We needed an internal shared network drive so that everyone could exchange files, which meant running a Samba server. Normally a plain Windows file share would do the job, but licensing concerns pushed us to a Linux solution, and that solution also had to authenticate and authorize accounts against the AD domain controller.
## 1 Building and installing Samba

The build steps and dependency resolution are skipped again here. The Samba build was configured with the following options:

```shell
# run from the unpacked Samba source tree
./configure \
    --prefix=/usr/local/samba \
    --with-system-mitkrb5 \
    --with-ldap \
    --with-syslog \
    --with-pam \
    --with-systemd \
    --with-ads \
    --without-ad-dc \
    --with-winbind \
    --enable-debug
```

Note that `--with-system-mitkrb5` is only accepted together with `--without-ad-dc`, which is why both appear above. Add the Samba environment variables:
```shell
# single quotes keep $PATH unexpanded in the file, so it is resolved at login time
echo 'export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH' > /etc/profile.d/samba.sh
source /etc/profile
```

### 1.1 Managing the Samba daemons with systemd
```ini
# /etc/systemd/system/smbd.service
[Unit]
Description=Samba SMB Daemon
After=network.target
# with security = ADS, smbd authenticates through winbindd, so winbindd should be up first

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/smbd -s /usr/local/samba/etc/smb.conf -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -TERM $MAINPID
PIDFile=/usr/local/samba/var/run/smbd.pid
#User=samba
#Group=samba
Restart=always

[Install]
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system/nmbd.service
[Unit]
Description=Samba NetBIOS Name Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/nmbd -s /usr/local/samba/etc/smb.conf -D
PIDFile=/usr/local/samba/var/run/nmbd.pid
#User=samba
#Group=samba
Restart=always

[Install]
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system/winbindd.service
[Unit]
Description=Samba Winbind Daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/winbindd -s /usr/local/samba/etc/smb.conf -D
PIDFile=/usr/local/samba/var/run/winbindd.pid
#User=samba
#Group=samba
Restart=always

[Install]
WantedBy=multi-user.target
```

I originally wanted a Samba + LDAP combination that could authenticate without joining the AD domain, but after many test runs I still could not get account authentication to work over the AD domain controller's LDAP protocol, so in the end I had no choice but to use Samba + AD domain authentication!
## 2 Configuring nsswitch

Edit the `/etc/nsswitch.conf` file:

```
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind   # passwd lookups fall through to winbind
group:          files winbind   # group lookups fall through to winbind
shadow:         files winbind   # shadow lookups fall through to winbind
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

## 3 Configuring krb5
Edit the `/etc/krb5.conf` file:

```ini
[libdefaults]
    default_realm = KOEVN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true       # locate KDCs through the _kerberos._udp SRV records
    rdns = false
    ticket_lifetime = 24h
    forwardable = true

[domain_realm]
    .koevn.com = KOEVN.COM
    koevn.com = KOEVN.COM
```

Then run `dig _kerberos._udp.koevn.com SRV` to check that DNS returns the expected SRV records.
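Because `dns_lookup_kdc = true` makes the Kerberos client depend entirely on those SRV records, it is worth checking more than "something comes back". The script below is an added example (not code from the original post): it takes the output format of `dig +short SRV` (priority, weight, port, target per line), picks the KDC a client would contact first, and flags any record that does not advertise port 88. The sample records are constructed; the realm name defaults to the post's `koevn.com`.

```shell
#!/bin/sh
# Added example: interpret Kerberos SRV records the way a client would.
# The sample output below is constructed, not captured from the post's domain.

# Each `dig +short SRV` line is: priority weight port target
# Lowest priority wins; among equal priorities the highest weight is preferred.
pick_kdc() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Return 0 when every record advertises the standard Kerberos port 88,
# 1 otherwise (a stray port usually means a stale or hand-edited record).
check_kdc_ports() {
    awk '$3 != 88 { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample of what `dig +short SRV _kerberos._udp.koevn.com` might return
SAMPLE_SRV='10 100 88 dc2.koevn.com.
0 100 88 dc1.koevn.com.
0 50 88 dc3.koevn.com.'

kdc_from_sample() {
    printf '%s\n' "$SAMPLE_SRV" | pick_kdc
}

# Live check against real DNS; skipped when dig is not installed.
live_check() {
    realm_dns="${1:-koevn.com}"
    command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping live check"; return 0; }
    out=$(dig +short SRV "_kerberos._udp.$realm_dns")
    [ -n "$out" ] || { echo "no SRV record for _kerberos._udp.$realm_dns"; return 1; }
    printf '%s\n' "$out" | check_kdc_ports || echo "warning: a KDC record uses a non-standard port"
    printf 'first KDC: %s\n' "$(printf '%s\n' "$out" | pick_kdc)"
}

echo "KDC chosen from the constructed sample: $(kdc_from_sample)"
```

Call `live_check koevn.com` on the joined host to run the same logic against the real zone; an empty answer there means `net ads join` will not find a KDC either.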
## 4 Configuring the Samba service

```ini
[global]
    workgroup = KOEVN
    realm = KOEVN.COM           # the original wrote KOEVN.com; Samba upper-cases the realm, shown here to match krb5.conf
    security = ADS

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = template

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config KOEVN : backend = rid
    idmap config KOEVN : range = 10000-999999

    template shell = /bin/false
    template homedir = /nonexistent
    winbind refresh tickets = yes

    log file = /data/samba/logs/samba.log
    log level = 2

[test]
    path = /data/samba/test
    comment = 测试目录
    browseable = yes            # the original listed both "yes" and "no"; Samba keeps the last value, so set it once
    read only = no
    guest ok = no
    hide unreadable = yes
    force group = samba         # the local group "samba" must exist
    create mask = 0660
    directory mask = 0770
    valid users = K95221
    delete readonly = no
```

## 5 Starting Samba and verifying access

### 5.1 Starting Samba
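The two `idmap config ... : range` settings are the part of this file that most often goes wrong: if the default `*` range and the `KOEVN` rid range overlap, winbind can hand out colliding or shifting UIDs. The script below is an added example, not code from the original post; it parses the `range` lines out of an smb.conf with awk and rejects overlapping or inverted ranges. The two configuration files it writes are constructed samples (one copied from the post's values, one deliberately broken).

```shell
#!/bin/sh
# Added example: sanity-check idmap ranges in an smb.conf before starting winbindd.

# Print "name low high" for every "idmap config NAME : range = LOW-HIGH" line.
# Comments (# or ;) are stripped first so a trailing note does not pollute the value.
idmap_ranges() {
    awk -F'=' '
        { sub(/[#;].*$/, "") }
        tolower($1) ~ /^[ \t]*idmap config[ \t]+[^:]+:[ \t]*range[ \t]*$/ {
            name = $1
            sub(/^[ \t]*idmap config[ \t]+/, "", name)
            sub(/[ \t]*:.*$/, "", name)
            split($2, r, "-")
            gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
            print name, r[1], r[2]
        }' "$1"
}

# Return 0 if every range has low < high and no two ranges overlap, 1 otherwise.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        ($2 + 0) >= ($3 + 0) { printf "invalid range for %s: %s-%s\n", $1, $2, $3; bad = 1 }
        { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad + 0
        }'
}

# Constructed sample configs: the first uses the ranges from the post,
# the second overlaps the default range with the domain range.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
    workgroup = KOEVN
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999   ; default range for unknown domains
    idmap config KOEVN : backend = rid
    idmap config KOEVN : range = 10000-999999
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-1999999
    idmap config KOEVN : backend = rid
    idmap config KOEVN : range = 10000-999999
EOF

check_idmap_ranges "$GOOD_CONF" && echo "sample config: ranges ok"
check_idmap_ranges "$BAD_CONF" || echo "broken sample: rejected as expected"
```

Run `check_idmap_ranges /usr/local/samba/etc/smb.conf` on the real file, then `testparm -s` for Samba's own syntax check; the range check catches a mistake `testparm` accepts silently.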
```shell
systemctl start smbd.service && systemctl start nmbd.service && systemctl start winbindd.service
```

### 5.2 Joining the AD domain

Join the current Linux host to the AD domain; it is best to set the hostname first, because that name becomes the computer account.
```shell
net ads join -U ldap@KOEVN.COM
```

{% note warning %}
This account must have permission to join computers to the domain; otherwise the join keeps failing!
{% endnote %}
On success you will see the message `Joined 'hostname' to realm 'KOEVN.COM'`.

Verify that the account maps correctly:

```shell
wbinfo -n K95221   # returns the account's SID
wbinfo -S <SID>    # returns the UID for that SID; if this lookup fails, authentication to the share fails too
```

Copy the libnss_winbind library into the system library directory:
```shell
cp /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
cd /lib/x86_64-linux-gnu/
ln -sf libnss_winbind.so.2 libnss_winbind.so
```

⚠️ Note: I was misled earlier by the value returned by `wbinfo -S SID`. I was using AD domain authentication and got stuck thinking I had to create local Linux users with a one-to-one mapping to the AD users. That is not needed at all; the key is the `idmap` settings in the smb configuration file, which automatically map the AD account's sAMAccountName to a UID, so when a user uploads a file to the Samba share, the file's owner is the AD account named by its sAMAccountName attribute.
Once the checks above pass, the shared directory should be accessible.
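The `wbinfo -n` / `wbinfo -S` check and the note about `idmap` above can be tied together: with the `rid` backend, winbind derives the UID deterministically as `RID - base_rid + low_range` (the idmap_rid rule; `base_rid` defaults to 0), so for the post's `KOEVN` range the account with RID 1105 must come back as UID 11105, and any RID above 989999 falls outside the range and will not map. The script below is an added example, not code from the original post: it computes the expected UID from a SID, checks that it lies inside the configured range, and, when `wbinfo` is present on a joined host, compares that against the live answers plus an NSS lookup through `getent`. The SID in the test is constructed; the user name and range are the ones from the post.

```shell
#!/bin/sh
# Added example: check that winbind's SID -> UID mapping matches the idmap_rid rule
# and that NSS (nsswitch.conf + libnss_winbind) can see the same account.

# The RID is the last dash-separated component of a SID.
sid_rid() {
    printf '%s\n' "$1" | awk -F'-' '{ print $NF }'
}

# Expected UID under idmap_rid: RID - base_rid + low_range (base_rid defaults to 0).
expected_rid_uid() {   # sid low_range [base_rid]
    rid=$(sid_rid "$1")
    echo $(( rid - ${3:-0} + $2 ))
}

# Return 0 when uid lies inside low..high, 1 otherwise.
uid_in_range() {       # uid low high
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Live check on a joined host; skipped cleanly where wbinfo is not installed.
verify_user() {        # user low high
    user="$1"; low="$2"; high="$3"
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found, skipping live check"; return 0; }
    wbinfo -t >/dev/null 2>&1 || { echo "trust secret check failed: is the host joined?"; return 1; }
    sid=$(wbinfo -n "$user" | awk '{ print $1 }')   # first field of "S-1-5-21-... SID_USER (1)"
    [ -n "$sid" ] || { echo "cannot resolve $user to a SID"; return 1; }
    uid=$(wbinfo -S "$sid") || { echo "cannot map $sid to a UID"; return 1; }
    want=$(expected_rid_uid "$sid" "$low")
    uid_in_range "$uid" "$low" "$high" || { echo "UID $uid is outside idmap range $low-$high"; return 1; }
    [ "$uid" = "$want" ] || echo "note: UID $uid differs from the rid formula ($want); non-zero base_rid?"
    getent passwd "$user" >/dev/null || { echo "NSS cannot see $user: check nsswitch.conf and libnss_winbind"; return 1; }
    echo "$user -> $sid -> uid $uid (NSS lookup ok)"
}

# Offline demonstration with a constructed SID and the post's KOEVN range 10000-999999
DEMO_SID='S-1-5-21-1111-2222-3333-1105'
echo "constructed $DEMO_SID maps to uid $(expected_rid_uid "$DEMO_SID" 10000) under idmap_rid"
verify_user K95221 10000 999999
```

If the UID from `wbinfo -S` matches the formula and `getent passwd` succeeds, files created through the share will carry that UID, which is exactly the sAMAccountName-to-owner behaviour described in the note above.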