Windows AD域使用Linux Samba
1. 初始化配置
1.1 初始化配置
配置服务器名
hostnamectl set-hostname samba.sh.pana.cn
hosts文件配置,确保正常解析到本机和域控
[root@centos7 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 samba.sh.pana.cn
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 samba.sh.pana.cn
192.168.31.104 samba.sh.pana.cn
192.168.31.101 ad.sh.pana.cn
确保域控为dns
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search sh.pana.cn
nameserver 192.168.31.101
[root@centos7 ~]# grep DNS /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.31.101
禁用selinux
[root@samba ~]# sed -ir 's#=enforcing#=disabled#g' /etc/selinux/config
[root@samba ~]# grubby --update-kernel ALL --args selinux=0
配置防火墙(或者直接关闭防火墙)
[root@samba ~]# firewall-cmd --permanent --add-service=samba
success
[root@samba ~]# firewall-cmd --reload
success
[root@samba ~]# systemctl stop firewalld && systemctl disable --now firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
1.2 Yum仓库
可以使用光盘镜像仓库或者云yum仓库
[root@centos7 ~]# mount /dev/sr0 /media/
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos7 ~]# cat /etc/yum.repos.d/centos7.repo
[centos7]
name=centos7
baseurl=file:///media/
gpgcheck=0
[root@centos7 ~]# yum makecache
Loaded plugins: fastestmirror
Determining fastest mirrors
centos7 | 3.6 kB 00:00:00
(1/4): centos7/group_gz | 153 kB 00:00:00
(2/4): centos7/primary_db | 6.1 MB 00:00:00
(3/4): centos7/filelists_db | 7.2 MB 00:00:00
(4/4): centos7/other_db | 2.6 MB 00:00:00
Metadata Cache Created
2. 安装Samba
[root@samba BaseOS]# yum install -y samba samba-client* samba-winbind* samba-swat* \
samba-common-tools realmd adcli sssd oddjob oddjob-mkhomedir \
samba-common-tools krb5-workstation authselect-compat vim
3. 将Samba服务器加入域
发现网络中的域
[root@samba ~]# realm list
[root@samba ~]# realm discover ad.sh.pana.cn
sh.papa.cn
type: kerberos
realm-name: SH.PAPA.CN
domain-name: sh.papa.cn
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
扫描域是否可达
[root@centos7 ~]# realm join --user=Administrator ad.sh.pana.cn
Password for Administrator:
## 确认加域成功
[root@centos7 ~]# realm list
sh.papa.cn
type: kerberos
realm-name: SH.PAPA.CN
domain-name: sh.papa.cn
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@sh.papa.cn
login-policy: allow-realm-logins
将Samba服务器加入pana域
[root@samba ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SH
Joined 'SAMBA' to dns domain 'sh.papa.cn'
DNS update failed: NT_STATUS_UNSUCCESSFUL
[root@samba ~]# systemctl restart winbind
[root@samba ~]# wbinfo -t
checking the trust secret for domain SH via RPC calls succeeded
[root@samba ~]# wbinfo -u
administrator
guest
krbtgt
samba
此时在ad服务器上可以看到samba服务器已经加入
4. Samba配置
[root@samba BaseOS]# mkdir -p /samba/data
[root@samba BaseOS]# chmod -R a+rw /samba/data
4.1 配置文件smb.conf
/etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SH
realm = sh.papa.cn
security = ADS
password server = 192.168.31.101
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
template shell = /bin/bash
winbind separator = /
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[share]
comment = Home Directories
path=/samba/data
browseable = yes
writable = yes
valid users = samba
4.2 配置文件nsswitch.conf
/etc/nsswitch.conf
[root@centos7 ~]# sed -ir 's#^passwd:.*#passwd: files winbind#g' /etc/nsswitch.conf
[root@centos7 ~]# sed -ir 's#^group:.*#group: files winbind#g' /etc/nsswitch.conf
[root@centos7 ~]# sed -ir '/^shadow/d' /etc/nsswitch.conf
4.3 修改配置文件krb5.conf
/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = SH.PAPA.CN
[realms]
## 修改以下4行
SH.PAPA.CN = {
kdc = 192.168.31.101:88
defautl_domain = SH.PAPA.CN
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
sh.papa.cn = SH.PAPA.CN
.sh.papa.cn = SH.PAPA.CN
4.4 重启samba服务
[root@samba ~]# systemctl enable --now smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@samba ~]# systemctl restart smb
5. Windows域服务器访问Samba
5.1 确保网络正常
C:\Users\Administrator>ping samba.sh.pana.cn
正在 Ping samba.sh.pana.cn [192.168.31.104] 具有 32 字节的数据:
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
192.168.31.104 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
C:\Users\Administrator>
5.2 访问Samba
输入域用户名密码
用户名取决于/etc/samba/smb.conf中share中的valid user
此时就能在samba上正常创建和删除文件了
此时在samba服务器下也能看到此文件
[root@samba ~]# ls /samba/data/
111.bmp
