Ubuntu通过samba winbind集成AD账号

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Ubuntu通过samba winbind集成AD账号相关的知识,希望对你有一定的参考价值。

Ubuntu通过samba winbind集成AD账号:

安装软件:

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

输入ming.com

vi /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat winbind

:wq

vi /etc/krb5.conf ([realms]下面其它的都可删掉)

[libdefaults]
default_realm = MING.COM (此处必须为大写)

[realms]
spreadtrum.com = {
kdc = 10.0.0.2:88
kdc = 10.0.0.3:88
default_domain = ming.com
}

:wq

kinit zhi.ming (能加域的普通AD账号即可)

输入账号密码

klist

vi /etc/samba/smb.conf

[global]

  workgroup = ming
  realm = ming.com
  netbios name = aa
  security = ADS
  dns forwarder = 10.0.0.1
  idmap config *:backend = tdb
  idmap config *:range = 50000-1000000

  template homedir = /home/%D/%U
  template shell = /bin/bash
  winbind use default domain = true
  winbind offline  logon = true
  winbind nss info  = rfc2307
  winbind enum users = yes
  winbind enum groups = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

:wq

vi /etc/pam.d/common-account (自动创建家目录)

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
:wq

vi /etc/pam.d/common-password

password [success=1 default=ignore] pam_winbind.so try_first_pass (将默认的use_authtok去掉)

:wq

service smbd restart

service nmbd restart

net ads join -U zhi.ming (能加域的普通AD账号即可)

输入AD账号密码

注:
/etc/hosts里的主机名及域名要和加的AD域一致(不一致会加不进去)

service winbind restart

wbinfo -u (查看AD里的账号信息)

wbinfo -g (查看AD里的group信息)

getent passwd | grep zhi.ming

id zhi.ming

su - zhi.ming

远程ssh:

ssh [email protected]

给sudo权限:

给个人:

vi /etc/sudoers

zhi.ming ALL=(ALL:ALL) NOPASSWD:ALL

:wq

给group(未成):

%MINGdomain users ALL=(ALL:ALL) NOPASSWD:ALL

支持图形化登陆:

vi /usr/share/lightdm/lightdm.conf/50-ubuntu.conf

greeter-show-manual-login=true
greeter-hide-users=true

:wq

登陆时为mingzhi.ming (即前要加域名)

注:

1、账号的uid和gid根据访问的先后顺利从50000开始排序(/etc/samba/smb.conf定义的),无法在AD里自定义
2、所有账号均可登录,无法通过/etc/passwd进行限制

通过AD域账号访问samba共享:

共享homes:

vi /etc/samba/smb.conf

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S

 :wq

 # service smbd restart

 访问:\ipzhi.ming    (此时不需要输用户名密码直接就可以访问自己家目录,访问不了别人的)

 共享特定目录:

 # vi /etc/samba/smb.conf

 [share]
comment = share
path = /space/share
browseable = yes
writable = yes
valid users = MINGzhi.ming
    :wq

    访问:\ipshare     (此时不需要输用户名密码直接就可以访问)

以上是关于Ubuntu通过samba winbind集成AD账号的主要内容,如果未能解决你的问题,请参考以下文章

samba集成AD域控(ubuntu-16.04)

Samba 系列(十五):用 SSSD 和 Realm 集成 Ubuntu 到 Samba4 AD DC

Linux AD 身份统一验证(SSO)

Samba服务

SAMBA服务简介

网络文件系统-Samba