
Although it cannot act as an Active Directory Primary Domain Controller (PDC), a Samba server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user information.
This section describes configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.
First, install Samba and libpam-smbpass to sync the user accounts, by entering the following in a terminal prompt:
sudo apt-get install samba libpam-smbpass
Next, configure Samba by editing /etc/samba/smb.conf. The security mode should be set to user, and the workgroup should relate to the organization properly:
workgroup = EXAMPLE
...
security = user
In the commented “Domains” section, add or uncomment the following:
domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
domain logons: provides the netlogon service causing Samba to act as a domain controller.
logon path: places the user's Windows profile into their home directory. It is also possible to configure a [profiles] share placing all profiles under a single directory.
logon drive: specifies the home directory local path.
logon home: specifies the home directory location.
logon script: determines the script to be run locally once a user has logged in. The script needs to be placed in the [netlogon] share.
add machine script: a script that will automatically create the Machine Trust Account needed for a workstation to join the domain.
This example uses the machines group, which will need to be created using the addgroup utility. See Basics for more details.
Note
If Roaming Profiles will not be used, leave the logon home and logon path options commented.
Uncomment the [homes] share to allow the logon home to be mapped:
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
When configured as a domain controller, a [netlogon] share needs to be configured. To enable the share, uncomment:
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no
Note
The original netlogon share path is /home/samba/netlogon, but according to the Filesystem Hierarchy Standard (FHS), /srv is the correct location for site-specific data provided by the system.
Now create the netlogon directory, and an empty (for now) logon.cmd script file:
sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd
Any normal Windows logon script commands can be placed in logon.cmd to customise the client's environment.
With root being disabled by default, in order to join a workstation to the domain, a system group must be mapped to the Windows Domain Admins group. Using the net utility, from a terminal enter:
sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d
Note
Change sysadmin to the preferred group. The user used to join the domain needs to be a member of the sysadmin group, as well as a member of the system admin group. The admin group allows sudo use.
Finally, restart Samba to enable the new domain controller:
sudo /etc/init.d/samba restart
You should now be able to join Windows clients to the domain in the same manner as joining them to an NT4 domain on a Windows Server.
With a Primary Domain Controller (PDC) on the network, it is best to have a Backup Domain Controller (BDC) as well. This will allow clients to authenticate in case the PDC becomes unavailable.
When configuring Samba as a BDC, there must be a way to sync account information with the PDC. There are multiple ways of accomplishing this, such as scp, rsync, or by using LDAP as the passdb backend.
Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time. However, setting up an LDAP server may be overly complicated for a small number of user and computer accounts. See the Samba LDAP page for details.
First, install samba and libpam-smbpass. From a terminal enter:
sudo apt-get install samba libpam-smbpass
Now, edit /etc/samba/smb.conf and uncomment the following in the [global] section:
workgroup = EXAMPLE
...
security = user
In the commented Domains section, uncomment or add:
domain logons = yes
domain master = no
Make sure a user has rights to read the files in /var/lib/samba. For example, to allow users in the admin group to scp the files, enter:
sudo chgrp -R admin /var/lib/samba
Next, sync the user accounts, using scp to copy the /var/lib/samba directory from the PDC:
sudo scp -r username@pdc:/var/lib/samba /var/lib
Note
Replace username with a valid username and pdc with the hostname or IP Address of the actual PDC.
Finally, restart samba:
sudo /etc/init.d/samba restart
Test that the Backup Domain controller is working by stopping the Samba daemon on the PDC, then trying to login to a Windows client joined to the domain.
If the logon home option has been configured as a directory on the PDC, and the PDC becomes unavailable, access to the user's Home drive will also be unavailable. For this reason, it is best to configure the logon home to reside on a separate file server from the PDC and BDC.
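The PDC and BDC sections above each set a handful of smb.conf options that must agree with the role of the host (a BDC must carry domain master = no, the PDC must not; the [netlogon] share should be read only so clients cannot alter logon.cmd). The following pre-flight check is an added example, not part of the Ubuntu guide or of Samba's own tooling: it parses an smb.conf with plain sed/awk and reports the role-specific settings that are missing or wrong. The sample configuration it writes is constructed from the fragments above; on a real host point check_pdc_conf or check_bdc_conf at /etc/samba/smb.conf, and still run testparm, which validates the whole file.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide or Samba): role-specific pre-flight
# check of the smb.conf settings the PDC and BDC sections above describe.

# Print one "section|key|value" line per active setting and "section||" per
# section header; comments (# or ;) and surrounding whitespace are removed and
# the key is lowercased, since Samba treats keys case-insensitively.
parse_smb_conf() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk -F'=' '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); print section "||"; next }
        NF >= 2 {
            key = $1; sub(/[ \t]+$/, "", key)
            value = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", value)
            print section "|" tolower(key) "|" value
        }'
}

# Usage: has_setting FILE SECTION KEY VALUE -> exit 0 if KEY = VALUE is set in [SECTION].
has_setting() {
    parse_smb_conf "$1" | grep -Fqx "$2|$(printf '%s' "$3" | tr 'A-Z' 'a-z')|$4"
}

# Usage: has_section FILE SECTION -> exit 0 if [SECTION] exists.
has_section() {
    parse_smb_conf "$1" | grep -Fqx "$2||"
}

# Usage: check_pdc_conf FILE -> prints each problem; exit status is the number of problems.
check_pdc_conf() {
    f=$1; problems=0
    has_setting "$f" global "security" "user" || { echo "global: security must be 'user'"; problems=$((problems + 1)); }
    has_setting "$f" global "domain logons" "yes" || { echo "global: domain logons must be 'yes'"; problems=$((problems + 1)); }
    if has_setting "$f" global "domain master" "no"; then
        echo "global: 'domain master = no' belongs on a BDC, not the PDC"; problems=$((problems + 1))
    fi
    has_section "$f" netlogon || { echo "missing [netlogon] share"; problems=$((problems + 1)); }
    has_setting "$f" netlogon "read only" "yes" || { echo "netlogon: must be read only so clients cannot change logon.cmd"; problems=$((problems + 1)); }
    has_section "$f" homes || { echo "missing [homes] share (logon home cannot be mapped)"; problems=$((problems + 1)); }
    return $problems
}

# Usage: check_bdc_conf FILE -> same contract as check_pdc_conf, for the backup controller.
check_bdc_conf() {
    f=$1; problems=0
    has_setting "$f" global "security" "user" || { echo "global: security must be 'user'"; problems=$((problems + 1)); }
    has_setting "$f" global "domain logons" "yes" || { echo "global: domain logons must be 'yes'"; problems=$((problems + 1)); }
    # Only the PDC may hold the domain master role; the BDC must opt out explicitly.
    has_setting "$f" global "domain master" "no" || { echo "global: BDC needs 'domain master = no'"; problems=$((problems + 1)); }
    return $problems
}

# Constructed PDC sample built from the fragments in the text (not a real host's file).
write_pdc_sample() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   logon path = \\%N\%U\profile
   logon drive = H:
   logon home = \\%N\%U
   logon script = logon.cmd
   add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /srv/samba/netlogon
   guest ok = yes
   read only = yes   ; clients only read logon.cmd from here
   share modes = no
EOF
}

# Constructed BDC sample (the [global] fragment from the BDC section).
write_bdc_sample() {
    printf '[global]\n   workgroup = EXAMPLE\n   security = user\n   domain logons = yes\n   domain master = no\n' > "$1"
}

tmp=$(mktemp)
write_pdc_sample "$tmp"
if check_pdc_conf "$tmp"; then echo "PDC sample: all expected settings present"; fi
write_bdc_sample "$tmp"
if check_bdc_conf "$tmp"; then echo "BDC sample: all expected settings present"; fi
rm -f "$tmp"
```

Running the PDC check against the BDC sample (or vice versa) reports the mismatch, which is the quick way to catch a /var/lib/samba copy that accidentally came with the wrong smb.conf.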
For in-depth Samba configurations see the Samba HOWTO Collection.
The guide is also available in printed format.
O'Reilly's Using Samba is also a good reference.
Chapter 4 of the Samba HOWTO Collection explains setting up a Primary Domain Controller.
Chapter 5 of the Samba HOWTO Collection explains setting up a Backup Domain Controller.