CentOS 5.1 Samba: joining a Microsoft AD domain


http://tw.myblog.yahoo.com/jw!7KOAi5OEGQL9D1WOQ2X5/article?mid=8&prev=11&next=6


1. Lab environment
AD server: Windows Server 2003
AD member (Samba): CentOS 5.1 (packages not updated)

Host    Hostname                  IP
PDC     adserver                  10.20.5.180/24
linux   adsamba.example.com.tw    10.20.5.181/24

Domain name: example.com.tw
DNS: 10.20.5.180

Install the NTP package for time synchronisation
# mount /dev/cdrom /cdrom
# rpm -ivh /cdrom/CentOS/RPMS/ntp-4.2.2p1-7.el5.i386.rpm

Synchronise the clock with the AD server
# ntpdate 10.20.5.180
# hwclock -w
One thing to watch: the clocks of adsamba and adserver must not differ by more than five minutes. Since adsamba is a member of adserver's domain, it makes sense to use adserver as the time source.

Install the Samba packages
[root@adsamba CentOS]# rpm -qa | grep samba
samba-common-3.0.25b-0.el5.4
samba-3.0.25b-0.el5.4
samba-client-3.0.25b-0.el5.4




2. Edit the configuration files

2.1 # vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


[libdefaults]
# upper-case domain name
default_realm = EXAMPLE.COM.TW
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
# upper-case domain name; kdc and admin_server are the domain controller's IP
EXAMPLE.COM.TW = {
kdc = 10.20.5.180:88
admin_server = 10.20.5.180:749
# default DNS domain name
default_domain = example.com.tw
}

[domain_realm]
# domain-to-realm mapping
.example.com.tw = EXAMPLE.COM.TW
example.com.tw = EXAMPLE.COM.TW

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


A quick test

Deliberately enter a wrong password for the domain administrator
# kinit administrator@EXAMPLE.COM.TW
Password for administrator@EXAMPLE.COM.TW:
kinit(v5): Preauthentication failed while getting initial credentials

Enter the correct domain administrator password
# kinit administrator@EXAMPLE.COM.TW
Password for administrator@EXAMPLE.COM.TW:

Test an account that does not exist in the domain
# kinit rrrrr@EXAMPLE.COM.TW
kinit(v5): Client not found in Kerberos database while getting initial credentials

Test an ordinary domain user account
# kinit 00001@EXAMPLE.COM.TW
Password for 00001@EXAMPLE.COM.TW:

This shows that we can already talk to the AD server, but it does not mean the Samba server has joined the domain yet.

2.2 # vi /etc/samba/smb.conf
#===================== Global Settings =========================
[global]
# must be your own domain name
workgroup = EXAMPLE

netbios name = ADSAMBA
# ----------------------- Domain Members Options ------------------------
security = ads
; passdb backend = tdbsam
realm = EXAMPLE.COM.TW

password server = 10.20.5.180

# the following options control account mapping
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
template shell = /sbin/nologin
template homedir = /home/%U
winbind separator = %
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes

Modify the [homes] share options
#[homes]
# comment = Home Directories
# browseable = no
# writable = yes
#; valid users = %S
#; valid users = MYDOMAIN\%S

[homes]
path = /home/%U
browsable = no
writable = yes




2.3 Edit /etc/nsswitch.conf so that account lookups also consult winbind

Change the following lines
passwd: files winbind
shadow: files winbind
group: files winbind
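As an added example (not from the original post), here is a small Python checker for the smb.conf settings used in 2.2: it parses the file the way Samba does (only a line that starts with # or ; is a comment, so a trailing comment becomes part of the value) and verifies the AD-member settings this procedure relies on. The sample config is constructed to mirror the post's [global] section, inline comments included.

```python
import configparser
import re

# Constructed sample mirroring the post's [global] section, inline comments included
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE # must be your own domain name
netbios name = ADSAMBA
security = ads
; passdb backend = tdbsam
realm = EXAMPLE.COM.TW
password server = 10.20.5.180
idmap uid = 10000 - 20000 # account mapping options
idmap gid = 10000 - 20000
template shell = /sbin/nologin
template homedir = /home/%U
winbind use default domain = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Like Samba, only a line
    that starts with # or ; is a comment; trailing text stays in the value."""
    cp = configparser.RawConfigParser(comment_prefixes=("#", ";"),
                                      inline_comment_prefixes=None,
                                      strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_ad_member(conf):
    """Return findings (strings) for the [global] settings an AD member needs."""
    g = conf.get("global", {})
    findings = []
    for key, value in g.items():
        if re.search(r"\s[#;]", value):   # trailing '# ...' is NOT a comment to Samba
            findings.append(f"{key}: inline comment becomes part of the value {value!r}")
    # Evaluate the remaining checks on the values the author clearly intended
    clean = {k: re.split(r"\s[#;]", v)[0].strip() for k, v in g.items()}
    if clean.get("security", "").lower() != "ads":
        findings.append("security: must be 'ads' to join as an AD member")
    realm = clean.get("realm", "")
    if not realm or realm != realm.upper():
        findings.append("realm: must be set and upper-case (it is the Kerberos realm)")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", clean.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key}: expected an ascending range such as '10000 - 20000'")
    return findings

def report(text=SAMPLE_SMB_CONF):
    """Findings for the constructed sample; two inline-comment findings expected."""
    return check_ad_member(parse_smb_conf(text))
```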

 

3. Join the domain and test
[root@adsamba ~]# net rpc join -S adserver.example.com.tw -U administrator
Password:
Joined domain EXAMPLE.
 

I remember that on CentOS 4 you could join with the ads method, but now it doesn't work and spits out a pile of errors.
# net ads join -U administrator@EXAMPLE.COM.TW

# service smb restart
# service winbind start


[root@adsamba ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
 

[root@adsamba ~]# wbinfo -u
administrator
guest
support_388945a0
krbtgt
wenlin
00001
00002
00003
00004

Creating the user's home directory

# mkdir -p /home/00001
# chmod 700 /home/00001

# chown 00001.00001 00001/
[root@adsamba home]# ll
drwxrwxrwx 2 00001 deamon 4096 5月19 12:50 00001
Note the group column: the group has become daemon.
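Added example, not from the original post: provisioning the home directory from the user's winbind passwd entry instead of a typed `00001.00001`. The passwd and group tables are constructed stand-ins for getent output and follow the post's idmap range and template homedir; resolve_group mimics the name-then-number lookup chown(1) applies to the group part of an owner spec.

```python
import os
import stat
import tempfile

IDMAP_UID = (10000, 20000)   # idmap uid / idmap gid from the post's smb.conf
IDMAP_GID = (10000, 20000)

# Constructed stand-ins for `getent passwd 00001` and `getent group` on adsamba:
# user name -> (uid, gid, home, shell) and group name -> gid
PASSWD = {"00001": (10001, 10000, "/home/00001", "/sbin/nologin")}
GROUPS = {"root": 0, "domain users": 10000}

def resolve_group(spec, groups=GROUPS):
    """How chown(1) resolves the group half of 'owner.group' / 'owner:group':
    by name first; if no group has that name and the spec is all digits it is
    taken as a numeric GID. No group is called '00001', so '00001.00001' hands
    the directory to GID 1, a local system group, not the user's domain group,
    which is why the `ll` output in the post no longer shows the user's group."""
    if spec in groups:
        return groups[spec]
    if spec.isdigit():
        return int(spec)
    raise KeyError(f"no such group: {spec}")

def plan_home(username, passwd=PASSWD):
    """Take uid/gid/home from the winbind passwd entry and check them against
    the idmap ranges and the expected /home prefix before anything is created."""
    uid, gid, home, _shell = passwd[username]
    if not IDMAP_UID[0] <= uid <= IDMAP_UID[1]:
        raise ValueError(f"uid {uid} outside idmap uid range {IDMAP_UID}")
    if not IDMAP_GID[0] <= gid <= IDMAP_GID[1]:
        raise ValueError(f"gid {gid} outside idmap gid range {IDMAP_GID}")
    if os.path.dirname(home) != "/home":
        raise ValueError(f"unexpected home directory {home}")
    return home, uid, gid

def provision(username, root, passwd=PASSWD):
    """mkdir -p + chmod 700 under `root`; returns (path, uid, gid). chown needs
    root privileges, so the caller runs `chown uid:gid path` with these ids."""
    home, uid, gid = plan_home(username, passwd)
    path = os.path.join(root, home.lstrip("/"))
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)          # makedirs' mode is masked by umask; enforce it
    return path, uid, gid

def demo(username="00001"):
    """Provision into a scratch directory; returns (mode, uid, gid)."""
    root = tempfile.mkdtemp()
    path, uid, gid = provision(username, root)
    return stat.S_IMODE(os.stat(path).st_mode), uid, gid
```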


The only problem here is that the permissions of subfolders inside the shared folder cannot be changed through the Windows interface, even with ACL support turned on.

Another question: normally, in a domain you have to type the account as example.com.tw\00001, but here you don't need to?
Is my domain set up badly??

 

 

 

Postscript

A small trick to share: how to type Chinese in command-line mode.

1. Change the locale to zh_TW.UTF-8

Check the locale: # locale

Change the locale: # LANG=zh_TW.UTF-8

2. The terminal you connect with must support Unicode. I use pietty: Options -> Character encoding -> UTF8.

With the New Phonetic input method you can then create folders with Chinese names.
drwxr-xr-x 11 root root 0 5月 21 2008 sys
drwxrwxrwt 4 root root 4096 5月 20 23:49 tmp
drwxr-xr-x 14 root root 4096 4月 16 17:35 usr
drwxr-xr-x 19 root root 4096 4月 16 17:38 var
drwxrwxrwx 4 root root 4096 5月 21 00:00 我的分享

You can also share a directory with a Chinese name
# A publicly accessible directory, but read only, except for people in
# the "staff" group


[我的分享]
path = /中文的分享目錄
public = yes
writable = yes



Some reference material

(excerpted from http://us3.samba.org/samba/docs/using_samba/toc.html)


Port 137   Used for NetBIOS network browsing
Port 138   Used for NetBIOS name service
Port 139   Used for file and printer sharing and other operations
Port 445   Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled




Table 6-2. Samba variables

Variable   Definition
---------  -------------------------------------------------------------------
Client variables
%a         Client's architecture (see Table 6-1)
%I         Client's IP address (e.g., 172.16.1.2)
%m         Client's NetBIOS name
%M         Client's DNS name

User variables
%u         Current Unix username
%U         Requested client username (not always used by Samba)
%H         Home directory of %u
%g         Primary group of %u
%G         Primary group of %U

Share variables
%S         Current share's name
%P         Current share's root directory
%p         Automounter's path to the share's root directory, if different from %P

Server variables
%d         Current server process ID
%h         Samba server's DNS hostname
%L         Samba server's NetBIOS name
%N         Home directory server, from the automount map
%v         Samba version
%D         Domain name

Miscellaneous variables
%R         The SMB protocol level that was negotiated
%T         The current date and time
%$var      The value of environment variable var
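Added example, not part of the excerpt or of Samba itself: an expander for the %-variables above, applied to values such as the post's `template homedir = /home/%U` and `path = /home/%U`, plus a check that the expanded share path stays under /home. The connection context CTX is constructed; the exact variable set Samba expands varies by version.

```python
import os
import re

# Constructed context: the Windows client connecting to adsamba as user 00001
CTX = {
    "U": "00001", "u": "00001", "H": "/home/00001", "G": "domain users",
    "S": "00001", "D": "EXAMPLE", "h": "adsamba", "L": "ADSAMBA",
    "m": "WINXP01", "I": "10.20.5.200", "v": "3.0.25b",
}
_VAR = re.compile(r"%(?:\$(\w+)|(\w))")   # %X or %$VAR

def expand(template, ctx=CTX, env=None):
    """Substitute %X from ctx and %$VAR from the environment. Unknown variables
    are left exactly as written so a typo shows up in the result."""
    env = os.environ if env is None else env
    def sub(m):
        if m.group(1) is not None:            # %$VAR -> environment variable
            return env.get(m.group(1), m.group(0))
        return ctx.get(m.group(2), m.group(0))
    return _VAR.sub(sub, template)

def resolve_path(template, user, base="/home", ctx=CTX):
    """Expand a share path for the requested username (%U) and refuse any
    result that escapes `base`; a defensive check for `path = /home/%U`."""
    path = os.path.normpath(expand(template, dict(ctx, U=user)))
    if os.path.commonpath([base, path]) != base:
        raise ValueError(f"{path!r} escapes {base}")
    return path
```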
