2012-09-15 21:34:10
一、List:
| NO. | HOSTS | IP | OS | Application |
|-----|-------|----|----|-------------|
| 1 | Ad.studios.com | 192.168.0.253 | Win2008 | DNS,AD |
| 2 | Samba.studios.com | 192.168.0.150 | Centos 6.3 | Samba,krb5 |
| 3 | Vc.studios.com | 192.168.0.252 | WIN7 | |
二、Config:
1. Centos 6.3
#service iptables stop
#chkconfig iptables off
(vi /etc/selinux/config and set SELINUX=disabled; this takes effect after the next reboot)
2. #vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = STUDIOS.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
STUDIOS.COM = {
kdc = ad.studios.com:88
admin_server = ad.studios.com:749
default_domain = STUDIOS.COM
}
[domain_realm]
.studios.com = STUDIOS.COM
studios.com = STUDIOS.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
3. Sync time with AD:
#ntpdate -b 192.168.0.253
Test Kerberos authentication against AD:
#service winbind start
#kinit administrator@STUDIOS.COM
4. Samba config :
#vi /etc/samba/smb.conf
######################################################
[global]
workgroup = STUDIOS
netbios name = samba
server string = Samba Server Version %v
realm = STUDIOS.COM
security = ADS
password server = ad.studios.com
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
template shell = /sbin/nologin
template homedir = /var/homes/STUDIOS/%U
winbind offline logon = true
winbind separator = /
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
[homes]
comment = User's Home Directories
path = /var/homes/STUDIOS/%U
valid users = %U
browseable = no
writable = yes
root preexec = /var/homes/buildhome.sh %U %G (后面附)
[FNA] (设置组共享文件)
comment = FNA share files
path = /var/homes/FNA
create mask = 0664
directory mask = 0755
writable = yes
valid users = @fna
write list = @fna
browseable = yes
guest ok = no
######################################################
5. Join Samba to win AD:
[root@samba selinux]# net ads join -U administrator@STUDIOS.COM
Enter administrator@STUDIOS.COM's password:
Using short domain name -- STUDIOS
Joined 'SAMBA' to realm 'studios.com'
[root@samba selinux]#
注:
net ads leave -U (退出AD)
net ads info (查看域信息) net ads 回车,可以看多个选项
6、Config NSS:
#vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
7. Restart services:
#service smb restart
#service winbind restart
8. TEST:
# wbinfo -t
checking the trust secret via RPC calls
succeeded
# wbinfo -u
# wbinfo -g
# getent passwd
# getent group
9. Example: user it01, AD domain STUDIOS, group its
mkdir -p /var/homes/STUDIOS/it01
chown it01:its /var/homes/STUDIOS/it01
setfacl -R -m u:administrator:rwx bob/
这样设置就可以也给了administrator用户读写执行权限了
#getfacl it01
(查看权限)
10. Attached script (buildhome.sh, still under test):
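#!/bin/bash
# buildhome.sh — create a Samba user's home directory on first login.
#
# Invoked by smbd as root through the [homes] share:
#   root preexec = /var/homes/buildhome.sh %U %G
# so $1 and $2 are whatever Samba hands over for the connecting session.
#
# Arguments: $1 - user name (%U)
#            $2 - primary group name (%G)
# Outputs:   diagnostics to stderr
# Returns:   0 if the home already exists or was created, non-zero otherwise
set -eu

readonly home_base=/var/homes/STUDIOS

die() { printf 'buildhome: %s\n' "$*" >&2; exit 1; }

#######################################
# Reject anything that is not a plain single path component.
# The name is appended to home_base, so an empty string, "..", or a
# name containing "/" would let the directory land outside it.
# Arguments: $1 - name to check
# Returns:   0 if acceptable, exits via die otherwise
#######################################
check_path_component() {
  local name=$1
  if [[ -z "$name" || "$name" == */* || "$name" == "." || "$name" == ".." ]]; then
    die "refusing unsafe user name: '$name'"
  fi
}

main() {
  (( $# == 2 )) || die "usage: ${0##*/} user group"
  local user=$1
  local group=$2
  check_path_component "$user"
  [[ -n "$group" ]] || die "group name must not be empty"

  local userhome="$home_base/$user"
  if [[ ! -d "$userhome" ]]; then
    mkdir -p -- "$userhome"
    # Restrict the mode before handing ownership over, so the directory is
    # never world-readable while it exists. (The original did
    # `chmod 700 $home` on an unset variable, so the mode was never set.)
    chmod 700 -- "$userhome"
    chown -- "$user" "$userhome"
    chgrp -- "$group" "$userhome"
  fi
}

main "$@"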