As described earlier in "Samba 3.0 Server Debugging in Practice" (http://www.5ilinux.com/samba.html), Samba can act as a LAN file server for everyday needs. It is best to read that article before this one; once you have understood it, using Samba as a PDC is not hard at all.
In fact, Samba 2.2 already supported acting as a PDC (primary domain controller) quite well, but support in 3.0 is better still: the 3.0 release adds Active Directory support (Samba can join an AD domain as a member) and Kerberos authentication against Microsoft KDCs, together with a fully rewritten and configurable authentication subsystem.
OK, let's start today's task. We will only build a simple primary domain controller (PDC); the AD and Kerberos features are left for you to explore, since I have not worked with them. :)
1. Install Samba. This is easy: on Fedora you can install the Samba RPM package directly from the CD:

rpm -ivh samba-3.0.0-15.i386.rpm

You can also download the latest package from the Samba web site (http://www.samba.org), or fetch the latest tarball (http://us1.samba.org/samba/ftp/samba-3.0.0.tar.gz) and compile it. The configure line below matches the paths used in the rest of this article (the RPM layout), so the configuration file ends up in /etc/samba:

tar zxvf samba-3.0.0.tar.gz
cd samba-3.0.0
./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --datadir=/usr/share/samba --sysconfdir=/etc/samba --localstatedir=/usr/local/samba/var --libdir=/usr/lib --with-lockdir=/var/locks/samba --with-swatdir=/usr/share/samba/swat --with-codepagedir=/etc/samba/codepages --with-configdir=/etc/samba --with-smbwrapper --with-automount --with-smbmount --with-pam --with-pam_smbpass --with-winbind
make
make install
OK! With the installation done, we come to the important part: editing /etc/samba/smb.conf. It is best to make these changes on top of the configuration you already have.

[global]
workgroup = bmit
netbios name = proxy
server string = Samba PDC Running %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192

# workgroup is the name of the domain the clients will join (bmit here) and netbios name is the name this server announces. The socket options line tunes TCP/IP performance; the values shown work well on Linux.

os level = 64
preferred master = yes
local master = yes
domain master = yes

# domain master is the "switch" that turns this server into the primary domain controller. The local master browser is the server that maintains the browse list for the local network segment; os level = 64 makes Samba win the browser election against Windows servers, which announce level 32.

security = user
encrypt passwords = yes
domain logons = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0

# Note that the PDC itself still uses security = user; do not set security = domain here, that mode is for member servers that hand authentication to a domain controller. encrypt passwords = yes is required because Windows NT and 2000 clients only send password hashes. hosts allow lists the networks allowed to connect; adjust it to your needs, or leave it out entirely, in which case every reachable host may connect.

logon home = \\%L\%U\.profile
logon drive = h:
logon path = \\%L\profiles\%U
logon script = netlogon.bat

# The four lines above configure roaming profiles and the logon script (the paths are UNC paths, so the documented form uses backslashes). logon path = \\%L\profiles\%U points at the [profiles] share defined below.

[homes]
comment = Home Directories
browseable = no
writeable = yes

[profiles]
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
browseable = no
write list = root

The above are the share definitions. [profiles] stores each user's profile so that the same settings are restored at the next logon, and [netlogon] holds the logon script. Because every client executes that script at logon, the share is read only and only the accounts in write list may change it; here we assume that only root has that permission. For other shares, refer to the share settings in "Samba 3.0 Server Debugging in Practice" (http://www.5ilinux.com/samba.html); I will not repeat them here.
Next, add the user and machine accounts to the domain controller.
First create the following groups, create the two required directories, and set the correct ownership and permissions:

groupadd admins
groupadd machines
mkdir -m 0775 /home/netlogon
chown root:admins /home/netlogon
mkdir /home/samba /home/samba/profiles
chmod 1757 /home/samba/profiles

Setting the correct permissions and ownership on these directories is a key step in protecting the server :) The profiles directory is world-writable with the sticky bit set, so every user can create a profile directory but nobody can remove anyone else's; together with create mask = 0600 and directory mask = 0700 on the share, each profile stays private to its owner.
Adding a machine account by hand
Suppose the client's machine name is IBM240. Then:

useradd -g machines -d /dev/null -c "machine account" -s /bin/false ibm240$
passwd -l ibm240$

Don't forget the trailing dollar sign; it is required, as it marks the account as a machine trust account. passwd -l locks the Unix account so that it can never be used for an interactive login. Now add the machine to /etc/samba/smbpasswd, which creates the Samba trust account on top of the Linux account just created:

smbpasswd -a -m ibm240

(With -m, smbpasswd appends the $ itself, so it is not typed here.)
Of course, the system can also add machine accounts automatically with the setting below, but it is best to add one by hand first and, once that works, test the automatic method. For automatic creation, add to [global]:

add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

(In Samba 3.0 machine accounts are created by add machine script; add user script is only used for ordinary user accounts. -M stops useradd from creating a home directory for the trust account.)
Adding user accounts
First add root as a Samba account:

smbpasswd -a root

This step is very important: joining the domain later is done with the administrator's account, and without it the join does not go through.
Then add ordinary users:

useradd frank
passwd frank
smbpasswd -a frank
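The script below is an added example, not part of the original article; it wraps the account steps above so that they can be repeated for every workstation. It validates the NetBIOS name before building the trust-account name (lower case, at most 15 characters, trailing $), prints the commands by default (DRY_RUN=1) and only executes them, as root, with DRY_RUN=0. The group names admins and machines, the directories, and the client name IBM240 are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original article): provision the groups,
# directories, machine trust accounts and users for the PDC described above.
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}

run() {   # print or execute one command
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Map a NetBIOS computer name to the Unix trust-account name: lower case,
# 1..15 characters of [a-z0-9-] (the NetBIOS limit), trailing "$".
# Returns 1 for a name Windows could never present, so the join would fail.
machine_trust_name() {   # machine_trust_name NAME
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in '' | *[!a-z0-9-]*) return 1 ;; esac
    [ "${#name}" -le 15 ] || return 1
    printf '%s$\n' "$name"
}

# The page's one-time setup: groups, netlogon and profiles directories.
setup_dirs() {
    run groupadd admins
    run groupadd machines
    run mkdir -m 0775 /home/netlogon
    run chown root:admins /home/netlogon
    run mkdir -p /home/samba/profiles
    run chmod 1757 /home/samba/profiles   # sticky bit: users cannot delete each other's profiles
}

# One machine account: a Unix account that can never log in (no home, no
# shell, locked), then the Samba trust account. smbpasswd -m appends the "$"
# itself, so it receives the bare name.
provision_machine() {   # provision_machine NETBIOS_NAME
    acct=$(machine_trust_name "$1") || { echo "invalid machine name: $1" >&2; return 1; }
    run useradd -g machines -d /dev/null -c "machine account" -s /bin/false "$acct"
    run passwd -l "$acct"
    run smbpasswd -a -m "${acct%\$}"
}

# One ordinary domain user: Unix account first, then the Samba password.
provision_user() {   # provision_user NAME
    run useradd "$1"
    run passwd "$1"
    run smbpasswd -a "$1"
}

setup_dirs
provision_machine IBM240
provision_user frank
```

Run it once with the default dry run to review the command list, then again as root with DRY_RUN=0. The name check matters because the trust account must match the client's computer name exactly; a name with spaces or more than 15 characters can never be presented by a Windows client, so the join would fail later with no obvious cause.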
For easier management it is best to keep the Samba password identical to the Unix system password, and Samba's password synchronisation feature can do this for us.
# The options below let users change their Samba password from a Windows client, and the Unix password is updated to match. This does not work in reverse: if the Unix password is changed, the Samba password must be changed by hand. These options also go in [global]; beginners can leave them out.

unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *new*unix*password* %n\n *Retype*new*unix*password* %n\n *Enter*new*unix*password* %n\n *Retype*new*unix*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# The only thing worth mentioning above is passwd chat: however it is displayed here, it must be entered on a single line, and the patterns must match the prompts your local passwd program prints. Also note that some options are spelled "password" and others "passwd".
That completes the Samba PDC configuration. All that remains is to join the clients to the domain. Remember to restart the Samba service!
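The checker below is an added example, not part of the original article or of Samba; it reads an smb.conf and verifies the [global] and share settings a Samba 3.0 PDC needs, using the values from this page. The two sample configurations it writes (this page's, reduced to the lines the checks look at, and a deliberately weakened copy) are constructed here. It needs only a POSIX shell and awk, so it can be run before restarting Samba; testparm is still worth running for syntax.

```shell
#!/bin/sh
# Added example (not from the original article): check an smb.conf for the
# settings a Samba 3.0 PDC needs. Sample configurations are constructed below.

# Print the value of KEY in section SECTION of FILE. Names are matched
# case-insensitively and the last definition wins, as in Samba.
smb_get() {   # smb_get SECTION KEY FILE
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }                     # comment line
        /^[[:space:]]*\[/ {                              # [section] header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
            cur = tolower(s); next
        }
        cur == want && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { if (val != "") print val }' "$3"
}

# One parameter must have one value; misses are counted in $fails.
expect() {   # expect SECTION KEY WANT
    got=$(smb_get "$1" "$2" "$CONF" | tr 'A-Z' 'a-z')
    if [ "$got" = "$3" ]; then echo "ok   [$1] $2 = $3"
    else echo "FAIL [$1] $2 = '${got:-<unset>}' (want $3)"; fails=$((fails + 1)); fi
}

# A share the [global] settings refer to must exist, i.e. have a path.
expect_share() {   # expect_share NAME
    if [ -n "$(smb_get "$1" path "$CONF")" ]; then echo "ok   [$1] share defined"
    else echo "FAIL [$1] share missing"; fails=$((fails + 1)); fi
}

# Run all checks against FILE; the return value is the number of failures.
check_pdc_conf() {   # check_pdc_conf FILE
    CONF=$1; fails=0
    expect global security user             # the PDC itself is never security = domain
    expect global 'encrypt passwords' yes   # NT/2000 clients only send password hashes
    expect global 'domain logons' yes
    expect global 'domain master' yes       # the "switch" that makes this the PDC
    expect global 'local master' yes
    expect global 'preferred master' yes
    raw=$(smb_get global 'os level' "$CONF")
    case "$raw" in ''|*[!0-9]*) num=0 ;; *) num=$raw ;; esac
    if [ "$num" -gt 32 ]; then echo "ok   [global] os level = $raw"   # Windows servers use 32
    else echo "FAIL [global] os level = '${raw:-<unset>}' (want > 32)"; fails=$((fails + 1)); fi
    expect_share netlogon                   # serves netlogon.bat to every client
    expect netlogon 'read only' yes         # clients must not be able to replace the script
    expect_share profiles                   # target of logon path
    [ -n "$(smb_get global 'hosts allow' "$CONF")" ] \
        || echo "warn [global] hosts allow unset: any reachable host may try to authenticate"
    return $fails
}

# The configuration from this page, reduced to the lines the checks look at.
write_example_conf() {   # write_example_conf FILE
    cat > "$1" <<'EOF'
[global]
    workgroup = bmit
    netbios name = proxy
    os level = 64
    preferred master = yes
    local master = yes
    domain master = yes
    security = user
    encrypt passwords = yes
    domain logons = yes
    hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
    logon path = \\%L\profiles\%U
    logon script = netlogon.bat
[profiles]
    path = /home/samba/profiles
    writeable = yes
    create mask = 0600
    directory mask = 0700
[netlogon]
    path = /home/netlogon
    read only = yes
    write list = root
EOF
}

# A weakened copy: share-level security, cleartext passwords, no PDC role,
# and the [netlogon] share dropped.
write_weak_conf() {   # write_weak_conf FILE
    write_example_conf "$1"
    tmp=$(mktemp)
    sed -e 's/^\([[:space:]]*security = \).*/\1share/' \
        -e 's/^\([[:space:]]*encrypt passwords = \).*/\1no/' \
        -e 's/^\([[:space:]]*domain master = \).*/\1no/' \
        -e '/^\[netlogon\]/,$d' "$1" > "$tmp" && mv "$tmp" "$1"
}

good=$(mktemp); weak=$(mktemp)
write_example_conf "$good"; write_weak_conf "$weak"
echo "== configuration from this page"; check_pdc_conf "$good"
echo "== weakened copy"; check_pdc_conf "$weak" || echo "$? check(s) failed"
rm -f "$good" "$weak"
```

To audit a real server, call check_pdc_conf /etc/samba/smb.conf; the exit status is the number of failed checks, so it fits into a restart script. hosts allow is only a warning because the page treats it as optional, but on a PDC that is reachable from outside the LAN it is worth setting.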
Client settings. My means here are limited, so I have only tested joining a Windows 2000 client to the domain; joining WinXP and Win98 is left for you to try.
(It is best to reboot the Windows 2000 machine first, which avoids some unnecessary problems.) Then go to Control Panel -> System -> Network Identification -> Properties. If the machine is currently configured with the Workgroup option, select the Domain radio button and enter the domain name BMIT. Join the domain using the user name root and its password; this establishes the "secret" (the machine trust account password) between the server and the client machine. From this point on, any authenticated domain user can log on from this machine. You should see a message welcoming you to the BMIT domain.
Congratulations, you have successfully configured Samba as a PDC.
Joining Windows XP to a Samba domain is said to be a little more complicated; I have never tried it. Those interested can look at the documentation on Samba's home page: apparently a security option has to be set and the registry modified. Troublesome, but fortunately I do not have XP. :)
Related reference documentation
"Samba 3.0 Server Debugging in Practice", http://www.5ilinux.com/samba.html
"Samba as a PDC", http://www-900.ibm.com/developerWorks/cn/cnedu.nsf/linux-onlinecourse-bytitle/60281E1423A2B876C8256D04001C9374?OpenDocument, author: Zhang Weibo
November 17, 2003, evening, Beijing