如何将 centos 7 加入 samba 域？

Question 1

Krisko。首先，您必须安装 sssd 集成软件包：

yum install \
realmd \
sssd \
sssd-krb5 \
sssd-krb5-common \
sssd-common \
sssd-common-pac \
sssd-ad \
sssd-proxy \
sssd-tools \
python-sssdconfig \
samba \
samba-common \
authconfig \
authconfig-gtk

然后在您的用户（[域 UID]）具有完全访问权限的 AD 容器中创建机器帐户。

将机器添加到域：realm --verbose join [FQ域名] -U [域 UID]

调整 /etc/sssd/sssd.conf

[sssd]
domains = <FQ Domain name lowercase>
config_file_version = 2
services = nss, pam

[domain/bdp.pt]
ad_domain = <FQ Domain name lowercase>
krb5_realm = <FQ Domain name uppercase>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = <Comma separated list of AD groups allowed to login in the form <FQDomainLowercase>\<GroupName>>
simple_allow_users = <Same for users>

您可能需要调整 /etc/krb5.conf 的这两个部分

[realms]
 <FQDomainUpperCase> = {
 }

[domain_realm]
 <FQDomainLowerCase> = <FQDomainUpperCase>
 .<FQDomainLowerCase> = <FQDomainUpperCase>

那么这将不再是一台独立的机器，您可以对域用户进行身份验证。希望对您有所帮助。

Answer

Krisko。首先，您必须安装 sssd 集成软件包：

yum install \
realmd \
sssd \
sssd-krb5 \
sssd-krb5-common \
sssd-common \
sssd-common-pac \
sssd-ad \
sssd-proxy \
sssd-tools \
python-sssdconfig \
samba \
samba-common \
authconfig \
authconfig-gtk

然后在您的用户（[域 UID]）具有完全访问权限的 AD 容器中创建机器帐户。

将机器添加到域：realm --verbose join [FQ域名] -U [域 UID]

调整 /etc/sssd/sssd.conf

[sssd]
domains = <FQ Domain name lowercase>
config_file_version = 2
services = nss, pam

[domain/bdp.pt]
ad_domain = <FQ Domain name lowercase>
krb5_realm = <FQ Domain name uppercase>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = <Comma separated list of AD groups allowed to login in the form <FQDomainLowercase>\<GroupName>>
simple_allow_users = <Same for users>

您可能需要调整 /etc/krb5.conf 的这两个部分

[realms]
 <FQDomainUpperCase> = {
 }

[domain_realm]
 <FQDomainLowerCase> = <FQDomainUpperCase>
 .<FQDomainLowerCase> = <FQDomainUpperCase>

那么这将不再是一台独立的机器，您可以对域用户进行身份验证。希望对您有所帮助。

Question 2

确保主机之间可以 ping 通，然后ping server尝试ping server.domain.local。如果没有任何结果，请尝试在 kerberos 配置中明确指定 KDC，并在smb配置文件。

示例krb5配置文件文件：

/etc/krb5.conf
...
[realms]
         DOMAINNAME.COM = {
                 kdc = din-dc1.domainname.com
                 kdc = den-dc1.domainname.com
                 master_kdc = din-dc1.domainname.com
                 admin_server = din-dc1.domainname.com
         }

[domain_realm]
         .domainname.com = DOMAINNAME.COM
...

/etc/samba/smb.conf
...
[global]
         server string = Dinamo File Server

         workgroup = DOMAINNAME
         realm = DOMAINNAME.COM
         security = ADS
         password server = *
         #password server = din-dc1.domainname.com
         #password server = din-dc1.domainname.com, den-dc1.domainname.com

用于kinit确保 kerberos 正常工作！

Answer

确保主机之间可以 ping 通，然后ping server尝试ping server.domain.local。如果没有任何结果，请尝试在 kerberos 配置中明确指定 KDC，并在smb配置文件。

示例krb5配置文件文件：

/etc/krb5.conf
...
[realms]
         DOMAINNAME.COM = {
                 kdc = din-dc1.domainname.com
                 kdc = den-dc1.domainname.com
                 master_kdc = din-dc1.domainname.com
                 admin_server = din-dc1.domainname.com
         }

[domain_realm]
         .domainname.com = DOMAINNAME.COM
...

/etc/samba/smb.conf
...
[global]
         server string = Dinamo File Server

         workgroup = DOMAINNAME
         realm = DOMAINNAME.COM
         security = ADS
         password server = *
         #password server = din-dc1.domainname.com
         #password server = din-dc1.domainname.com, den-dc1.domainname.com

用于kinit确保 kerberos 正常工作！

如何将 centos 7 加入 samba 域？

答案1

答案2

相关内容