вторник, 29 мая 2007 г.

Samba Server как член Windows Домена

Взято отсюда
====================================================================
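# /etc/samba/smb.conf
# Samba as a member server of the Windows domain BMAINS: the domain
# controllers validate logons (security = domain) and winbind exposes domain
# users/groups to the system. smb.conf takes full-line comments only, and a
# line ending in a backslash is continued on the next line.
[global]
workgroup = BMAINS
server string = FileServer
netbios name = LSTORE

# Printing: CUPS is the printcap source, but no printer shares are created.
printcap name = cups
load printers = no
printcap cache time = 60
printing = cups

# Logging: one file per client machine (%m), rotated at "max log size" KB.
# With "log file" set, these are the files to read when troubleshooting,
# rather than the default log.smbd / log.nmbd names.
log file = /var/log/samba/%m.log
max log size = 50
log level = 1

# Network scope: the LAN interface plus loopback.
# The original wrote the subnet as 192.168.07.x. A "hosts allow" entry that
# ends in a dot is matched as a text prefix against the client address, which
# is never printed with a leading zero, so "192.168.07." matched nothing; the
# octet is written as 7 here (07 read as a number is 7).
# NOTE(review): "wins server" below is 192.168.77.4 — confirm whether the LAN
# is 192.168.7.0/24 or 192.168.77.0/24 and use one value throughout.
# "interfaces" alone does not limit the listening sockets; add
# "bind interfaces only = yes" if that restriction is wanted.
interfaces = 192.168.7.112/24
hosts allow = 192.168.7. 127.

# Guest handling. "map to guest" accepts Never | Bad User | Bad Password |
# Bad Uid; the original put the account name here, which Samba rejects and
# leaves at Never. Bad User (unknown usernames become the guest account)
# matches the guest-enabled share below — NOTE(review): confirm the intent.
map to guest = Bad User
guest account = winuser

# Password validation goes to the domain controllers named in
# "password server"; the smbpasswd / unix password sync settings only affect
# accounts in the local passdb.
security = domain
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
# Accepts empty passwords. Kept as in the original; set to "no" unless an
# account genuinely relies on it.
null passwords = yes
password server = xmain,proxy

# winbind: map domain users/groups into this uid/gid range and drop the
# DOMAIN\ prefix from names. The separator defaults to a backslash; do not
# write "winbind separator = \" explicitly — the trailing backslash continues
# the line, so the original swallowed the "auth methods" line into the
# separator value. "winbind uid"/"winbind gid" were renamed
# "idmap uid"/"idmap gid" in later Samba releases.
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
auth methods = winbind

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
# Browsing: this host competes for local master browser with os level 33.
# Lower it if the domain controller should win the election instead.
local master = yes
os level = 33

wins server = 192.168.77.4
dns proxy = no

getwd cache = yes
# minutes of inactivity before an idle connection is dropped
dead time = 15

# Name handling for DOS/Windows clients; 866 is the Cyrillic DOS code page.
default case = lower
case sensitive = no
dos charset = 866
unix charset = utf8

# Default modes for new files/directories are world-writable (0666/0777).
# Kept as in the original; prefer group-based masks (0664/0775) unless the
# share is deliberately a public drop area.
hide dot files = yes
create mask = 0666
directory mask = 0777

# Guest-accessible, writable share. "public" is a synonym of "guest ok" and
# was dropped; the hide/mask settings repeat the [global] defaults.
[MyShare]
path = /home/win/myshare
comment = Disk
browseable = yes
guest ok = yes
writable = yes
# hide names starting with "~" (e.g. Office's ~$ lock files) and dot files
hide files = /~*/
hide dot files = yes
create mask = 0666
directory mask = 0777
inherit permissions = yes
#end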
====================================================================
#/etc/krb5.conf
# Kerberos client configuration for realm BMAINS (MIT krb5 profile format:
# "#" comment lines, [sections], nested values in braces).
# Where library, KDC and kadmin messages are written.
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log

# Client defaults. DNS discovery of realm and KDC is disabled, so the KDC
# address comes only from [realms] below. A bare ticket_lifetime appears to
# be read as seconds (24000 s, about 6.7 h) — confirm against the installed
# krb5 version. forwardable/proxiable = true makes every ticket delegatable
# by default, which widens the impact of a leaked ticket; prefer enabling it
# per service. Checksum type 2 is the legacy rsa-md4 checksum in the RFC 3961
# registry and ccache_type selects an old cache file version — both look like
# compatibility settings for an older KDC; verify they are still needed.
[libdefaults]
ticket_lifetime = 24000
default_realm = BMAINS
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true

# KDC (port 88) and kadmin (port 749) for the realm, given by IP. The address
# is written with a leading zero (192.168.07.4); numeric parsers read 07 as 7.
# NOTE(review): confirm the intended host and write the octet without the
# leading zero to avoid the ambiguity.
[realms]
BMAINS = {
kdc = 192.168.07.4:88
admin_server = 192.168.07.4:749
default_domain = BMAINS
}

# Hosts under the .BMAINS domain belong to realm BMAINS.
[domain_realm]
.BMAINS = BMAINS

# Only used if a KDC runs on this host.
[kdc]
profile = /etc/kerberos/krb5kdc/kdc.conf

# Settings read by the Kerberos PAM module; lifetimes are larger than the
# [libdefaults] value above. krb4_convert = false disables Kerberos 4
# ticket conversion.
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

# Kerberos 4 compatibility disabled for login as well.
[login]
krb4_convert = false
krb4_get_tickets = false
==============================================================
# /etc/nsswitch.conf
# Name service switch: user, group and shadow lookups try the local files
# first and then winbind, so a local account always wins over a domain
# account with the same name. Whether libnss_winbind answers shadow queries
# depends on the build — the entry is harmless if it does not.
passwd: files winbind
shadow: files winbind
group: files winbind

# Host lookups consult NIS+/NIS before DNS; if no NIS is configured each
# lookup may wait on those sources first — consider dropping them.
# [NOTFOUND=return] stops the search after nisplus instead of continuing.
hosts: files nisplus nis dns
bootparams: files nisplus [NOTFOUND=return]
ethers: files
netmasks: files
networks: files

protocols: files
rpc: files
services: files
netgroup: files
publickey: files

automount: files nisplus
aliases: files nisplus
#end
====================================================================
#/etc/pam.d/samba
# PAM stack for the smbd service. Linux-PAM builds one chain per management
# group (auth, account, password, session) in file order, so the entries are
# grouped by type here; the relative order inside each group is the same as
# before. pam_stack.so service=system-auth pulls in /etc/pam.d/system-auth
# (Red Hat/Mandriva-era mechanism; later Linux-PAM uses "include").

# auth: the user must pass winbind, logins must not be disabled (nologin),
# then the shared system-auth stack runs (winbind again, then pam_unix).
auth required pam_winbind.so
auth required pam_nologin.so
auth required pam_stack.so service=system-auth

# account: system-auth checks first; a "sufficient" entry after a "required"
# one cannot rescue a failed result, so the second line only re-checks.
account required pam_stack.so service=system-auth
account sufficient pam_winbind.so

# password: changes are sent to the domain via winbind
password required pam_winbind.so

# session: home directory creation, limits and unix session from system-auth
session required pam_stack.so service=system-auth
====================================================================
#/etc/pam.d/system-auth
# Shared PAM stack included by the other service files. Order matters:
# modules of one management group run top to bottom.

# auth: pam_env loads environment settings; a domain user that winbind
# accepts is done ("sufficient"). Otherwise pam_unix retries with the same
# password (use_first_pass). "nullok" lets local accounts with an empty
# password log in — remove it unless that is intended. pam_deny closes the
# chain so nothing falls through as success.
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
# account: domain accounts are validated by winbind, local ones by pam_unix.
account sufficient pam_winbind.so
account required pam_unix.so
# password: cracklib enforces password quality (3 attempts); pam_unix stores
# the already-checked token (use_authtok) as an MD5 hash in /etc/shadow.
# MD5 is weak by current standards — newer pam_unix offers sha512. There is
# no pam_winbind entry in this group, so domain password changes that reach
# this stack fall to pam_unix; see /etc/pam.d/samba for the winbind path.
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
# session: create a missing home directory from /etc/skel/ on first login
# (umask 0022), apply resource limits, then the standard unix session.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
====================================================================
Все файлы отредактированы. Выполняем:

net rpc join -U Admin

где Admin - имя администратора домена.

Joined to domain DOMAIN.

service winbind stop
service winbind start
service smb restart

Грабли: особенность Мандривы:
в файле
/etc/rc.d/init.d/winbind
нужно привести секцию stop к такому виду:

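# stop: shut down winbindd and clear its pid and subsys lock files.
# Returns killproc's exit status. The original assigned RETVAL after the
# rm of the pid file, so it reported rm's status (always 0 with -f) and
# could never signal a failed stop; the initial RETVAL=1 was dead.
stop()
{
    gprintf "Shutting down Winbind services: "
    killproc winbindd
    RETVAL=$?
    # Mandriva leaves a stale pid file behind; remove it regardless of status.
    rm -f /var/run/samba/winbindd.pid
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/winbind
    return $RETVAL
}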

Проверка подключения
wbinfo -p
Ping to winbindd succeeded
wbinfo -t
Checking the trust secret via RPC calls succeeded

Смотрим, отображаются ли пользователи:
wbinfo -u
Тут будут перечислены пользователи домена.

Смотрим, отображаются ли группы:
wbinfo -g
Тут будут перечислены группы домена.

Смотрим, видит ли Linux вышеперечисленное:
getent group

Тут будут перечислены сначала группы и пользователи линукса - следом
будут пользователи и группы домена.

Если что-то не так: смотрим
/var/log/samba/log.smbd
/var/log/samba/log.nmbd
/var/log/samba/log.winbindd
