Because everyone internally needs a shared network disk, a Samba service is required. Normally this could be done with Windows file sharing, but because of licensing issues Linux is used instead, which means AD domain account authentication and authorization must also be solved.
1 Compile and install Samba

The compilation and installation steps (including resolving dependencies) are skipped here. Samba was compiled and installed with the following configure parameters:

```sh
./configure --prefix=/usr/local/samba \
  --with-system-mitkrb5 \
  --with-ldap \
  --with-syslog \
  --with-pam \
  --with-systemd \
  --with-ads \
  --without-ad-dc \
  --with-winbind \
  --enable-debug
```

Add the Samba environment variables:

```sh
# single quotes so that $PATH is expanded at login time rather than baked in when the file is written
echo 'export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH' > /etc/profile.d/samba.sh
source /etc/profile
```

1.1 Configure samba management startup service
```ini
# cat /etc/systemd/system/smbd.service
[Unit]
Description=Samba SMB Daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/smbd -s /usr/local/samba/etc/smb.conf -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -TERM $MAINPID
PIDFile=/usr/local/samba/var/run/smbd.pid
#User=samba
#Group=samba
Restart=always

[Install]
WantedBy=multi-user.target
```

```ini
# cat /etc/systemd/system/nmbd.service
[Unit]
Description=Samba NetBIOS Name Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/nmbd -s /usr/local/samba/etc/smb.conf -D
PIDFile=/usr/local/samba/var/run/nmbd.pid
#User=samba
#Group=samba
Restart=always

[Install]
WantedBy=multi-user.target
```

```ini
# cat /etc/systemd/system/winbindd.service
[Unit]
Description=Samba Winbind Daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/winbindd -s /usr/local/samba/etc/smb.conf -D
PIDFile=/usr/local/samba/var/run/winbindd.pid
#User=samba
#Group=samba
Restart=always

[Install]
WantedBy=multi-user.target
```

At first I wanted to use a Samba + LDAP combination so that authentication could work without joining the AD domain controller. However, after many tests I still couldn't complete account authentication against the AD domain controller over the LDAP protocol. In the end I had no choice but to use Samba + AD domain controller authentication!
2 Setting up nsswitch configuration
Edit the /etc/nsswitch.conf configuration file
```
## Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:    files winbind   # passwd lookups are also handled by winbind
group:     files winbind   # group lookups are also handled by winbind
shadow:    files winbind   # shadow lookups are also handled by winbind
gshadow:   files systemd

hosts:     files dns
networks:  files

protocols: db files
services:  db files
ethers:    db files
rpc:       db files

netgroup:  nis
```

3 Setting up krb5 configuration
Edit the /etc/krb5.conf configuration file
```ini
[libdefaults]
    default_realm = KOEVN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = true

[domain_realm]
    .koevn.com = KOEVN.COM
    koevn.com = KOEVN.COM
```

Then run `dig _kerberos._udp.koevn.com SRV` to check that the Kerberos SRV record resolves normally.
4 Configure samba service
```ini
[global]
    workgroup = KOEVN
    realm = KOEVN.com
    security = ADS

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = template

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config KOEVN : backend = rid
    idmap config KOEVN : range = 10000-999999

    template shell = /bin/false
    template homedir = /nonexistent
    winbind refresh tickets = yes

    log file = /data/samba/logs/samba.log
    log level = 2

[test]
    path = /data/samba/test
    comment = Test Directory
    browseable = yes
    # duplicate parameter: Samba takes the last value given, so the share ends up not browseable
    browseable = no
    read only = no
    guest ok = no
    hide unreadable = yes
    force group = samba
    create mask = 0660
    directory mask = 0770
    valid users = K95221
    delete readonly = no
```

5 Start samba and verify access

5.1 Start samba
```sh
systemctl start smbd.service && systemctl start nmbd.service && systemctl start winbindd.service
```

5.2 Join AD domain controller

Add the current Linux host to the AD domain controller. It is best to change the host name first.

```sh
net ads join -U ldap@KOEVN.COM
```

{% note warning %}
This account needs to have the permission to join hosts to the domain, and joining the domain has always failed!
{% endnote %}
If the join succeeds, you will see the message `Joined 'hostname' to realm 'KOEVN.COM'`.
Verify that the account is mapped correctly:

```sh
wbinfo -n K95221   # returns the SID of the account
wbinfo -S <SID>    # returns the UID mapped to that SID; if this lookup fails, authentication to the shared directory fails directly
```

Add the libnss_winbind library file to the system library directory:

```sh
cp /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
cd /lib/x86_64-linux-gnu/
ln -sf libnss_winbind.so.2 libnss_winbind.so
```

⚠️ Note: I was previously misled by the `wbinfo -S SID` value. I was using an AD domain controller for authentication, and ended up needing to create a one-to-one mapping between Linux local users and AD domain controller users. This isn't necessary. The key issue lies in the `idmap` configuration item in the SMB configuration file. It automatically maps the AD domain controller account's `sAMAccountName` to a UID. Therefore, when a user uploads a file to a Samba share, the file owner becomes the account in the AD domain controller's `sAMAccountName` attribute.
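To make that mapping concrete, here is an added example (not code from the post) that reproduces the `idmap_rid` arithmetic for the `KOEVN` range in the smb.conf above, so a SID returned by `wbinfo -n` can be checked against the configured range before `wbinfo -S` is expected to succeed. The domain SID is a constructed placeholder; a real deployment would take it from `net getdomainsid`.

```python
import re

# Constructed placeholder domain SID and the KOEVN range copied from the smb.conf
# above. The '*' tdb range (1000000-1999999) is used by winbind for SIDs from
# other domains; that allocation is not deterministic and is not reproduced here.
IDMAP_CONFIG = {
    "KOEVN": {
        "backend": "rid",
        "range": (10000, 999999),
        "domain_sid": "S-1-5-21-1111111111-2222222222-3333333333",
    },
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid)."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def rid_to_uid(sid, config=IDMAP_CONFIG):
    """Map a SID to a UID the way idmap_rid does: UID = RID + LOW_RANGE.

    Returns None when winbind could not produce a UID from this config:
    either the SID belongs to a domain with no rid backend, or the computed
    UID falls outside the configured range. In both cases `wbinfo -S` on
    the SID fails and access to the share is denied for that account.
    """
    domain_sid, rid = split_sid(sid)
    for cfg in config.values():
        if cfg["backend"] == "rid" and cfg["domain_sid"] == domain_sid:
            low, high = cfg["range"]
            uid = rid + low  # idmap_rid formula with the default BASE_RID of 0
            return uid if low <= uid <= high else None
    return None


if __name__ == "__main__":
    # Constructed sample: a normal user RID, an RID too large for the range,
    # and a SID from a different (unconfigured) domain.
    for s in ("S-1-5-21-1111111111-2222222222-3333333333-1105",
              "S-1-5-21-1111111111-2222222222-3333333333-995000",
              "S-1-5-21-9999999999-8888888888-7777777777-1105"):
        print(s, "->", rid_to_uid(s))
```

Any account whose RID is above 989999 will not fit the page's 10000-999999 range, which is exactly the case where `wbinfo -S` fails even though `wbinfo -n` returned a SID.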
Once the above verification succeeds, you should be able to access the shared directory.