
Installing Samba 4 with Active Directory and share support on CentOS 7 from rpm packages

In the last tutorial, I showed you how to set up Samba on CentOS 7 by compiling Samba from source, because the packages provided by RedHat do not support Active Directory. I have since noticed a repository called Wing that provides Samba 4 rpms with AD support. In this tutorial I will use this repository for the Samba installation. I will also show how to create Samba shares.

In this tutorial I will use a minimal CentOS 7 server installation with SELinux enabled as the base.

Preparing the CentOS 7 server

Check the SELinux status.

[root@samba4 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@samba4 ~]#

Add an entry to the hosts file with the server IP address, followed by the fully qualified hostname (FQDN) and then the short hostname.

[root@samba4 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.190   samba4.sunil.cc samba4
[root@samba4 ~]#

Install the EPEL repository for CentOS.

[root@samba4 ~]# yum install epel-release -y

Install the basic packages.

[root@samba4 ~]# yum install vim wget authconfig krb5-workstation -y

Now install the Wing repository.

[root@samba4 ~]# cd /etc/yum.repos.d/
[root@samba4 yum.repos.d]# wget http://wing-net.ddo.jp/wing/7/EL7.wing.repo
[root@samba4 yum.repos.d]# sed -i '[sed expression lost in extraction]' /etc/yum.repos.d/EL7.wing.repo
[root@samba4 yum.repos.d]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base extras updates wing wing-source
Cleaning up everything
Cleaning up list of fastest mirrors
[root@samba4 yum.repos.d]#

Installing Samba 4 on CentOS 7

Install the Samba 4 packages from the Wing repository with yum.

[root@samba4 yum.repos.d]# yum install -y samba45 samba45-winbind-clients samba45-winbind samba45-client \
samba45-dc samba45-pidl samba45-python samba45-winbind-krb5-locator perl-Parse-Yapp \
perl-Test-Base python2-crypto samba45-common-tools

Remove these files, so that the domain provisioning can generate fresh ones.

[root@samba4 ~]# rm -rf /etc/krb5.conf
[root@samba4 ~]# rm -rf /etc/samba/smb.conf

Samba 4 configuration

Now we provision the domain.

[root@samba4 ~]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sunil,DC=cc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba4
NetBIOS Domain:        SUNIL
DNS Domain:            sunil.cc
DOMAIN SID:            S-1-5-21-1578983437-3114190590-2362936743
[root@samba4 etc]#

Make sure the required ports are open in the firewall.

[root@samba4 etc]# firewall-cmd --add-port=53/tcp --permanent; firewall-cmd --add-port=53/udp --permanent; firewall-cmd --add-port=88/tcp --permanent; firewall-cmd --add-port=88/udp --permanent; \
firewall-cmd --add-port=135/tcp --permanent; firewall-cmd --add-port=137-138/udp --permanent; firewall-cmd --add-port=139/tcp --permanent; \
firewall-cmd --add-port=389/tcp --permanent; firewall-cmd --add-port=389/udp --permanent; firewall-cmd --add-port=445/tcp --permanent; \
firewall-cmd --add-port=464/tcp --permanent; firewall-cmd --add-port=464/udp --permanent; firewall-cmd --add-port=636/tcp --permanent; \
firewall-cmd --add-port=1024-3500/tcp --permanent; firewall-cmd --add-port=3268-3269/tcp --permanent
[root@samba4 ~]# firewall-cmd --reload

The package does not ship a service unit, so we add one now.

[root@samba4 ~]# cat /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target
[Service]
Type=forking
PIDFile=/var/run/samba.pid
ExecStart=/usr/sbin/samba
[Install]
WantedBy=multi-user.target
[root@samba4 ~]#
[root@samba4 ~]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service to /etc/systemd/system/samba.service.
[root@samba4 ~]# systemctl restart samba

All other steps are similar to my previous article.

To configure the Windows and Linux hosts, please refer to

Installing a Samba 4 domain controller from source

Creating Samba shares with Windows ACL support

We need to configure extended ACLs for Samba 4. Add the following to the [global] section of the smb.conf file.

[root@samba4 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
        ------------
        -------------
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        ------------
        -------------
[root@samba4 ~]#

Now restart the Samba service.

[root@samba4 ~]# systemctl restart samba

Only users and groups that have been granted the SeDiskOperatorPrivilege can configure share permissions.

[root@samba4 ~]# net rpc rights grant "SUNIL\Domain Admins" SeDiskOperatorPrivilege -U "USER\administrator"
Enter USER\administrator's password:
Successfully granted rights.
[root@samba4 ~]#

Before creating the shares, we need to make sure the Samba 4 server can authenticate users against itself.

We cannot use the usual method here, because it does not work: the existing packages conflict with the packages provided by RedHat, so we cannot use sssd. We will use winbind instead.

Please use the following method; it is required for creating Samba shares with specific permissions.

Install the package below.

[root@samba4 ~]# yum -y install authconfig-gtk*

Run the command.

[root@samba4 yum.repos.d]# authconfig-tui

Select winbind and follow the next steps.

You will not be able to enter a password; just press OK.

Then comment out the lines that authconfig added to /etc/samba/smb.conf and restart the samba service.

Your configuration should look like this:

[root@samba4 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/05/26 17:23:04
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
#   workgroup = SUNIL
#   password server = samba4.sunil.cc
#   realm = SUNIL.CC
#   security = ads
#   idmap config * : range = 16777216-33554431
#   template shell = /sbin/nologin
#  kerberos method = secrets only
#   winbind use default domain = false
#   winbind offline logon = false
#--authconfig--end-line--
        netbios name = SAMBA4
        realm = SUNIL.CC
        workgroup = SUNIL
        dns forwarder = 4.2.2.1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
[netlogon]
        path = /var/lib/samba/sysvol/sunil.cc/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[root@samba4 ~]#
[root@samba4 ~]# systemctl restart samba

Check that we can enumerate users and groups:

[root@samba4 ~]# wbinfo -u
SUNIL\administrator
SUNIL\sambauser
SUNIL\testuser
SUNIL\krbtgt
SUNIL\guest
[root@samba4 ~]# wbinfo -g
SUNIL\cert publishers
SUNIL\ras and ias servers
SUNIL\allowed rodc password replication group
SUNIL\denied rodc password replication group
SUNIL\dnsadmins
SUNIL\enterprise read-only domain controllers
SUNIL\domain admins
SUNIL\domain users
SUNIL\domain guests
SUNIL\domain computers
SUNIL\domain controllers
SUNIL\schema admins
SUNIL\enterprise admins
SUNIL\group policy creator owners
SUNIL\read-only domain controllers
SUNIL\dnsupdateproxy
[root@samba4 ~]#

Modify the following lines in nsswitch.conf:

[root@samba4 ~]# cat /etc/nsswitch.conf
-------------------
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns wins
services:   files winbind
netgroup:   files winbind
-------------------

Now check that we can resolve a domain user with the id command:

[root@samba4 ~]# id testuser
uid=3000019(SUNIL\testuser) gid=100(users) groups=100(users),3000019(SUNIL\testuser),3000009(BUILTIN\users)
[root@samba4 ~]#

Creating a Samba share

I will create two shares: one accessible only by testuser, and another accessible by all users in the Domain Users group.

The share accessible by testuser will be called testshare.

The share accessible by all users will be called commonshare.

[root@samba4 ~]# mkdir /testshare
[root@samba4 ~]# mkdir /commonshare
[root@samba4 ~]# chmod 770 /testshare
[root@samba4 ~]# chmod 770 /commonshare
[root@samba4 ~]# chown -R root:testuser /testshare
[root@samba4 ~]# chown -R root:"Domain Users" /commonshare

Now add the share entries to smb.conf:

[root@samba4 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = SAMBA4
        realm = SUNIL.CC
        workgroup = SUNIL
        dns forwarder = 4.2.2.1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
[netlogon]
        path = /var/lib/samba/sysvol/sunil.cc/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[TestShare]
        comment = Test share accessible by testuser
        path = /testshare
        valid users = SUNIL\testuser
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0770
        directory mask = 0770
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
[CommonShare]
        comment = Accessible by all the users
        path = /commonshare
        valid users = "@SUNIL\Domain Users"
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
[root@samba4 ~]#

Restart the Samba service.

[root@samba4 ~]# systemctl restart samba
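As an added example (not part of the original tutorial), the following Python script parses an smb.conf in the layout shown above and flags settings that weaken share protection: a [global] section without the acl_xattr VFS module or the two ACL options, shares with no valid users restriction, and create/directory masks that grant bits to "other", as the 0777 masks on CommonShare do. The embedded config is a constructed, shortened copy of the tutorial's sections, and the checks themselves are my own choice of baseline.

```python
import configparser
from typing import Dict, List

# Constructed sample: the [global] ACL settings and the two shares from this tutorial.
SMB_CONF = """\
[global]
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
[TestShare]
        path = /testshare
        valid users = SUNIL\\testuser
        create mask = 0770
        directory mask = 0770
[CommonShare]
        path = /commonshare
        valid users = "@SUNIL\\Domain Users"
        create mask = 0777
        directory mask = 0777
"""

def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf keys contain spaces and colons (e.g. idmap_ldb:use rfc2307), so only '='
    # may split key from value; indentation is stripped so configparser does not read
    # the indented options as continuation lines of the previous value.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def audit_smb_conf(text: str) -> Dict[str, List[str]]:
    """Return {section: [finding, ...]} for settings that weaken share protection."""
    cp = parse_smb_conf(text)
    findings: Dict[str, List[str]] = {}
    g = cp["global"] if cp.has_section("global") else {}
    if "acl_xattr" not in g.get("vfs objects", ""):
        findings.setdefault("global", []).append("vfs objects lacks acl_xattr: Windows ACLs cannot be stored")
    for opt in ("map acl inherit", "store dos attributes"):
        if g.get(opt, "no").lower() != "yes":
            findings.setdefault("global", []).append(f"{opt} is not yes")
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        if not sec.get("valid users"):
            findings.setdefault(share, []).append("no 'valid users' restriction")
        # Samba's defaults (create mask 0744, directory mask 0755) are readable by 'other'.
        for opt, default in (("create mask", "0744"), ("directory mask", "0755")):
            if int(sec.get(opt, default), 8) & 0o007:
                findings.setdefault(share, []).append(f"{opt} = {sec.get(opt, default)} grants 'other' bits")
    return findings
```

Run against the sample, it reports only CommonShare's two 0777 masks; tightening them to 0770, as TestShare already has, clears the finding.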

Access the Samba shares as testuser.

Here you will see that both testshare and commonshare are visible.

Test creating a file and a folder under testshare.

[root@samba4 /]# cd /testshare/
[root@samba4 testshare]# ls -l
total 8
-rwxrwx---+ 1 SUNIL\testuser users 0 May 27 22:56 1.txt
drwxrwx---+ 2 SUNIL\testuser users 6 May 27 22:56 test
[root@samba4 testshare]#

Now I log in as a different user, and only commonshare is visible:

Create a file under commonshare.

[root@samba4 commonshare]# ls -l
total 8
drwxrwxrwx+ 2 SUNIL\testuser  users 6 May 27 23:02 test
drwxrwxrwx+ 2 SUNIL\sambauser users 6 May 27 23:07 test2
[root@samba4 commonshare]#

This is how we create shares on Samba 4.
