Windows AD域使用Linux Samba
1. 初始化配置
1.1 初始化配置
配置服务器名
hostnamectl set-hostname samba.sh.pana.cn
hosts文件配置,确保正常解析到本机和域控
[root@centos7 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 samba.sh.pana.cn
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 samba.sh.pana.cn
192.168.31.104 samba.sh.pana.cn
192.168.31.101 ad.sh.pana.cn
确保域控为dns
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search sh.pana.cn
nameserver 192.168.31.101
[root@centos7 ~]# grep DNS /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.31.101
禁用selinux
[root@samba ~]# sed -ir 's#=enforcing#=disabled#g' /etc/selinux/config
[root@samba ~]# grubby --update-kernel ALL --args selinux=0
配置防火墙(或者直接关闭防火墙)
[root@samba ~]# firewall-cmd --permanent --add-service=samba
success
[root@samba ~]# firewall-cmd --reload
success
[root@samba ~]# systemctl stop firewalld && systemctl disable --now firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
1.2 Yum仓库
可以使用光盘镜像仓库或者云yum仓库
[root@centos7 ~]# mount /dev/sr0 /media/
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos7 ~]# cat /etc/yum.repos.d/centos7.repo
[centos7]
name=centos7
baseurl=file:///media/
gpgcheck=0
[root@centos7 ~]# yum makecache
Loaded plugins: fastestmirror
Determining fastest mirrors
centos7 | 3.6 kB 00:00:00
(1/4): centos7/group_gz | 153 kB 00:00:00
(2/4): centos7/primary_db | 6.1 MB 00:00:00
(3/4): centos7/filelists_db | 7.2 MB 00:00:00
(4/4): centos7/other_db | 2.6 MB 00:00:00
Metadata Cache Created
2. 安装Samba
[root@samba BaseOS]# yum install -y samba samba-client* samba-winbind* samba-swat* \samba-common-tools realmd adcli sssd oddjob oddjob-mkhomedir \samba-common-tools krb5-workstation authselect-compat vim
3. 将Samba服务器加入域
发现网络中的域
[root@samba ~]# realm list
[root@samba ~]# realm discover ad.sh.pana.cn
sh.papa.cntype: kerberosrealm-name: SH.PAPA.CNdomain-name: sh.papa.cnconfigured: noserver-software: active-directoryclient-software: sssdrequired-package: oddjobrequired-package: oddjob-mkhomedirrequired-package: sssdrequired-package: adclirequired-package: samba-common-tools
扫描域是否可达
[root@centos7 ~]# realm join --user=Administrator ad.sh.pana.cn
Password for Administrator:
## 确认加域成功
[root@centos7 ~]# realm list
sh.papa.cntype: kerberosrealm-name: SH.PAPA.CNdomain-name: sh.papa.cnconfigured: kerberos-memberserver-software: active-directoryclient-software: sssdrequired-package: oddjobrequired-package: oddjob-mkhomedirrequired-package: sssdrequired-package: adclirequired-package: samba-common-toolslogin-formats: %U@sh.papa.cnlogin-policy: allow-realm-logins
将Samba服务器加入pana域
[root@samba ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SH
Joined 'SAMBA' to dns domain 'sh.papa.cn'
DNS update failed: NT_STATUS_UNSUCCESSFUL
[root@samba ~]# systemctl restart winbind
[root@samba ~]# wbinfo -t
checking the trust secret for domain SH via RPC calls succeeded
[root@samba ~]# wbinfo -u
administrator
guest
krbtgt
samba
此时在ad服务器上可以看到samba服务器已经加入
4. Samba配置
[root@samba BaseOS]# mkdir -p /samba/data
[root@samba BaseOS]# chmod -R a+rw /samba/data
4.1 配置文件smb.conf
/etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]workgroup = SHrealm = sh.papa.cnsecurity = ADSpassword server = 192.168.31.101idmap uid = 10000 - 20000idmap gid = 10000 - 20000template shell = /bin/bashwinbind separator = /winbind use default domain = yeswinbind enum users = yeswinbind enum groups = yesencrypt passwords = yesprinting = cupsprintcap name = cupsload printers = yescups options = raw[homes]comment = Home Directoriesvalid users = %S, %D%w%Sbrowseable = Noread only = Noinherit acls = Yes[printers]comment = All Printerspath = /var/tmpprintable = Yescreate mask = 0600browseable = No[print$]comment = Printer Driverspath = /var/lib/samba/driverswrite list = @printadmin rootforce group = @printadmincreate mask = 0664directory mask = 0775
[share]comment = Home Directoriespath=/samba/databrowseable = yeswritable = yesvalid users = samba
4.2 配置文件nsswitch.conf
/etc/nsswitch.conf
[root@centos7 ~]# sed -ir 's#^passwd:.*#passwd: files winbind#g' /etc/nsswitch.conf
[root@centos7 ~]# sed -ir 's#^group:.*#group: files winbind#g' /etc/nsswitch.conf
[root@centos7 ~]# sed -ir '/^shadow/d' /etc/nsswitch.conf
4.3 修改配置文件krb5.conf
/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]default = FILE:/var/log/krb5libs.logkdc = FILE:/var/log/krb5kdc.logadmin_server = FILE:/var/log/kadmind.log[libdefaults]dns_lookup_realm = falseticket_lifetime = 24hrenew_lifetime = 7dforwardable = truerdns = false
# default_realm = EXAMPLE.COMdefault_ccache_name = KEYRING:persistent:%{uid}default_realm = SH.PAPA.CN
[realms]
## 修改以下4行SH.PAPA.CN = {kdc = 192.168.31.101:88defautl_domain = SH.PAPA.CN}[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COMsh.papa.cn = SH.PAPA.CN.sh.papa.cn = SH.PAPA.CN
4.4 重启samba服务
[root@samba ~]# systemctl enable --now smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@samba ~]# systemctl restart smb
5. Windows域服务器访问Samba
5.1 确保网络正常
C:\Users\Administrator>ping samba.sh.pana.cn正在 Ping samba.sh.pana.cn [192.168.31.104] 具有 32 字节的数据:
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.31.104 的回复: 字节=32 时间<1ms TTL=64192.168.31.104 的 Ping 统计信息:数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):最短 = 0ms,最长 = 0ms,平均 = 0msC:\Users\Administrator>
5.2 访问Samba
输入域用户名密码
用户名取决于/etc/samba/smb.conf中share中的valid user
此时就能在samba上正常创建和删除文件了
此时在samba服务器下也能看到此文件
[root@samba ~]# ls /samba/data/
111.bmp
