Instance analysis-Samba Domain Function

Source: Internet
Author: User
In a company's existing Windows PDC environment, add a Linux file server and let the user accounts already held in the Windows PDC access it, with each user getting its own home directory.
In this project the Samba server can run at server level, because the Windows PDC does the user authentication.
There is, however, another problem: the existing accounts on the Windows PDC differ from the Linux user accounts, while Samba accounts must be based on system accounts. This means we would have to create an account with the same name on the Linux system for every Windows PDC account, and then convert each of them into a Samba account.
To reduce the account configuration work on the Samba server, we can use the username map parameter in the smb.conf configuration file. It names a user-name mapping file, /etc/samba/smbusers by default. This file effectively sets an alias for each Samba user account, and the alias is the Windows PDC account name. For example, the Windows PDC has an account administrator; on Linux the system account is root, and the Samba account is still root. In the mapping file we give the root account the alias administrator.
That solves the problem; the configuration follows. The Windows PDC domain name is tail and its host name is pig. Its user accounts are administrator, user1, user2 and user3. First we create the Linux system user accounts root, smbuser1, smbuser2 and smbuser3, one for each Win2000 domain account, and then convert them into Samba user accounts one by one.
Then set up the mapping in the /etc/samba/smbusers file. The mapping format is:
real Samba account = account alias
Make sure the file contains the following:
root = Administrator
smbuser1 = user1
smbuser2 = user2
smbuser3 = user3
Note: write the Samba user name on the left and the Win2000 domain user name on the right.
Modify the smb.conf configuration file (smb.conf only accepts comments on their own lines, so the explanations are placed above the parameters they describe):
[global]
workgroup = tail
netbios name = redflag
security = server
# password server: NetBIOS name of the server that verifies accounts when Samba runs at server or domain level
password server = pig.tail
# username map: the account mapping file
username map = /etc/samba/smbusers
Then create the home directory share for each user:
[homes]
comment = user's home directories
browseable = no
valid users = %S
writable = yes
This meets the most basic requirements. If you also need directories with other permissions, you can keep adding them.
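A small check worth running before the mapping file above goes live, as an added example that is not code from the original article: it parses the smbusers format, resolves a Windows name to its Samba account the way the first-match rule does, and reports unix names that have no local account, aliases claimed by two different unix accounts, and aliases that land on uid 0 (the article's own root = Administrator entry is one, and the administrator should confirm that is intended). It assumes the smbusers syntax Samba documents: one "unixname = alias1 alias2 ..." entry per line, comment lines starting with '#' or ';', and an optional leading '!' that stops further matching; comparing aliases case-insensitively is this example's assumption. Both inputs are constructed: the map copies the article's file, and the passwd snapshot deliberately omits smbuser3.

```python
"""Validate a username map file before enabling it with "username map" in smb.conf.

Added example, not from the original article. Assumed smbusers syntax:
"unixname = alias1 alias2 ...", comment lines starting with '#' or ';',
optional leading '!' on the unix name. Alias matching is case-insensitive
here (assumption, because Windows account names are).
"""

# Constructed copy of the article's /etc/samba/smbusers
SMBUSERS = """\
# real Samba account = account alias
root = Administrator
smbuser1 = user1
smbuser2 = user2
smbuser3 = user3
"""

# Constructed passwd snapshot, as `getent passwd` would show; smbuser3 is left out on purpose
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smbuser1:x:1001:1001::/home/smbuser1:/bin/bash
smbuser2:x:1002:1002::/home/smbuser2:/bin/bash
"""


def parse_smbusers(text):
    """Return [(unixname, [aliases])] in file order, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;' or '=' not in line:
            continue
        unixname, aliases = line.split('=', 1)
        entries.append((unixname.strip().lstrip('!'), aliases.split()))
    return entries


def parse_passwd(text):
    """Return {username: uid} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def resolve(alias, entries):
    """Unix account a Windows name maps to; the first matching entry wins, None if unmapped."""
    for unixname, aliases in entries:
        if alias.lower() in (a.lower() for a in aliases):
            return unixname
    return None


def audit(smbusers_text, passwd_text):
    """Report unix names without a local account, aliases that land on uid 0,
    and aliases claimed by more than one unix account."""
    entries = parse_smbusers(smbusers_text)
    users = parse_passwd(passwd_text)
    missing, privileged, duplicates, owner = [], [], [], {}
    for unixname, aliases in entries:
        if unixname not in users:
            missing.append(unixname)
        for alias in aliases:
            key = alias.lower()
            if key in owner and owner[key] != unixname:
                duplicates.append(alias)
            owner.setdefault(key, unixname)
            if users.get(unixname) == 0:
                privileged.append(alias)
    return {'missing': missing, 'privileged': privileged, 'duplicates': duplicates}


if __name__ == '__main__':
    for section, names in audit(SMBUSERS, PASSWD).items():
        print(f'{section}: {names}')
```

On a real server, feed it the actual /etc/samba/smbusers and the output of `getent passwd` instead of the constructed strings; an empty "missing" list means every left-hand name exists as a system account and can be converted into a Samba account.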

Operation
The server-level solution does not suit a Windows PDC with many users and frequent account additions and removals. Even if we are willing to build the account mappings one by one when the Samba file server is first set up, account management cannot be kept in sync during later maintenance: whenever an account is added or deleted, the Samba server and the mapping file must be updated as well, which is a large workload and an inconvenience for the administrator.
Synchronize Windows PDC accounts
Samba 3.0 and later provide the winbind service. It connects to the Windows PDC, "grabs" the PDC's groups and accounts, and converts them into Linux accounts and Samba accounts.
The Windows PDC domain name is tail and its host name is pig. The Samba server's name is redflag.
Let's take a look at the specific configuration process.
Modify the nsswitch.conf file
Modify /etc/nsswitch.conf so that winbind becomes a source of passwd and group information:
passwd: files winbind
shadow: files
group: files winbind
Modify the smb.conf file
Next, the modifications to the smb.conf file (explanations are placed on comment lines above the parameters, since smb.conf does not accept trailing comments):
[global]
workgroup = tail
netbios name = redflag
server string = Samba Server
security = domain
password server = pig.tail
preferred master = no
domain master = no
domain logons = no
# idmap uid and idmap gid: the id number range winbind uses for the Win2000 domain users and groups it maps; if there are many users, widen the range
idmap uid = 10000-20000
idmap gid = 10000-20000
# template shell: the shell given to a domain user who logs on to Linux
template shell = /bin/bash
# template homedir: the home directory of a domain user, here /home/<domain name>/<user name>
template homedir = /home/%D/%U
# winbind separator: the separator between domain name and user name in account names, e.g. tail%work
winbind separator = %
# winbind use default domain: if yes, the domain name and separator are dropped when names are shown; otherwise you log on to Linux with a name like tail%work
winbind use default domain = yes
That is essentially everything that needs to change in the smb.conf file.
Add to the Windows PDC domain
Samba 3.0 and later provide the net join command for joining a Windows PDC domain. Use it to add the Samba server to the Windows PDC:
# net rpc join -S pig.tail -U Administrator
Enter the domain administrator password, that is, the administrator password on the Windows PDC.
On success the system reports something like:
Joined tail domain
Then start the services:
# service smb start
# service winbind start

View the collected Windows PDC user and group account information
Use the wbinfo command to view the users and groups that the winbindd service has fetched from the PDC.
# wbinfo -u
This shows the PDC users fetched by winbind:
Administrator
Guest
huaijinyang
JACK
krbtgt
laohuai
user1
user2
user3
user4
user5
work
Then execute:
# wbinfo -g
This shows the PDC groups fetched by winbind:
Builtin%System Operators
Builtin%Replicators
Builtin%Guests
Builtin%Power Users
Builtin%Print Operators
Builtin%Administrators
Builtin%Account Operators
Builtin%Backup Operators
Builtin%Users
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Cert Publishers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
DnsUpdateProxy
zzz

Check whether the PDC users and groups have been converted to local UIDs and GIDs:
# getent passwd
This shows the PDC users converted to system uids:
Administrator:x:10000:10000::/home/tail/Administrator:/bin/bash
Guest:x:10001:10000::/home/tail/Guest:/bin/bash
huaijinyang:x:10002:10000:Huai:/home/tail/huaijinyang:/bin/bash
JACK:x:10003:10000:JACK:/home/tail/JACK:/bin/bash
krbtgt:x:10004:10000::/home/tail/krbtgt:/bin/bash
laohuai:x:10010:10000:laohuai:/home/tail/laohuai:/bin/bash
user1:x:10005:10000:user1:/home/tail/user1:/bin/bash
user2:x:10006:10000:user2:/home/tail/user2:/bin/bash
user3:x:10007:10000:user3:/home/tail/user3:/bin/bash
user4:x:10008:10000:user4:/home/tail/user4:/bin/bash
user5:x:10011:10000:user5:/home/tail/user5:/bin/bash
work:x:10009:10000:Work:/home/tail/work:/bin/bash
The uids of the PDC users start from 10000, with the PDC user Administrator getting uid 10000.

# getent group
This shows the gids of the system groups into which the PDC groups were converted:
Domain Admins:x:10003:Administrator
Domain Users:x:10000:Administrator,guest,krbtgt,work,Jack,user1,user2,user3,user4,huaijinyang,user5,laohuai
Domain Guests:x:10005:Guest
Domain Computers:x:10006:call-center$,hjy$,localhost$,Lisboa$,huaijinyang$,smb1$,rfas41$,Lux$
Domain Controllers:x:10007:Pig$
Cert Publishers:x:10008:
Schema Admins:x:10002:Administrator
Enterprise Admins:x:10004:Administrator
Group Policy Creator Owners:x:10001:Administrator
DnsUpdateProxy:x:10009:
zzz:x:10010:
Builtin%System Operators:x:10011:
Builtin%Replicators:x:10012:
Builtin%Guests:x:10013:
Builtin%Power Users:x:10014:
Builtin%Print Operators:x:10015:
Builtin%Administrators:x:10016:
Builtin%Account Operators:x:10017:
Builtin%Backup Operators:x:10018:
Builtin%Users:x:10019:
The gids of the PDC groups start from 10000, with the PDC group Domain Users getting gid 10000.
Seeing this output indicates that the configuration is complete and the winbind service is working properly.
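Beyond eyeballing the getent output, an administrator will want to confirm that the ids winbind handed out actually respect the smb.conf settings. The following is an added example, not code from the original article: it compares the local /etc/passwd with the merged `getent passwd` output (so the difference is the set of accounts winbind supplied) and checks that every winbind uid lies inside the configured idmap uid range 10000-20000, that every winbind home follows the template homedir /home/<domain>/<user> (Samba's %D and %U variables), and that no local account sits inside the idmap range, where it would share a uid with a domain user and so own that user's files. The sample lines are constructed: the winbind entries are copied from the article's output; the local entries, the local account backup and the domain entry user9 are made up so that the check has faults to report.

```python
"""Audit winbind's id mapping against the smb.conf values the article uses.

Added example, not from the original article. Inputs are constructed: the
winbind lines come from the article's getent output, while the local lines,
the colliding local account "backup" and the faulty domain entry "user9"
are invented for the check.
"""

IDMAP_UID = (10000, 20000)        # idmap uid = 10000-20000 in the article's smb.conf
TEMPLATE_HOMEDIR = "/home/%D/%U"  # template homedir: /home/<domain>/<user>
DOMAIN = "tail"

# Constructed /etc/passwd; "backup" deliberately has a uid inside the idmap range
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smbuser1:x:1001:1001::/home/smbuser1:/bin/bash
backup:x:10003:10003::/var/backups:/bin/sh
"""

# Constructed `getent passwd`: local entries plus what winbind adds; "user9" is wrong on purpose
GETENT_PASSWD = LOCAL_PASSWD + """\
Administrator:x:10000:10000::/home/tail/Administrator:/bin/bash
JACK:x:10003:10000:JACK:/home/tail/JACK:/bin/bash
user1:x:10005:10000:user1:/home/tail/user1:/bin/bash
work:x:10009:10000:Work:/home/tail/work:/bin/bash
user9:x:25000:10000:user9:/home/user9:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (uid, gid, home)} from seven-field passwd lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) == 7:
            users[fields[0]] = (int(fields[2]), int(fields[3]), fields[5])
    return users


def expected_home(name, domain=DOMAIN, template=TEMPLATE_HOMEDIR):
    """Expand %D (domain) and %U (user) the way template homedir does."""
    return template.replace('%D', domain).replace('%U', name)


def audit_idmap(local_text, getent_text, id_range=IDMAP_UID):
    """Return the accounts that break the idmap range, the home template,
    or that share a uid across the local and winbind sources."""
    local = parse_passwd(local_text)
    merged = parse_passwd(getent_text)
    lo, hi = id_range
    # Entries present in getent but absent from /etc/passwd must have come from winbind
    winbind = {n: v for n, v in merged.items() if n not in local}
    findings = {'out_of_range': [], 'bad_home': [], 'local_in_range': [], 'uid_collision': []}
    for name, (uid, _gid, home) in sorted(winbind.items()):
        if not lo <= uid <= hi:
            findings['out_of_range'].append(name)
        if home != expected_home(name):
            findings['bad_home'].append(name)
    local_by_uid = {uid: n for n, (uid, _, _) in local.items()}
    for name, (uid, _, _) in sorted(local.items()):
        if lo <= uid <= hi:
            findings['local_in_range'].append(name)
    for name, (uid, _, _) in sorted(winbind.items()):
        if uid in local_by_uid:
            findings['uid_collision'].append((name, local_by_uid[uid]))
    return findings


if __name__ == '__main__':
    for key, value in audit_idmap(LOCAL_PASSWD, GETENT_PASSWD).items():
        print(f'{key}: {value}')
```

On a real server, read /etc/passwd and the output of `getent passwd` into the two strings; the uid_collision list is the one to act on first, by moving the local account out of the idmap range or widening the range so the two sources cannot overlap.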

Create the parent directory for logon user accounts' home directories
The template homedir path is specified in the Samba configuration file, so create its parent directory:
# mkdir /home/tail

Windows PDC account logon authentication
We have now synchronized the Windows PDC accounts automatically through winbind. Next we set up logon for these accounts so that each user account gets its home directory created at logon.

Configure PAM authentication for logon by PDC users
Back up the original PAM authentication files:
# mkdir /home/backup
# cp /etc/pam.d/login /home/backup
# cp /etc/pam.d/system-auth /home/backup

Modify the login file
The last line of this file is
session optional pam_lele.so
After it, add
session required pam_mkhomedir.so skel=/etc/skel umask=0022

Modify the system-auth file
# vi /etc/pam.d/system-auth
1. Find the line starting with "auth" that calls pam_unix.so:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
Append use_first_pass to the end of this line:
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
Then add the following line before it:
auth sufficient /lib/security/pam_winbind.so
The result is:
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass

2. Find the line starting with "account" that calls pam_unix.so:
account required /lib/security/$ISA/pam_unix.so
Append use_first_pass to the end of this line:
account required /lib/security/$ISA/pam_unix.so use_first_pass
Then add the following line before it:
account sufficient /lib/security/pam_winbind.so
The result is:
account sufficient /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so use_first_pass
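The order of these two lines matters: pam_winbind.so marked sufficient lets a domain user succeed without ever reaching pam_unix.so, while a local user falls through to pam_unix.so, which reuses the already-typed password because of use_first_pass instead of prompting again. The following is an added example, not code from the original article, that checks exactly those conditions for both the auth and the account stacks. It assumes the simple "type control module [args]" line shape shown in the article (bracketed control fields such as [success=1 default=ignore] are not handled) and strips the directory from the module name, so /lib/security/$ISA/pam_unix.so and a bare pam_unix.so compare equal. The two configurations are constructed from the article's before and after listings and contain only the lines the article touches.

```python
"""Check the auth/account ordering the article applies to /etc/pam.d/system-auth.

Added example, not from the original article. Assumes the simple
"type control module [args]" line shape; bracketed control fields are not
handled. BEFORE and AFTER are constructed from the article's listings.
"""

# Constructed: the two lines as they are before the change
BEFORE = """\
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
account  required    /lib/security/$ISA/pam_unix.so
"""

# Constructed: the same stacks after the change the article describes
AFTER = """\
auth     sufficient  /lib/security/pam_winbind.so
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
account  sufficient  /lib/security/pam_winbind.so
account  required    /lib/security/$ISA/pam_unix.so use_first_pass
"""


def parse_pam(text):
    """Return [(type, control, module basename, [args])] in file order, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue
        module = parts[2].rsplit('/', 1)[-1]   # drop /lib/security/$ISA/ etc.
        rules.append((parts[0].lower(), parts[1].lower(), module, parts[3:]))
    return rules


def check_stack(rules, mtype):
    """Problems found in one management group ('auth' or 'account'); [] means it is correct."""
    stack = [r for r in rules if r[0] == mtype]
    problems = []
    winbind = next((i for i, r in enumerate(stack) if r[2] == 'pam_winbind.so'), None)
    unix = next((i for i, r in enumerate(stack) if r[2] == 'pam_unix.so'), None)
    if winbind is None:
        problems.append(f'{mtype}: pam_winbind.so missing')
    elif stack[winbind][1] != 'sufficient':
        problems.append(f'{mtype}: pam_winbind.so should be sufficient, is {stack[winbind][1]}')
    if unix is None:
        problems.append(f'{mtype}: pam_unix.so missing')
    else:
        if 'use_first_pass' not in stack[unix][3]:
            problems.append(f'{mtype}: pam_unix.so lacks use_first_pass')
        if winbind is not None and winbind > unix:
            problems.append(f'{mtype}: pam_winbind.so must precede pam_unix.so')
    return problems


def check_system_auth(text):
    """All problems across the auth and account stacks of a system-auth file."""
    rules = parse_pam(text)
    return check_stack(rules, 'auth') + check_stack(rules, 'account')


if __name__ == '__main__':
    print('before:', check_system_auth(BEFORE))
    print('after:', check_system_auth(AFTER))
```

Run it against the real file with `check_system_auth(open('/etc/pam.d/system-auth').read())` after editing; keep the backup from /home/backup at hand, because a broken system-auth stack can lock every user out, not just the domain ones.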

Test logon with PDC users
Log on to a Linux terminal as a PDC user. When the $ prompt appears, the configuration is complete.
This logon is necessary because it creates the PDC user's home directory under /home in the domain-name directory, for example:
/home/tail/user1
Whether this directory exists, together with the [homes] section kept in the /etc/smb.conf file, determines whether the PDC user sees his or her home directory when logging on to the file server. With the [homes] section retained in /etc/smb.conf, the user's home directory is visible when logging on with the PDC user account. If the file server has special requirements, continue to configure the corresponding Samba share parameters.
