File Server migration from Windows to Linux (perfect combination of Samba and AD)

Source: Internet
Author: User
After searching through a lot of material on the Internet, we have finally got Samba user management handled by the AD domain controller. That is, the Samba server is joined to the AD domain as a member server, which lets us gradually migrate the Windows file server to a Linux (Samba) file server. (My goal is to migrate from Windows to Linux, mainly to improve server security and stability. Early on I tried switching desktop OSes to Linux; that worked for me, but for most non-professionals and ordinary staff inside an enterprise it is very hard to achieve. Considering cost and security, switching the enterprise's servers to Linux is achievable. Some people will say that Samba should replace AD outright, but I have not tried that yet and will look at it later; in most enterprise environments today we cannot do without Windows, so I think joining Samba to the domain is the best way. Later, ISA can be replaced with Squid and Exchange with sendmail or qmail. In the end we still need AD for unified user management across the network, so there is still a long way to go. There are already experts on chinaunix doing this; it seems I need to keep at it.)

Samba supports two methods to dynamically add system user accounts.

1. Add user script

Adding a user script is probably the simpler of the two methods, because it requires only one configuration option.

Add the add user script option to the [global] section of /etc/samba/smb.conf.

The following is an example:

   # If you only want the accounts created but do not want the users to have a real
   # login shell or their own home directory on the server, use something like this:
   # add user script = /usr/sbin/useradd -g smbusers -s /bin/false -d /dev/null -M %u
   # If you want the domain users to have a real login shell and a home directory
   # on the server, use something like this instead:
   add user script = /usr/sbin/useradd -g smbusers -s /bin/bash %u

When a connecting user passes authentication but has no account in /etc/passwd, the add user script creates a system account for that user. Unless another directory is configured, the home directory is created under /home/.

2. Use winbind

For details, see the article "Samba: two methods to dynamically add system user accounts".

My actual example: see http://romexp.blog.163.com/blog/static/3610065200762614516829

1. Implementation Environment

Fedora 7 + Squid 2.6 + Samba 3.0 + Krb5

2. Install the software packages

Both Samba and Krb5 were installed at the latest version available through yum.

3. Kerberos Configuration

By default, Windows Server 2003 uses Kerberos for authentication, so the Krb5 package must be installed. Configuration and testing are simple. The Krb5 configuration file is /etc/krb5.conf; the configuration is as follows:

   [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

   [libdefaults]
    default_realm = TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

   [realms]
    TEST.COM = {
     kdc = 192.168.1.200:88
     admin_server = 192.168.1.200:749
     default_domain = TEST.COM
    }

   [domain_realm]
    .test.com = TEST.COM
    test.com = TEST.COM

   [appdefaults]
    pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
    }

I used the winbind method to synchronize AD accounts.

The smb.conf configuration is as follows:

   [global]
    workgroup = TEST
    netbios name = fedora
    server string = Samba Server
    security = domain
    password server = win2k3.test.com
    preferred master = no
    domain master = no
    domain logons = no
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = /
    winbind use default domain = yes
    template homedir = /homes/%D/%U
    template shell = /bin/bash

   [homes]
    comment = User's Home Directories
    path = /homes/%D/%U
    browseable = no
    valid users = %U
    writable = yes

Note on winbind enum groups and winbind enum users: these two lines control whether AD accounts are enumerated on Linux. Only when both are set do the AD users and groups show up in the output of getent passwd and getent group.

Note on template homedir: the directory is /homes, not /home; I took many detours here. You can of course use /home/%D/%U instead.

Note on path under [homes]: this must be the same as the template homedir value above.

Note on valid users: %U must be used here rather than %S. %U is the user name the client logged in with, while %S is the name of the current share.

A short description of these settings:

- idmap uid: specifies a uid range. uids in this range are used to map Windows user SIDs to UNIX users. Make sure the range is not occupied by local or NIS users; after winbind is started, no user may be added in this id range.

- idmap gid: specifies a gid range. gids in this range are used to map Windows group SIDs to UNIX groups. Make sure the range is not occupied by local or NIS groups; after winbind is started, no new group may be added in this id range.

- winbind separator: specifies the character winbind places between the domain and the user or group name. With the + separator used in this description, a domain user appears as "MYDOMAIN+username" and a domain group as "MYDOMAIN+Domain Users".

- winbind enum groups and winbind enum users: specify whether winbind enumerates domain groups and users on the system. These are normally set to yes unless you want to disable this for some reason.

- template homedir: specifies the home directory generated for domain users. In the example above the variables are substituted, so winbind sets the user's home directory to /homes/MYDOMAIN/username.

Note that if you want a specific domain user, or all domain users, to have a home directory under the Samba directory, the administrator must create it manually. template homedir only controls where Samba looks for the domain user's home directory; it does not create it, so you must create it and set its permissions by hand.
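As an added example that is not part of the original post, the following script checks the caveat above: that the idmap uid and gid ranges in smb.conf are not already occupied by local accounts before winbind is started. The smb.conf, passwd and group contents are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check that the idmap uid/gid
# ranges in smb.conf are not already occupied by local accounts, which the
# post says must be ensured before winbind is started.
# File names and all contents below are constructed sample data.

SMB_CONF=$(mktemp); PASSWD=$(mktemp); GROUP=$(mktemp)
cat >"$SMB_CONF" <<'EOF'
[global]
   workgroup = TEST
   security = domain
   idmap uid = 15000-20000
   idmap gid = 15000-20000
EOF
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
svc-backup:x:15010:15010::/var/backup:/sbin/nologin
EOF
cat >"$GROUP" <<'EOF'
root:x:0:
users:x:100:
legacy:x:19999:
EOF

# idmap_range KEY FILE: print "LOW HIGH" for a line "KEY = LOW-HIGH" in smb.conf
idmap_range() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$2"
}

# ids_in_range LOW HIGH FILE: names whose numeric id (third field of passwd or group) is in [LOW, HIGH]
ids_in_range() {
    awk -F: -v lo="$1" -v hi="$2" '$3+0 >= lo+0 && $3+0 <= hi+0 { print $1 }' "$3"
}

# check_idmap SMB_CONF PASSWD GROUP: print one line per conflicting local user
# or group; exit status 1 if any were found, 2 if a range is missing from smb.conf
check_idmap() {
    conf=$1; pw=$2; gr=$3; found=0
    set -- $(idmap_range "idmap uid" "$conf")
    [ $# -eq 2 ] || { echo "idmap uid range not found in $conf" >&2; return 2; }
    for u in $(ids_in_range "$1" "$2" "$pw"); do echo "uid conflict: $u"; found=1; done
    set -- $(idmap_range "idmap gid" "$conf")
    [ $# -eq 2 ] || { echo "idmap gid range not found in $conf" >&2; return 2; }
    for g in $(ids_in_range "$1" "$2" "$gr"); do echo "gid conflict: $g"; found=1; done
    return $found
}

# With the sample data this reports svc-backup (uid 15010) and legacy (gid 19999)
check_idmap "$SMB_CONF" "$PASSWD" "$GROUP" || echo "fix the ranges before starting winbind"
```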

Then the administrator needs to edit /etc/nsswitch.conf manually so that domain users can be resolved through winbind. This is covered in another article in the Red Hat knowledge base: http://www.redhat.com.cn/kbase/4760.php

Join the Linux host to the domain with:

   net rpc join -S win2k3.test.com -U administrator

Restart Samba:

   service smb restart

winbind also needs to be restarted:

   service winbind restart

Make sure the Samba host account is correctly registered in Active Directory:

   root# wbinfo -t
   checking the trust secret via RPC calls succeeded

This output indicates that the host trust has been established.

wbinfo -u lists the accounts registered in AD, and wbinfo -g lists the groups in AD.

Prepare NSS

NSS is the Name Service Switch, which controls how account lookups are resolved. Edit /etc/nsswitch.conf as follows:

   passwd: files winbind
   group: files winbind

Check whether the PDC users and groups have been mapped to local UIDs and GIDs:

   getent passwd

The PDC users are now listed as system users with their mapped UIDs. Similarly:

   getent group

The AD accounts now appear in the Linux user list with their UIDs and GIDs.

Conclusion: at this point you can use Active Directory users with Samba, and each user can reach their own home directory. For example, I now add user2 in AD and set a password. Then, on Linux, run mkdir /home/TEST/user2 followed by

   # chown 'test\user2':'test\domain users' /home/TEST/user2

to change the directory owner, and log in as that user.

To set up shared folders, you can use the following configuration:

   [user2's Directory]
    comment = user2's Directory
    path = /homes/TEST/user2
    ; browseable = no
    valid users = TEST/user2
    writable = yes
    create mode = 0777
    directory mode = 0777

Both methods still require chown to change the directory owner; that needs more research!

The above shows how to use Samba's winbind to integrate AD and Samba cleanly. I have not studied or tested the user script method. I learned a lot from other people's work to get this done.

Of course there may be many mistakes; please correct me. This is also my first step toward gradually replacing the servers with a Linux OS!