我跟着这个网站的教程安装 SSSD(不带 WinBind)以加入 Windows Server 2008 域。这是一个巨大的成功。在此之前,我尝试使用 Zentyal 设置共享文件夹,但没有成功...Zentyal 总是显示错误...
我想使用GUI来完成这项工作,但是当我在Webmin Samba和Zentyal上失败时,我剩下的唯一选择就是用命令一一设置,并手动实现smb.conf。幸运的是,教程可以毫无问题地加入域,并且我可以设置 Samba 共享。
这是 smb.conf
[global]
workgroup = ADDOMAIN
server string = Samba Server Version %v
security = ads
# encrypt passwords = yes
# passdb backend = tdbsam
idmap config * : backend = tdb
realm = addomain.tld
access based share enum = yes
# this is just a member server
domain master = no
local master = no
preferred master = no
# in my test network I could not get AD authentication for smb shares to work
# without adding "kerberos method = secrets and keytab"
kerberos method = secrets and keytab
# Add the IPs / network ranges / subnets allowed acces to the server in general.
# this is not a nesessary entry but in general a good idea.
# hosts allow = 127. your local network info
# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level = 3
# maximum size of 50KB per log file, then rotate:
max log size = 50
# Not interested in printers
load printers = no
cups options = raw
# This stops an annoying message from appearing in logs
printcap name = /dev/null
# File Shares under valid users I put a group if you create a group for samba in # active directory and add users to it those users will be able to access smb
# shares from this server over the network.
[guest]
comment = guest
path = /home/samba/guest
public = yes
readonly = no
writable = yes
guest ok = yes
[admin]
comment = admin
path = /home/samba/admin
public = no
readonly = no
writable = yes
guest ok = no
valid users = @"[email protected]"
有一个用户 ADDOMAIN\admintest (或[电子邮件受保护])登录 Windows PC 并尝试访问“Admin”共享文件夹,但无法授予访问权限。日志显示“NT_STATUS_ACCESS_DENIED”。但我确信该帐户在该组中。
为了确保 AD 和用户信息同步到我的 CentOS 7,我将有效用户从 更改为。用户可以访问共享文件夹。@"[email protected]""[email protected]"
然后我尝试解决的问题是,使用id命令。我已经修改了 sssd.conf 不需要使用完整限定名称。所以 ...
# id admintest
uid=821800500(admintest) gid=821800513(domain users) groups=821800513(domain users)
这简直太奇怪了。是的,这个帐户位于域用户中,但它仍然有一些其他属于的组,包括“admingp”。
然后我使用“getent”命令来显示组成员。
# getent group admingp
admingp:*:821808307:administrator,admintest,ben, ... (etc)
就是这样,admintest 在组中。因为它也在域用户组中,所以我再次尝试修改 smb.conf,有效用户更改为,猜猜是什么?共享文件夹可以访问。@"domain [email protected]"
所以我可以得出结论,smb.conf 没问题,AD 身份验证没问题。但正如您所注意到的,id admintest仅显示第一个匹配的组。其他的被跳过,所以我无法使用组权限设置共享文件夹。而且我那里有几十个组和几十个共享文件夹,我不能简单地一一实现它。
我最终测试了该id命令。 Linux 帐户“support”属于 2 个组。一是“支撑”本身,二是“轮子”。
# id support
uid=1000(support) gid=1000(support) groups=1000(support),10(wheel)
Linux 用户不受影响。那么……出了什么问题?我已在此处附上 sssd.conf。请看一看。
[sssd]
domains = addomain.tld
config_file_version = 2
services = nss, pam
[domain/addomain.tld]
ad_domain = addomain.tld
krb5_realm = ADDOMAIN.TLD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# use_fully_qualified_names = True
# fallback_homedir = /home/%u@%d
use_fully_qualified_names = False
fallback_homedir = /home/%u
enumerate = True
access_provider = simple
# access_provider = ldap
非常感谢。