Ubuntu 20.04: joining AD with realmd + sssd + samba + winbind so that Samba shares can be accessed with AD accounts:
apt-get install realmd sssd sssd-tools
realm discover aa.ming.com (aa.ming.com is the DC)
sssd mode (sssd and sssd-tools are installed automatically; they can also be installed beforehand):
realm join -v aa.ming.com -U xxx.xxx
vi /etc/nsswitch.conf
passwd: files sss
group: files sss
shadow: files sss
netgroup: files sss
:wq
vi /etc/sssd/sssd.conf
[sssd]
domains = ming.com
config_file_version = 2
services = nss, pam
[domain/ming.com]
default_shell = /bin/bash
ad_server = aa.ming.com
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MING.COM
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u (default is /home/%u@%d)
ad_domain = ming.com
use_fully_qualified_names = False (default is True; set to False so user names carry no domain suffix)
ldap_id_mapping = False (default is True)
access_provider = simple (default is ad)
simple_allow_users = xxx.xxx (added manually; only the listed users are allowed to log in)
filter_users_in_groups = False (added manually; do not look up group IDs)
enumerate = True (walks every AD user and group, which slows authentication; it is useful for quota, though: without it quota cannot resolve user names)
:wq
systemctl restart sssd
If a stale cache interferes, delete /var/lib/sss/db/cache_xxx.ldb; it is regenerated automatically.
Leaving the domain:
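An added check script in POSIX shell (not part of these notes): it reads the [domain/...] section of an sssd.conf laid out like the one above and confirms that access_provider = simple is backed by a non-empty simple_allow_users (with the simple provider and no allow list, sssd accepts every domain user), and it flags enumerate = True because of the slowdown noted above. The config it reads is a constructed sample, and get_opt and lint_domain are names chosen here.

```shell
#!/bin/sh
# Constructed sample mirroring the sssd.conf in these notes (not read from a real host).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = ming.com
config_file_version = 2
services = nss, pam

[domain/ming.com]
id_provider = ad
ad_domain = ming.com
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = simple
simple_allow_users = xxx.xxx
enumerate = True
EOF

# get_opt FILE SECTION KEY: print KEY's value inside [SECTION], nothing if unset.
# Expects "key = value" lines as written in these notes.
get_opt() {
  awk -v sect="[$2]" -v key="$3" '
    /^\[/ { insect = ($0 == sect); next }
    insect && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# lint_domain FILE DOMAIN: returns 0 when logins are limited by an explicit
# allow list, 1 when the simple provider is used without one. Also reports
# enumerate = True, which slows authentication (needed only for quota).
lint_domain() {
  f=$1; sect="domain/$2"; rc=0
  ap=$(get_opt "$f" "$sect" access_provider)
  allow=$(get_opt "$f" "$sect" simple_allow_users)
  agroups=$(get_opt "$f" "$sect" simple_allow_groups)
  if [ "$ap" = simple ] && [ -z "$allow" ] && [ -z "$agroups" ]; then
    # simple provider with an empty allow list admits every domain user
    echo "FAIL: access_provider = simple but no simple_allow_users/groups" >&2; rc=1
  elif [ "$ap" != simple ]; then
    echo "WARN: access_provider = ${ap:-<unset>}; no explicit allow list in sssd.conf" >&2
  fi
  [ "$(get_opt "$f" "$sect" enumerate)" = True ] &&
    echo "NOTE: enumerate = True walks all AD users/groups; expect slower logins" >&2
  return $rc
}

lint_domain "$SAMPLE_CONF" ming.com && echo "sssd.conf: login allow list present"
```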
realm leave -v ming.com -U xxx.xxx
Verification:
getent passwd xxx.xxx
or
id xxx.xxx (the uid is the value set in the user's UNIX attributes on AD)
or
ssh xxx.xxx@ip
Samba share:
apt-get install samba
vi /etc/samba/smb.conf
[global] (added manually)
workgroup = ming
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
security = ads
realm = ming.com
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
valid users = %S
:wq
systemctl restart smbd
net ads join -U xxx.xxx%xxxxx (the xxxxx after % is the password)
At this point \\ip reports "not accessible".
Fix:
apt-get install winbind
After that, \\ip opens normally.