Samba share with AD authentication

Goal: join a CentOS 7 server to an Active Directory domain and provide a Samba share that authenticates users against AD.

Environment:
Windows Server 2012 (AD domain controller)
Domain name: huiju.com
Host name: win2012-ad1
IP address: 192.168.1.1

CentOS 7
Host name: centos01.huiju.com

 

Steps:

1) Install the required packages and do the basic configuration

yum install -y samba samba-common samba-client samba-winbind* krb5-workstation ntp

# Enable the services at boot

systemctl enable smb
systemctl enable winbind

# Configure hosts

vim /etc/hosts
Add the IP address and host name of the AD domain controller:
192.168.1.1 win2012-ad1.huiju.com

# Add the DNS server address
vim /etc/resolv.conf
nameserver 192.168.1.1

# Set the host name
hostnamectl set-hostname centos01.huiju.com

2) Use the setup command to configure winbind quickly

3) Create the share directory and set its permissions

mkdir -p /share
chgrp -R "fileshare_w" /share/
chmod -R 770 /share/

Note: fileshare_w is the name of a group in AD; it must match the group referenced in the Samba configuration file.

 

4) Configure Samba

vim /etc/samba/smb.conf

[global]
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
display charset = UTF8
max connections = 100

workgroup = HUIJU
password server = win2012-ad1.huiju.com
realm = HUIJU.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[share]
comment = Qzing Share Directories
path = /share
valid users = "@HUIJU\fileshare_w"
force group = "fileshare_w"
writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes

 

5) Configure nsswitch
vim /etc/nsswitch.conf
Find the following three lines and move winbind ahead of sss:

passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss

6) Create the home directory automatically at login
Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth with vim and add the following line at the end of each file:
session required pam_mkhomedir.so

7) Join the domain; administrator is the administrator account of the domain controller
net ads join -U administrator

After joining, run wbinfo -t; if it prints the following output, the join succeeded, and the domain controller should also show this CentOS host's name.

Restart smb and winbind
systemctl restart smb
systemctl restart winbind

At this point the share directory can be accessed normally, but the home directory still cannot: the account has never logged in on the CentOS host, so its home directory has not been created automatically yet.
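The following script is an added example, not part of the original post: it runs offline pre-flight checks on the smb.conf settings from step 4 and the nsswitch.conf ordering from step 5, using constructed sample copies of both files; the temporary directory and sample contents are assumptions.

```shell
# Added example, not from the original post: offline pre-flight checks for the
# settings above, run on constructed sample copies of smb.conf and nsswitch.conf.

# Print the value of key $3 in section [$2] of the smb.conf file $1.
smb_get() {
  awk -v sec="[$2]" -v key="$3" '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == "" || line ~ /^[#;]/ { next }
    line ~ /^\[/ { insec = (line == sec); next }
    insec && index(line, "=") {
      i = index(line, "="); k = substr(line, 1, i - 1); v = substr(line, i + 1)
      sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Return 0 if smb.conf $1 keeps AD authentication, limits [share] to the
# fileshare_w group, hides unreadable entries and grants no guest access.
check_smb() {
  [ "$(smb_get "$1" global security)" = ads ] || return 1
  [ "$(smb_get "$1" global 'winbind use default domain')" = true ] || return 1
  [ "$(smb_get "$1" share 'valid users')" = '"@HUIJU\fileshare_w"' ] || return 1
  [ "$(smb_get "$1" share 'hide unreadable')" = yes ] || return 1
  [ "$(smb_get "$1" share 'guest ok')" != yes ]
}

# Return 0 if nsswitch.conf $1 lists winbind for passwd, shadow and group,
# and ahead of sss wherever sss is also listed (step 5 above).
check_nsswitch() {
  for db in passwd shadow group; do
    w=0; s=0; n=0
    for src in $(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$1" | head -n 1); do
      n=$((n + 1))
      [ "$src" = winbind ] && w=$n
      [ "$src" = sss ] && s=$n
    done
    [ "$w" -gt 0 ] && { [ "$s" -eq 0 ] || [ "$s" -gt "$w" ]; } || return 1
  done
}
TMP=$(mktemp -d)   # constructed sample files so the checks run stand-alone
cat > "$TMP/smb.conf" <<'EOF'
[global]
security = ads
winbind use default domain = true
[share]
valid users = "@HUIJU\fileshare_w"
hide unreadable = yes
EOF
printf 'passwd: files winbind sss\nshadow: files winbind sss\ngroup: files winbind sss\n' > "$TMP/nsswitch.conf"
check_smb "$TMP/smb.conf" && check_nsswitch "$TMP/nsswitch.conf" && echo "config checks passed"
```

Point the two functions at the real /etc/samba/smb.conf and /etc/nsswitch.conf to verify a live host before restarting smb and winbind.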
