Samba Domain Integration: joining Samba to a Windows 2008 domain

Required packages:
yum install samba
yum install krb5-server
yum install krb5-workstation
yum install samba-winbind
 
DC (Active Directory domain controller)
IP: 192.168.3.48
Hostname: dc33
domain: hs.example.com.tw
 
Linux member server: RHEL 6.5 x64
HOSTNAME: test1
 
Configuration steps:
1. Set the hostname:
[root@test1 samba]# vi /etc/sysconfig/network
HOSTNAME=test1
 
2. Samba configuration (smb.conf treats only lines that begin with # or ; as comments; a # after a value becomes part of the value, so every comment below sits on its own line):
[root@test1 samba]# vi /etc/samba/smb.conf
[global]
   workgroup = SWC
   # password server: the AD domain controller
   password server = dc33.hs.example.com.tw
   # realm: the full Kerberos realm name, in upper case
   realm = HS.EXAMPLE.COM.TW
   # security = ads: authentication is handed to Active Directory
   security = ads
   # passwords are sent encrypted
   encrypt passwords = yes
   # UID/GID range allocated to domain accounts and groups
   idmap config * : range = 16777216-33554431
   # login shell assigned to AD accounts
   template shell = /bin/bash
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/%D/%U

   # description shown to clients
   server string = EXAMPLE TEST Server
   # NetBIOS name of this Linux host
   netbios name = test1

   # logs split per machine
   log file = /var/log/samba/%m.log
   # max log size is in KB: 102400 = 100 MB per file, then rotate
   max log size = 102400

[TMP]
   comment         = For tmp
   path            = /tmp
   browseable      = yes
   writable        = yes
   valid users     = @"swc\FS47_test_rw"
   create mask     = 0644
   directory mask  = 0750
 
3. DNS and name-service lookup order:
[root@test1 samba]# cat /etc/resolv.conf
search hs.example.com.tw example.com.tw
nameserver 192.168.3.48
nameserver 192.168.3.47
options timeout:1
options attempts:1 rotate
 
[root@test1 samba]# vi /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      dns files
 
4. Kerberos client configuration (realm names are case-sensitive; the AD realm is HS.EXAMPLE.COM.TW in upper case, matching the realm in smb.conf):
[root@test1 samba]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = HS.EXAMPLE.COM.TW
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
HS.EXAMPLE.COM.TW = {
  kdc = dc33.hs.example.com.tw
  kdc = dc35.hs.example.com.tw
  admin_server = dc33.hs.example.com.tw
  default_domain = hs.example.com.tw
}

[domain_realm]
hs.example.com.tw = HS.EXAMPLE.COM.TW
.hs.example.com.tw = HS.EXAMPLE.COM.TW
swc = HS.EXAMPLE.COM.TW
.swc = HS.EXAMPLE.COM.TW
 
5. Start the smb and winbind services and enable them at boot:
# service smb start
# chkconfig smb on
# service winbind start
# chkconfig winbind on
 
 
6. Test authentication against the domain:
[root@test1 ~]# kinit sidney@HS.EXAMPLE.COM.TW
 
Note: the realm must be written in upper case; lower case fails.
7. Join or leave the domain from the Linux host
Join the domain:
[root@test1 ~]# net ads join -U sidney@hs.example.com.tw
Enter sidney@hs.example.com.tw's password:
Using short domain name — SWC
Joined 'TEST1' to dns domain 'hs.example.com.tw'
 
Alternatively, join with one of the following:
net ads join -S hs.example.com.tw
net rpc join -S hs.example.com.tw
net ads join -U sidney@hs.example.com.tw
net rpc join -U sidney@hs.example.com.tw
net rpc join -U sidney
 
Leave the domain:
net ads leave -U sidney@hs.example.com.tw
 
8. Configure NTP (the clock offset between this host and the domain must not exceed 5 minutes):
 
[root@test1 ~]# cat /etc/ntp.conf 
server 192.168.6.86
server 192.168.6.87
 
9. Checks:
Verify the trust relationship with the domain:
[root@test1 ~]# wbinfo -t
checking the trust secret for domain SWC via RPC calls succeeded
 
Show domain information:
[root@test1 ~]# net ads info
LDAP server: 192.168.3.48
LDAP server name: DC33.hs.example.com.tw
Realm: HS.EXAMPLE.COM.TW
Bind Path: dc=HS,dc=EXAMPLE,dc=COM,dc=TW
LDAP port: 389
Server time: Thu, 15 Oct 2015 15:19:39 CST
KDC server: 192.168.3.48
Server time offset: 0
 
Show a domain user's information:
[root@test1 ~]# wbinfo -i sidney
 
List the domain users (wbinfo -i needs a user name; -u lists all users):
[root@test1 ~]# wbinfo -u
 
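As an added example (not part of the original post), the script below performs the checks behind steps 2 to 4 and 9 offline, on constructed copies of the files: it flags trailing # comments in smb.conf (Samba treats only whole lines starting with # or ; as comments, so a comment after a value becomes part of the value), confirms the Kerberos realm in krb5.conf is upper case, confirms passwd and group lookups in nsswitch.conf include winbind, and reads the "Server time offset" line from saved net ads info output to confirm the clock is inside the 5-minute Kerberos skew limit. The function names and the temporary sample files are the example's own; the sample contents are constructed from the configs and output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# files the join procedure depends on. Sample inputs below are constructed.

# smb.conf only treats lines beginning with '#' or ';' as comments; a '#'
# after a value is part of the value ("realm = X #note" sets realm to "X #note").
# Prints offending lines; returns 0 when the file is clean, 1 otherwise.
smbconf_check() {
    if grep -nE '^[[:space:]]*[^#;[:space:]][^=]*=.*[[:space:]]#' "$1"; then
        return 1
    fi
    return 0
}

# Kerberos realm names are case-sensitive and AD realms are upper case.
# Returns 0 when default_realm in the given krb5.conf is entirely upper case.
krb5_realm_check() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" |
            head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$realm" ] || return 1
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ]
}

# Without winbind in the passwd and group lines, domain accounts stay invisible
# to getent and login even after a successful join.
nsswitch_check() {
    for db in passwd group; do
        grep -qE '^'"$db"':.*[[:space:]]winbind([[:space:]]|$)' "$1" || return 1
    done
    return 0
}

# Kerberos rejects tickets when clocks differ by more than the allowed skew
# (5 minutes by default). Reads "Server time offset" from saved 'net ads info'
# output; returns 0 when the absolute offset is at most 300 seconds.
time_offset_check() {
    off=$(sed -n 's/^Server time offset:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$off" ] || return 1
    [ "${off#-}" -le 300 ]
}

tmpdir=$(mktemp -d)

# Constructed: smb.conf with trailing comments after the values (the pitfall).
cat > "$tmpdir/smb.conf.bad" <<'EOF'
[global]
   workgroup = SWC
   password server = dc33.hs.example.com.tw #AD password server
   realm = HS.EXAMPLE.COM.TW #full realm name
   security = ads
   # logs split per machine
   log file = /var/log/samba/%m.log
EOF

# Constructed: the same settings with every comment on its own line.
cat > "$tmpdir/smb.conf.good" <<'EOF'
[global]
   workgroup = SWC
   # AD password server
   password server = dc33.hs.example.com.tw
   # full realm name
   realm = HS.EXAMPLE.COM.TW
   security = ads
EOF

printf '[libdefaults]\ndefault_realm = hs.example.com.tw\n' > "$tmpdir/krb5.conf.bad"
printf '[libdefaults]\ndefault_realm = HS.EXAMPLE.COM.TW\n' > "$tmpdir/krb5.conf.good"

cat > "$tmpdir/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      dns files
EOF

# Constructed from the 'net ads info' output shown in the post.
cat > "$tmpdir/adsinfo.txt" <<'EOF'
LDAP server: 192.168.3.48
Realm: HS.EXAMPLE.COM.TW
KDC server: 192.168.3.48
Server time offset: 0
EOF

# Run every check; "problem" is the expected result for the .bad samples.
report() { if "$@"; then echo "ok: $*"; else echo "problem: $*"; fi; }
report smbconf_check "$tmpdir/smb.conf.bad"
report smbconf_check "$tmpdir/smb.conf.good"
report krb5_realm_check "$tmpdir/krb5.conf.bad"
report krb5_realm_check "$tmpdir/krb5.conf.good"
report nsswitch_check "$tmpdir/nsswitch.conf"
report time_offset_check "$tmpdir/adsinfo.txt"
```

To use it on a real member server, point the functions at /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf, and save net ads info output to a file for time_offset_check. Together with a clean testparm -s run, these catch the usual reasons a join succeeds but logins or share access still fail.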
 
10. Text-mode setup (the setup tool's authentication screen):
 
#setup
Authentication configuration:
Select the authentication method: Winbind & Kerberos
 
Enter the domain details
Choose ads as the security model
Enter the join account and password
 
Error messages seen during the authentication step:
 
 
11. Error log (these messages come from the local krb5kdc service that ships with krb5-server; a domain member authenticates against the domain controller's KDC and does not need to run its own)
 
[root@test1 samba]# cat /var/log/krb5kdc.log
krb5kdc: No such file or directory – while initializing database for realm hs.example.com.tw
krb5kdc: No such file or directory – while initializing database for realm hs.example.com.tw
 
[root@test1 samba]# kdb5_util create -s -r hs.example.com.tw
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'hs.example.com.tw',
master key name 'K/M@hs.example.com.tw'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@test1 samba]# service krb5kdc restart
Stopping Kerberos 5 KDC:                                   [FAILED]
Starting Kerberos 5 KDC:                                   [  OK  ]
 
12. References: