Chinaunix首页 | 论坛 | 博客
  • 博客访问: 178165
  • 博文数量: 18
  • 博客积分: 804
  • 博客等级: 军士长
  • 技术积分: 220
  • 用 户 组: 普通用户
  • 注册时间: 2007-02-01 13:30
文章分类

全部博文(18)

文章存档

2015年(1)

2012年(2)

2011年(1)

2010年(2)

2009年(12)

分类: LINUX

2012-09-15 21:34:10

一、List:

NO.

HOSTS

IP

OS

Application

1

Ad.studios.com

192.168.0.253

Win2008

DNS,AD

2

Samba.studios.com

192.168.0.150

Centos 6.3

Samba,krb5

3

Vc.studios.com

192.168.0.252

WIN7

 


二、Config
1. Centos 6.3

#service iptables stop

#chkconfig iptables off

(vi /etc/selinux/config SELINUX=disabled)
2. #vi /etc/krb5.conf
  [logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

 default_realm = STUDIOS.COM

 dns_lookup_realm = false

 dns_lookup_kdc = false

 ticket_lifetime = 24h

 renew_lifetime = 7d

 forwardable = true

 

[realms]

 STUDIOS.COM = {

  kdc = ad.studios.com:88

  admin_server = ad.studios.com:749

  default_domain = STUDIOS.COM

 }

[domain_realm]

 .studios.com = STUDIOS.COM

 studios.com = STUDIOS.COM

[appdefaults]

 pam = {

   debug = false

   ticket_lifetime = 36000

   renew_lifetime = 36000

   forwardable = true

   krb4_convert = false

}

3. sync time with ad :
#ntpdate -b 192.168.0.253
test with ad:

#service winbind start

#kinit administrator@STUDIOS.COM
4. Samba config

#vi /etc/samba/smb.conf

######################################################
[global]

workgroup = STUDIOS

        netbios name = samba

        server string = Samba Server Version %v       

realm = STUDIOS.COM

        security = ADS       

password server = ad.studios.com

        idmap uid = 10000 - 20000

        idmap gid = 10000 - 20000      

template shell = /sbin/nologin

        template homedir = /var/homes/STUDIOS /%U

              winbind offline logon = true      

winbind separator = /

        winbind use default domain = yes

        winbind enum users = yes

        winbind enum groups = yes

        encrypt passwords = yes

[homes]

        comment = User's Home Directories

        path = /var/homes/STUDIOS/%U

        valid users = %U

        browseable = no

        writable = yes

        root preexec = /var/homes/buildhome.sh %U %G    (后面附)

[FNA] (设置组共享文件)

        comment = FNA share files

        path = /var/homes/FNA

        create mask = 0664

        directory mask = 0755

        writable = yes

        valid users = @fna

        write list = @fna

        browseable = yes

        guest ok = no

 

######################################################5.Join Samba to win AD
 [root@samba selinux]# net ads join -U administrator@STUDIOS.COM

Enter administrator@STUDIOS.COM's password:

Using short domain name -- STUDIOS

Joined 'SAMBA' to realm 'studios.com'

[root@samba selinux]#
注:

net ads leave -U (退出AD)
net ads info
(查看域信息)      net ads 回车,可以看多个选项

6
Config NSS:
#vi /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
7. Restart services:
  #service smb restart
  #service winbind restart

8. TEST

# wbinfo -t                  
checking the trust secret via RPC calls succeeded
# wbinfo -u
# wbinfo -g
# getent passwd 

# getent group   

9.  
Such as
User:it01; AD:STUDIOS; group:its
mkdir -p /var/homes/STUDIOS/it01
chown it01:its /var/homes/STUDIOS/it01
setfacl -R -m u:administrator:rwx bob/
这样设置就可以也给了administrator用户读写执行权限了
#getfacl it01         (
查看权限)
10. Addition to script:(Test
)

 

#!/bin/bash

user=$1

group=$2

userhome=/var/homes/STUDIOS/$1

if [ ! -d $userhome ] ; then

   mkdir -p $userhome

   chown $user $userhome

   chgrp $group $userhome

   chmod 700 $home

fi

阅读(4469) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~