Centos7下samba服务搭建及通过活动目录AD控制帐号

一、samba相关软件安装

# Kerberos client libraries, Samba server/client and the winbind tools.
# NOTE(review): on CentOS 7 the winbindd daemon itself lives in the samba-winbind
# package; step 4 enables the winbind service, so confirm that package was pulled
# in as a dependency (rpm -q samba-winbind) before relying on it.
yum install krb5-workstation krb5-devel pam_krb5 samba samba-client samba-winbind-clients -y

二、配置

1.更改主机名

vim /etc/hostname
修改为:testsamba
vim /etc/hosts
修改行为:
127.0.0.1   testsamba.southbaytech.co   testsamba

2.更改系统dns

vim /etc/sysconfig/network-scripts/ifcfg-eth0
其中dns修改为:
DNS1=172.21.100.11   #AD域的DNS服务器IP地址(ifcfg文件中的键名区分大小写,必须使用大写DNS1)

3.禁用防火墙和Selinux

# Turning the firewall and SELinux off removes two host-wide protection layers
# for the sake of a quick setup. A narrower alternative is to keep both enabled,
# open only the Samba service (firewall-cmd --permanent --add-service=samba) and
# label the share directory with the samba_share_t SELinux context.
chkconfig firewalld off
# Only takes effect after the reboot in step 9.
sed -i 's@SELINUX=enforcing@SELINUX=disabled@' /etc/selinux/config

4.设置开机启动winbind,samba

# Enable both services at boot; on CentOS 7 chkconfig forwards these requests
# to "systemctl enable".
chkconfig winbind on
chkconfig smb on

5.创建samba目录

# Shared directory. Mode 0777 makes it writable by every local account as well,
# not only by the Samba users restricted through "valid users" in smb.conf;
# a group-owned directory (mode 2770 plus a matching "force group") is tighter.
mkdir /home/share
chmod 777 /home/share

6.修改krb5配置

vim /etc/krb5.conf
修改为如下配置
[libdefaults]
dns_lookup_realm = true
# Realm name is the AD domain in upper case; must match "realm" in smb.conf.
default_realm = SOUTHBAYTECH.CO
[realms]
 SOUTHBAYTECH.CO = {
# A single DC is pinned by IP. With dns_lookup_kdc = true the KDC could instead
# be discovered via DNS SRV records (assumes the DC's DNS from step 2 is reachable).
  kdc = 172.21.100.11:88
  admin_server = 172.21.100.11:749
 }
[domain_realm]
 .southbaytech.co = SOUTHBAYTECH.CO
 southbaytech.co = SOUTHBAYTECH.CO

7.修改nss配置

vim /etc/nsswitch.conf
修改为:
# Local files are consulted first; AD users and groups are then resolved by winbindd.
passwd:     files winbind
shadow:     files winbind
group:      files winbind

8.修改samba配置

vim /etc/samba/smb.conf
修改为:
[global]
# ----------------------- Network-Related Options -------------------------
    workgroup = SOUTHBAYTECH
    netbios name = testsamba
# ----------------------- Standalone Server Options ------------------------
    #security = user
    #passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
    # Authenticate against Active Directory with Kerberos; "realm" must match
    # default_realm in /etc/krb5.conf (upper case).
    security = ads
    realm = SOUTHBAYTECH.CO
    # Pins authentication to one DC: if it is unreachable, logons fail. With
    # security = ads Samba can locate DCs through DNS when this is left unset
    # (see smb.conf(5)); consider dropping it once DNS resolution works.
    password server = 172.21.100.11
    # Old-style idmap range parameters; newer Samba documents
    # "idmap config * : range" instead — check testparm for a deprecation warning.
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    template homedir = /home/%U
    # Domain users appear without the DOMAIN/ prefix, which is why the names
    # in the share definition below are bare usernames.
    winbind use default domain = true
    # Lets winbind cache credentials so logons can still succeed while the DC
    # is unreachable.
    winbind offline logon = true
    # Required for wbinfo -u / -g to enumerate accounts; costly on large domains.
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = /
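#============================ Share Definitions ==============================
[share]
    comment = Home Directories
    path = /home/share
    # Whether the share is shown in browse lists (default: yes).
    # Annotations must be on their own comment lines: smb.conf has no trailing
    # comments, so text after a value becomes part of the value.
    browseable = yes
    # writable = yes would give every user write access by default and make
    # "write list" ineffective; with writable off, "read list" is ineffective.
    #writable = yes
    available = yes
    # NOTE(review): CentOS 7 has no "nogroup" group by default (that name is
    # Debian's); check "getent group nogroup" and use an existing group, or the
    # share connection may fail when smbd cannot resolve it.
    force group = nogroup
    # 0777 masks make every file and directory created through the share
    # world-writable on the local filesystem.
    create mask = 0777
    directory mask = 0777
    # Read access.
    read list = asd
    # Write access.
    write list = asd
    # Users allowed to connect to this share; when unset, all authenticated
    # users may connect.
    valid users = asd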

9.重启服务器

# Reboot so the hostname, DNS and SELinux changes from the steps above take effect.
reboot

10.将服务器加入域

kinit tab_ding@SOUTHBAYTECH.CO (测试是否可以加入域)
net ads join -U tab_ding@SOUTHBAYTECH.CO (需要管理员权限)

注:如果无法加入域,请检查服务器时间与AD域时间是否相差过大(Kerberos认证要求两端时钟基本同步),或者AD域中是否已存在同名主机

11.重启winbind服务

# Restart winbind so it picks up the new domain membership
# (on CentOS 7 this is forwarded to "systemctl restart winbind").
service winbind restart

其他命令

net ads leave -U administrator (离开域)
wbinfo -t (测试RPC调用是否正常)
net ads testjoin (测试是否正常加入域)
wbinfo -u (域内用户)
wbinfo -g (域内组)

三、配置日志(centos7)

1.创建日志目录

# Destination directory for the Samba audit log written by rsyslog (step 3).
mkdir -p /home/log/samba

2.配置samba

vim /etc/samba/smb.conf
添加如下配置:
[global]
# Load the full_audit VFS module for all shares. A share-level "vfs objects"
# line overrides this one, so a share that sets its own module list must
# include full_audit as well for auditing to continue there.
vfs object = full_audit
# Audit record prefix: user | client IP | share name
full_audit:prefix = %u|%I|%S
# Operations logged when they fail
full_audit:failure = connect
# Operations logged when they succeed. File opens and reads are not in this
# list; extend it (see vfs_full_audit(8)) if read access must be auditable.
full_audit:success = mkdir rmdir rename unlink kernel_flock
# syslog facility; matched by the local5 rule added to rsyslog.conf below
full_audit:facility = local5
# syslog priority
full_audit:priority = info

3. 配置syslog

其中 `*.info;mail.none;authpriv.none;cron.none /var/log/messages` 一行为原有配置,只需在其末尾新加 `local5.none`;`local5.info` 一行为新增

vim /etc/rsyslog.conf
修改为:
# local5.none keeps the Samba audit records out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local5.none    /var/log/messages
# The leading "-" selects buffered output (no sync after every message).
local5.info                                           -/home/log/samba/smb.log

4.重启服务

# Restart rsyslog first so the local5 rule is active before smbd starts
# emitting audit records.
systemctl restart rsyslog
systemctl restart smb

四、配置回收站(centos7)

1.创建回收站目录

# Recycle-bin root; smbd creates one sub-directory per user under it (%U).
# 0777 lets every local account read other users' deleted files, so consider
# a tighter mode if deleted content is sensitive.
mkdir /home/share/.delete
chmod 777 -R /home/share/.delete

2.配置samba

在共享模块share中添加以下内容:

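# Enable the recycle VFS module for this share. smb.conf has no trailing
# comments, so each note is on its own line (text after a value would become
# part of the value). A share-level "vfs objects" replaces the global one: if
# the full_audit module from the logging section should also apply here, list
# both, e.g. vfs objects = full_audit recycle
vfs objects = recycle
# Where deleted files are moved (one sub-directory per connecting user)
recycle:repository = /home/share/.delete/%U
# Keep the original directory structure under the repository
recycle:keeptree = yes
# Keep several versions of files with the same name
recycle:versions = yes
# Files smaller than 100 bytes are not recycled
recycle:minsize = 100
# Files larger than 1,000,000 bytes are not recycled
recycle:maxsize = 1000000
# Do not recycle files from a "tmp" directory
recycle:exclude_dir = tmp
# Do not recycle files ending in .log
recycle:exclude = *.log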

3.重启服务

# Reload the share definition so the recycle settings take effect.
systemctl restart smb