2011/12/29
「轉貼」SAMBA3域控及文件服务解决方案
SAMBA3域控及文件服务解决方案
标签: 转载
原文地址:SAMBA3域控及文件服务解决方案 作者:egroupware
在博客里搜到一个经典的samba配置,收藏起来研究研究....有兴趣的朋友也看看.
苏州XX电子有限公司SAMBA3域控及文件服务解决方案
Last update:2006.6.20 by Wang Xiantong
Email:xiantong at gmail dot com
配置文件 /opt/samba/lib/smb.conf:
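[global]
# Role of this host: PDC for workgroup DOM ("domain logons"), preferred
# domain/local master browser and WINS server.
workgroup = DOM
netbios name = fileserver
server string = Samba Server
os level = 65
preferred master = yes
domain master = Yes
local master = Yes
security = user
utmp = Yes
winbind use default domain = Yes
map acl inherit = Yes
domain logons = yes
# Roaming-profile and home-drive locations handed to clients at logon;
# %L expands to this server's NetBIOS name, %U to the login name.
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%L\%U
logon script = logon.bat
encrypt passwords = Yes
wins support = Yes
# Accounts are kept in the local tdbsam database (managed with pdbedit).
passdb backend = tdbsam
# Windows-name -> UNIX-user mapping. The file below contains "root = admin",
# i.e. logging in as "admin" is logging in as root: guard that password.
username map =/opt/samba/smbusers
log level = 1
syslog = 0
log file = /opt/samba/var/log.%m
max log size = 50
# Serve NetBIOS-over-TCP (139) only, on a single interface, and reject
# clients outside the listed networks.
smb ports = 139
interfaces = 192.168.1.101/255.255.255.0
hosts allow = 192.168.0. 192.168.1. localhost 192.168.20.
bind interfaces only = yes
name resolve order = wins bcast hosts
time server = Yes
#printcap name = CUPS
#show add printer wizard = No
# Every member of "Domain Admins" acts as root on every share. The notes
# below report that this breaks roaming profiles for those users (their
# profile directory ends up owned by root) and fall back to
# "admin users = root bbc"; keep this list as small as possible.
admin users = @"Domain Admins"
# Account-management hooks Samba invokes for "net rpc user/group ..." and
# for machine joins; %u and %g are the user and group names supplied by
# the caller.
add user script = /usr/sbin/useradd -s /bin/false -g "Domain Users" -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
# -a is required: a plain "usermod -G" REPLACES the user's supplementary
# group list instead of appending to it, silently dropping every other
# membership.
add user to group script = /usr/sbin/usermod -a -G '%g' '%u'
# deluser(8) here is the Debian-style wrapper; on other distributions use
# the gpasswd variant kept below.
delete user from group script = /usr/sbin/deluser '%u' '%g'
# add user to group script = /usr/bin/gpasswd -a '%u' '%g'
# delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g 'Domain Computers' '%u'
dns proxy = No
[netlogon]
# Holds logon.bat; clients can read but not modify it, and it is hidden
# from browse lists.
path = /opt/samba/lib/netlogon
writeable = no
browsable = no
[profiles]
# Roaming profiles: new files/directories are private to their owner
# (0600 / 0700).
path = /opt/samba/profiles
browsable = no
writable = yes
create mask = 0600
directory mask = 0700
[homes]
comment = Home Directories
read only = No
browseable = No
#[printers]
#comment = All Printers
#path = /usr/spool/samba
#printable = Yes
#browseable = No
[Common Files]
# Shared departmental area. Default is read-only; "write list" grants write
# access to Material and Finance, "read list" pins Engineering and Quality
# to read-only. Group names must match the UNIX groups created by
# smbgroupInit.sh ("Material Dept" -- the original "Meterail Dept" named a
# group that script never creates, locking that department out).
# The setup steps below also run "chmod -R ... o+rx" on this directory, so
# local (non-SMB) users on this host can read everything already in it.
comment = Common Files
path = /home/DOM/commfiles
read only = yes
valid users = @"Material Dept" @"Finance Dept" @"Engineering Dept" @"Quality Dept"
write list = @"Material Dept" @"Finance Dept"
read list = @"Engineering Dept" @"Quality Dept"
create mask = 0660
directory mask = 0771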
配置文件 /opt/samba/smbusers
root = admin
新建[netlogon]目录
>#mkdir -p /opt/samba/lib/netlogon
配置文件/opt/samba/lib/netlogon/logon.bat
net use x: \\192.168.1.2\DATA
确保是dos格式,最直白的方法是在win下编辑完成上传到这个位置即可
新建[profiles]漫游目录
>#mkdir -p /opt/samba/profiles
新建[Common Files]共享
>#mkdir /home/DOM/commfiles
>#chown -R wxt:"Domain Users" /home/DOM/commfiles
>#chmod -R ug+rwx,o+rx-w /home/DOM/commfiles
添加管理员帐户
>#/opt/samba/bin/pdbedit -a root
用来初始化组的shell smbgroupInit.sh
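#!/bin/sh
# smbgroupInit.sh -- modified by Wang Xiantong
#
# Recreate the UNIX groups used by the Samba PDC and map each one to its
# Windows RID with "net groupmap". Run as root (groupadd/groupdel need it).
#
# Every group is deleted and created again, so existing memberships of these
# groups are lost. groupdel and "net groupmap delete" are expected to fail
# the first time (nothing to delete yet); no exit status is checked, exactly
# as in the original line-by-line version, which is why this script does not
# use "set -e".
SMBBIN=/opt/samba/bin
SMBSBIN=/opt/samba/sbin
PATH=$SMBBIN:$SMBSBIN:$PATH

# reset_group GID RID TYPE NAME
#   Recreate UNIX group NAME with numeric id GID and map it to Samba RID RID.
#   TYPE is "d" for a domain group or "l" for a local (builtin alias) group,
#   as accepted by "net groupmap add type=". The NT and UNIX names are the
#   same string.
reset_group() {
  groupdel "$4"
  groupadd -g "$1" "$4"
  # Drop any leftover mapping first so a stale entry cannot make
  # "net groupmap add" fail. The original script skipped this step for
  # "Domain Computers" only.
  net groupmap delete ntgroup="$4"
  net groupmap add ntgroup="$4" unixgroup="$4" rid="$2" type="$3"
}

# Well-known domain groups (RIDs 512-515).
reset_group 1512 512 d "Domain Admins"
reset_group 1513 513 d "Domain Users"
reset_group 1514 514 d "Domain Guests"
reset_group 1515 515 d "Domain Computers"

# Departmental domain groups; the RID doubles as the GID.
reset_group 2000 2000 d "Sales Dept"
reset_group 2001 2001 d "Finance Dept"
reset_group 2002 2002 d "Engineering Dept"
reset_group 2003 2003 d "Quality Dept"
reset_group 2004 2004 d "Material Dept"
reset_group 2005 2005 d "Administrative Dept"

# Builtin local aliases (RIDs 544-547).
reset_group 1544 544 l "Local Admins"
reset_group 1545 545 l "Local Users"
reset_group 1546 546 l "Local Guests"
reset_group 1547 547 l "Local Power Users"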
嵌套组
下面的例子把全局组Domain Admins加到Local Admins本地组,把全局组Domain Users加到Local Users本地组,把全局组Domain Guests加到Local Guests本地组,把用户wxt加到全局组Domain Admins。注意:`-Uroot%passwd` 把root的Samba口令直接写在命令行上,它会出现在ps的输出和shell历史记录里;建议只写 `-U root`,让net在提示时再读入口令。
>#net rpc group addmem "Local Admins" "Domain Admins" -Uroot%passwd
>#net rpc group addmem "Local Users" "Domain Users" -Uroot%passwd
>#net rpc group addmem "Local Guests" "Domain Guests" -Uroot%passwd
>#net rpc group addmem "Domain Admins" wxt -Uroot%passwd
下面的例子显示本地组Local Guests的成员,从本地组Local Guests中删除全局组Domain Guests。
>#net rpc group members "Local Guests" -Uroot%passwd
>#net rpc group delmem "Local Guests" "Domain Guests" -Uroot%passwd
下面的把全局组加入到另一全局组将不能成功
>#net rpc group addmem "Domain Users" "Sales Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Finance Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Engineering Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Quality Dept" -Uroot%passwd
添加域信任帐户
第一种方法,在windows nt/200x/xp pro 客户机上加入域,系统会利用smb.conf配置文件中的add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g 'Domain Computers' '%u'自动将该客户机加入到域。
2、另一种方法是手动建立(假定机器名为workstation),98/me系统要采用这个方式,XP HOME完全没有这个能力
>#/usr/sbin/useradd -g "Domain Computers" -s /bin/false -d /dev/null workstation$
>#/usr/bin/passwd -l workstation$
>#/opt/samba/bin/pdbedit -a -m workstation
添加一般域帐户
第一种方法,利用net命令
>#./net rpc user add bbc mypass -Uroot%passwd
但是这种方法得到的User默认是禁用的,还得用pdbedit来改变user-flag。另外,上面的命令把新用户的初始口令(mypass)和root的口令都写在了命令行上,同样会泄露到ps输出和shell历史里。
>#/opt/samba/bin/pdbedit -r -c "[X]" bbc
>#/opt/samba/bin/pdbedit -r -c "[]" bbc
(标志串要加引号,否则shell会把 [X] 当成文件名通配符处理)
删除帐户
>#/opt/samba/bin/./net rpc user delete bbc
系统会利用smb.conf中配置自动建立,删除linux帐户
第二种方法
>#useradd -g "Domain Users" -s /bin/false -d /home/bbc bbc
>#/opt/samba/bin/pdbedit -a bbc
管理员
smb.conf 中参数对admin users = @"Domain Admins"指明所有的"Domain Admins"成员都可以用来管理域,比如添加帐户,组等操作。但是Domain Admins 组作为管理帐户之后,组内成员登入域将会出现无法使用profiles漫游的功能, 这是因为此时Domain Admins的成员登陆域时建立的profiles目录属主是root,而此用户实际不是root(0),profiles目录又是0600,只有目录属主有操作权限,产生了矛盾。这正是admin users的效果:列在其中的用户在共享上的文件操作都以root身份执行,所以新建的目录属主是root,并不是bug。我用的是samba-3.23c。
我这里的设想是"Domain Admins"会成为工作站administrators组的成员,"Domain Users"会成为工作站的"Users"组或"Power Users"组所成员,那么实际上Domain Admins的成员不能正常登入域。所以这里采取折中的方法,admin users = root bbc 让bbc root这两个帐户来管理samba PDC。chown 命令这里也能帮上忙,比如cp其它帐户的profile,然后chown给新帐户。
另smb.conf配置文件中add user script = /usr/sbin/useradd -s /bin/false -g "Domain Users" -m '%u',这一句指明用net rpc user add 所建立的用户unix 默认组是Domain Users,因此此时用net rpc group addmem "Domain Users" bbc -Uroot%passwd将不会成功,原因不言自明。
升级samba
下载最新的samba-3.0.25b
>#./configure --prefix=/opt/samba --with-automount --with-smbmount --with-syslog --with-quotas --with-sys-quotas --with-utmp --with-acl-support --with-aio-support
>#make && make install
Samba : Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
If the client fails with:
Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
tree connect failed
vi /etc/samba/smb.conf
[global]
# NOTE(review): this re-enables the old LANMAN challenge/response on the
# client side so it can talk to a share-level-security server. The LANMAN
# hash is a well-known weak scheme, so treat this as a workaround for that
# one legacy server rather than a default, and prefer moving the server to
# user-level security.
client lanman auth = yes
2011/12/27
LDAP & Sonic SRA 4200 SSL VPN
Login SRA 4200 as admin
Portals > Domains
add new (EX : ooxx.com)
Authentication type: LDAP
Domain name: ooxx.com
server address(LDAP server):192.168.0.0
LDAP baseDN(S)*:
dc=ooxx,dc=com
Login user name (LDAP admin) : Manager   (if this is the directory's rootdn, prefer a dedicated read-only bind account for the SRA: the appliance stores this password, and it only needs to search and bind)
Login password (LDAP password): OOXX
[V]allow password changes (if allowed by LDAP server)
Portals > Domains
add new (EX : ooxx.com)
Authentication type: LDAP
Domain name: ooxx.com
server address(LDAP server):192.168.0.0
LDAP baseDN(S)*:
dc=ooxx,dc=com
Login user name (LDAP admin) : Manager
Login password (LDAP password): OOXX
[V]allow password changes (if allowed by LDAP server)
2011/12/15
missing DB_CONFIG
find DB_CONFIG.example
find / -name 'DB_CONFIG*'
cp /<path-found-above>/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
find / -name 'DB_CONFIG*'
cp /<path-found-above>/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2011/12/13
LDAP start WARNING
[root@dogcage var]# service ldap start
/var/lib/ldap/ou.bdb is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.006 is not owned by "ldap" [WARNING]
/var/lib/ldap/log.0000000001 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.003 is not owned by "ldap" [WARNING]
/var/lib/ldap/objectClass.bdb is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.002 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.001 is not owned by "ldap" [WARNING]
/var/lib/ldap/alock is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.005 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.004 is not owned by "ldap" [WARNING]
/var/lib/ldap/dn2id.bdb is not owned by "ldap" [WARNING]
/var/lib/ldap/id2entry.bdb is not owned by "ldap" [WARNING]
Checking configuration files for slapd: [FAILED]
bdb_db_open: database "dc=ikala,dc=tv": alock package is unstable.
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
stale lock files may be present in /var/lib/ldap [WARNING]
[root@dogcage var]# service ldap status
slapd is stopped
chown -R ldap:ldap /var/lib/ldap/
(the "not owned by ldap" warnings usually come from having run slapadd/slapindex as root; the "alock package is unstable" / "stale lock files" messages are a separate symptom -- as the log itself says, run manual recovery (db_recover, as the ldap user) if errors remain after the restart)
[root@dogcage var]# service ldap restart
Stopping slapd: [FAILED]
Checking configuration files for slapd: [WARNING]
bdb_db_open: database "dc=ikala,dc=tv": unclean shutdown detected; attempting recovery.
bdb_db_open: database "dc=ikala,dc=tv": recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
Starting slapd: [ OK ]
[root@dogcage var]# service ldap status
slapd (pid 9048) is running...
[root@dogcage var]#