准备一台Windows域控制器, 在Samba服务器上安装Webmin图形化管理工具, samba, krb5-user, winbind.

修改/etc/krb5.conf.

[logging]default = FILE:/var/log/krb5libs.logkdc = FILE:/var/log/krb5kdc.logadmin_server = FILE:/var/log/kadmind.log[libdefaults]default_realm = HZVOBILE.LOCALdns_lookup_kdc = false[realms]HZVOBILE.LOCAL = {   default_domain = hzvobile.local   kdc = vobile-dc1.hzvobile.local:88   admin_server = vobile-dc1.hzvobile.local:749}[domain_realm].hzvobile.local = HZVOBILE.LOCALhzvobile.local = HZVOBILE.LOCAL

 

修改/etc/samba/smb.conf, 用testparm -s来检查smb.conf文件的合规性.

[global]    winbind use default domain = yes    pam password change = yes;   winbind trusted domains only = yes       ##这行决定getent passwd是否能获得域帐号    map to guest = bad user    workgroup = HZVOBILE    passdb backend = tdbsam    log file = /var/log/samba/log.%m    idmap config * : range = 16777216-33554431       ##如果不指定用户的UID, 上传文件后通过ll命令会发现所上传的用户和组都是root; 指定之后, 就显示用户user和domain user组    obey pam restrictions = yes    os level = 20    panic action = /usr/share/samba/panic-action %d    realm = HZVOBILE.LOCAL;   password server = vobile-dc1.hzvobile.local    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .    server string = %h server (Samba, Ubuntu)    dns proxy = no    passwd program = /usr/bin/passwd %u    usershare allow guests = yes    unix password sync = yes    security = ads    syslog = 0    max log size = 1000    server role = standalone server    winbind offline logon = false    winbind enum groups = yes    winbind enum users = yes

 

修改/etc/nsswitch.conf, 添加winbind验证方式.

passwd:         compat winbindgroup:          compat winbindshadow:         compat winbind

 

使用net ads join -U administrator命令将Samba服务器加入域.

重启后用wbinfo -t和-u或-g检查连通性, 正常情况下你可以看到活动目录中的所有账号和组.

checking the trust secret for domain HZVOBILE via RPC calls succeeded

 

此时你应该可以通过getent passwd查看到所有域帐号.

创建文件夹, 并将文件夹权限777(此处类似Windows权限控制, NTFS与Share权限共同作用于一个用户对文件的最终权限)

[chen_chen]    valid users = hzvobile\chen_chen    path = /mnt/hd2/chen_chen    writeable = yes[it]    path = /mnt/hd2/it    writeable = yes    valid users = @hzvobile\it

 

客户端访问: smbclient //ip/folder -W workgroup -U chen.

 

2015-10-8更新:

我在Debian 8.2上安装了Samba 4.1.17, 发现wbinfo可以获取域帐号和组, 但是getent却不行, 经Google后找到解决方案

apt-get install libnss-winbind

 

2015-10-15更新:

域控设置的变更到winbind有一个刷新时间, 如果想缩短这个时间, 可以在smb.conf中加入以下设置:

[global]...idmap cache time = 1idmap negative cache time = 1winbind cache time = 1

 

2015-10-15更新磁盘配额:

首先, Linux的磁盘配额是对于整个分区生效的, 然后可以针对User或者Group进行限制, 下面对几种"矛盾"的情况作出分析:

1. 同时设置了User1和PGroup1的配额 (User1属于PGroup1), 则User1的配额生效.

2. 同时设置了PGroup2和SGroup2的配额 (User2同时属于PGroup2和SGroup2), 以User2的身份上传数据时, 哪个组是User2的Primary Group, 则哪个组的配额生效.

    2.1 在Windows活动目录中, 所有域帐号的Primary Group都是Domain Users, 一开始我希望通过usermod命令修改用户的Primary Group, 然后系统提示我: XXX用户不存在于/etc/passwd. 想想也是这样! Google后发现对于Winbind+ Active Directory的方式, 需要在Windows中修改用户的Primary Group, 具体方式是开启ADUC的高级功能, 然后在"隶属于"中"设置主要组". 注意: 如果组类型是本地域组, 则"设置主要组"按钮为灰色.

 

 

参考资料:

http://winda.blog.51cto.com/55153/261293/

http://rainbird.blog.51cto.com/211214/197509

http://blog.yam.com/gavint/article/4530697

http://ubuntuforums.org/showthread.php?t=2206822