公司服务器用 LDAP 实现登录认证,但 LDAP 服务器是 389-ds,而 Samba 所在的这台是 Ubuntu,用 LDAP 直接给 Samba 做认证有点问题(可能是我还没完全弄明白),昨天把 389 服务器都搞挂了两次。
现在 Samba 改为通过 AD(Kerberos + winbind)实现认证,以下是相关配置。
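# Packages (run as a shell command):
#   $ sudo apt-get install krb5-user winbind samba
# krb5-user: Kerberos client tools (kinit/klist), needed by `net ads join`.
# winbind:   maps AD users/groups to uids/gids and authenticates them.

# ===========================================================================
# /etc/nsswitch.conf
# NOTE(review): `ldap` is still listed ahead of winbind. If libnss-ldap is
# not installed/configured on this host, or the 389-ds server is down (it
# crashed twice, see above), every user/group lookup stalls on the LDAP
# timeout before falling through to winbind. Drop `ldap` once AD is the
# only source of accounts.
# winbind does not serve the shadow map, so `winbind` on the shadow line
# is harmless but does nothing for AD accounts.
passwd: files ldap winbind
group:  files ldap winbind
shadow: files ldap winbind

# ===========================================================================
# /etc/krb5.conf
[libdefaults]
default_realm = HA.NET
# Seconds (no unit suffix): about 6h40m.
ticket_lifetime = 24000
# The KDC is pinned in [realms] below, so DNS SRV discovery is disabled.
dns_lookup_realm = false
dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
# krb4_* and v4_* keys are Kerberos 4 compatibility knobs; MIT krb5 1.8+
# removed krb4 support and ignores them. Kept for the old client they
# were written for; safe to delete on a current system.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Learn the clock offset from KDC replies. This is not a substitute for
# NTP: the KDC still rejects requests whose skew exceeds its limit
# (5 minutes by default).
kdc_timesync = 1
ccache_type = 4
# Forwardable/proxiable tickets let a service this host authenticates to
# (SSH, NFS, ...) act on the user's behalf. Convenient for delegation;
# set to false if no service here needs to impersonate users.
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
HA.NET = {
    # Domain controller acting as KDC (port 88).
    kdc = 192.168.100.8:88
    # master_kdc = krb5auth1.HA.NET
    # admin_server = krb5-admin.HA.NET
    default_domain = HA.NET
}

[domain_realm]
.ha.net = HA.NET
ha.net = HA.NET

[login]
krb4_convert = true
krb4_get_tickets = false

# ===========================================================================
# /etc/samba/smb.conf
[global]
# Short (NetBIOS) domain name; this is also the domain qualifier winbind
# uses for DOMAIN/user names.
workgroup = HA
server string = %h
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
# Authenticate against AD with Kerberos. The host must be joined to the
# domain (`net ads join`) and `realm` must equal default_realm in krb5.conf.
security = ads
realm = HA.NET
password server = AD.HA.NET
# In ads mode tdbsam only holds local (non-AD) accounts.
passdb backend = tdbsam
obey pam restrictions = yes
# unix password sync / passwd program / pam password change only apply to
# local tdbsam accounts; AD users change their password on the domain
# controller.
unix password sync = yes
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
# Fixed: the second response was garbled as `%n\ n` (backslash, space, n),
# which sends a literal "\ n" instead of a newline and hangs the chat.
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# Failed logins with an unknown user name are mapped to the guest account;
# a wrong password for a known user is still rejected.
map to guest = bad user
# NOTE(review): lets unauthenticated clients reach any usershare a local
# user creates, bypassing AD authentication for those shares. Prefer `no`
# on a domain-joined file server unless guest usershares are required.
usershare allow guests = yes
# Allocating (tdb) id range for AD SIDs. Ids are handed out per host and
# are not stable across servers; see the rid backend at the end of this
# page for stable mappings. Newer Samba (3.6+) prefers
# `idmap config * : range`; `testparm` reports if these are deprecated.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Debian/Ubuntu install nologin as /usr/sbin/nologin; /sbin/nologin did not
# exist before usrmerge (login was denied anyway, but with an unhelpful
# "no shell" error).
template shell = /usr/sbin/nologin
# NOTE(review): this is what winbind reports as the POSIX home directory
# and differs from the [homes] share path (/local_home/%U) below.
template homedir = /home/%U
# Users log in as plain `user` instead of `HA/user`.
winbind use default domain = true
# Caches AD credentials locally so logons work while the DC is unreachable;
# this also keeps credential material in winbindd's cache on disk.
winbind offline logon = true
# Enumeration is slow on large domains; only needed so `getent passwd` /
# `getent group` list AD accounts.
winbind enum groups = yes
winbind enum users = yes
winbind separator = /

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

[homes]
comment = Home Directories
path = /local_home/%U
# %U is the session user. NOTE(review): the domain qualifier winbind
# understands is normally the short workgroup name (HA), not the DNS
# realm; if valid users are denied despite a good ticket, try `HA/%U`
# (or just `%U`, since `winbind use default domain` already implies HA).
valid users = ha.net/%U
read only = yes
browseable = No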
改完配置后还得把这台机器加入域(需要一个有加域权限的域账号,且本机时间要与域控同步,否则 Kerberos 会报错):
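# Join the domain. The realm after '@' must be upper case (HA.NET, not ha.net)
# and match `realm` in smb.conf / default_realm in krb5.conf.
# xxx is an account allowed to join machines; `net` prompts for its password.
# Do not pass it inline as `-U xxx%password`: it would land in the shell
# history and be visible in `ps` output to every local user.
# The join fails if the host clock is too far from the KDC, so sync time first.
sudo net ads join -U xxx@HA.NET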
如果需要在多台服务器上保持 uid/gid 一致(默认的 tdb 分配式映射在每台机器上分配到的 id 不同),可参考下面的 rid 后端配置,加到 smb.conf 的 [global] 中:
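# Stable (RID-based) uid/gid mapping; these lines belong in [global] of
# smb.conf. The rid backend is deterministic (uid = range_low + RID -
# base_rid), so an AD account gets the same uid on every server, unlike the
# allocating tdb mapping configured with `idmap uid`/`idmap gid` above.
# DOMAIN is a placeholder for the short NetBIOS domain name -- the value of
# `workgroup` (HA in this setup) -- not the DNS realm ha.net.
# `idmap domains` is only honoured by old Samba 3.0.x; later releases derive
# the domain list from the `idmap config` lines and `testparm` flags it as
# unknown or deprecated.
idmap domains = DOMAIN
idmap config DOMAIN:backend = rid
idmap config DOMAIN:base_rid = 0
# Must not overlap any local uid/gid in /etc/passwd, nor the default
# allocating range (idmap uid/gid above, or `idmap config * : range` on
# newer Samba), which is still needed for BUILTIN and other well-known SIDs.
idmap config DOMAIN:range = 20000 - 49999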