Recently we have been bringing the department's computers under AD domain management.
Roaming user files are served by Samba, with authentication against AD and a disk space limit per user.
After consulting a lot of material, here is a summary of the setup:
DC: Windows Server 2016 (installing and configuring the domain controller is omitted here)
samba: CentOS 7 server 1810 (static IP; DNS1 points to the DC's address, DNS2 to any other available DNS server)
Domain Name: xyz.local
dc computer name: dc
linux computer name: file
One: Preparation
1. Partitioning
Disk quotas can only be enabled per filesystem, so I added a dedicated partition and mounted it on the home directory. Keep this in mind.
https://www.cnblogs.com/jackadam/p/8213712.html
Follow that article to mount a new partition or a new hard disk.
Servers usually run virtualized, so add a new virtual hard disk; the procedure is the same as for a physical disk.
2. Prepare linux
We join the domain in Samba's ads mode and provide the shares from there, so some packages need to be installed first:
yum -y install pam_krb5* krb5-libs* krb5-workstation* krb5-devel* krb5-auth samba samba-winbind* samba-client* samba-swat* bind-utils quota
The main ones are the samba series, the krb5 series and the winbind series; bind-utils provides the DNS tools and quota the disk-quota tools.
Two: Join Samba to the AD domain (security = ads, not NT4)
1. Configure DNS
This is not the DNS server address; it is the DNS search domain.
vi /etc/sysconfig/network-scripts/ifcfg-ens33
Add a line at the end:
SEARCH="your_domain_name"
In this case:
SEARCH="xyz.local"
Restart Linux, or restart the network with systemctl restart network.
2. Verify DNS
View the resulting DNS configuration with:
cat /etc/resolv.conf
There should be at least two lines:
search xyz.local
nameserver 10.99.**.**
The first line is the search domain; the second is the DNS server address, which points to the DC. If you have other available DNS servers they appear as the third and fourth lines.
3. Check (and configure) the hostname
View the hostname with:
hostname
If it needs to be changed, use:
hostnamectl set-hostname newname
where newname is the new hostname.
4. Test DNS
You should be able to ping dc and have it resolve automatically to dc.xyz.local:
ping dc
ping dc.xyz.local
5. Join the domain from the command line
authconfig --enablewinbind --enablekrb5 --enablewinbindauth --krb5realm=XYZ.LOCAL --krb5kdc=dc.xyz.local --enablekrb5kdcdns --enablekrb5realmdns --smbsecurity=ads --smbrealm=xyz.local --smbservers=dc.xyz.local --winbindtemplateshell=/bin/bash --winbindjoin=administrator --enablewinbindusedefaultdomain --disablewinbindoffline --smbworkgroup=XYZ --enablemkhomedir --update
When prompted, enter the domain administrator's password to join the domain.
However, an error is reported:
[root@file ~]authconfig --enablewinbind --enablekrb5 --enablewinbindauth --krb5realm=ZZCLD.LOCAL --krb5kdc=dc1.zzcld.local --enablekrb5kdcdns --enablekrb5realmdns --smbsecurity=ads --smbrealm=zzcld.local --smbservers=dc1.zzcld.local --winbindtemplateshell=/bin/bash --winbindjoin=administrator --enablewinbindusedefaultdomain --disablewinbindoffline --smbworkgroup=ZZCLD --enablemkhomedir --update
[/usr/bin/net join -w XYZ -S dc.xyz.local -U administrator]
Enter administrator's password:
Using short domain name -- XYZ
Joined 'FILE' to dns domain 'xyz.local'
No DNS domain configured for file. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMTER
Despite the error, it appears that only the DNS registration failed; the join itself succeeded.
Registering the host's DNS record manually on the DC works fine.
6. Test domain identity
wbinfo -t checks the trust relationship with the DC.
7. Complete the configuration manually
vi /etc/samba/smb.conf
Add the following two lines in the [global] section:
winbind enum users = yes
winbind enum groups = yes
Add the following line in the [homes] section:
path = /home/%U
authconfig does not set this. After several days of testing I found that without it the shared directories are listed but cannot be opened.
Three: Test domain logon
Log in to Linux with PuTTY as a domain user; the user's home directory is created automatically.
I recommend logging in as administrator first so that its home directory is created, in preparation for the disk quotas below.
Four: Configure disk quotas
1. Edit fstab
Edit /etc/fstab as follows; the filesystem here is XFS. The line
/dev/mapper/storage-storage /storage xfs defaults 0 0
becomes:
/dev/mapper/storage-storage /storage xfs defaults,usrquota,grpquota 0 0
Restart Linux for the setting to take effect.
2. Set disk quotas
The disk is formatted as XFS, so the quota commands differ from the ext4 ones.
xfs_quota -x -c "limit -u bsoft=950M bhard=1024M administrator" /home
xfs_quota -x -c "report -ubin" /home
The first command sets the administrator's disk quota.
The second command displays the current disk quotas.
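As an added example (not from the article), a small check that turns the report printed by the second command into a list of users who have reached their soft limit, so the server can be monitored once quotas are in place. It assumes the report is read in KiB, as xfs_quota prints it without -h, and uses a constructed sample report with the article's limits.

```shell
#!/bin/bash
# Added example (not from the article): list the users who have reached their
# XFS soft limit, from the block report that the article's second command
# prints. Usage on the server:
#   xfs_quota -x -c "report -ub" /home | quota_offenders
# Without -h xfs_quota prints all sizes in KiB, which is what is parsed here.

# Reads a report on stdin and prints, per offending user:
#   user used_kib soft_kib hard_kib pct_of_hard grace
# Users with no soft limit (0) are skipped; header lines are ignored because
# their 2nd to 4th fields are not numeric.
quota_offenders() {
    awk '
        $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            if ($3 > 0 && $2 >= $3) {
                pct = ($4 > 0) ? int($2 * 100 / $4) : 0
                i = index($0, "[")            # grace period sits in [...]
                grace = i ? substr($0, i + 1, length($0) - i - 1) : "-"
                printf "%s %d %d %d %d%% %s\n", $1, $2, $3, $4, pct, grace
            }
        }'
}

# Constructed sample in the layout xfs_quota -x -c "report -ub" uses; limits
# match the article (950M soft = 972800 KiB, 1024M hard = 1048576 KiB).
SAMPLE_REPORT='User quota on /home (/dev/mapper/home-home)
                               Blocks
User ID          Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
root                0          0          0     00 [--------]
administrator  524288     972800    1048576     00 [--------]
alice          983040     972800    1048576     00 [6 days]
bob           1048576     972800    1048576     00 [--none--]
carol           10240          0          0     00 [--------]
'

# Run the check against the constructed sample (offline demonstration).
sample_offenders() { printf '%s' "$SAMPLE_REPORT" | quota_offenders; }
```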
3. Use the administrator's quota as the template for new users
We configured --enablemkhomedir earlier so that a user's home directory is created on SSH login. But when a user logs in through Samba, the home directory is not created automatically.
So we use Samba's root preexec parameter to run a logon script, which ensures the home directory is created even when the user only accesses the Samba share.
First, write mkhome.sh:
vi /root/mkhome.sh
#!/bin/bash
# Run by Samba as root (root preexec) with the user name and group name as arguments
user="$1"
group="$2"
home="/home/$user"
if [ ! -d "$home" ]; then
    mkdir -p "$home"
    chown "$user" "$home"
    chgrp "$group" "$home"
    chmod 744 "$home"
    # copy the administrator's quota settings to the new user
    edquota -p administrator -u "$user"
fi
Then edit smb.conf:
vi /etc/samba/smb.conf
Add the following in the [homes] section (the script expects the user and its primary group as arguments):
path = /home/%U
root preexec = /root/mkhome.sh %U %G
Set the permissions of mkhome.sh to 700:
chmod 700 /root/mkhome.sh
Restart Samba:
systemctl restart smb
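As an added example (not the article's own mkhome.sh), the same home-directory provisioning that root preexec performs, written so that the user name is validated before the root-run script touches the filesystem. It assumes the defaults of the article (/home as base, the administrator's quota as template) and lets the base directory be overridden so it can be exercised unprivileged.

```shell
#!/bin/bash
# Added example, not the article's own mkhome.sh. It does the same job as the
# "root preexec" script (create the home directory and copy the administrator's
# quota to the new user) but validates the names first: the script runs as
# root, and the original passes %U unquoted to mkdir/chown/edquota, so a value
# containing spaces, "/" or ".." must never get that far.

# 0 if the name is a single path component of safe characters, 1 otherwise.
valid_samba_user() {
    local user="$1"
    case "$user" in
        ''|.|..|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#user}" -le 64 ]
}

# Print the home directory path for a valid user; fail for anything else.
# The base directory defaults to /home and can be overridden for testing.
home_path_for() {
    local user="$1" base="${2:-/home}"
    valid_samba_user "$user" || return 1
    printf '%s/%s\n' "$base" "$user"
}

# Create the home directory with mode 0700 (the article uses 744; 0700 stops
# other domain users from listing it). Ownership and quota, the privileged
# steps, are applied only when running as root and the account resolves, so
# the function can be exercised unprivileged in a scratch directory.
prepare_home() {
    local user="$1" group="$2" base="${3:-/home}" home
    valid_samba_user "$group" || { echo "refusing group '$group'" >&2; return 1; }
    home="$(home_path_for "$user" "$base")" || { echo "refusing user '$user'" >&2; return 1; }
    [ -d "$home" ] && return 0          # already provisioned (e.g. by SSH login)
    mkdir -p -- "$home" || return 1
    chmod 0700 -- "$home" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -- "$user:$group" "$home"
        # same quota template as the article: copy administrator's limits
        command -v edquota >/dev/null && edquota -p administrator -u "$user"
    fi
    return 0
}
```

Wire it in exactly like the article's script (root preexec = /path/to/script %U %G) with a last line of prepare_home "$1" "$2".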
4. Verify the configuration
On another Windows computer, log on to the domain (as a non-administrator user) and then access the Samba server.
You should see a shared directory with your own name.
You have read and write permission in it.
Check the disk quota on the Samba server. Because the report shows numeric IDs you cannot tell which user is which, but you can see that the quota is the same 1G as the administrator's.
Five: Postscript
I consulted many articles and will not list them all.
Some open questions remain:
1. Why does net ads join report that DNS registration failed?
Is it because the Linux server uses a static IP? Or is something still not configured?
2. If a user logs in via SSH first, does the automatically created home directory end up without a disk quota?
Apparently so, because the default home-directory creation does not configure a disk quota for the user.
3. Can the three manually added configuration lines also be set through authconfig?
This needs further study.
4. How should Samba be configured as a cluster?
This also needs further study.
Important References:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://blog.51cto.com/rainbird/197794
https://blog.51cto.com/rainbird/197509