Samba 3 Domain Controller and File Service Solution

Suzhou XX Electronics Co., Ltd.: Samba 3 Domain Controller and File Service Solution
Last update:2006.6.20 by Wang Xiantong
Email:xiantong at gmail dot com

Configuration file /opt/samba/lib/smb.conf:
[global]
workgroup = DOM
netbios name = fileserver
server string = Samba Server
os level = 65
preferred master = yes
domain master = Yes
local master = Yes
security = user
utmp = Yes
winbind use default domain = Yes
map acl inherit = Yes
domain logons = yes
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%L\%U
logon script = logon.bat
encrypt passwords = Yes
wins support = Yes
passdb backend = tdbsam
username map = /opt/samba/smbusers
log level = 1
syslog = 0
log file = /opt/samba/var/log.%m
max log size = 50
smb ports = 139
interfaces = 192.168.1.101/255.255.255.0
hosts allow = 192.168.0. 192.168.1. localhost 192.168.20.
bind interfaces only = yes
name resolve order = wins bcast hosts
time server = Yes
#printcap name = CUPS
#show add printer wizard = No
admin users = @"Domain Admins"
add user script = /usr/sbin/useradd -s /bin/false -g "Domain Users" -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
delete user from group script = /usr/sbin/deluser '%u' '%g'
# add user to group script = /usr/bin/gpasswd -a '%u' '%g'
# delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g 'Domain Computers' '%u'
dns proxy = No

[netlogon]
path = /opt/samba/lib/netlogon
writeable = no
browsable = no

[profiles]
path = /opt/samba/profiles
browsable = no
writable = yes
create mask = 0600
directory mask = 0700

[homes]
comment = Home Directories
read only = No
browseable = No

#[printers]
#comment = All Printers
#path = /usr/spool/samba
#printable = Yes
#browseable = No

[Common Files]
comment = Common Files
path = /home/DOM/commfiles
read only = yes
valid users = @"Material Dept" @"Finance Dept" @"Engineering Dept" @"Quality Dept"
write list = @"Material Dept" @"Finance Dept"
read list = @"Engineering Dept" @"Quality Dept"
create mask = 0660
directory mask = 0771

Configuration file /opt/samba/smbusers:
root = admin

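Create the [netlogon] directory
>#mkdir -p /opt/samba/lib/netlogon
Configuration file /opt/samba/lib/netlogon/logon.bat:
net use x: \\192.168.1.2\DATA
Make sure the file is in DOS format; the most straightforward way is to edit it on Windows and then upload it to this location.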

Create the [profiles] roaming-profile directory
>#mkdir -p /opt/samba/profiles

Create the [Common Files] share
>#mkdir /home/DOM/commfiles
>#chown -R wxt:"Domain Users" /home/DOM/commfiles
>#chmod -R ug+rwx,o+rx-w /home/DOM/commfiles

Add the administrator account
>#/opt/samba/bin/pdbedit -a root

Shell script used to initialize the groups, smbgroupInit.sh:
#!/bin/sh
#smbgroupInit.sh is modified by Wang Xiantong

SMBBIN=/opt/samba/bin
SMBSBIN=/opt/samba/sbin
PATH=$SMBBIN:$SMBSBIN:$PATH

groupdel "Domain Admins"
groupdel "Domain Users"
groupdel "Domain Guests"
groupdel "Domain Computers"

groupadd -g 1512 "Domain Admins"
groupadd -g 1513 "Domain Users"
groupadd -g 1514 "Domain Guests"
groupadd -g 1515 "Domain Computers"

net groupmap delete ntgroup="Domain Admins"
net groupmap delete ntgroup="Domain Users"
net groupmap delete ntgroup="Domain Guests"
net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup="Domain Users" rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup="Domain Guests" rid=514 type=d
net groupmap add ntgroup="Domain Computers" unixgroup="Domain Computers" rid=515 type=d

groupdel "Sales Dept"
groupdel "Finance Dept"
groupdel "Engineering Dept"
groupdel "Quality Dept"
groupdel "Material Dept"
groupdel "Administrative Dept"

groupadd -g 2000 "Sales Dept"
groupadd -g 2001 "Finance Dept"
groupadd -g 2002 "Engineering Dept"
groupadd -g 2003 "Quality Dept"
groupadd -g 2004 "Material Dept"
groupadd -g 2005 "Administrative Dept"

net groupmap delete ntgroup="Sales Dept"
net groupmap delete ntgroup="Finance Dept"
net groupmap delete ntgroup="Engineering Dept"
net groupmap delete ntgroup="Quality Dept"
net groupmap delete ntgroup="Material Dept"
net groupmap delete ntgroup="Administrative Dept"

net groupmap add ntgroup="Sales Dept" unixgroup="Sales Dept" rid=2000 type=d
net groupmap add ntgroup="Finance Dept" unixgroup="Finance Dept" rid=2001 type=d
net groupmap add ntgroup="Engineering Dept" unixgroup="Engineering Dept" rid=2002 type=d
net groupmap add ntgroup="Quality Dept" unixgroup="Quality Dept" rid=2003 type=d
net groupmap add ntgroup="Material Dept" unixgroup="Material Dept" rid=2004 type=d
net groupmap add ntgroup="Administrative Dept" unixgroup="Administrative Dept" rid=2005 type=d

groupdel "Local Admins"
groupdel "Local Users"
groupdel "Local Guests"
groupdel "Local Power Users"

groupadd -g 1544 "Local Admins"
groupadd -g 1545 "Local Users"
groupadd -g 1546 "Local Guests"
groupadd -g 1547 "Local Power Users"

net groupmap delete ntgroup="Local Admins"
net groupmap delete ntgroup="Local Users"
net groupmap delete ntgroup="Local Guests"
net groupmap delete ntgroup="Local Power Users"
net groupmap add ntgroup="Local Admins" unixgroup="Local Admins" rid=544 type=l
net groupmap add ntgroup="Local Users" unixgroup="Local Users" rid=545 type=l
net groupmap add ntgroup="Local Guests" unixgroup="Local Guests" rid=546 type=l
net groupmap add ntgroup="Local Power Users" unixgroup="Local Power Users" rid=547 type=l
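
The share access lists in smb.conf refer to the groups this script creates purely by name, and a misspelled @group in valid users or write list matches nobody rather than raising an error. The following check is an added example, not part of the original article: it lists every @group named in an access-list parameter that is absent from a group file in /etc/group format. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report @groups named in smb.conf access lists that are
# missing from a group database in /etc/group format.

# referenced_groups CONF: print every @group used by an access-list parameter.
referenced_groups() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next                     # section header or blank
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, "", key)               # Samba ignores spaces in names
            if (key !~ /^(validusers|invalidusers|writelist|readlist|adminusers)$/) next
            val = substr($0, eq + 1)
            while (match(val, /@"[^"]*"|@[^ \t,"]+/)) {
                g = substr(val, RSTART + 1, RLENGTH - 1)
                gsub(/"/, "", g)
                print g
                val = substr(val, RSTART + RLENGTH)
            }
        }
    ' "$1" | sort -u
}

# missing_groups CONF GROUPFILE: print referenced groups absent from GROUPFILE.
missing_groups() {
    referenced_groups "$1" | while IFS= read -r g; do
        awk -F: -v g="$g" '$1 == g { found = 1 } END { exit !found }' "$2" ||
            printf '%s\n' "$g"
    done
}

# demo: run the check on constructed sample files (not from a live system).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/smb.conf" <<'EOF'
[Common Files]
valid users = @"Material Dept" @"Finance Dept" @"Enginering Dept"
write list = @"Material Dept" @"Finance Dept"
# read list = @"Ignored Dept"
admin users = @"Domain Admins"
EOF
    printf '%s\n' 'Domain Admins:x:1512:' 'Finance Dept:x:2001:' \
        'Engineering Dept:x:2002:' 'Material Dept:x:2004:' > "$tmp/group"
    missing_groups "$tmp/smb.conf" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

On a live server the group file can be produced with getent group > groups.txt and passed as the second argument.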

Nested groups
The following example adds the global group Domain Admins to the local group Local Admins, the global group Domain Users to the local group Local Users, and the global group Domain Guests to the local group Local Guests, and adds the user wxt to the global group Domain Admins.
>#net rpc group addmem "Local Admins" "Domain Admins" -Uroot%passwd
>#net rpc group addmem "Local Users" "Domain Users" -Uroot%passwd
>#net rpc group addmem "Local Guests" "Domain Guests" -Uroot%passwd
>#net rpc group addmem "Domain Admins" wxt -Uroot%passwd

The following example lists the members of the local group Local Guests and then removes the global group Domain Guests from the local group Local Guests.
>#net rpc group members "Local Guests" -Uroot%passwd
>#net rpc group delmem "Local Guests" "Domain Guests" -Uroot%passwd

Adding a global group to another global group, as below, will not succeed:
>#net rpc group addmem "Domain Users" "Sales Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Finance Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Engineering Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Quality Dept" -Uroot%passwd

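Adding domain trust accounts
Method 1: join the domain from a Windows NT/200x/XP Pro client. The system uses the add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g 'Domain Computers' '%u' setting in smb.conf to add the client to the domain automatically.
Method 2: create the account manually (assuming the machine name is workstation). Windows 98/Me systems have to use this method; XP Home has no such capability at all.
>#/usr/sbin/useradd -g "Domain Computers" -s /bin/false -d /dev/null workstation$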
>#/usr/bin/passwd -l workstation$
>#/opt/samba/bin/pdbedit -a -m workstation

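Adding ordinary domain accounts
Method 1: use the net command
>#./net rpc user add bbc mypass -Uroot%passwd
However, a user created this way is disabled by default, so the user flags still have to be changed with pdbedit:
>#/opt/samba/bin/./pdbedit -r -c "[X]" bbc
>#/opt/samba/bin/./pdbedit -r -c "[]" bbc
Delete the account
>#/opt/samba/bin/./net rpc user delete bbc
The system uses the scripts configured in smb.conf to create and delete the Linux account automatically.
Method 2
>#useradd -g "Domain Users" -s /bin/false -d /home/bbc bbc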
>#/opt/samba/bin/pdbedit -a bbc

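Administrators
In smb.conf, the parameter admin users = @"Domain Admins" specifies that every member of "Domain Admins" can administer the domain, for example by adding accounts and groups. However, once the Domain Admins group is used as the administrative account, its members can no longer use roaming profiles when they log on to the domain. This is because the profiles directory created when a Domain Admins member logs on to the domain is owned by root, while the user is not actually root (0), and the profiles directory is 0600, so only the directory owner has access; the two conflict. I don't know whether this is a Samba bug; I am using samba-3.23c.
My intention here was that "Domain Admins" would become members of the workstation's Administrators group and "Domain Users" would become members of the workstation's "Users" or "Power Users" group, but then members of Domain Admins in practice cannot log on to the domain normally. So a compromise is used here: admin users = root bbc, which lets the two accounts bbc and root administer the Samba PDC. The chown command can also help here, for example by copying another account's profile with cp and then chown-ing it to the new account.
In addition, the line add user script = /usr/sbin/useradd -s /bin/false -g "Domain Users" -m '%u' in smb.conf means that the default Unix group of a user created with net rpc user add is Domain Users, so running net rpc group addmem "Domain Users" bbc -Uroot%passwd at that point will not succeed; the reason is self-evident.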

Upgrading Samba
Download the latest samba-3.0.25b
>#./configure --prefix=/opt/samba --with-automount --with-smbmount --with-syslog --with-quotas --with-sys-quotas --with-utmp --with-acl-support --with-aio-support
>#make && make install


By now163
