
Samba Integration with AD Authentication

Published: 2024-10-19  Author: 千家信息网 editor

To make account management more convenient, Samba can integrate with AD so that domain accounts are used for authentication.

1. Environment: Windows 2008 R2 domain, CentOS. Make sure the host's IP address and hostname are mapped to each other before you start.

2. Install the software Samba needs:

yum install samba samba-client samba-common samba-swat samba-winbind krb5-libs krb5-workstation

3. Check your iptables and SELinux settings, and allow Samba traffic in and out.

4. Set the server time

Sync the CentOS clock with the AD server; Kerberos rejects requests when the clock skew is too large.

#crontab -e
0 7 * * * ntpdate ad2008domain


5. Configure Kerberos; change the domain and realm to your own.

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
   kdc = ad1.domain.com
   kdc = ad2.domain.com
   admin_server = ad1.domain.com
   default_domain = DOMAIN.COM
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Verify your configuration

#kinit domainadmin@DOMAIN.COM

6. Configure nsswitch.conf like this. The key entries are passwd, shadow and group, which must list winbind after files.

/etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns wins

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers:     db files
netmasks:   files
networks:   files dns
protocols:  db files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

7. Configure PAM like this

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass
session     required      /lib/security/pam_mkhomedir.so

8. Configure Samba

#--------------------------- GLOBAL PARAMETERS -----------------------------
#After changing this file, please run testparm to check these parameters.
[global]
;This controls what workgroup your server will appear to be in when queried by clients
   workgroup = DOMAIN
;This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server
   realm = DOMAIN.COM
;Don't become a domain master
   preferred master = no
   server string = Linux Samba Server
;In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility
;Note that this mode does NOT make Samba operate as an Active Directory Domain Controller.
   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam
   map untrusted to domain = Yes
;winbind setting
;allow enumeration of winbind users and groups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
# separate domain and username with '\', like DOMAIN\username
   winbind separator = +
# default it is \
;   winbind separator = \
;use uids from 10000 to 20000 for domain users
   idmap uid = 10000-20000
   idmap gid = 10000-20000
;give winbind users a real shell (only needed if they have telnet access)
#  template shell = /bin/bash
#  template homedir = /home/winnt/%D/%U
;disconnected time
   deadtime = 15
;Don't attempt to map UNIX permissions into Windows NT access control lists
   nt acl support = no
# --------------------------- Logging Options -----------------------------
;log level = 10 is debug mode, log level = 3 is normal mode.
;max log size = 1000kb, Samba periodically checks the size and if it is exceeded it
;will rename the file, adding a .old extension
   log level = 10
   log file = /var/log/samba/%m
   max log size = 1000
# --------------------------- Printing Options -----------------------------
   load printers = yes
   printcap name = cups
   printing = cups
# --------------------------- Sharing Options -----------------------------
#[HPPrinter]
#        comment = HP Printer
#        path = /var/spool/samba
#        guest ok = Yes
#        printable = Yes
[homes]
    comment = Home Directories
    browseable = no
    path = /home/userone/data/%S
    writable = yes
    valid users = %S
#auto create user home folder
    root preexec = /home/userone/mkhomedir.sh %U
[public]
    path = /home/userone/public
    read only = no
    browsable = yes
    writeable = yes
#if login succeeds then force this account for reading and writing files
    force user = userone
    force group = userone
    valid users = "@Domain Admins", "@Domain Users"
    create mask = 0777
    directory mask = 0760
    force create mode = 0777
    force directory security mode = 0777
[resumes]
        comment = Resumes
        path = /home/userone/resumes
        valid users = domainadmin
        force user = userone
        force group = userone
        read only = No
        create mask = 0775
        force create mode = 0550
        force directory security mode = 0550

9. Check the Samba configuration

#testparm

If there is no error, please continue.
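testparm only checks that smb.conf parses; it does not tell you that a share is world-writable or that debug logging is on. The script below is an added example, not part of the original page or of Samba, and it audits a constructed copy of the risky lines from the smb.conf above (log level = 10, nt acl support = no, and the 0777 modes on [public]) so you can run it before joining a production domain.

```shell
#!/bin/sh
# Constructed sample: the risk-relevant lines from this page's smb.conf,
# written to a temp file so the audit runs without a real Samba host.
SAMPLE_SMB_CONF=$(mktemp)
cat >"$SAMPLE_SMB_CONF" <<'EOF'
[global]
   security = ADS
   log level = 10
   nt acl support = no
[public]
    path = /home/userone/public
    create mask = 0777
    force create mode = 0777
    force directory security mode = 0777
[resumes]
    path = /home/userone/resumes
    create mask = 0775
    force create mode = 0550
EOF

# audit_smb_conf FILE: prints one "section: finding" line per risky setting.
# Returns 0 when nothing is flagged, 1 otherwise. Comment lines (# or ;)
# and [section] headers are handled the way testparm reads them.
audit_smb_conf() {
    findings=$(awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }
    /=/ {
        split($0, kv, "=")
        key = tolower(trim(kv[1])); val = tolower(trim(kv[2]))
        if (key == "log level" && val + 0 >= 10)
            print sec ": log level " val " is debug mode and floods /var/log/samba"
        if (key == "nt acl support" && val == "no")
            print sec ": nt acl support = no disables NT ACL mapping"
        # an octal mode ending in 7 grants rwx to everyone (other)
        if ((key == "create mask" || key == "force create mode" ||
             key == "force directory security mode") && val ~ /7$/)
            print sec ": " key " = " val " makes new entries world-writable"
    }' "$1" | sort -u)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

audit_smb_conf "$SAMPLE_SMB_CONF" || echo "review the flagged settings before joining production"
```

Point it at /etc/samba/smb.conf on the real host instead of the sample to audit your own configuration.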

10. Join the domain

#net ads join -U domainadmin

Verify the join with:

#net ads info

#wbinfo -u

#getent passwd

11. Change the ownership of your share folder; this step is important.

chown userone:userone share folder

12. Restart winbind and samba

service smb restart
service winbind restart

13. Debugging

It rarely works on the first attempt, so if any error occurs, check the logs under /var/log/samba/*
