In fact, Samba has been able to act as a primary domain controller (PDC) since version 2.2, but domain support is much better in 3.0. The current 3.0 release also supports Active Directory, and adds new features such as Microsoft Kerberos authentication and a completely rewritten, configurable authentication subsystem.
Now let's get to today's task: setting up a simple PDC. The AD and Kerberos features of this controller are left for you to study on your own; I don't know much about them either :)
1. Install Samba. On Fedora you can install the samba RPM package directly from the CD:
rpm -ivh samba-3.0.0-15.i386.rpm
You can also download the latest package from the Samba web site (http://www.samba.org),
or the latest tarball, http://us1.samba.org/samba/ftp/samba-3.0.0.tar.gz
and then it is best to compile it as follows.
tar zvxf samba-3.0.0.tar.gz
cd samba-3.0.0
./configure \
  --prefix=/usr \
  --bindir=/usr/bin \
  --sbindir=/usr/sbin \
  --libexecdir=/usr/libexec \
  --datadir=/usr/share/samba \
  --sysconfdir=/etc/samba \
  --localstatedir=/usr/local/samba/var \
  --libdir=/usr/lib \
  --with-lockdir=/var/locks/samba \
  --with-swatdir=/usr/share/samba/swat \
  --with-codepagedir=/etc/samba/codepages \
  --with-configdir=/etc/samba \
  --with-smbwrapper \
  --with-automount \
  --with-smbmount \
  --with-pam \
  --with-pam_smbpass \
  --with-winbind
make
make install
OK! After the installation comes the real focus: editing /etc/samba/smb.conf. It is best to start from the original file and modify it.
[global]
workgroup = bmit
netbios name = proxy
server string = Samba PDC running %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
# workgroup = bmit names the domain. bmit.com would be more standard, but plain bmit is easier for clients to type. netbios name = proxy is the server's NetBIOS name. socket options tunes TCP/IP performance; the values shown work well on a Linux system.
os level = 64
preferred master = yes
local master = yes
domain master = yes
# domain master is the "switch" that makes Samba the primary domain controller. The local master browser is the server that maintains the list of machines on the local network.
security = user
encrypt passwords = yes
domain logons = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
# We still use user-level authentication here; don't get hung up on the so-called "domain" security mode. In hosts allow, list whichever network segments need to reach your server, or simply leave it empty.
logon home = \\%L\%U\.profile
logon drive = H:
logon path = \\%L\profiles\%U
logon script = netlogon.bat
# The above sets up roaming profiles and the logon script. logon path = \\%L\profiles\%U points at the [profiles] share defined below.
[homes]
comment = Home Directories
browseable = no
writeable = yes
[profiles]
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
browseable = no
write list = root
The above are the share sections. profiles stores each user's settings file, so that at the next logon the user's previous desktop settings are read from the server; netlogon stores the logon script, so its write permission must be restricted. Here only root is allowed to write to it.
For other shares, refer to the article "Samba 3.0 server practice and debugging" (http://www.5ilinux.com/samba.html); I will not repeat its share settings here.
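Because several of the settings above are what actually turn Samba into a PDC (security = user, encrypt passwords, domain logons, domain master) and one of them protects every client (a read-only netlogon share), it is worth checking a finished smb.conf for them. The following checker is an added example written for this article, not code from the original post or from the Samba project; it uses a constructed sample smb.conf embedded in the script, and the pdc_check and smb_get function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: a small checker for the PDC-critical
# smb.conf settings discussed above. smb.conf keys are case-insensitive and ignore
# internal whitespace, so both sides are normalised before comparing.

# Constructed sample smb.conf (mirrors the post's settings; not a real server's file).
SAMPLE_CONF=$(cat <<'EOF'
[global]
   workgroup = bmit
   netbios name = proxy
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 64
   ; comment lines are skipped by the checker
[netlogon]
   path = /home/netlogon
   read only = yes
   write list = root
[profiles]
   path = /home/samba/profiles
   writeable = yes
   browseable = no
EOF
)

# smb_get CONF SECTION KEY -> prints the value (lower-cased), or nothing if unset.
# SECTION and KEY are given lower-cased with no spaces, e.g. "global" "domainlogons".
smb_get() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[/ { cur = tolower($0); gsub(/[ \t]/, "", cur)
                      gsub(/\[/, "", cur); gsub(/\]/, "", cur); next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == key) { print tolower(v); exit }
        }'
}

# pdc_check CONF -> prints one line per problem; exit status = number of problems.
pdc_check() {
    fails=0
    # Settings that make Samba a PDC using encrypted (NT hash) authentication.
    for want in security=user encryptpasswords=yes domainlogons=yes domainmaster=yes; do
        key=${want%%=*}; val=${want#*=}
        got=$(smb_get "$1" global "$key")
        if [ "$got" != "$val" ]; then
            echo "global: $key should be $val (got ${got:-unset})"
            fails=$((fails + 1))
        fi
    done
    # netlogon serves the script every client runs at logon; it must not be user-writable.
    # Samba accepts "read only = yes" or its synonyms "writeable = no" / "writable = no".
    ro=$(smb_get "$1" netlogon readonly)
    w1=$(smb_get "$1" netlogon writeable)
    w2=$(smb_get "$1" netlogon writable)
    if [ "$ro" != "yes" ] && [ "$w1" != "no" ] && [ "$w2" != "no" ]; then
        echo "netlogon: share must be read only"
        fails=$((fails + 1))
    fi
    wl=$(smb_get "$1" netlogon writelist)
    if [ -n "$wl" ] && [ "$wl" != "root" ]; then
        echo "netlogon: write list widened beyond root ($wl)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage on a live system: pdc_check "$(cat /etc/samba/smb.conf)" && echo "PDC settings look right"
```

The checker deliberately treats the netlogon share as the sensitive one: the logon script it serves is executed by every workstation in the domain, so any account that can write there can push a script to all clients. Samba's own testparm validates syntax; this script only checks the handful of values this article depends on.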
Next, add the user and machine accounts to the domain controller.
Create the following groups and the two necessary directories, and set the correct ownership:
groupadd admins
groupadd machines
mkdir -m 0775 /home/netlogon
chown root:admins /home/netlogon
mkdir -p /home/samba/profiles
chmod 1757 /home/samba/profiles
Setting the correct permissions and ownership on these directories is a key step in protecting the server :)
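To see why those two modes differ, here is an added example (written for this article, not part of the original post) that creates the same layout under a root directory of your choice and verifies the resulting modes; the chown steps are left out because they require root, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: create the netlogon and profiles
# directories with the modes given above and verify them. ROOT is any writable
# directory (a temporary one for testing); on the real server it would be "/".

# dir_mode PATH -> the symbolic permission string from ls, e.g. drwxr-xrwt
dir_mode() { ls -ld "$1" | cut -c1-10; }

# setup_pdc_dirs ROOT -> creates ROOT/home/netlogon (0775) and ROOT/home/samba/profiles (1757)
setup_pdc_dirs() {
    # netlogon: owner and the admins group may write; everyone else can only read the
    # logon scripts, which every client executes at logon.
    mkdir -p -m 0775 "$1/home/netlogon"
    # profiles: world-writable so each user can create their own profile directory,
    # with the sticky bit (the leading 1) so users cannot delete or rename each other's.
    mkdir -p -m 1757 "$1/home/samba/profiles"
}

# verify_pdc_dirs ROOT -> prints one line per wrong mode; exit status = number of problems
verify_pdc_dirs() {
    bad=0
    [ "$(dir_mode "$1/home/netlogon")" = "drwxrwxr-x" ] || { echo "netlogon: wrong mode"; bad=$((bad + 1)); }
    [ "$(dir_mode "$1/home/samba/profiles")" = "drwxr-xrwt" ] || { echo "profiles: wrong mode"; bad=$((bad + 1)); }
    return "$bad"
}

# Usage: setup_pdc_dirs /tmp/pdc-test && verify_pdc_dirs /tmp/pdc-test
```

The trailing "t" in drwxr-xrwt is the sticky bit: without it, a mode of 0757 would let any domain user delete or rename another user's roaming profile directory on the server.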
Manually add a machine account
For example, if my client's machine name is ibm240, we do this:
useradd -g machines -d /dev/null -c "machine id" -s /bin/false 'ibm240$'
passwd -l 'ibm240$'
Enter the password twice;
Do not forget the trailing dollar sign; it is required and marks the entry as a machine trust account.
After creating the Linux account, we can add the machine to /etc/samba/smbpasswd:
smbpasswd -a -m ibm240
You can also have the system add machine accounts automatically with the method below, but it is better to add one manually first and then test automatic addition.
To add them automatically, just put the following in [global] (in Samba 3.0 this parameter is called add machine script; Samba 2.2 used add user script for the same purpose):
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
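Whether machine accounts are created by hand or by the script above, they should all end up with the same shape: a name ending in "$", a primary group of machines, /dev/null as the home directory and no login shell. The following audit is an added example written for this article (not code from the original post or from Samba); it runs over constructed /etc/passwd and /etc/group excerpts embedded in the script, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit machine trust accounts in
# passwd/group data for the properties the post requires (trailing "$", no login
# shell, /dev/null home, member of the machines group, NetBIOS name <= 15 chars).

# Constructed /etc/passwd and /etc/group excerpts (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
frank:x:1001:1001::/home/frank:/bin/bash
ibm240$:x:1002:1002:machine id:/dev/null:/bin/false
laptop7$:x:1003:1002:machine id:/home/laptop7$:/bin/bash
verylongmachinename$:x:1004:1002:machine id:/dev/null:/bin/false'
SAMPLE_GROUP='users:x:1001:
machines:x:1002:'

# machine_trust_name HOST -> the Unix account name Samba expects for a machine (HOST + "$").
machine_trust_name() { printf '%s$\n' "$1"; }

# audit_machine_accounts PASSWD GROUP -> prints one finding per line;
# exit status is the number of findings (0 = all machine accounts look right).
audit_machine_accounts() {
    mgid=$(printf '%s\n' "$2" | awk -F: '$1 == "machines" { print $3 }')
    findings=$(printf '%s\n' "$1" | awk -F: -v mgid="$mgid" '
        substr($1, length($1)) == "$" {
            name = substr($1, 1, length($1) - 1)
            if (length(name) > 15) print $1 ": NetBIOS name longer than 15 characters"
            if ($4 != mgid)        print $1 ": primary group is not machines"
            if ($6 != "/dev/null") print $1 ": home should be /dev/null (got " $6 ")"
            if ($7 != "/bin/false" && $7 != "/sbin/nologin")
                print $1 ": has a login shell (" $7 ")"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | grep -c .)"
}

# Usage on a live system: audit_machine_accounts "$(cat /etc/passwd)" "$(cat /etc/group)"
```

In the sample data, laptop7$ is flagged twice (a real home directory and a login shell), which is exactly the misconfiguration the useradd options above prevent: a machine trust account only needs to exist so that Samba can store its secret, and should never be usable for an interactive login.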
Add user accounts
First, add the root account to the smb accounts:
smbpasswd -a root
This step is very important, because joining the domain later requires the administrator account; it seems that joining does not succeed with an ordinary user.
Then add an ordinary user:
useradd frank
passwd frank
smbpasswd -a frank
For easier management, we recommend keeping each user's smb password the same as the Unix system password, so that Samba's password synchronization feature can be used as well.
# The options below let users change their Samba password from a Windows client and have their UNIX password updated immediately to match the new Samba entry. This does not work in reverse: if the UNIX password is changed, the Samba password must be changed manually. These also go in [global]; beginners can skip this for now.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# The only thing worth mentioning above is the passwd chat option. However it is displayed here, it must be entered as a single line. Note that some options use "password" while others use "passwd".
That completes the Samba PDC configuration. All that remains is to join the client to the domain. Restart the Samba service!
Client settings. Due to limitations, I only tried adding Windows clients to the domain; I leave WinXP and Win98 for everyone to test.
(You are advised to restart the Windows 2000 server first to avoid unnecessary problems.) Then go to Control Panel -> Network Identification. If the machine is currently configured under the workgroup option, select the Domain radio button and enter the domain name bmit.
Now log on to the domain with the user name root and its password. This initializes the "secret" between the server and the client machine. From this point on, any authenticated user can log on from this machine.
You should see a message welcoming you to the XX domain.
Congratulations, you have successfully configured Samba as a PDC.