Samba as a member server in Active Directory (AD)
Preparation:
Operating systems: Red Hat Enterprise Linux 5.2    Windows Server 2003 Enterprise
Samba version (download the latest rpm packages from the Internet):
samba-3.0.33-3.14.el5.i386.rpm
samba-client-3.0.33-3.14.el5.i386.rpm
samba-common-3.0.33-3.14.el5.i386.rpm
samba-swat-3.0.33-3.14.el5.i386.rpm
Note: the clock on the Samba server must not differ from the AD clock by more than 5 minutes.
#date MMDDhhmmYYYY
#hwclock  -w
For example:
#date  042208062010
sets the system time to 08:06 on April 22, 2010.
#hwclock  -w
writes the system time to the hardware clock.
The Windows server is the domain controller; FQDN: , domain name: 
IP: 192.168.10.44, DNS: 192.168.10.44
Samba server name: rhel5 (check with the hostname command), IP: 192.168.10.22
DNS: 192.168.10.44
Edit /etc/hosts as follows:
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.10.22        rhel5.  rhel5
::1            localhost6.localdomain6  localhost6
Edit /etc/sysconfig/network as follows:
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=rhel5
GATEWAY=192.168.10.1
1. After these changes, restart the Samba server.
The configuration files are as follows:
Edit the main Samba configuration file /etc/samba/smb.conf as follows:
workgroup = TEST
realm =
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
password server =
netbios name = rhel5
domain master = no
preferred master = no
domain logons = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind separator = %
Also comment out the following two lines:
security = user
passdb backend = tdbsam
2. Install the Kerberos packages
krb5-workstation-1.6.1-25.el5.rpm
krb5-devel-1.6.1-25.el5.rpm
krb5-libs-1.6.1-25.el5.rpm
pam_krb5-2.2.14-1.rpm
krb5-auth-dialog-0.7-1.rpm
Edit /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm =
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 
[realms]
 = {
  kdc =
  admin_server =
  default_domain =
 }
 
[domain_realm]
 .=
  =
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
3. Change the DNS client settings on the Samba server, i.e. the /etc/resolv.conf file
search 
nameserver  192.168.10.44
4. Edit /etc/nsswitch.conf
passwd:     files    winbind
shadow:     files    winbind
group:      files    winbind
5. First stop the Samba and winbind services:
#service   smb      stop
#service   winbind   stop
6. Join the Samba server to Active Directory:
#net  ads   join   -U  Administrator
7. Start the Samba and winbind services
#service  smb  start
#service  winbind  start
8. Verify that winbind works
#wbinfo   -u
#wbinfo   -g
9. To let Active Directory users log in on the Linux host that runs the Samba server, edit /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0066
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
Note: the home directory set for Active Directory accounts in smb.conf is /home/%D/%U, and %D here is TEST, so this directory must be created.
#mkdir  /home/TEST
10. Edit /etc/pam.d/system-auth as follows (note: back up this file before editing it; if the edit is wrong, the root account will no longer be able to log in):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
 
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
 
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
 
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass
11. Create an account allen on the Windows domain controller, then log in to the Samba server from Linux with that domain controller account:
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel 2.6.18-92.el5xen on an i686
rhel5 login: allen
Password:
Creating directory ‘/home/TEST/allen’.
Creating directory ‘/home/TEST/allen/.mozilla’.
Creating directory ‘/home/TEST/allen/.mozilla/extensions’.
Creating directory ‘/home/TEST/allen/.mozilla/plugins’.
[allen@rhel5 ~]$
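As an added example (not part of the original guide), a small POSIX sh script that checks the two things this procedure depends on before `net ads join` is run: the 5-minute clock tolerance from the note at the top, and the smb.conf settings from step 1 (security = ADS, a realm, idmap ranges, and the two old lines commented out). The realm `AD.PLACEHOLDER.TEST` and both sample configs are constructed placeholders; the script assumes grep, sed and mktemp are available.

```shell
# Added example (not from the original guide): pre-join checks for the setup above.
# Assumes POSIX sh with grep, sed and mktemp; the sample configs are constructed.

# Kerberos, and so "net ads join", fails when clock skew exceeds 5 minutes (300 s).
# $1 = local epoch seconds, $2 = domain controller epoch seconds; 0 = within tolerance.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# 0 when an smb.conf has security = ADS, a non-empty realm, idmap uid/gid ranges,
# and no active "security = user" / "passdb backend" line (both must be commented out).
smb_conf_ok() {
    # drop comments (# or ;) so commented-out lines are not matched as active
    active=$(sed -e 's/[[:space:]]*[#;].*$//' "$1")
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' || return 1
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]' || return 1
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*idmap uid[[:space:]]*=' || return 1
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*idmap gid[[:space:]]*=' || return 1
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*user' && return 1
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*passdb backend[[:space:]]*=' && return 1
    return 0
}

# Constructed sample: the guide's settings, a placeholder realm, old lines commented out.
GOOD_CONF=$(mktemp); cat >"$GOOD_CONF" <<'EOF'
[global]
   workgroup = TEST
   realm = AD.PLACEHOLDER.TEST
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ;security = user
   ;passdb backend = tdbsam
EOF

# Constructed sample: realm left empty and the two old lines still active.
BAD_CONF=$(mktemp); cat >"$BAD_CONF" <<'EOF'
[global]
   realm =
   security = ADS
   security = user
   passdb backend = tdbsam
EOF

clock_skew_ok "$(date +%s)" "$(date +%s)" && smb_conf_ok "$GOOD_CONF" && echo "pre-join checks passed"
```

On a real member server, replace the second `date +%s` with the domain controller's time (for example from `net time`) and point `smb_conf_ok` at /etc/samba/smb.conf.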