二、配置
我们先从简单入手,暂时不涉及集成LDAP部分,以smbpasswd作为域的后台数据库。
1、测试平台
主机操作系统:红旗 DC Server 5.0 for x86
Samba版本:3.0.14a-25AX
客户机:Windows XP SP2
2、修改/etc/samba/smb.conf为:
重要的配置会标识出来,其他配置请参考[原]Samba 3.0的简单配置。下面#和;号开头的都是注释。
#==========Global Settings ==========
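[global]
# In a domain setup "workgroup" is the NT domain name this server controls.
workgroup = linuxfly
# NetBIOS name under which Windows clients address this server.
netbios name = domain
# server string is the equivalent of the NT Description field
server string = Samba Server
# Character sets: Unix filesystem side, legacy DOS clients, local display.
unix charset = GB18030
dos charset = CP936
display charset = GB18030
# You can choose the kind of password information database.
# passdb backend = smbpasswd / tdbsam / ldapsam:ldap://ldap-server
# smbpasswd is used here; tdbsam or an LDAP backend are the alternatives.
# The smbpasswd file stores NT password hashes, which are password
# equivalents for SMB authentication: keep it owned by root, mode 0600.
passdb backend = smbpasswd
;passdb backend = tdbsam
# Use CUPS as the print subsystem.
printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/log.smbd
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Important: a domain controller authenticates users itself, so this
# must be "user" mode.
security = user
# Use password server option only with security = server
# If an existing Windows domain should authenticate instead, set
# security = server and point "password server" at its domain controller.
; password server =
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
# Leave both disabled: every level multiplies the case variants Samba
# will accept and weakens the effective password.
; password level = 8
; username level = 8
# Enabling the settings below keeps the SMB and Linux passwords in sync.
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
# To let a Windows client change the Linux password as well, the
# parameters above must be active and the three below must be set.
# "passwd program" is invoked by smbd with root privilege; keep the
# command fixed and let only %u (user) and %n (new password) vary.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers
# Per-machine settings can be pulled in here; %m is the client's NetBIOS
# name, i.e. a value chosen by the connecting client, so if this is
# enabled only files you created yourself should exist under that pattern.
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m
# Socket tuning parameters.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
os level = 33
# To act as the domain controller all three of the following must be yes.
domain master = yes
preferred master = yes
domain logons = yes
# A script the client runs after logon can be named here; %U is the
# logon user name.
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
logon script = %U.bat
# Logon parameters: "logon path" is where roaming profiles are stored,
# "logon drive" maps the user's Linux home directory to a Windows drive
# letter, and "logon home" is the Win95-era counterpart of logon path.
# %L expands to the name this server was contacted as, so both UNC paths
# point back to this host.
# The share named in "logon path" must be defined further down.
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U\winprofile
# Act as a WINS server.
wins support = yes
# Linux is case sensitive; drop case distinctions so Windows clients do
# not hit errors.
preserve case = no
short preserve case = no
case sensitive = no
# These options adjust time operations to CIFS server
dos filetime resolution = yes
dos filetimes = yes
# The scripts below let SRVTOOLS.EXE / usrmgr on Windows create and delete
# users, groups and machine accounts. Each runs as root with a
# client-supplied name substituted in, so enable only the ones needed.
# These scripts are used for usrmgr.
# If you are using ldapsam, you must change from TDB to LDAP.
;add user script = /usr/sbin/useradd -m %u
;delete user script = /usr/sbin/userdel -r %u
;add group script = /usr/sbin/groupadd %g
;delete group script = /usr/sbin/groupdel %g
;add user to group script = /usr/sbin/groupmod -A %u %g
;delete user from group script = /usr/sbin/groupmod -R %u %g
;add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
# winbind / idmap settings (these still belong to [global]).
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
#========== Share Definitions ==========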
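[homes]
comment = Home Directories
browseable = no
writable = yes
# Restrict each home share to its own user. %S is the share name, which
# for [homes] is the user name; without this any authenticated domain
# user can connect to \\server\<other user> and is stopped only by the
# Unix permissions of that home directory.
valid users = %S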
# netlogon holds the DOS/batch logon scripts clients run after logon.
[netlogon]
comment = Network Logon Service
path = /home/netlogon
# Scripts are served read-only without share-mode locking; "public"
# (synonym of "guest ok") lets clients read them without authenticating.
read only = yes
share modes = no
public = yes
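# Profiles holds the users' roaming profiles; the share must be writable
# by the profile's owner.
[Profiles]
path = /home/profiles
browseable = no
# A profile is applied at its owner's next logon, so it must not be
# writable anonymously: only authenticated domain users may connect.
# (Earlier versions of this file had guest ok = yes here.)
guest ok = no
read only = no
# Files and directories created through the share are private to the
# owning user.
create mask = 0600
directory mask = 0700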
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
# Hidden from browse lists, no anonymous printing ("public" is a synonym
# of "guest ok"; set it to yes to let the guest account print), and the
# spool directory is not exposed as a writable file share.
browseable = no
public = no
read only = yes
# Samba stores the printer drivers for Windows in this share.
[print$]
comment = Printer Drivers Download Area
path = /var/samba/printer
# Drivers are downloadable by anyone, including unauthenticated clients;
# nobody can upload unless the write list below is enabled.
browseable = yes
public = yes
writable = no
; write list = root, @staff
# A public directory whose permissions can be adjusted as needed. As set
# here, members of group staff may write; everyone else, including
# unauthenticated guests, gets read-only access.
[public]
comment = Public Stuff
path = /home/public
guest ok = yes
writable = no
write list = @staff
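[global]
# In a domain setup "workgroup" is the NT domain name this server controls.
workgroup = linuxfly
# NetBIOS name under which Windows clients address this server.
netbios name = domain
# server string is the equivalent of the NT Description field
server string = Samba Server
# Character sets: Unix filesystem side, legacy DOS clients, local display.
unix charset = GB18030
dos charset = CP936
display charset = GB18030
# You can choose the kind of password information database.
# passdb backend = smbpasswd / tdbsam / ldapsam:ldap://ldap-server
# smbpasswd is used here; tdbsam or an LDAP backend are the alternatives.
# The smbpasswd file stores NT password hashes, which are password
# equivalents for SMB authentication: keep it owned by root, mode 0600.
passdb backend = smbpasswd
;passdb backend = tdbsam
# Use CUPS as the print subsystem.
printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/log.smbd
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Important: a domain controller authenticates users itself, so this
# must be "user" mode.
security = user
# Use password server option only with security = server
# If an existing Windows domain should authenticate instead, set
# security = server and point "password server" at its domain controller.
; password server =
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
# Leave both disabled: every level multiplies the case variants Samba
# will accept and weakens the effective password.
; password level = 8
; username level = 8
# Enabling the settings below keeps the SMB and Linux passwords in sync.
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
# To let a Windows client change the Linux password as well, the
# parameters above must be active and the three below must be set.
# "passwd program" is invoked by smbd with root privilege; keep the
# command fixed and let only %u (user) and %n (new password) vary.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers
# Per-machine settings can be pulled in here; %m is the client's NetBIOS
# name, i.e. a value chosen by the connecting client, so if this is
# enabled only files you created yourself should exist under that pattern.
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m
# Socket tuning parameters.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
os level = 33
# To act as the domain controller all three of the following must be yes.
domain master = yes
preferred master = yes
domain logons = yes
# A script the client runs after logon can be named here; %U is the
# logon user name.
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
logon script = %U.bat
# Logon parameters: "logon path" is where roaming profiles are stored,
# "logon drive" maps the user's Linux home directory to a Windows drive
# letter, and "logon home" is the Win95-era counterpart of logon path.
# %L expands to the name this server was contacted as, so both UNC paths
# point back to this host.
# The share named in "logon path" must be defined further down.
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U\winprofile
# Act as a WINS server.
wins support = yes
# Linux is case sensitive; drop case distinctions so Windows clients do
# not hit errors.
preserve case = no
short preserve case = no
case sensitive = no
# These options adjust time operations to CIFS server
dos filetime resolution = yes
dos filetimes = yes
# The scripts below let SRVTOOLS.EXE / usrmgr on Windows create and delete
# users, groups and machine accounts. Each runs as root with a
# client-supplied name substituted in, so enable only the ones needed.
# These scripts are used for usrmgr.
# If you are using ldapsam, you must change from TDB to LDAP.
;add user script = /usr/sbin/useradd -m %u
;delete user script = /usr/sbin/userdel -r %u
;add group script = /usr/sbin/groupadd %g
;delete group script = /usr/sbin/groupdel %g
;add user to group script = /usr/sbin/groupmod -A %u %g
;delete user from group script = /usr/sbin/groupmod -R %u %g
;add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
# winbind / idmap settings (these still belong to [global]).
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
#========== Share Definitions ==========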
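[homes]
comment = Home Directories
browseable = no
writable = yes
# Restrict each home share to its own user. %S is the share name, which
# for [homes] is the user name; without this any authenticated domain
# user can connect to \\server\<other user> and is stopped only by the
# Unix permissions of that home directory.
valid users = %S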
# netlogon holds the DOS/batch logon scripts clients run after logon.
[netlogon]
comment = Network Logon Service
path = /home/netlogon
# Scripts are served read-only without share-mode locking; "public"
# (synonym of "guest ok") lets clients read them without authenticating.
read only = yes
share modes = no
public = yes
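# Profiles holds the users' roaming profiles; the share must be writable
# by the profile's owner.
[Profiles]
path = /home/profiles
browseable = no
# A profile is applied at its owner's next logon, so it must not be
# writable anonymously: only authenticated domain users may connect.
# (Earlier versions of this file had guest ok = yes here.)
guest ok = no
read only = no
# Files and directories created through the share are private to the
# owning user.
create mask = 0600
directory mask = 0700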
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
# Hidden from browse lists, no anonymous printing ("public" is a synonym
# of "guest ok"; set it to yes to let the guest account print), and the
# spool directory is not exposed as a writable file share.
browseable = no
public = no
read only = yes
# Samba stores the printer drivers for Windows in this share.
[print$]
comment = Printer Drivers Download Area
path = /var/samba/printer
# Drivers are downloadable by anyone, including unauthenticated clients;
# nobody can upload unless the write list below is enabled.
browseable = yes
public = yes
writable = no
; write list = root, @staff
# A public directory whose permissions can be adjusted as needed. As set
# here, members of group staff may write; everyone else, including
# unauthenticated guests, gets read-only access.
[public]
comment = Public Stuff
path = /home/public
guest ok = yes
writable = no
write list = @staff
原配置文件下载:

3、配置域用户
首先,当然是管理员root用户:
smbpasswd -a root
然后是普通用户:需要先建立linux用户,然后加入到smb中
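# Create the Linux account first, then register it in the Samba password
# database. passwd and smbpasswd each prompt for a password; they can
# differ, so there is no need to run the pair twice.
useradd -m user1
passwd user1
smbpasswd -a user1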
※请注意,smb密码和linux系统密码是可以不相同的。但对于除root的smb用户,建议使用相同密码,以方便管理。
4、配置域机器
Samba域中的域机器定义为以$结尾的Samba用户。可以采用下面的方法,把netbios名称为xp的机器加入域中:
useradd -g computers -d /dev/null -s /bin/false xp
然后修改/etc/passwd,把xp用户那行的用户名改为xp$。
(这是由于linux环境下,useradd认为$作为用户名是非法字符,所以需要手动修改)
为安全起见,锁定该账号:
passwd -l xp$
最后,加入到域中:
smbpasswd -a -m xp
5、配置相关共享目录
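mkdir -p /home/public /home/netlogon /home/profiles
# Every domain user must be able to create their own profile directory
# here, but with plain 777 any user can also delete or rename another
# user's profile. The sticky bit (1777) limits delete/rename to the
# owner; the create/directory masks of the [Profiles] share keep the
# contents themselves private.
chmod 1777 /home/profiles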
#smbpasswd -a -m xp
我参考了其他资料,运行这一行命令后,才成功把域机器加入进域的。
只要在域里面的机器,它们之间是可以互相做信任关系的。例如一个共享目录,如果是提供给域用户的话,那其他加入这个域的机器,都可以通过域去访问这个共享目录咯。
域的好处,就是一次验证,多次信任。
什么是域机器?应该不是作为域服务器的这台linux机器吧,能祥细解释一下吗?