Chinaunix首页 | 论坛 | 博客
  • 博客访问: 10736295
  • 博文数量: 2905
  • 博客积分: 20098
  • 博客等级: 上将
  • 技术积分: 36298
  • 用 户 组: 普通用户
  • 注册时间: 2009-03-23 05:00
文章存档

2012年(1)

2011年(3)

2009年(2901)

分类: LINUX

2009-03-23 11:11:36

Set up samba on linux server

Linux must be configured in order to belong to a Windows domain. This is done by using the Samba file server which offers several interesting tools. The goal is not to create a Samba file server but only to use some tools which come with this server.
Samba server contains among others the following components:
  • Winbind, a daemon which permits connectivity to Windows -NT environment.
  • Ntlm_auth, a tool which uses winbind for evaluating NTLM (NT Lan Manager) requests. This tool allows verifying user credentials on the domain controller and returns either a success or an error message.
Please have a look at your Linux box and check if Samba is already installed.
[root@siptest ]# rpm -q samba
samba-3.0.28-0.el5.8
To ensure samba could support LDAP,KRB,ADS and WINBIND, run following commands to check samba build options
~#smbd -b | grep LDAP
~#smbd -b | grep KRB
~#smbd -b | grep ADS
~#smbd -b | grep WINBIND
pleaes make sure the time is identical to the DC's  (the maximum offset time is 5 mins)
~#ntpdate 172.18.8.10
Key config. files for samba
[smb.conf] 
[root@siptest ~]# cat /etc/samba/smb.conf |sed '/ *#/d; / *;/d; /^ *$/d'
[global]
   workgroup = 800BEST
   password server = 172.18.8.10
   realm = 800BEST.NET
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = true
   winbind offline logon = false
        server string = Samba Server Version %v
        passdb backend = tdbsam
        load printers = yes
        cups options = raw
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
[krb5.conf] 
 (Watch out for case sensitivity) //注意大小写
 [root@siptest ~]# cat /etc/krb5.conf |sed '/ *#/d; /^ *$/d'
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = 800BEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 800BEST.NET = {
  kdc = 172.18.8.10:88
  admin_server = 172.18.8.10:749
  default_domain = 800BEST.NET
 }
 800BEST = {
  kdc = 172.18.8.10
 }
[domain_realm]
 .800best.net = 800BEST.NET
 800best.net = 800BEST.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[nsswitch.conf ]
[root@siptest ~]# cat /etc/nsswitch.conf |sed '/ *#/d; /^ *$/d'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

[Steps -- how to join to domain]

1.
kinit--- obtain and cache Kerberos ticket-granting ticket
kinit
[root@siptest etc]# kinit
[root@siptest etc]#Password for :
[root@siptest etc]#
it works well
2.
Verify if the Samba service is running by typing: ps -ef | grep nmbd
~#ps -ef | grep smbd
3.
Execute the following command line (you must be connected as root)
~#net join -U Administrator
Administrator is the name of the domain controller admin. Enter your password when prompted. If everything works fine, the Linux server has been registered to the Windows domain.
4. 
Verify now if the winbindd daemon is running:
~#ps -ef | grep winbindd 
check trust has been established between samba and AD:
~#wbinfo -t
checking the trust secret via RPC calls succeeded

5.
Try next if you can authenticate a user from the domain: ~#wbinfo -a user%password  
e.g ~#wbinfo -a bl00250%Iloveyou~!@#$%
challenge/response password authentication succeeded
6. 
Type the following line:
root@siptest# ntlm_auth --request-nt-key --domain= --username=
For me, the command would look like this:
[root@siptest]# ntlm_auth --request-nt-key --domain=800BEST --username=bl00250
[root@siptest ~]# ntlm_auth --request-nt-key --domain=800BEST --username=bl00250
password:
NT_STATUS_OK: Success (0x0)

WARNING!!!
When called by radiusd - thus directly setting the challenge value - the ntlm_auth program needs permission to access winbindd's winbindd_privileged directory (somewhere under /var). According to my experiences read access will suffice.
The radiusd.conf file sets the uid and gid your radiusd process will run as (by the user and group directives, respectively). The ntlm_auth process will have the same identity. If your filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions, in case your disribution's default setting were insufficient. If radiusd runs as the user radiusd for example, then you should use setfacl the following way:
setfacl -m u:radiusd:rx winbindd_privileged
Or something like that. See
阅读(951) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~