|
|
环境:
Version:RHEL 5.1
DNS and AD server is 172.16.50.5
Domain is SC.COM
AD和samba之间通过Kerberos来认证,通过winbind做同步,在linux上创建一个叫abc的目录作为共享目录
#vi /etc/resolv.conf
nameserver 172.16.50.5
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SC.COM
dns_lookup_realm = false
dns_lookup_kdb = false
[realms]
SC.COM = {
kdc = 172.16.50.5:88
default_domain = SC.COM
}
[domain_realm]
.sc.com = SC.COM
sc.com = SC.COM
#vi /etc/samba/smb.conf
workgroup = SC
realm = SC.COM
security = ADS
password server = 172.16.50.5
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
template shell = /sbin/nologin
template homedir = /home/%D/%U
winbind separator = %
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
[abc]
path = /abc
writeable = yes
; browseable = yes
guest ok = yes
#chmod 777 /abc
#vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#service smb restart
#service winbind restart
#kinit administrator@SC.COM
检测显示正常
#net ads join -U Administrator
加入成功
#wbinfo -t
可以看到成功的信息
#wbinfo -u
能找到AD中的用户了
#gentent passwd
#gentent group
可以看到从0~500是linux系统用户,然后10000以后是AD用户了
测试:
在AD中创建一个新用户,然后在linux端用gentent passwd查看,发现新用户被同步添加,此过程并不需要重起samba和winbind服务.删除此用户亦是如此
但是,目前还有个没解决的问题,就是所有的AD用户对于abc卷都是可读可写可执行的,用AD的Administrator身份无法为这些AD用户修改abc的权限.
也就是说,我想要某几个用户对于abc目录是只读的,修改的时候系统提示我的Administrator为no access. |
|
IP卡
狗仔卡
发表于 2009-5-25 12:54:30
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡