The open-source software Samba connects Unix/Linux systems with Windows systems so that files can be shared across platforms. Samba offers several security levels (user, share, domain and ads); for enterprise use the strongest policy should be chosen, so this guide integrates Samba with the existing Windows domain controller and authenticates at the ads level (Active Directory over Kerberos). Using Samba with domain identity authentication satisfies the enterprise security policy for domain users and extends that control to files served across platforms. Note that share-level security is a legacy mode and should not be used.
II. Preparing the environment
1. Install the operating system
The operating system is CentOS 5.7 Final, installed with the base package set and Chinese support selected under language.
2. Check the Kerberos installation
Windows domain authentication relies on the Kerberos protocol, so Linux must support it. Verify that the Kerberos packages are installed:
# rpm -qa | grep krb5
krb5-workstation-1.6.1-55.el5
krb5-libs-1.6.1-55.el5
pam_krb5-2.2.14-18.el5
3. Install Samba
# yum install samba
4. Install ntp and synchronize time with the domain controller
Kerberos rejects tickets when the clock skew exceeds a few minutes (5 minutes by default), so Samba's clock must agree with the domain controller. Install ntp and check that the times match:
# yum install ntp
III. Integrating Samba with AD authentication
5. Edit /etc/security/pam_winbind.conf
# vi /etc/security/pam_winbind.conf
krb5_auth = yes
mkhomedir = yes
Both keys belong in the [global] section of that file: krb5_auth makes pam_winbind obtain a Kerberos ticket when a domain user logs in, and mkhomedir creates the user's home directory on first login.
6. Edit /etc/krb5.conf and change the following sections
[realms]
VANCLOA.CN = {
kdc = 10.8.3.4:88
admin_server = 10.8.3.4:749
default_domain = vancloa.cn
}
[domain_realm]
.vancloa.cn = VANCLOA.CN
vancloa.cn = VANCLOA.CN
Also make sure default_realm = VANCLOA.CN is set under [libdefaults], otherwise kinit and pam_krb5 will not know which realm to use. Realm names are case-sensitive and must be upper case.
7. Edit /etc/hosts
8. Edit /etc/nsswitch.conf so that users and groups are also looked up through winbind
# vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
9. Edit /etc/pam.d/system-auth
# vi /etc/pam.d/system-auth
auth sufficient pam_winbind.so
account required pam_winbind.so
password sufficient pam_winbind.so
Place these lines after the existing pam_unix.so entries so that local accounts keep working. Be careful with the account line: for users that winbind does not know (local accounts such as root) pam_winbind reports an unknown user, and "required" turns that into a failure, locking local users out. The line generated by authconfig on CentOS, account [default=bad success=ok user_unknown=ignore] pam_winbind.so, avoids this.
10. Configure Samba (/etc/samba/smb.conf)
#============ Global Settings ===================
[global]
workgroup = VANCLOA
server string = Samba Server Version %v
netbios name = pek6-samba
security = ads
passdb backend = tdbsam
realm = VANCLOA.CN
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /sbin/nologin
template homedir = /home/%D/%U
#============ Share Definitions =================
[homes]
comment = Home Directories
path = /home/VANCLOA/%U
browseable = no
writable = yes
valid users = %U
[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
write list = +staff
The template homedir line needs the "=": a line without it is not a key = value pair and smbd ignores it, so the home directory template silently falls back to the default. With security = ads the domain controller performs authentication, so passdb backend = tdbsam is not used for domain users and can be left as is. Note that public = yes (a synonym of guest ok = yes) lets anyone connect to [public] without a domain account, and combined with writable = yes guests can also write there, which undercuts the point of domain authentication; in an AD deployment set it to no and restrict the share with valid users or write list.
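As an added example (not part of the original tutorial), the following shell script audits an smb.conf for the settings this section depends on: security = ads, a realm, an intact template homedir line, and any share that is both guest-accessible and writable. The sample configuration it writes is constructed for the demo and deliberately keeps the page's original template homedir line without "=" and the guest-writable [public] share so that both are flagged; on a real host pass /etc/samba/smb.conf to smb_audit instead.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an smb.conf for the
# settings the Samba/AD setup on this page relies on.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Samba accepts yes/true/1 for boolean parameters.
is_yes() { case "$(lc "$1")" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# smb_get FILE SECTION KEY: print the value of KEY inside [SECTION]
# (section and key names are matched case-insensitively, like smbd does).
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*/, "", s)
            in_sec = (tolower(s) == tolower(sec)); next
        }
        in_sec && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# smb_sections FILE: print section names, one per line.
smb_sections() {
    awk '/^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*/, "", s); print s }' "$1"
}

# smb_malformed FILE: lines that are neither blank, comment, section header nor
# "key = value". smbd ignores such lines, which is how a missing "=" drops a setting.
smb_malformed() {
    awk '/^[[:space:]]*$/ || /^[[:space:]]*[#;]/ || /^[[:space:]]*\[/ { next }
         !index($0, "=") { print NR ": " $0 }' "$1"
}

# smb_guest_writable FILE: shares that allow guests (public / guest ok) AND writing.
smb_guest_writable() {
    smb_sections "$1" | while IFS= read -r s; do
        if [ "$(lc "$s")" = "global" ]; then continue; fi
        guest=$(smb_get "$1" "$s" public)
        [ -n "$guest" ] || guest=$(smb_get "$1" "$s" "guest ok")
        rw=$(smb_get "$1" "$s" writable)
        [ -n "$rw" ] || rw=$(smb_get "$1" "$s" writeable)
        if is_yes "$guest" && is_yes "$rw"; then echo "$s"; fi
    done
}

# smb_audit FILE: print findings; return 0 only when everything checks out.
smb_audit() {
    rc=0
    sec=$(lc "$(smb_get "$1" global security)")
    [ "$sec" = "ads" ] || { echo "FAIL: security = '$sec' (expected ads)"; rc=1; }
    [ -n "$(smb_get "$1" global realm)" ] || { echo "FAIL: realm is not set"; rc=1; }
    [ -n "$(smb_get "$1" global "template homedir")" ] || { echo "FAIL: template homedir is not set"; rc=1; }
    bad=$(smb_malformed "$1")
    [ -z "$bad" ] || { echo "FAIL: lines without '=' are ignored by smbd:"; echo "$bad"; rc=1; }
    gw=$(smb_guest_writable "$1")
    [ -z "$gw" ] || { echo "WARN: guest-writable share(s): $gw"; rc=1; }
    return $rc
}

# Constructed sample (not a real host's config): the page's smb.conf with the
# original "template homedir" typo and the guest-writable [public] share kept.
write_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[global]
workgroup = VANCLOA
security = ads
realm = VANCLOA.CN
template shell = /sbin/nologin
template homedir /home/%D/%U

[homes]
path = /home/VANCLOA/%U
browseable = no
writable = yes
valid users = %U

[public]
path = /home/samba
public = yes
writable = yes
EOF
    echo "$f"
}

conf=$(write_sample_conf)
smb_audit "$conf" || echo "audit of $conf found issues"
rm -f "$conf"
```

Run against the sample it reports the dropped template homedir, the malformed line and the guest-writable [public] share; testparm remains the authoritative syntax check, this script only looks for the settings discussed on this page.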
11. Join the Windows domain
# net ads join -U [email protected]
# /etc/init.d/winbind restart
net ads join takes the realm from smb.conf and the Kerberos settings above, so it fails if the clock is out of sync with the domain controller or the controller's name does not resolve. Restart winbind after the join so that it picks up the new machine account.
IV. Test communication with the domain controller
# wbinfo -u
wbinfo -u lists the domain users. To check the join more thoroughly, net ads testjoin verifies the machine account, wbinfo -t verifies the trust secret with the domain controller, and getent passwd shows the domain users resolved through nsswitch.