公司服务器用LDAP实现登录认证,但是LDAP服务器是389-ds,而另一台是 UBUNTU,这样用LDAP认证samba有点问题(可能是我还没太明白),昨天把389服务器都搞挂两次.
现在 samba 改为直接加入 AD 域，通过 Kerberos + winbind 做认证，配置过程如下（krb5.conf、nsswitch.conf、smb.conf 三处都要改，最后还要 net ads join）：
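# Kerberos client tools, winbind (the NSS/PAM bridge to AD) and the Samba
# server. On recent Debian/Ubuntu releases the NSS and PAM modules ship as
# separate packages (libnss-winbind, libpam-winbind); without libnss-winbind
# the "winbind" entries in nsswitch.conf are skipped and domain users never
# resolve. If `getent passwd` shows no domain accounts after the join,
# install those two packages as well.
sudo apt-get install krb5-user winbind samba
#==========================================
sudo vi /etc/nsswitch.conf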
# Sources are tried left to right. "ldap" is still in the chain although
# authentication moved to AD/winbind; when the 389-ds server is unreachable
# every lookup waits for the LDAP timeout before winbind is consulted.
# Drop "ldap" here once nothing else on this host depends on it.
passwd: files ldap winbind
group: files ldap winbind
# libnss_winbind provides passwd and group only; the winbind entry on the
# shadow line is skipped. Harmless, but not needed.
shadow: files ldap winbind
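#===========================================
# Kerberos client configuration; the realm here must match "realm" in
# smb.conf, and the DC's clock must be within Kerberos' skew limit
# (5 minutes by default) or ticket requests fail.
sudo vi /etc/krb5.conf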
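# /etc/krb5.conf - MIT Kerberos client settings for the HA.NET AD realm.
# The krb4_*/v4_* relations and the [login] section of the Debian template
# were dropped: Kerberos 4 support was removed from MIT krb5 (1.8) and those
# relations are ignored by current releases.
[libdefaults]
default_realm = HA.NET
# A bare number is seconds (about 6.7 h); the AD KDC caps it at its own
# maximum ticket lifetime anyway.
ticket_lifetime = 24000
# DNS lookups are disabled, so the realm comes from default_realm and the
# KDC from [realms] below; the KDC address must be maintained by hand.
dns_lookup_realm = false
dns_lookup_kdc = false
# Use the KDC's time to tolerate small clock skew on this host.
kdc_timesync = 1
ccache_type = 4
# Forwardable/proxiable tickets allow a service to act on the user's behalf
# (credential delegation, e.g. ssh -K). Set both to false if delegation is
# not wanted on this network.
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HA.NET = {
# A single hard-coded DC: if 192.168.100.8 is down no tickets can be
# obtained. To fail over between DCs set dns_lookup_kdc = true and let the
# client use AD's _kerberos SRV records instead of this line.
kdc = 192.168.100.8:88
# master_kdc = krb5auth1.HA.NET
# admin_server = krb5-admin.HA.NET
default_domain = HA.NET
}

[domain_realm]
.ha.net = HA.NET
ha.net = HA.NET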
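#==========================================================
# Samba as an AD member server (security = ads); test the result with
# `testparm` before restarting smbd/winbind.
sudo vi /etc/samba/smb.conf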
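[global]
# --- identity -----------------------------------------------------------
# NetBIOS domain (short name) and Kerberos realm of the AD forest this
# member server joins; realm must match default_realm in krb5.conf.
workgroup = HA
realm = HA.NET
server string = %h
dns proxy = no

# --- logging ------------------------------------------------------------
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

# --- authentication -----------------------------------------------------
# AD member-server mode: domain users are authenticated by the DC
# (Kerberos / NTLM via winbind). encrypt passwords is the default and is
# kept only for readability.
encrypt passwords = true
security = ads
# Pinning a single DC removes DC failover; with security = ads Samba can
# locate DCs through AD's DNS SRV records if this line is omitted.
password server = AD.HA.NET
# tdbsam only holds local (non-domain) Samba accounts; domain accounts
# never touch it.
passdb backend = tdbsam
obey pam restrictions = yes
# Password synchronisation to the local Unix password database only
# applies to accounts in the local passdb; domain users change their
# password on the DC. The chat script runs /usr/bin/passwd as root, so
# consider removing these four lines if this host has no local Samba
# accounts.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

# --- guest access -------------------------------------------------------
# "bad user": a valid username with a wrong password is still rejected,
# but an unknown username becomes the guest account. Combined with
# usershares this lets local users publish guest-readable shares; set
# usershare allow guests = no if that is not intended on a domain server.
map to guest = bad user
usershare allow guests = yes

# --- winbind / identity mapping -----------------------------------------
# Legacy default-domain id range (deprecated in favour of
# "idmap config * : range" in newer Samba releases). Keep it disjoint from
# any per-domain range added later, e.g. a rid range for HA.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Shell/home for domain users without POSIX attributes in AD.
# Debian/Ubuntu install nologin as /usr/sbin/nologin; /sbin/nologin does
# not exist on those systems, so the original value pointed at nothing.
template shell = /usr/sbin/nologin
template homedir = /home/%U
# Strip the domain prefix from usernames. Note the separator below is "/"
# (default is "\"); the valid users line in [homes] relies on it.
winbind use default domain = true
# Caches domain credentials so logins keep working while the DC is
# unreachable; unnecessary on a server that is never used offline.
winbind offline logon = true
# Enumeration lets getent list every domain user/group; it is not needed
# for authentication and is expensive in large domains.
winbind enum groups = yes
winbind enum users = yes
winbind separator = /

# Print spool: authenticated users only.
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers.
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

# Per-user home share. Note the path differs from template homedir
# (/home/%U): the SMB home is /local_home/%U. read only = yes means users
# cannot write to their own home over SMB; change to no if homes are meant
# to be writable.
[homes]
comment = Home Directories
path = /local_home/%U
# Only the connecting user may attach. "ha.net/" is the DNS realm rather
# than the workgroup HA; winbind accepts both forms as the domain part, but
# verify with `getent passwd` after the join that the name resolves.
valid users = ha.net/%U
read only = yes
browseable = No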
还得加入域
`sudo net ads join -U xxx@HA.NET`（realm 部分必须大写。加入前先确认本机与 DC 时间同步，Kerberos 默认只允许 5 分钟以内的时钟偏差；加入后用 `net ads testjoin` 和 `wbinfo -u` 验证。）
固定 uid 和 gid 的 idmap 配置（参考，放在 smb.conf 的 [global] 里，改完后 `testparm` 检查）：
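# Deterministic SID -> uid/gid mapping (rid backend) so domain users get the
# same ids on every host. "idmap domains" was removed in Samba 3.6 and is not
# needed; the domain name in "idmap config" is the NetBIOS domain, i.e. the
# workgroup HA from smb.conf. The rid backend maps only this domain: the
# default "*" domain still needs its own backend and a range that does not
# overlap this one, otherwise BUILTIN and local SIDs fail to map.
# base_rid = 0 is the default and may be omitted.
idmap config HA:backend = rid
idmap config HA:base_rid = 0
idmap config HA:range = 20000 - 49999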
本文转自 nonono11 51CTO博客,原文链接:http://blog.51cto.com/abian/1269289,如需转载请自行联系原作者