# apt install samba # cd /etc/samba/
# pkg install samba44 # service samba_server rcvar # cat /etc/rc.conf
... samba_server_enable=yes smbd_enable=yes nmbd_enable=no winbindd_enable=no
# cd /usr/local/etc/
# cat /etc/samba/smb.conf
# /etc/samba/smb.conf — minimal setup with two guest-readable shares
[global]
# user-level security: every session is authenticated as a Unix/Samba user
security = user
# a session whose username is unknown to this server is mapped to the guest
# account; a known username with a wrong password is still rejected (that
# is why a real password prompt appears when the Windows name exists locally)
map to guest = Bad User

# Asterisk call recordings; no "read only = no" here, so the share is
# read-only (Samba's default)
[ast_records]
# every file operation on this share runs as the Unix user "asterisk"
force user = asterisk
path = /var/spool/asterisk/monitor/
# anonymous (guest) read access from any host that can reach smbd — there
# is no "hosts allow" or "valid users" restriction on this share, so the
# recordings are visible to the whole network segment
guest ok = Yes

# distribution files; read-only, guest-readable
[distrs]
force user = games
path = /var/distrs
guest ok = Yes
server# testparm server# mkdir /var/distrs && chown games /var/distrs
!!! Липовое окно аутентификации возникает в случае совпадения имени пользователя Windows с пользователем, зарегистрированным в /etc/passwd
# cat /etc/samba/smb.conf
# /etc/samba/smb.conf — guest-writable public share
[global]
# character set of the Unix file system
unix charset = UTF-8
# character set for legacy DOS/SMB1 clients
dos charset = cp866
workgroup = CORPX
security = user
# disabled: without "hosts allow" smbd accepts connections from any network
# that can reach it; X is presumably the per-host number used throughout
# this page (corpX, CORPX)
# hosts allow = 192.168.100+X. 192.168.200+X.
# unknown usernames are mapped to the guest account
map to guest = Bad User

[pub_share]
path = /disk2/samba
# anonymous access allowed ...
guest ok = yes
# ... and writable: every guest write lands on disk as the "games" user,
# so file ownership cannot tell which client wrote what
read only = no
force user = games
# disabled: "browseable = no" would only hide the share from browse lists;
# it is not an access control
# browseable = no
# mkdir -p /disk2/samba # chown games /disk2/samba
# testparm
Добавляем пользователей user1 и user2 на server (Управление учетными записями в Linux)
!!! smbd должен быть запущен!!!
server# smbpasswd -a user1 New SMB password: wpassword1 server# smbpasswd -a user2 # pdbedit -w -L # smbpasswd -x user1 # cat /etc/samba/smb.conf
# /etc/samba/smb.conf — authenticated users (smbpasswd database) and a shared directory
[global]
unix charset = UTF-8
dos charset = cp866
workgroup = CORPX
security = user

# each authenticated user gets their own home directory as a writable share
[homes]
read only = no

[corp_share]
path = /disk2/samba
# only these Samba users may connect to the share
valid users = user1 user2 games
# alternative: allow every member of the Unix group "group1"
# valid users = @group1 games
# files are created as "games" regardless of who connected; use smbd
# logging (e.g. full_audit with %U) if per-user attribution is needed
force user = games
read only = No
server# mkdir -p /disk2/samba server# chown -R games /disk2/samba
!!! В FreeBSD samba должна быть скомпилирована с поддержкой ADS !!!
server# kadmin -l
kadmin> add -r cifs/gate.corpX.un kadmin> add -r cifs/gate.CORPX.UN kadmin> ext -k gatecifs.keytab cifs/gate.corpX.un kadmin> ext -k gatecifs.keytab cifs/gate.CORPX.UN
server# kadmin.local
kadmin.local: addprinc -randkey cifs/gate.corpX.un kadmin.local: addprinc -e rc4-hmac:normal -randkey cifs/gate.CORPX.UN kadmin.local: ktadd -k gatecifs.keytab cifs/gate.corpX.un kadmin.local: ktadd -k gatecifs.keytab cifs/gate.CORPX.UN
server# scp gatecifs.keytab gate:
Login: gatecifs Password: Pa$$w0rd
Пароль не меняется и не устаревает
Устанавливаем Microsoft Windows Support Tools
Название сервиса HTTP обязательно заглавными буквами
C:\>ktpass -princ cifs/gate.corpX.un@CORPX.UN -mapuser gatecifs -pass 'Pa$$w0rd' -out gatecifs.keytab
C:\>pscp gatecifs.keytab gate:
gate# ktutil copy /root/gatecifs.keytab /etc/krb5.keytab gate# ktutil list
root@gate:~# ktutil
ktutil: rkt /root/gatecifs.keytab ktutil: list ktutil: wkt /etc/krb5.keytab ktutil: quit root@gate:~# klist -k /etc/krb5.keytab
gate# cat /etc/samba/smb.conf
# /etc/samba/smb.conf on gate — Kerberos authentication with a cifs/ service principal
[global]
...
security = user
# Kerberos realm (uppercase), matching cifs/gate.corpX.un@CORPX.UN
realm = CORPX.UN
# take the cifs/ service key from the system keytab (/etc/krb5.keytab, as
# written by ktutil above); the keytab is a long-lived secret — keep it
# readable by root only
kerberos method = system keytab
...
Авторизация в режиме ADS (Сервис WINBIND)
Примечание: достаточно зарегистрировать SAMBA сервер в домене, принципал cifs не нужен
Авторизация в режиме DOMAIN (Сервис WINBIND)
gate# cat smb.conf
; smb.conf on gate — share for domain users authenticated through winbind
[global]
...
[homes]
read only = no
[share]
path = /var/samba
; inactive examples: per-user and domain-group restrictions in DOMAIN\name form
; valid users = CORPX\user1, CORPX\Administrator, CORPX\root
; valid users = "@CORPX\domain admins" games
; valid users = "@CORPX\domain users" games
; active: members of group "group1" plus the user "games"
valid users = @group1 games
read only = no
; every write lands on disk as the Unix user "games"
force user = games
# cat /etc/pam.d/samba
... session required pam_mkhomedir.so
gate# cat smb.conf
[global]
...
# make smbd run the PAM account/session stack from /etc/pam.d/samba, so the
# pam_mkhomedir session module above creates the home directory on first login
obey pam restrictions = yes
# cat smb.conf
[global]
...
# verbosity of smbd logging; 2 is enough to follow connections and
# authentication without the per-operation noise of higher levels
log level = 2
# one log file per client; %m expands to the client's NetBIOS name
log file = /var/log/samba.log.%m
# KB; the log is rotated once it grows past this size
max log size = 50
# prefix each message with a timestamp (needed to correlate with other logs)
debug timestamp = yes
...
# cat /etc/samba/smb.conf
...
# load the full_audit VFS module: file operations are reported via syslog
# (see "tail -f /var/log/syslog" below)
vfs objects = full_audit
# fields prepended to every record:
# session user | Unix user | client IP | client NetBIOS name | share name
full_audit:prefix = %U|%u|%I|%m|%S
# successful operations to record
full_audit:success = unlink open
# failed (denied) operations are not recorded at all; access-denied attempts
# are usually the more useful signal for detection, so consider
# "full_audit:failure = all" or at least "open"
full_audit:failure = none
# syslog priority of the audit records
full_audit:priority = NOTICE
...
# service smbd restart # tail -f /var/log/syslog
# cat smb.conf
[global]
...
# text shown to clients in browse lists; this replaces Samba's default
# "Samba %v", which advertises the exact Samba version to every client
server string = MS File Server
...