I'm currently working on integrating heterogeneous Linux and Windows platforms. I have gone through many configuration examples, but I still cannot get Samba to integrate with Windows AD:
Versions in use:
CentOS 5.5
samba-common-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-3.0.33-3.29.el5_5.1
krb5-libs-1.6.1-36.el5_5.6
krb5-server-1.6.1-36.el5_5.6
krb5-workstation-1.6.1-36.el5_5.6
The relevant configuration files are as follows:
================= smb.conf
[root@localhost samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = TEST
realm = TEST.COM.TW
netbios name = SAMBA
server string = Samba Server Version %v
security = ADS
password server = ad.test.com.tw
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind cache time = 0
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Note: my requirement is only for Linux to be able to authenticate through Windows AD, so no home directory or shell is needed.
================= krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = test.com.tw
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
TEST.COM.TW = {
kdc = ad.test.com.tw
admin_server = ad.test.com.tw
default_domain = test.com.tw
}
[domain_realm]
.test.com.tw = TEST.COM.TW
test.com.tw = TEST.COM.TW
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
My krb5.conf is written like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LAB.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
LAB.LOCAL = {
kdc = 192.168.15.51:88
admin_server = 192.168.15.51:749
default_domain = LAB.LOCAL
}
[domain_realm]
.lab.local = LAB.LOCAL
lab.local = LAB.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Earlier, using an FQDN inside the realm entry failed, but I didn't have time to look into the DNS problem, so I switched to the IP address directly.
But I don't have the file /var/kerberos/krb5kdc/kdc.conf at all, so that section effectively does nothing.
My smb.conf has one more line than yours:
encrypt passwords = yes
The above works in a Windows 2003 environment, with Samba 3.0.10 through 3.0.33...
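As an added illustration for both configurations in this thread (this is not code from either poster), here is a small POSIX shell script that reads the settings the two posts are juggling and checks them against each other: that the Samba `realm` and the Kerberos `default_realm` agree exactly (Kerberos realm names are case-sensitive, so a lowercase `default_realm` does not match an uppercase `[realms]` entry), that the realm actually has a `[realms]` block, and whether Samba's `password server` is the KDC that block names. The two sample configs are constructed here from the values quoted above; the "consistent" variant is an assumption about what a matching krb5.conf would look like, not something the thread confirms solved the problem.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check smb.conf against krb5.conf
# for a "security = ADS" domain member. The sample configs below are
# constructed from values quoted in the thread.

SMB_SAMPLE='[global]
workgroup = TEST
realm = TEST.COM.TW
security = ADS
password server = ad.test.com.tw
'

# krb5.conf as posted in the question: note the lowercase default_realm
KRB5_AS_POSTED='[libdefaults]
default_realm = test.com.tw
dns_lookup_kdc = false
[realms]
TEST.COM.TW = {
kdc = ad.test.com.tw
admin_server = ad.test.com.tw
}
'

# Assumed corrected variant: default_realm matches the [realms] entry exactly
KRB5_CONSISTENT='[libdefaults]
default_realm = TEST.COM.TW
dns_lookup_kdc = false
[realms]
TEST.COM.TW = {
kdc = ad.test.com.tw
}
'

# get_value CONTENT KEY: print the value of the first "KEY = value" line
get_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# realm_kdc KRB5_CONTENT REALM: print the kdc listed inside "REALM = { ... }"
# (empty output when no such block exists; the match is case-sensitive)
realm_kdc() {
    printf '%s\n' "$1" \
      | sed -n "/^[[:space:]]*$2[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*}/s/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p" \
      | head -n 1
}

# check_realm SMB_CONTENT KRB5_CONTENT
#   "ok"        : Samba realm equals Kerberos default_realm and a [realms] block exists
#   "mismatch"  : the two realm strings differ (case included)
#   "undefined" : they agree, but krb5.conf has no [realms] block for that realm
check_realm() {
    smb_realm=$(get_value "$1" realm)
    krb_realm=$(get_value "$2" default_realm)
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo mismatch
    elif [ -z "$(realm_kdc "$2" "$smb_realm")" ]; then
        echo undefined
    else
        echo ok
    fi
}

# check_kdc SMB_CONTENT KRB5_CONTENT: "same" when Samba's password server is
# the KDC listed for the Samba realm, otherwise "different"
check_kdc() {
    smb_realm=$(get_value "$1" realm)
    if [ "$(get_value "$1" 'password server')" = "$(realm_kdc "$2" "$smb_realm")" ]; then
        echo same
    else
        echo different
    fi
}

# Report on both krb5.conf variants when the script is run directly
for name in KRB5_AS_POSTED KRB5_CONSISTENT; do
    eval "conf=\$$name"
    echo "$name: realm=$(check_realm "$SMB_SAMPLE" "$conf") kdc=$(check_kdc "$SMB_SAMPLE" "$conf")"
done
```

Run against the configuration posted in the question, `check_realm` reports `mismatch` purely because of the case difference between `test.com.tw` and `TEST.COM.TW`; the same functions can be pointed at real files with `get_value "$(cat /etc/samba/smb.conf)" realm` and so on. The script only reads text, so it is safe to run on a production host before attempting the domain join.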