一、samba相关软件安装
yum install krb5-workstation krb5-devel pam_krb5 samba samba-client samba-winbind-clients -y
二、配置
1.更改主机名
vim /etc/hostname
修改为:testsamba
vim /etc/hosts
修改行为:
127.0.0.1 testsamba.southbaytech.co testsamba
2.更改系统dns
vim /etc/sysconfig/network-scripts/ifcfg-eth0
其中dns修改为(ifcfg文件中的键名须大写):
DNS1=172.21.100.11 #AD域DNS服务器的IP地址
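3.禁用防火墙和Selinux(注:这会去掉主机层面的防护,且SELinux的修改需重启后才生效;生产环境建议保留两者,改为在firewalld中放行samba服务,并为共享目录设置SELinux上下文samba_share_t)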
chkconfig firewalld off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@' /etc/selinux/config
4.设置开机启动winbind,samba
chkconfig winbind on
chkconfig smb on
5.创建samba目录(注:777使本机所有用户都可读写该目录;若只需特定用户访问,建议把目录属组设为共享所用的组后收紧权限,例如770)
mkdir /home/share
chmod 777 /home/share
6.修改krb5配置
vim /etc/krb5.conf
修改为如下配置
[libdefaults]
dns_lookup_realm = true
default_realm = SOUTHBAYTECH.CO
[realms]
SOUTHBAYTECH.CO = {
kdc = 172.21.100.11:88
admin_server = 172.21.100.11:749
}
[domain_realm]
.southbaytech.co = SOUTHBAYTECH.CO
southbaytech.co = SOUTHBAYTECH.CO
7.修改nss配置
vim /etc/nsswitch.conf
修改为:
passwd: files winbind
shadow: files winbind
group: files winbind
8.修改samba配置
vim /etc/samba/smb.conf
修改为:
[global]
# ----------------------- Network-Related Options -------------------------
workgroup = SOUTHBAYTECH
netbios name = testsamba
# ----------------------- Standalone Server Options ------------------------
#security = user
#passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
security = ads
realm = SOUTHBAYTECH.CO
password server = 172.21.100.11
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = true
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
#============================ Share Definitions ==============================
[share]
comment = Home Directories
path = /home/share
# 是否显示共享文件夹,默认yes(smb.conf不支持行尾注释,行尾文字会被当作参数值的一部分,说明须单独成行)
browseable = yes
#writable = yes (是否可写,yes表示所有用户默认有写权限,write list无效;反之read list 无效)
available = yes
force group = nogroup
create mask = 0777
directory mask = 0777
# 读权限
read list = asd
# 写权限
write list = asd
# 有访问此共享文件夹权限的用户;不设置时(默认)所有用户都有访问权限
valid users = asd
9.重启服务器
reboot
10.将服务器加入域
kinit tab_ding@SOUTHBAYTECH.CO (加入域之前先验证Kerberos认证是否正常,成功后可用klist查看票据)
net ads join -U tab_ding@SOUTHBAYTECH.CO(需要管理员权限)
注:如果出现无法加入域的情况,请检查服务器时间和AD域时间是否相差太多(Kerberos默认只容忍5分钟以内的时间偏差),或者AD域中是否已存在该主机
11.重启winbind服务
service winbind restart
其他命令
net ads leave -U administrator (离开域)
wbinfo -t (测试RPC调用是否正常)
net ads testjoin (测试是否正常加入域)
wbinfo -u (域内用户)
wbinfo -g (域内组)
三、配置日志(centos7)
1.创建日志目录
mkdir -p /home/log/samba
2.配置samba
vim /etc/samba/smb.conf
添加如下配置:
[global]
vfs object = full_audit
#设置审计日志格式
full_audit:prefix = %u|%I|%S
#审计失败日志
full_audit:failure = connect
#审计成功日志
full_audit:success = mkdir rmdir rename unlink kernel_flock
#审计日志设备
full_audit:facility = local5
#审计日志安全等级
full_audit:priority = info
3. 配置syslog
说明:*.info;mail.none;authpriv.none;cron.none /var/log/messages 一行原来就存在,只需在其选择器中新加local5.none,使samba审计日志不再写入/var/log/messages;另新加一行把local5.info写入独立的日志文件
vim /etc/rsyslog.conf
修改为:
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
local5.info -/home/log/samba/smb.log
4.重启服务
systemctl restart rsyslog
systemctl restart smb
四、配置回收站(centos7)
1.创建回收站目录
mkdir /home/share/.delete
chmod 777 -R /home/share/.delete
2.配置samba
在共享模块share中添加以下内容(smb.conf不支持行尾注释,行尾文字会被当作参数值的一部分,说明须单独成行):
# 注意:共享段中的vfs objects会覆盖[global]中的设置而不是叠加;
# 若仍需对该共享记录审计日志,应写为 vfs objects = full_audit recycle
# 开启回收站
vfs objects = recycle
# 回收站路径
recycle:repository = /home/share/.delete/%U
# 保持原路径
recycle:keeptree = yes
# 开启版本控制
recycle:versions = yes
# 排除小于100字节的文件回收
recycle:minsize = 100
# 排除大于100万字节的文件回收
recycle:maxsize = 1000000
# 排除tmp目录回收
recycle:exclude_dir = tmp
# 排除.log结尾的文件进入回收站
recycle:exclude = *.log
3.重启服务
systemctl restart smb