这就是我所拥有的:
- DOMAIN.LOCAL 下的计算机组以及 Windows Server 中 Active Directory 提供的所有用户
- Debian 服务器
- Windows AD、DC服务器
我需要的:
- 将我的 DebianServer 中的文件夹共享给其他计算机,以便它们使用 Windows AD 提供的自己的用户进行身份验证
我已经做了什么:
- 我的 DebianServer 已经在 DOMAIN.LOCAL 中
- 我可以使用 Windows 上的所有 AD 用户登录 DebianServer
我不能做什么:
- 使用 DOMAIN.LOCAL 用户访问共享文件夹
重要文件:
/etc/nsswitch.conf
# Name Service Switch: each line lists, in lookup order, the sources consulted for one database.
# Accounts and groups are looked up in the local files (compat mode) first, then through SSSD.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
# NOTE(review): the AD domain is named DOMAIN.LOCAL. mdns4_minimal handles *.local names and
# [NOTFOUND=return] ends the lookup before unicast DNS is tried, so hosts under domain.local
# may never be asked of the AD DNS server - confirm the DC resolves as intended on this host.
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
# NOTE(review): sudo rules may be taken from SSSD here, while sssd.conf on this page enables
# only the nss and pam responders. Confirm whether centrally managed sudo rules are intended;
# if not, keeping this line at "files" leaves sudo policy under local control only.
sudoers: files sss
/etc/sssd/sssd.conf
# NOTE(review): sssd.conf is expected to be owned by root and not readable by other users
# (mode 0600) - verify the permissions on disk.
[sssd]
# Responders to run: name service (NSS) and PAM only.
services = nss, pam
config_file_version = 2
# Domains to load; each one needs a matching [domain/NAME] section.
domains = DOMAIN.LOCAL
[domain/DOMAIN.LOCAL]
# Identities come from Active Directory.
id_provider = ad
# Home directories are placed under /home/<domain>/<user> (%d = domain name, %u = login name).
override_homedir = /home/%d/%u
# NOTE(review): the simple access provider is selected, but no simple_allow_users or
# simple_allow_groups list is set. With empty lists every user who can authenticate is
# granted access, which matches the statement above that all AD users can log in to this
# server. If that is not wanted, restrict access to the intended AD group.
access_provider = simple
/etc/krb5.conf
[libdefaults]
# Realm assumed when a principal is given without one.
default_realm = DOMAIN.LOCAL
ticket_lifetime = 24h
renew_lifetime = 7d
# DNS discovery of the realm and of KDCs is switched off; the KDC address is taken from
# the [realms] section of this file instead.
dns_lookup_realm = false
dns_lookup_kdc = false
# Author's note: the value above was previously TRUE.
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
# NOTE(review): tickets are requested as forwardable and proxiable by default, which allows
# them to be delegated to other hosts. If no service on this host needs delegation, setting
# both to false reduces what a stolen credential cache can be used for - confirm with usage.
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
# Log destinations for the Kerberos library and daemons.
# NOTE(review): the kdc and admin_server entries apply to the KDC and kadmind daemons. This
# host is described as a domain member, so presumably only "default" is used here - confirm.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
# The realm's KDC is pinned to a single address (DNS lookup of KDCs is disabled in
# [libdefaults]), so there is no fallback if that host is unreachable.
# NOTE(review): port 464 is the Kerberos password-change port, and MIT krb5 also has a
# separate kpasswd_server key - confirm that admin_server is the intended setting.
[realms]
DOMAIN.LOCAL = {
    kdc = 192.168.0.180:88
    admin_server = 192.168.0.180:464
    default_domain = domain.local
}
# Maps DNS names to the Kerberos realm: the leading-dot entry covers hosts under
# domain.local, the second entry covers the name domain.local itself.
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
/etc/samba/smb.conf
# Samba configured as an Active Directory domain member (security = ads) of realm DOMAIN.LOCAL.
[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN.LOCAL
# NOTE(review): "template homedir" and "template shell" are winbind settings, and no winbind
# or idmap options are visible here, while nsswitch.conf resolves accounts through sss.
# Recent Samba releases expect winbindd to be running when security = ads - confirm how this
# host resolves AD users and groups for smbd.
template homedir = /home/%D/%U
template shell = /bin/bash
# Covers outgoing (client-side) connections only.
# NOTE(review): "server signing" is not set, so signing of sessions to the shares below
# follows the Samba default - consider requiring it for a writable share.
client signing = yes
# NOTE(review): presumably deprecated in newer Samba versions - check the testparm output.
client use spnego = yes
# Service tickets are verified against secrets.tdb first, then the system keytab.
# Keep the keytab readable by root only.
kerberos method = secrets and keytab
# Per-user home shares, created on demand and named after the connecting user.
[homes]
comment = Home Directories
browseable = no
read only = yes
# With read only = yes nothing is created through this share, so these masks only matter
# if the share is later made writable.
create mask = 0700
directory mask = 0700
# %S expands to the share name, so each home share admits only the user it is named after.
valid users = %S
# Writable share intended for the members of one AD group.
[Compartido]
path = /home/DebianUser/Compartido
comment = compartido
browseable = yes
read only = no
# NOTE(review): the group is qualified with the Kerberos realm (DOMAIN.LOCAL), while
# "workgroup" in [global] is DOMAIN. Check which name form actually resolves on this host
# (for example with "getent group") and use exactly that form; a name that cannot be
# resolved would match nobody.
# valid users only gates the SMB session. The filesystem permissions on the path must
# grant the same group access, and should not be wider than that.
valid users = @"DOMAIN.LOCAL\usersgroup"