сервис_samba [2011/06/23 15:02] val |
сервис_samba [2013/12/04 08:30] (current) val |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Сервис SAMBA ====== | ====== Сервис SAMBA ====== | ||
| - | [[Использование UNIX как контроллера домена]] | + | * [[Файловый сервер SAMBA]] |
| - | + | * [[Контроллер домена SAMBA]] | |
| - | [[NTLM аутентификация в Microsoft AD]] | + | * [[Контроллер домена SAMBA 4]] |
| - | + | * [[Антивирусная защита SAMBA]] | |
| - | [[NTLM авторизация в Microsoft AD]] | + | |
| - | + | ||
| - | ====== Файловые сервисы UNIX для пользователей Windows ====== | + | |
| - | + | ||
| - | ===== Установка ===== | + | |
| - | + | ||
| - | ==== FreeBSD ==== | + | |
| - | <code> | + | |
| - | [gate:~] # pkg_add -r samba3 | + | |
| - | [gate:~] # cat /etc/rc.conf | + | |
| - | … | + | |
| - | nmbd_enable="YES" | + | |
| - | smbd_enable="YES" | + | |
| - | winbindd_enable="NO" | + | |
| - | … | + | |
| - | + | ||
| - | [gate:~] # rehash | + | |
| - | + | ||
| - | [gate:~] # сd /usr/local/etc/ | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Ubuntu ==== | + | |
| - | <code> | + | |
| - | root@gate:~# apt-get install samba | + | |
| - | + | ||
| - | root@gate:~# cd /etc/samba/ | + | |
| - | </code> | + | |
| - | + | ||
| - | ===== Публичный каталог доступный на чтение ===== | + | |
| - | + | ||
| - | ==== FreeBSD/Ubuntu ==== | + | |
| - | + | ||
| - | <code> | + | |
| - | server# cat smb.conf | + | |
| - | </code><code> | + | |
| - | [global] | + | |
| - | unix charset = UTF-8 | + | |
| - | dos charset = cp866 | + | |
| - | workgroup = CORPX | + | |
| - | security = user | + | |
| - | map to guest = Bad User | + | |
| - | [share] | + | |
| - | path = /usr/share | + | |
| - | guest ok = Yes | + | |
| - | </code><code> | + | |
| - | server# testparm | + | |
| - | </code> | + | |
| - | + | ||
| - | ===== Публичный каталог доступный на запись ===== | + | |
| - | + | ||
| - | ==== FreeBSD/Ubuntu ==== | + | |
| - | <code> | + | |
| - | server# mkdir /var/samba | + | |
| - | + | ||
| - | server# cat smb.conf | + | |
| - | </code><code> | + | |
| - | [global] | + | |
| - | workgroup = CORPX | + | |
| - | security = user | + | |
| - | hosts allow = 192.168.X. | + | |
| - | map to guest = Bad User | + | |
| - | [share] | + | |
| - | path = /var/samba | + | |
| - | guest ok = yes | + | |
| - | read only = no | + | |
| - | force user = nobody | + | |
| - | </code><code> | + | |
| - | server# chown -R nobody /var/samba | + | |
| - | </code><code> | + | |
| - | server# testparm | + | |
| - | </code> | + | |
| - | + | ||
| - | ===== Идентификация доступа к файловому серверу на основе копии базы данных учетных записей (smbd должен быть запущен) ===== | + | |
| - | <code> | + | |
| - | gate# adduser user1 | + | |
| - | ... | + | |
| - | gate# adduser userN | + | |
| - | + | ||
| - | gate# smbpasswd -a user1 | + | |
| - | ... | + | |
| - | gate# smbpasswd -a userN | + | |
| - | + | ||
| - | gate# pdbedit -w -L | + | |
| - | + | ||
| - | gate# cat smb.conf | + | |
| - | </code><code> | + | |
| - | [global] | + | |
| - | workgroup = CORPX | + | |
| - | security = user | + | |
| - | [share] | + | |
| - | path = /var/samba | + | |
| - | # valid users = user1, ... ,userN | + | |
| - | valid users = @wheel | + | |
| - | force user = nobody | + | |
| - | read only = No | + | |
| - | </code><code> | + | |
| - | gate# mkdir /var/samba | + | |
| - | + | ||
| - | gate# chown -R nobody /var/samba | + | |
| - | </code> | + | |
| - | Или для всех пользователей с домашними каталогами | + | |
| - | <code> | + | |
| - | [global] | + | |
| - | workgroup = CORPX | + | |
| - | security = user | + | |
| - | [homes] | + | |
| - | read only = no | + | |
| - | </code> | + | |
| - | + | ||
| - | ===== GSSAPI аутентификация для сервиса CIFS ===== | + | |
| - | + | ||
| - | !!! В FreeBSD samba должна быть скомпилирована с поддержкой ADS !!! | + | |
| - | + | ||
| - | ==== Регистрация принципалов ==== | + | |
| - | + | ||
| - | === FreeBSD HEIMDAL === | + | |
| - | <code> | + | |
| - | server# kadmin -l | + | |
| - | kadmin> add -r cifs/gate.corpX.un | + | |
| - | kadmin> add -r cifs/gate.CORPX.UN | + | |
| - | + | ||
| - | kadmin> ext -k gatecifs.keytab cifs/gate.corpX.un | + | |
| - | kadmin> ext -k gatecifs.keytab cifs/gate.CORPX.UN | + | |
| - | </code> | + | |
| - | + | ||
| - | === Ubuntu MIT === | + | |
| - | <code> | + | |
| - | server# kadmin.local | + | |
| - | kadmin.local: addprinc -randkey cifs/gate.corpX.un | + | |
| - | kadmin.local: addprinc -e rc4-hmac:normal -randkey cifs/gate.CORPX.UN | + | |
| - | + | ||
| - | kadmin.local: ktadd -k gatecifs.keytab cifs/gate.corpX.un | + | |
| - | kadmin.local: ktadd -k gatecifs.keytab cifs/gate.CORPX.UN | + | |
| - | </code> | + | |
| - | + | ||
| - | === FreeBSD/Ubuntu === | + | |
| - | <code> | + | |
| - | server# scp gatecifs.keytab student@gate: | + | |
| - | </code> | + | |
| - | + | ||
| - | + | ||
| - | ==== Active Directory ==== | + | |
| - | + | ||
| - | === Добавляем пользователя в AD === | + | |
| - | <code> | + | |
| - | Login: gatecifs | + | |
| - | Password: Pa$$w0rd | + | |
| - | </code> | + | |
| - | Пароль не меняется и не устаревает | + | |
| - | + | ||
| - | === Создаем ключ сервиса http связывая его с фиктивным пользователем AD === | + | |
| - | + | ||
| - | Устанавливаем Microsoft Windows Support Tools | + | |
| - | + | ||
| - | Название сервиса HTTP обязательно заглавными буквами | + | |
| - | <code> | + | |
| - | C:\>ktpass -princ cifs/gate.corpX.un@CORPX.UN -mapuser gatecifs -pass 'Pa$$w0rd' -out gatecifs.keytab | + | |
| - | </code> | + | |
| - | + | ||
| - | === Копируем ключ сервиса http сервер squid === | + | |
| - | <code> | + | |
| - | C:\>pscp gatecifs.keytab student@gate: | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Копируем ключи в системный keytab ==== | + | |
| - | + | ||
| - | === FreeBSD, Ubuntu (8.04) === | + | |
| - | <code> | + | |
| - | gate# ktutil copy ~student/gatecifs.keytab /etc/krb5.keytab | + | |
| - | + | ||
| - | gate# ktutil list | + | |
| - | </code> | + | |
| - | + | ||
| - | === Ubuntu (10.04) === | + | |
| - | <code> | + | |
| - | root@gate:~# ktutil | + | |
| - | ktutil: rkt /usr/student/gatecifs.keytab | + | |
| - | ktutil: list | + | |
| - | ktutil: wkt /etc/krb5.keytab | + | |
| - | ktutil: quit | + | |
| - | + | ||
| - | root@gate:~# klist -k /etc/krb5.keytab | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Перенос ключей принципалов на сервер ==== | + | |
| - | + | ||
| - | + | ||
| - | ==== Настройка samba сервера ==== | + | |
| - | <code> | + | |
| - | [gate.corpX.un:~] # cat /usr/local/etc/smb.conf | + | |
| - | [global] | + | |
| - | # CHOOSE ONE FROM | + | |
| - | # kerberos method = system keytab #Ubuntu | + | |
| - | # use kerberos keytab = yes #FreeBSD | + | |
| - | realm = CORPX.UN | + | |
| - | security = ads | + | |
| - | [homes] | + | |
| - | read only = no | + | |
| - | [share] | + | |
| - | path = /var/samba | + | |
| - | valid users = @group1 | + | |
| - | read only = no | + | |
| - | force user = nobody | + | |
| - | </code> | + | |
| - | + | ||
| - | ===== Идентификация доступа к файловому серверу на основе регистрации в AD ===== | + | |
| - | + | ||
| - | [[NTLM авторизация в Microsoft AD]] | + | |
| - | + | ||
| - | <code> | + | |
| - | gate# cat smb.conf | + | |
| - | ... | + | |
| - | [homes] | + | |
| - | read only = no | + | |
| - | [share] | + | |
| - | path = /var/samba | + | |
| - | # valid users = CORPX\user1, CORPX\Administrator | + | |
| - | valid users = "@CORPX\domain users" | + | |
| - | read only = no | + | |
| - | force user = nobody | + | |
| - | </code> | + | |