账号SambaServer
   用户家目录为/home/SambaServer, 用户登录终端设为/bin/false(即使之不能登录系统)
[root@roothomes ~] mkdir -p /home/SambaServer #建立SambaServer文件夹
[root@roothomes ~] cd /home/SambaServer
[root@roothomes ~] touch  samba.txt   #创建测试文件samba.txt
[root@roothomes ~] useradd SambaServer -d /home/SambaServer -s /bin/false
[root@roothomes ~] chown SambaServer:SambaServer /home/SambaServer -R

4、将用户SambaServer添加入到Samba用户数据库，并设置登录共享目录的密码为：123456
[root@roothomes ~] smbpasswd -a SambaServer
   New SMB password:　 输入该用户用于登录Samba的密码
   Retype new SMB password:　 再次确认输入该密码
   Added user SambaServer.
#备注:这里设置的密码是SambaServer用户登录该机的Samba共享的密码，非登陆OS的密码;
5、重启Samba服务器
[root@roothomes ~] /etc/init.d/smb restart
6、浏览共享信息
在Windows客户端输入 \ip  或者 \SambaServer  #服务器别名
   回车之后，会跳出来登录框，输入账号SambaServer ,密码123456 , 即可访问共享目录



问题：
如果无法访问共享目录的内容，请把防火墙停止；
[root@roothomes ~] service iptables stop




1.宏

在基本配置里有提到一些参数的可以尾随%u、%m，这是samba里定义的宏，宏用百分号后面跟一字符表示，在具体运作的时候就用实际的参数来代替。常用的宏有：

%S = 当前服务名；

%P = 当前服务的根路径；

%u = 当前服务的用户名；

%g = 给定%u的所在的主工作组名；

%H = 给定的%u的宿主目录；

%v = Samba 版本号；

%h = 运行Samba的机器的主机名；

%m = 客户机的NETBIOS名；

%L = 服务器的 NetBIOS 名；

%T = 当前的日期和时间；



5.1. Security Modes
认证是授权的先决条件.
这章主要讲如何配置samba, 使之能用一堆本地账户验证请求(Authentication and Authorization)
5.1.1. Guest Access with security = user
现在我们考虑一种非常简单的情况, 服务器必须向用户开放入口而不需要创建个人账号.一个用户要进入samba服务器上的一个共享文件, 服务器上如果没有这个用户那就默认拒绝连接以示登录失败. 何种失败的响应由map to guest参数决定




9.5. 移植 an NT 4.0 Domain to Samba
之前我们说过Samba 3.0 不支持Windows NT 4.0 SAM(安全账户管理器) 复制协议. 从这个意义上来说确实是这样的,你不能配置Samba 接受来自Windows主域控制器的增量变化集 (反之亦然). 然而, 开发者已经执行充足的协议以允许之前提到的SAM synchronization. 当备份域控制器第一次上线时Windows服务器就做的这个. 它通过域SAM向PDC请求完整的用户和组集来同步本地SAM. 通过这种利用Windows NT 4.0 PDC请求初始同步操作, Samba 可以获得一份完整的用户和组的详细账户和密码列表, 从而为migrating from the Windows domain controller to a Samba-based domain提供了一种方法.
把NT 4.0 domain从Windows移植到Samba的基本操作是:
1.    Ensure that all Samba daemons are stopped.
2.    Configure the Samba host's smb.conf as a BDC for the domain, including the user management family of scripts.
3.    Synchronize the Samba's machine SID stored in secrets.tdb with the domain SID.
4.    Create a BDC account on the Windows PDC for the Samba server.
5.    Join the domain.
6.    Issue the SAM synchronization request.
7.    Reconfigure Samba as a PDC.
8.    Shut down the Windows PDC.
9.    Start smbd and nmbd on the Samba server.
移植最主要的工作是生成一个用户管理脚本工作集. 这些都是必需的,这样Samba才能在passdb中创建用户账户或组之前生成一个新的Unix用户或组. 然而, 许多Unix账户工具限制了新用户名或组名的格式是一个主要的障碍. 例如, 如果组名包含空格的话Linux命令 groupadd会失效:
# groupadd "Domain Admins"
groupadd: Invalid group name 'Domain Admins'.

一个解决办法是绕过操作系统的工具而手动创建Unix组. 至少在Linux上, 组名中有空格被拒绝是工具的问题,而不是/etc/group or the libnss_files.so.2 library的限制. 以下从/etc/group之中的摘录阐释了这些group names:
Domain Admins:!:1000:
Domain Users:!:1001:
Domain Guests:!:1002:
Account Operators:!:1003:
Server Operators:!:1004:
Backup Operators:!:1005:
Print Operators:!:1006:

可是如果你想创建大量的组, 这样的手动创建可能太单调乏味. 这种情况下, 定制在Samba中称为用户管理的脚本去接收有效的Windows用户和组名.
接下来的问题是passdb后端的使用. 我们的建议是开始使用tdbsam. 理由是显而易见的. tdbsam 比LDAP后端更容易配置并且比smbpasswd文件鲁棒性更好.此外, 在执行移植实验时it is easier to remove tdb files than to rebuild an LDAP DIT. 你总是能使用下面这条命令后将Samba下的用户和组从tdb backend转换到LDAP directory service:
# pdbedit -i tdbsam -e ldapsam:ldap://ldap.example.com/

在我们心中有了这些建议后, 让我们举个定义下面这个smb.conf的例子,即将是Samba PDC. 这时候所有的参数类似. 我们要移植的Windows NT domain叫做DOA. 记住当我们配置备份域控制器时使domain master这项不能. The [netlogon] share 在移植过程中并不是必需的, 然而我们一旦把Samba服务器换成PDC却是必要的. 最后, we have omitted any support for roaming user profiles, because this feature is independent of transferring accounts. We will, however, revisit some specific issues surrounding the user environment profile after completing the migration.
[global]
    netbios name = CAT
    workgroup = DOA
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam

    domain logons = yes
    domain master = no

    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel '%u'
    rename user script = /usr/sbin/usermod -l '%unew' '%uold'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/groupmod -A '%u' '%g'
    delete user from group script = /usr/sbin/groupmod -D '%u' '%g'
    set primary group script = /usr/sbin/usermod -g '%g' '%u'

[netlogon]
    path = /data/netlogon
    read only = yes
    write list = +"Domain Admins"

在smb.conf 初步创建后, 接下来就是要用domain SID(安全标识符?)来同步Samba's machine SID. 可以通过运行net rpc getsid命令command. 因为你是直接写入到secrets.tdb, 所以要以root运行这些命令. 例如, medic 是DOA 域下的PDC名.
# net rpc getsid -S medic
Storing SID S-1-5-21-406022937-1377575209-526660263 for Domain DOA in secrets.tdb

Samba's machine SID一定要手动设置以和使用net setlocalsid命令相一致. 如果命令成功, 会直接返回一个没有额外输出的提示信息.
# net setlocalsid S-1-5-21-406022937-1377575209-526660263

接下来的两部, 创建BDC账户和加入到域中, 为了防止攻击者劫持机器账户应该紧接着执行. 理想情况下这些应该在独立和安全的网络上做, 但当我们移植a production domain时并不总是可能的. 当我们实验时, 认为移植Windows BDC到一个独立的网络后升级成为PDC.
Figure 9-11 shows the Server Manager (srvmgr.exe) application and the Add Computer to Domain dialog boxes. Use these to create a BDC account for the Samba host.
Figure 9-11. Using Server Manager to create a BDC account for the Samba host CAT
 
接下来使用net rpc join命令加入域. 在下一章关于加入Windows (and Samba)域我们会提供更详细的说明. 目前这条命令足以使工作完成:
# net rpc join
Joined domain DOA.

你终于准备好了要把DOA域下的用户和组移植到Samba's passdb. 假设之前在/etc/group中创建的所有组名都包含空格. 运行net rpc vampire来开始移植过程. The -S option is used to define the name of the Windows NT 4.0 PDC to contact. 移植完后, 最好在server's Unix accounts and in Samba's passdb里确认下新用户和组.
# net rpc vampire -S medic
Fetching DOMAIN database
Creating unix group: 'testgroup'
Creating unix group: 'testgroup2'
Creating account: Administrator
Creating account: Guest
Creating account: foo
Creating account: foo2
Creating account: foo3
Creating account: user1
Creating account: NURSE$
Creating account: CAT$
Group members of Domain Admins: Administrator,
Group members of Domain Users: Administrator(primary),foo2(primary),
  user1(primary),foo3(primary),NURSE$(primary),CAT$(primary),
Group members of Domain Guests: nobody,
Group members of testgroup: foo(primary),
Group members of testgroup2: foo,
Creating unix group: 'LocalTestGrp'
Fetching BUILTIN database
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
Creating unix group: 'Administrators'
Creating unix group: 'Guests'
Creating unix group: 'Replicator'
Creating unix group: 'Users'

最后一步就是关闭Windows PDC后启动新的Samba PDC. Before starting smbd and nmbd, 确保参数项domain master生效so that Samba registers the DOA<0x1b> name and the Windows客户端识别新的PDC.
Here are a few pieces of advice. Migrating a domain is tricky business麻烦的事. You should expect to run through several test migrations before disabling the Windows PDC. Also consider any additional services such as file and printer shares, web servers, or other applications offered by the Windows PDC. These must be migrated individually. The good news is that you have to successfully complete the migration process only once.


9.6. Domain Trusts域信任
Samba 3.0 是第一个支持Windows NT 4.0单向信任的版本, 可以用来将Samba domains连接到NT and Active Directory domains. 在本章开始一个信任关系和之前描述的加入一个域的过程非常相似. The trusted domain creates a domain trust account that has a purpose analogous to a machine trust account. The trusting domain then establishes the relationship by joining the trust. We'll next walk you through an example of configuring a Samba domain to trust an AD domain.
First, you must have a fully configured Samba domain. Samba restricts the right to create domain trusts to members of the Domain Admins group, so it is necessary to configure an appropriate group mapping entry for this if you have not already done so. You also must either create the necessary Unix user account for the domain trust using the name of the trusting domain followed by a $ character (e.g., books$), or configure a working add machine script in smb.conf.
Use the net rpc trustdom command to create the domain trust account on the Samba PDC. The add subcommand accepts the name of the domain (BOOKS) followed by the new trust account password (sambapw):
$ net rpc trustdom add BOOKS sambapw -S stork -U cindy
Password: <enter cindy's password>

If all goes well, you are returned immediately to a shell prompt. You can verify that the account was created using pdbedit. The I account flag is used to mark this as a domain trust account. (Note that the following output has been wrapped for better readability.)
# pdbedit -L -w books$
BOOKS$:10018:A01531C54AE6F75CAAD3B435B51404EE:
  45F9E3989DD87751210C054A9B3A134E:[I          ]:LCT-44DA55A9:

Now establish the trust account from the Windows domain controller. Figure 9-12 shows the books.plainjoe.org domain properties, as displayed by the Windows 2000 Active Directory Domains and Trusts MMC plug-in. The top section of this dialog is used to connect to a trusted domain. There are no existing domain trust relationships in the screenshot.
Figure 9-12. Trust relationships for the books.plainjoe.org AD domain
 

Now select Add from the top section and enter the name of the Samba domain (ORA) along with the password specified in the net rpc trustdom add command. You should be greeted with a dialog box similar to the one in Figure 9-13, indicating that the trust has been established and verified.
Figure 9-13. Confirming a successfully established trust between Samba and AD
 

You can use smbclient to test the trust relationship by connecting to a share on any member server in the BOOKS domain as a user from the ORA domain:
$ smbclient //windc/public -U cindy -W ORA
Password: <enter cindy's password>
Domain=[BOOKS] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: >

Next, it is time to create the trust relationship in the other direction. This time, create the trust account on the Windows DC using the lower half of the Trusts dialog box shown in Figure 9-12.
You will initially receive a message that Windows cannot verify the trust. This is because you have not established the trust on the Samba DC yet. To do so, run the net rpc trustdom establish command, giving the trusted domain name as the sole parameter. This must be done as root so that the net tool can write the new password to secrets.tdb.
# net rpc trustdom establish BOOKS
Password: <enter trust password here>
Trust to domain BOOKS established

You should now be able to return to the Windows DC and verify the trust.
You can view the list of current trusts using the net rpc trustdom list command. This command does not display any information about the status of the trust, only that Samba has a trust account entry or password for the listed domain.
# net rpc trustdom list -U cindy
Password: <enter cindy's password>
Trusted domains list:
BOOKS               S-1-5-21-4200961138-2496335650-1239021823
Trusting domains list:
BOOKS               S-1-5-21-4200961138-2496335650-1239021823

In order to connect to the Samba server using an account from the BOOKS domain, the server requires some method to deal with users and groups from the trusted domain. The best way to do this is with Winbind. Conceptually, these trusted users and groups on a Samba PDC are no different from domain users and groups on a Samba member server. To set up Winbind on a Samba DC, follow the same steps you would for a Samba member server (described in Chapter 10) with the exception of maintaining the security = user setting instead of one of the domain mode security settings. On a DC, Winbind allocates uids and gids only for accounts outside of its own domain.
Table 9-5 completes our discussion of domain trusts with an overview of the net rpc trustdom commands.
Table 9-5. net rpc trustdom commands
Command    Options    Description
add    DOMAIN password    Create a domain trust account for a trusting domain using the specified password.
del    DOMAIN    Remove a domain trust account.
establish    DOMAIN    Establish a trust relationship with a trusted domain.
revoke    DOMAIN    Disconnect a trust relationship with a trusted domain.
list    none    List the currently configured domain trust relationships.






Chapter 10. Domain Member Servers 域成员服务器
Windows域是基于域控制器提供的集中认证服务. 一个中等大小的域拥有数量有限的域控制器, 但是可能拥有数百file and print servers.在一个大的域中服务器的数量可以超过这个量的十倍或更多.
In many networks, Samba利用这些域认证服务和Windows并肩. 1998年的第一次引入, 作为一个加入到Windows域的成员服务器, Samba作为一个成员服务器加入到Windows域的这一支持帮助了管理员把Unix服务器与Windows客户端整合到了一起. 2003年, Samba 3.0通过支持Kerberos authentication and LDAP directory services升级了这项特性, 产生改进的与Microsoft Active Directory domains的整合.
Chapter 5以讨论authentication认证 and authorization授权的概念开始的. 这些任务不仅适用于本地用户也适用于domain member servers. For all but除了 the smallest domain, 手动同步Unix hosts and Windows domains之间用户和组账户信息能消耗你相当大一部分时间. 本章的重点在于通过利用保存在Windows domain controllers 中的认证和授权数据配置Samba成员服务器从而减少工作. We address the steps necessary for Samba to join and participate in both Windows NT 4.0 and Active Directory domains, 包括怎样配置必需的额外依赖软件, 如the Kerberos client libraries, time synchronization, and the DNS client resolver. 我们也检查 Winbind's account management features and 有利于member servers.
10.1. Joining a Domain 加入域
把一个新机器添加到域很像添加一个新用户. In the case of a human user, 新账户先在域控制器上创建. 然后告知用户他的登录名和证书. 用户记住密码以便于进入可用的网络服务such as email or printing. 一台电脑加入到域的同时也建立了一个只有域控制器和它自己知道的随机密码. 客户端把该密码存放在本地注册表中或其他本地数据库.
We described the process used to authenticate a connection request to a share on a standalone server in Chapter 1. If necessary, 现在是复习 "Connecting to a CIFS File Share"这节的好时as a refresher on session setup requests关于会话建立请求的一个复习资料. 独立服务器对检查域认证提供一个优秀的起点, 因为连接过程的基本要素和独立服务器和成员服务器完全一样. 主要的差别就是如何让服务器最终使客户端发的证书生效.
Samba 3.0 and Windows NT 4.0 域控制器用Remote Procedure Call (RPC)机制, 通过这个机制成员服务器可以建立一种安全的通信方法然后发出DC认证用户会话的请求. Figure 10-1简单说明了这个概念. 客户端\FOX连接文件服务器\HOUND, 文件服务器反过来请求域控制器\RABBIT认证用户rose的会话请求. The NetRequestChallenge( ) and NetAuth2( ) RPCs used the password stored as part of the domain join process to establish the identity of \HOUND. The third RPC, NetSamLogon( ) , 是代表用户的认证请求. 在收到域控制器的回复NetSamLogon( )后, 文件服务器要么应答成功要么返回一段错误的代码, 比如Logon Failure or Password Expired, specified by the DC.
Figure 10-1. Connecting to a domain file server using NTLM and RPC
 

加入AD域时, Windows 2000 and later clients能够使用Kerberos 5 (Krb5) 的认证服务.[*] We say "capable," 因为AD域仍然支持NTLM authentication and刚刚描述的RPC mechanisms. 对Kerberos的更多讨论超出了本书的范畴. Two excellent sources of information on the subject are Kerberos: The Definitive Guide, by Jason Garman (O'Reilly), and Network Security: Private Communication in a Public World, by Charlie Kaufman et al. (Prentice Hall). The former discusses implementation issues for Kerberos administrators and the latter is an in-depth examination of Kerberos and other security protocols.
[*] Active Directory domains do not support Kerberos v4.
Figure 10-2 阐述了用户用Kerberos认证连接文件文件服务器时发生的事. 同样, the client machine \FOX connects to the server \HOUND, 只是这次域控制器不需要认证会话请求. 文件服务器在本地解密the Kerberos ticket, 因此用户之前就被DC认证过了.
Figure 10-2. Connecting to a file server in an Active Directory domain
 

  10.2 Domain and ADS Security Modes
Samba提供了两种域操作模式, security = domain and security = ads. 两种都支持允许samba利用域控制器提供的中心认证服务. Both modes support the NTLM and NTLMv2 authentication protocols. 然后ads还支持Kerberos authentication, 但是domain不支持. 一个不错的经验法则是选择ads模式if you are joined to an AD domain, regardless of whether the domain runs in mixed or native mode.
如果你打算将Samba配置成security = ads模式, 记得用Chapter 2给的命令确认你的samba能支持Kerberos, LDAP, and Active Directory. There are no such external software dependencies for enabling domain security; this mode is always provided.
10.2.1 security = domain
Joining a Samba host using security = domain 包含两个步骤:
1. Define the domain and member server settings for your environment in smb.conf.
2. Establish the machine account credentials by joining the domain.
第一个要设置的参数是security项. Start by defining domain mode security in the [global] section of smb.conf:
[global]
security = domain
Supporting password encryption is a requirement for member servers, 所以即使默认是yes的你也要显示的设置下:
encrypt password = yes
最后, 指定你的服务器所属域的名字. Samba, like Windows, 重用workgroup这个参数来当做域. Here, we are joining the GLASS Windows NT 4.0 domain:
workgroup = GLASS
一旦smb.conf配置好后, 在域中使用net命令建立服务器证书. You need a user account that is properly authorized to join your server to the domain.* 不确定的时候, an account that is a member of the Domain Admins group will always work. Next, run the net join command from 根用户shell to join the domain, using the -U option to 定义连接用户名字:
$ net join -U Administrator
Administrator's password: <enter password for Administrator>
<...intermediate output deleted...>
Joined domain GLASS.
If you are greeted by the “Joined domain ...” message, net成功建立了机器账户证书并且现在你的服务器是域中的一部分了. If not, 这里列了三个普遍的错误.
First, if you receive the following message, make sure that you entered the correct
user name and password:
Could not connect to server XXX
The username or password was not correct.
Second, if you entered the correct credentials but the account does not possess the sufficient rights to join the server to domain, you will receive this error message:
error setting trust account password: NT_STATUS_ACCESS_DENIED
Unable to join domain XXX.
The third common error is the inability to locate a DC for the domain specified in smb.conf. This error is signaled by the following message:
Unable to find a suitable server
This situation is frequently caused by a mistyped name, so verify your smb.conf settings before proceeding. If your configuration is correct, it could be that this error is caused by a name service failure. We cover how Samba attempts to locate domain controllers shortly. If you are joining a Samba domain, you may encounter the additional following error:
Creation of workstation account failed
This error is normally caused by some failure in the add machine script. Or possibly the script succeeded, but smbd is unable to locate the Unix account it created, a situation frequently caused by running the Name Service Cache Daemon (nscd) on the Samba DC. To resolve this problem, ensure that the DC’s /etc/nsswitch.conf file is set up correctly, that the add machine script did in fact create the trust account, and that nscd is using up-to-date information.
你可以通过下面这条命令来核实你的服务器可信账户:
$ net rpc testjoin
Join to 'GLASS' is OK
10.2.2 security = ads
从用户的角度, 把一个服务器配置成ads security 和domain security是完全一样的. 从管理员的角度,通过为连接域附加的一些配置步骤,the ads method显示地提供了Kerberos这一额外支持. Instead of the two steps described for security = domain, 这次需要四个步骤来完成:
1. Define the domain and member server settings for your environment in smb.conf. 同之前
2. Synchronize the server’s clock with the domain controller.
3. Configure the Kerberos client library and DNS resolver settings.
4. Establish the machine account credentials by joining the domain.同之前
10.2.2.1 Basic Samba settings samba基本设置
Once again, we start with configuring the server’s smb.conf file. Our initial file defines ads security and includes the required encrypted password support:
[global]
security = ads
encrypt passwords = yes
接下来包含AD domain的范围. In Active Directory domains, the Kerberos realm和域的大写DNS名一样.* So the AD domain blue.plainjoe.org is defined as:
realm = BLUE.PLAINJOE.ORG
The workgroup参数为域名的缩写, 一般和the realm name的第一部分一样. However, this setup is not guaranteed. If you define the wrong value, the net tool complains when it joins the domain and reminds you to set the correct value. In our example, the short domain name is the first component of the realm name, so we specify the workgroup as follows:
workgroup = BLUE
10.2.2.2 Time synchronization 时间同步
时间同步的Kerberos authentication的先决条件/前提. 因此, Microsoft chooses to make all AD domain controllers act as time servers. Non-Microsoft clients can synchronize their system clocks with an AD DCs by using version 4 of the Simple Network Time Protocol (SNTP). The ntpdate tool, included in
the NTP distribution from http://www.ntp.org, can synchronize the server’s local clock with an AD DC. Most systems already have some form of the NTP tools included.
Kerberos Terminology 101术语
For the purposes of our discussion, understanding some basic terminology can be
helpful to map Kerberos concepts onto Active Directory functionality:
Principal
A user or computer in a Kerberos authentication database (e.g., a user or computer
object in AD).
Principal：在Kerberos中，Principal是参加认证的基本实体。一般来说有两种，一种用来表示Kerberos数据库中的用户， 另一种用来代表某一特定主机，也就是说Principal是用来表示客户端和服务端身份的实体, Principal的格式采用ASN.1标准,即Abstract Syntax Notation One，来准确定义)，Principal是由三个部分组成：名字（name），实例（instance），REALM（域）。比如一个标准的 Kerberos的用户是：name/instance@REALM 。
  Name：第一部分。在代表客户方的情况，它是一个用户名；在代表主机的情况，它是写成host。  
  Instance：第二部分。对name的进一步描述，例如name所在的主机名或name的类型等,可省略。它与第一部分之间用‘ / ’分隔，但是作为主机的描述时写成host/Instance。  
   Realm：第三部分。是Kerberos在管理上的划分，在 KDC中所负责的一个域数据库称作为Realm。这个数据库中存放有该网络范围内的所有Principal和它们的密钥，数据库的内容被Kerberos 的认证服务器AS和票据授权服务器TGS所使用。Realm通常是永远是大写的字符,并且在大多数Kerberos系统的配置中，一般Realm和该网络环境的DNS域是一致的。与第二部分之间用‘@’分隔，缺省为本地的Realm。比如，Principal " cnhawk/hawk.the9.com@THE9.COM " 表示Realm " THE9.COM "中主机hawk.the9.com上的用户cnhawk，而Principal " host/hawk.the9.com @THE9.COM " 则通常用来表示Realm " THE9.COM"中主机hawk.the9.com。
Credential： Ticket和与它相联系的会话密钥合在一起称为Credential。之所以有这个概念是因为它们是客户端在向服务器证明自己的身份时必需的两样东西．在一个Ticket的生存期内客户端会将这两样东西以Credential为单位保存在一个Cache文件中。
Ticket： 一个Ticket是一个用于安全的传递用户身份所需要的信息的集合。它不仅包含该用户的身份，而且包含其它一些相关的信息。一般来说，它主要包括客户方Principal，目的服务方Principal，客户方IP地址，时间戳（分发该Ticket的时间），该Ticket的生存期，以及会话密钥等内容。它的格式亦用ASN.1来准确定义。
Authenticator: 在客户端向服务端进行认证时，伴随Ticket一起发送的另外一个部分，它的作用是证明发送Ticket 的用户就是拥有Ticket的用户，即防止重放攻击。它的主要内容是一个时间戳（客户端发送Ticket的时间），在rfc1510中有它的完整的ASN.1定义。
AS(Authentication Server)： 为用户分发TGT(Ticket Granting Ticket)的服务器。
TGT(Ticket Granting Ticket)： 用户向TGS(Ticket Granting Server)证明自己身份的Ticket.
TGS(Ticket Granting Server)： 为用户分发到最终目的Ticket的服务器，用户使用这个Ticket向自己要求提供服务的服务器证明自己的身份。在实现上，AS和TGS实际上是由同一程序完成的，因为它们的实现机制并没有太大的差别，只是在加密所发出的Ticket时所使用的密钥不同（AS使用用户的密钥，而TGS使用会话密钥）。
KDC(Key Distribution Center)：密钥发放中心，通常将AS和TGS统称为KDC，有时也把AS 单独称为KDC。
Realm
A collection of Kerberos principals. In AD, this is the same as the DNS domain.
Ticket Granting Ticket (TGT)
An encrypted blob of data issued to a principal, which can be used to requests tickets to other principals.
Service Ticket
An encrypted blob of data that can be used to access application services such as a mail, web, or file server.
Key Distribution Center (KDC)
The Kerberos database server.
Authentication Server (AS)
The service responsible for issuing TGTs.
Ticket Granting Service (TGS)
The service responsible for issuing service tickets.
Secret Key
The hashed version of a principal’s passphrase. This is also referred to as the longterm key, because it does not expire or change based on an individual session.
Session Key
A short-term key valid only for the life of a specific application session or Kerberos ticket. Windows 2000 and later systems use this key to encrypt certain communications between clients and servers.
In most implementations, Microsoft and Unix alike, the KDC, AS, and TGS are all implemented in the same service, although each has a logically separate function. An AD domain controller fulfills all three of these roles. Frequently, the term KDC is used to refer to the KDC+AS+TGS server.
为了自己的服务器和域控制器时间一致To set your server's clock to match the time on the domain controller named bluedc1.blue.plainjoe.org, 以root身份运行以下命令:
$ ntpdate bludc1.blue.plainjoe.org
17 Jun 12:46:46 ntpdate[16773]: step time server 192.168.1.148 offset 8.734885 sec
If you receive the error message, "no server suitable for synchronization found," confirm that the hostname used is valid and reachable. If the name is correct, an administrator of the DC (possibly you) must verify the w32time.exe service. More information about Active Directory and time synchronization can be found by searching http://support.microsoft.com for the keyword "w32time.exe."
The ntpdate command can be run periodically as a cron job to prevent the Samba server's clock from drifting. Another option is to run the ntpd daemon and have it synchronize the local clock on a continuing basis. To use this method, specify the domain controllers using a server line in /etc/ntp.conf and then have the daemon started as part of the system boot process. More on configuring NTP clients can be found in the book Essential System Administration, by Æleen Frisch (O'Reilly).
10.2.2.3. Encryption types 加密形式
下一项是配置服the server's Kerberos client libraries, Samba用它来验证用户的连接. 尽管这个过程会因你所用的Krb5版本而有稍微的不同, 不管是Heimdal还是MIT, 非常幸运的是两者的配置文件完全兼容. By default, both distributions use the file /etc/krb5.conf to define client-side settings. The options of interest (是客户端支持什么样的加密形式和客户端由给定的realm怎么找到KDC)are what encryption types the client supports and how it locates a KDC for a given realm.
Active Directory realms implement three Krb5 encryption types三种加密形式:
•    RC4-HMAC
•    DES-CBC-MD5
•    DES-CBC-CRC
AD domain controllers总是为a principal has assigned keys选择更强的加密算法. The most secure encryption type in our list is RC4-HMAC. Remember from Chapter 2 that this new encryption type is supported in open source Kerberos distributions beginning only with MIT krb5 1.3 and with Heimdal 0.6.1. Krb5 authentication still works on systems with older Kerberos libraries such as RedHat Enterprise Linux 3, but only DES keys will be available.
我们限定客户端库只用微软也支持的加密形式. 这是非常重要的, 因为默认的Unix Kerberos implementations是the Advanced Encryption Standard (AES) or triple-DES (3DES) methods, 他们目前并没有被Windows domain controllers支持. There are several points during Krb5 communications where an encryption type mismatch can cause failure. If the Samba server cannot decrypt a user's ticket, that user cannot be authenticated. To be safe, we use a single list for obtaining TGTs, service tickets, and any session-key-based encryption that may be performed by adding three options (default_tgs_enctypes, default_tkt_enctypes, and preferred_enctypes) to the [libdefaults] section of krb5.conf.
[libdefaults]
    default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    preferred_enctypes   = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
10.2.2.4. Realm/domain and KDC lookups
接下来我们像配置smb.conf一样定义the client library's default realm. 当the Krb5 libraries被给予一个不合格的principal name 时使用This realm. 例如, if asked to retrieve a TGT for the user Administrator, Krb5 uses the principal Administrator@BLUE.PLAINJOE.ORG. The default realm also goes in krb5.conf's [libdefaults] section:
    default_realm = BLUE.PLAINJOE.ORG

最终我们要做一个选择, the Krb5 libraries到底该怎样去通过a realm找到KDC. The simplest means is to use the same DNS service as the AD domain. The reasoning behind this recommendation is that there is no need to duplicate information that Active Directory already maintains. If you find that KDC DNS lookups are not available on your platform or if you do not wish to use them, you must manually configure the KDC addresses in krb5.conf. We'll show both methods in the following sections.
10.2.2.4.1. Using DNS for KDCs lookups KDC查找方式一 用DNS
The goal of this configuration is to enable the Kerberos client libraries to find a KDC by generating a query to the DNS server. If you configure the use of DNS, a request to contact a KDC for a realm results in DNS SRV lookups for _kerberos._udp.<domain> or _kerberos._tcp.<domain>. For example, locating a KDC in the realm BLUE.PLAINJOE.ORG results in a DNS query for the SRV record _kerberos._udp.blue.plainjoe.org. Lookups for the corresponding TCP record result when the Krb5 replies are too large for UDP and must be retried over TCP.
The Heimdal Kerberos client implementation has always supported locating KDC via DNS SRV lookups. The MIT distribution has also possessed support for several releases, but did not enable the feature by default until the 1.4 release. DNS queries for KDCs can be enabled in older version of MIT Kerberos by defining the KRB5_DNS_LOOKUP and KRB5_DNS_LOOKUP_KDC preprocessor macros at compile time.
To configure the Kerberos libraries for DNS lookups, first configure /etc/resolv.conf to point to the DNS servers used by the AD clients and servers. Also be sure to set the DNS search suffix to the name of the AD domain. For our example, the DNS servers for the blue.plainjoe.org domain are at 192.168.1.101 and 192.168.2.101, which gives us the following resolv.conf file:
search blue.plainjoe.org
nameserver 192.168.1.101
nameserver 192.168.2.101

The only other step is to instruct the Krb5 libs to query DNS for the name and address of KDCs by enabling the dns_lookup_kdc option in the [libdefaults] section:
    dns_lookup_kdc = true

10.2.2.4.2. Manually configuring KDCs lookups KDC查找方式二 手动配置KDC地址
Although we recommend the use of AD for lookups whenever possible, as shown in the previous section, you can instead configure KDC addresses manually in krb5.conf. To do so, add a section for each realm that may be contacted in the [realms] section. Assuming that we have no trusted domains, a single entry for BLUE.PLAINJOE.ORG will suffice.
In this example, we have one KDC named bluedc1.blue.plainjoe.org. Multiple KDCs may be specified by including additional kdc lines in the realm's configuration.
[realms]
    BLUE.PLAINJOE.ORG = {
        kdc = bluedc1.blue.plainjoe.org
    }

10.2.2.5. Final steps 最后的步骤
在移一个客户端到连接AD域的最后阶段之前, 最好确认下the Kerberos client configuration正常工作. 最简单的方法是使用kinit获得域用户的TGT. Our example uses the built-in Administrator account:
$ kinit Administrator
Password for Administrator@BLUE.PLAINJOE.ORG: <password for Administrator>

The MIT variant of kinit does not provide any feedback unless the TGT request is unsuccessful. Heimdal's kinit indicates success by providing the maximum lifetime of the obtained TGT. Regardless of the Krb5 distribution used, it is possible to view the current ticket cache using the klist command:
$ klist
Default principal: Administrator@BLUE.PLAINJOE.ORG

Valid starting     Expires            Service principal
06/18/06 20:49:03  06/19/06 06:49:05  krbtgt/BLUE.PLAINJOE.ORG@BLUE.PLAINJOE.ORG
        renew until 06/19/06 20:49:03

The command output proves that we have obtained a TGT for Administrator by listing the ticket for the principal krbtgt/BLUE.PLAINJOE.ORG@BLUE.PLAINJOE.ORG, the standard principal name given to the Kerberos authentication server for our realm.
这儿有一些这阶段常见的错误. The most common errors and potential solutions are:

Unable to locate a KDC for the requested realm
The client was unable to determine a KDC for the principal's realm. Verify that the default_realm value in krb5.conf is spelled correctly. If so, verify that either the kdc parameter is specified for the realm in the [realms] section or dns_lookup_dns is enabled in [libdefaults]. When using DNS SRV queries to locate a KDC, use either nslookup or the host utility to confirm that the SRV record for the _kerberos._udp hostname is resolvable in the domain.

KDC has no support for encryption type while getting initial credentials
Verify that the list of supported encryption types in /etc/krb5.conf includes RC4-HMAC. If you are using an older version of Kerberos libraries that do no support this encryption type, it is recommended that you upgrade your Kerberos libraries if possible. However, you may be able to work around the error by changing the Administrator's password once to generate the user's necessary DES Krb5 keys.

Preauthentication failed
Confirm that you are entering the correct password for the user's account.

Clock skew too great
By default, all AD domain controllers require that the clocks on both clients and servers are within five minutes of each other. Go back and resync the system's time to match that of the DC.
一旦你确认了Krb5 client installation 生效, the existing ticket cache should be cleared using the kdestroy command. 这条命令防止net命令忽略在命令行输入的用户凭据. Both the Heimdal and MIT implementation of this tool return directly to a command prompt upon success with no additional messages.
随着初步步骤的完成, 到了该执行网络连接的时候了. The command-line arguments are identical to the ones used to join using security = domain; once again, this command must be run as root:
$ net join -U Administrator
Administrator's password: <enter password for Administrator>
Using short domain name - BLUE
Joined 'OAK' to realm 'BLUE.PLAINJOE.ORG'

Any failures during the join process can usually be traced to Kerberos errors or net failures, both of which have been previously discussed. If you have misspelled or omitted the workgroup in smb.conf, the join process may succeed, but will inform you of an error. Make sure to correct this mistake in smb.conf:
The workgroup in smb.conf does not match the short
domain name obtained from the server.
Using the name [BLUE] from the server.
You should set "workgroup = BLUE" in smb.conf.
Using short domain name - BLUE

We can verify our machine account at any time in AD by running the following command:
$ net ads testjoin
Join is OK

10.2.2.6. Integrating Kerberized Unix services 整合kerberos unix服务
Even before its adoption by Microsoft, Kerberos always supported machine principals. For example, an SSH server may use the principal name host/machine.example.com, and an LDAP directory server may use ldap/machine.example.com. These are different principals even though they are hosted by the same machine. The secret keys for these service principals are stored in a keytab file (usually /etc/krb5.keytab). In AD domains, these secret keys are derived from the machine trust account password.
在smb.conf中如果use kerberos keytab项为yessamba将管理服务器的keytab文件
[global]
    use kerberos keytab = yes

在连接域时这个参数是yes的话, the net join command 自动生成the keytab file. 如果你决定要再配置好成员服务器后使用keytab file, 你可以创建a keytab file by using the net ads keytab command. The create subcommand generates initial entries for the host/machine principal. This command must be run as root, because it requires access to Samba's secrets.tdb file and must be able to write the keytab records to /etc/krb5.keytab:
$ net ads keytab create -P
New service principals可以加入到域中的机器账户和使用net ads keytab add加入到the keytab file中. All that is needed is the principal (service) name, not the full principal/instance syntax. The -P option uses the machine account and prevents you from having to enter user credentials. For example, to add a keytab entry for the HTTP/machine.example.com service principal used by Apache kerberos modules, we would execute:
$ net ads keytab add HTTP -P
Processing principals to add...

This command adds a new servicePrincipalName to the server's account in AD and stores the new key in the local keytab file. Tables 10-1 and 10-2 summarize the keytab-related parameters and tools covered in this section.
Table 10-1. Keytab-related parameters
Parameter    Value    Description    Default    Scope
use kerberos keytab    boolean    Enables Samba's keytab management functionality.    no    Global

Table 10-2. net ads keytab management options
Command    Description
add    Adds a new service principal value for the server's machine account.
create    Generates a keytab file based on the existing service principal values associated with the server in AD.
flush    Removes all entries from the keytab file.

10.2.3. Locating a Domain Controller 查找域控制器
默认设置下, Samba尝试自动找到任何连接到的域控制器. These auto lookups rely heavily on network name services. Remember that the order in which these services are queried is controlled by the name resolve order global option.
When configured for security = domain, NetBIOS name services用来解决the DOMAIN<0x1b> name当搜索PDC时和the DOMAIN<0x1c> name when any DC will do. Thus, 除非服务器只在它自己的子网和域控制器通信, Samba必须配置成使用the WINS server (or servers) for the domain.
在AD域中, Samba能使用DNS, just as Windows 2000 and later clients do. If the DNS lookup没能返回一个或多个域控制器名, Samba may fall back to NetBIOS name queries, much as it did when using domain mode security, assuming that the disable netbios parameter has not been enabled.
你可以通过设置password server项给samba用的DC添加更多的控制. 这个参数接受一系列用间隔符分开的域控制器 (空格或逗号). Names of these preferred DCs can be NetBIOS names, hostnames, or fully qualified DNS names, but they must be resolvable to an address. For instance, to restrict Samba to using the domain controllers named dc1 and dc2, add the following line to the server's smb.conf file:
    password server = dc1 dc2

Samba先尝试连接dc1主机, 只有在第一个服务器不能连接时菜连接dc2. 只要dc1可用就不使用dc2. Adding the wildcard character (*) to the list instructs Samba to include any domain controllers found using its internal auto lookup support. This means you can use a local DC, but still fall back to any DC, should the preferred DC become unavailable.
NetBIOS: Rest in Peace
It is feasible to remove NetBIOS from your network, but only when operating in an AD environment. Even then, many administrators find it very difficult to remove all applications that have a dependency on some piece of this legacy protocol. However, if you are feeling adventurous, Microsoft operating systems, starting with Windows 2000, can be configured to drop all support for NetBIOS by relying on DNS for name services and using TCP and UDP for the transport protocols. In order to configure Samba to behave the same way, define the following group of parameters:
[global]
    smb ports = 445
    disable netbios = yes
    name resolve order = hosts
At this point, there is no reason to support network browsing, either, because it does not function properly without the presence of NetBIOS name services. So there is no reason to run the nmbd daemon at all, as it is responsible only for NetBIOS name registrations, acting as a WINS server, and participating in browsing elections.
A word of caution before moving on. It is frequently better to allow Samba to find a domain controller on its own. As with most parameter values, developers work extremely hard to make Samba robust and efficient. In some cases, it is necessary to manually specify the DC that your server will use, but it is recommended that you do this only as a last resort.
Table 10-3 concludes this section by giving a brief listing of the parameters recently covered.
Table 10-3. Domain controller location parameters
Parameter    Value    Description    Default    Scope
disable netbios    boolean    Controls Samba use of NetBIOS name services.    no    Global
password server    list    List of domain controllers Samba should prefer when operating as a member server.    *    Global

10.3. Matching Domain Users to Local Accounts 将域用户匹配到本地账户
Remember from Chapter 5 that 每一个进入Samba server的用户必须和Unix uid相关. smbd goes through several steps in its attempt to find a matching Unix account. This is true for users who are authenticated locally as well as those validated by a remote domain controller.
The first step is to process the username map option, which may translate the current account name to another string. For standalone servers, this is done before the authentication request is processed, but for domain members, this transformation occurs after authentication. As a result, any domain names in map entries must be fully qualified.[*]
[*] This requirement was introduced in the 3.0.8 release.
合格的域名采取两种形式. 当服务器使用security = ads并且没有运行Winbind, 为了能处理kerberos登录添加完整的realm前缀条目变得十分有必要. Without winbindd (the Winbind daemon), Samba没有办法把realm names转换成short names. NTLM login requests提供了域的short name, 所以我们必须要包含一个格式为DOMAINuser的条目. The complete entry for the user leezard in the AD domain eden.plainjoe.org (with a short name of EDEN) would appear as:
lizard = EDEN.PLAINJOE.ORGleezard EDENleezard
当winbindd 可用来 convert realm names into short names, or when only NTLM authentication is supported (i.e., security = domain), the previous entry should be simplified to:
lizard = EDENleezard

但是你很快就发现, 当使用winbindd时a username map可能完全没有必要了.
一旦任何相关的mapping records启动, smbd 查询操作系统中和登录名相匹配的uid. 如果用户名仍是合格的全格式, Samba先搜索合格的名字并且如果搜索匹配失败就转向用户名减去域名. 一旦找到uid, Samba就为用户标记一个包含uid和所有组成员的记号.
这个搜索程序意味着a local Unix user and a domain user拥有一样的名字. 这样在可信任域的用户进入服务器时可能会产生混淆. Both EDENadam and FRUITadam map to the same Unix user, adam. 为了防止受信任域的用户获得权限进入到在域中同名用户的文件, 建议在samba主机上设置成使域信任不可用:
[global]
    allow trusted domains = no

Returning to our search, 如果找不到相配的uid, smbd 有两个选择: 拒绝登陆或者转换到游客账户. The map to guest parameter, first presented in Chapter 5, has a special setting that is valid only on domain member servers. When set to the value bad uid, Samba silently maps a domain user to the guest account if no corresponding Unix account can be found. This behavior allows you to require domain users to be authenticated without being concerned with creating any local accounts. The original 3.0 releases removed this functionality, which was the default behavior in Samba 2.2. But it was later included again as part of the map to guest option in version 3.0.20.