This shows you the differences between two versions of the page.
сервис_samba [2011/02/07 10:04] val |
сервис_samba [2013/12/04 08:30] (current) val |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Сервис SAMBA ====== | ====== Сервис SAMBA ====== | ||
- | [[Использование UNIX как контроллера домена]] | + | * [[Файловый сервер SAMBA]] |
- | + | * [[Контроллер домена SAMBA]] | |
- | [[NTLM аутентификация в Microsoft AD]] | + | * [[Контроллер домена SAMBA 4]] |
- | + | * [[Антивирусная защита SAMBA]] | |
- | [[NTLM авторизация в Microsoft AD]] | + | |
- | + | ||
- | ====== Файловые сервисы UNIX для пользователей Windows ====== | + | |
- | + | ||
- | ===== Установка ===== | + | |
- | + | ||
- | ==== FreeBSD ==== | + | |
- | <code> | + | |
- | [gate:~] # pkg_add -r samba3 | + | |
- | [gate:~] # cat /etc/rc.conf | + | |
- | … | + | |
- | nmbd_enable="YES" | + | |
- | smbd_enable="YES" | + | |
- | winbindd_enable="NO" | + | |
- | … | + | |
- | + | ||
- | [gate:~] # rehash | + | |
- | + | ||
- | [gate:~] # сd /usr/local/etc/ | + | |
- | </code> | + | |
- | + | ||
- | ==== Ubuntu ==== | + | |
- | <code> | + | |
- | root@gate:~# apt-get install samba | + | |
- | + | ||
- | root@gate:~# cd /etc/samba/ | + | |
- | </code> | + | |
- | + | ||
- | ===== Публичный каталог доступный на чтение ===== | + | |
- | ==== FreeBSD/Ubuntu ==== | + | |
- | + | ||
- | <code> | + | |
- | [global] | + | |
- | workgroup = CORPX | + | |
- | security = user | + | |
- | map to guest = Bad User | + | |
- | [share] | + | |
- | path = /usr/share | + | |
- | guest ok = Yes | + | |
- | </code><code> | + | |
- | gate# testparm | + | |
- | </code> | + | |
- | + | ||
- | ===== Публичный каталог доступный на запись ===== | + | |
- | ==== FreeBSD/Ubuntu ==== | + | |
- | <code> | + | |
- | gate# mkdir /var/samba | + | |
- | + | ||
- | gate# cat smb.conf | + | |
- | </code><code> | + | |
- | [global] | + | |
- | workgroup = CORPX | + | |
- | security = share | + | |
- | hosts allow = 192.168.X. | + | |
- | [share] | + | |
- | path = /var/samba | + | |
- | guest ok = yes | + | |
- | read only = no | + | |
- | </code><code> | + | |
- | gate# chmod 777 /var/samba | + | |
- | </code> | + | |
- | или | + | |
- | <code> | + | |
- | [global] | + | |
- | workgroup = CORPX | + | |
- | security = user | + | |
- | hosts allow = 192.168.X. | + | |
- | map to guest = Bad User | + | |
- | [share] | + | |
- | path = /var/samba | + | |
- | guest ok = yes | + | |
- | read only = no | + | |
- | force user = nobody | + | |
- | </code><code> | + | |
- | gate# chown -R nobody /var/samba | + | |
- | </code><code> | + | |
- | gate# testparm | + | |
- | </code> | + | |
- | + | ||
- | ===== Идентификация доступа к файловому серверу на основе копии базы данных учетных записей (smbd должен быть запущен) ===== | + | |
- | <code> | + | |
- | gate# adduser user1 | + | |
- | ... | + | |
- | gate# adduser userN | + | |
- | + | ||
- | gate# smbpasswd -a user1 | + | |
- | ... | + | |
- | gate# smbpasswd -a userN | + | |
- | + | ||
- | gate# pdbedit -w -L | + | |
- | + | ||
- | gate# cat smb.conf | + | |
- | </code><code> | + | |
- | [global] | + | |
- | workgroup = CORPX | + | |
- | security = user | + | |
- | [share] | + | |
- | path = /var/samba | + | |
- | # valid users = user1, ... ,userN | + | |
- | valid users = @wheel | + | |
- | force user = nobody | + | |
- | read only = No | + | |
- | </code><code> | + | |
- | gate# mkdir /var/samba | + | |
- | + | ||
- | gate# chown -R nobody /var/samba | + | |
- | </code> | + | |
- | Или для всех пользователей с домашними каталогами | + | |
- | <code> | + | |
- | [global] | + | |
- | workgroup = CORPX | + | |
- | security = user | + | |
- | [homes] | + | |
- | read only = no | + | |
- | </code> | + | |
- | + | ||
- | ===== GSSAPI аутентификация для сервиса CIFS ===== | + | |
- | + | ||
- | !!! В FreeBSD samba должна быть скомпилирована с поддержкой ADS !!! | + | |
- | + | ||
- | ==== Регистрация принципалов ==== | + | |
- | + | ||
- | === FreeBSD HEIMDAL === | + | |
- | <code> | + | |
- | server# kadmin -l | + | |
- | kadmin> add -r cifs/gate.corpX.un | + | |
- | kadmin> add -r cifs/gate.CORPX.UN | + | |
- | + | ||
- | kadmin> ext -k gatecifs.keytab cifs/gate.corpX.un | + | |
- | kadmin> ext -k gatecifs.keytab cifs/gate.CORPX.UN | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu MIT === | + | |
- | <code> | + | |
- | server# kadmin.local | + | |
- | kadmin.local: addprinc -randkey cifs/gate.corpX.un | + | |
- | kadmin.local: addprinc -e rc4-hmac:normal -randkey cifs/gate.CORPX.UN | + | |
- | + | ||
- | kadmin.local: ktadd -k gatecifs.keytab cifs/gate.corpX.un | + | |
- | kadmin.local: ktadd -k gatecifs.keytab cifs/gate.CORPX.UN | + | |
- | </code> | + | |
- | + | ||
- | === FreeBSD/Ubuntu === | + | |
- | <code> | + | |
- | server# scp gatecifs.keytab student@gate: | + | |
- | </code> | + | |
- | + | ||
- | + | ||
- | ==== Active Directory ==== | + | |
- | + | ||
- | === Добавляем пользователя в AD === | + | |
- | <code> | + | |
- | Login: gatecifs | + | |
- | Password: Pa$$w0rd | + | |
- | </code> | + | |
- | Пароль не меняется и не устаревает | + | |
- | + | ||
- | === Создаем ключ сервиса http связывая его с фиктивным пользователем AD === | + | |
- | + | ||
- | Устанавливаем Microsoft Windows Support Tools | + | |
- | + | ||
- | Название сервиса HTTP обязательно заглавными буквами | + | |
- | <code> | + | |
- | C:\>ktpass -princ cifs/gate.corpX.un@CORPX.UN -mapuser gatecifs -pass 'Pa$$w0rd' -out gatecifs.keytab | + | |
- | </code> | + | |
- | + | ||
- | === Копируем ключ сервиса http сервер squid === | + | |
- | <code> | + | |
- | C:\>pscp gatecifs.keytab student@gate: | + | |
- | </code> | + | |
- | + | ||
- | ==== Копируем ключи в системный keytab ==== | + | |
- | + | ||
- | === FreeBSD, Ubuntu (8.04) === | + | |
- | <code> | + | |
- | gate# ktutil copy ~student/gatecifs.keytab /etc/krb5.keytab | + | |
- | + | ||
- | gate# ktutil list | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu (10.04) === | + | |
- | <code> | + | |
- | root@gate:~# ktutil | + | |
- | ktutil: rkt /usr/student/gatecifs.keytab | + | |
- | ktutil: list | + | |
- | ktutil: wkt /etc/krb5.keytab | + | |
- | ktutil: quit | + | |
- | + | ||
- | root@gate:~# klist -k /etc/krb5.keytab | + | |
- | </code> | + | |
- | + | ||
- | ==== Перенос ключей принципалов на сервер ==== | + | |
- | + | ||
- | + | ||
- | ==== Настройка samba сервера ==== | + | |
- | <code> | + | |
- | [gate.corpX.un:~] # cat /usr/local/etc/smb.conf | + | |
- | [global] | + | |
- | # CHOOSE ONE FROM | + | |
- | # kerberos method = system keytab #Ubuntu | + | |
- | # use kerberos keytab = yes #FreeBSD | + | |
- | realm = CORPX.UN | + | |
- | security = ads | + | |
- | [homes] | + | |
- | read only = no | + | |
- | [share] | + | |
- | path = /var/samba | + | |
- | valid users = @group1 | + | |
- | read only = no | + | |
- | force user = nobody | + | |
- | </code> | + | |
- | + | ||
- | ===== Идентификация доступа к файловому серверу на основе регистрации в AD ===== | + | |
- | + | ||
- | [[NTLM авторизация в Microsoft AD]] | + | |
- | + | ||
- | <code> | + | |
- | gate# cat smb.conf | + | |
- | ... | + | |
- | [homes] | + | |
- | read only = no | + | |
- | [share] | + | |
- | path = /var/samba | + | |
- | # valid users = CORPX\user1, CORPX\Administrator | + | |
- | valid users = "@CORPX\domain users" | + | |
- | read only = no | + | |
- | force user = nobody | + | |
- | </code> | + |
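Review bot: the replacement list leaves the removed material without a destination. The old text covered installation, public shares, local smbpasswd accounts and the Kerberos/GSSAPI and AD keytab setup, but the four new links name only a file server page, two domain controller pages and an antivirus page, and the previously linked [[Использование UNIX как контроллера домена]], [[NTLM аутентификация в Microsoft AD]] and [[NTLM авторизация в Microsoft AD]] (the last also referenced from the removed "Идентификация доступа к файловому серверу на основе регистрации в AD" section) disappear; add a link for the Kerberos/AD file-server material or note on [[Файловый сервер SAMBA]] where it went. If the removed examples are migrated, do not carry them over verbatim: `security = share` no longer exists in Samba 4 (which the new [[Контроллер домена SAMBA 4]] link brings into scope), and that variant's `chmod 777 /var/samba` makes the directory world-writable at the filesystem level too, so keep only the `security = user` / `force user = nobody` / `chown -R nobody /var/samba` variant; the keytab flow (`scp gatecifs.keytab student@gate:` followed by `ktutil copy ~student/gatecifs.keytab /etc/krb5.keytab`) leaves a readable copy of the service keytab in the student home directory with no removal step, and the `ktpass ... -pass 'Pa$$w0rd'` example keeps the AD account password on the command line. The headings "Создаем ключ сервиса http связывая его с фиктивным пользователем AD" and "Копируем ключ сервиса http сервер squid", and the note that the service name HTTP must be upper case, are copy-paste leftovers that contradict the `cifs/gate.corpX.un` principal actually created; fix them before reuse.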