RHEL6.x 기반 samba4 + winbind 를 이용하여 windows AD 연동하기


# vi /etc/yum.repos.d/centos.repo
[base-be]
name=CentOS-6 – Base
repo=os
baseurl=http://ftp.daum.net/centos/6/os/x86_64/
enabled=1
gpgcheck=1
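# NOTE: this key is fetched over plain HTTP from the same mirror as the packages, so gpgcheck only helps if the key is verified out of band (compare its fingerprint, or point gpgkey at a locally installed key file).
gpgkey=http://ftp.daum.net/centos/6/os/x86_64/RPM-GPG-KEY-CentOS-6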

[updates-be]
name=CentOS-6 – Updates
baseurl=http://ftp.daum.net/centos/6/updates/x86_64/
enabled=1
gpgcheck=1

[centosplus-be]
name=CentOS-6 – Plus
baseurl=http://ftp.daum.net/centos/6/centosplus/x86_64/
enabled=1
gpgcheck=1

[extras-be]
name=CentOS-6 – Extras
baseurl=http://ftp.daum.net/centos/6/extras/x86_64/
enabled=1
gpgcheck=1

[fasttrack-be]
name=CentOS-6 – Fasttrack
baseurl=http://ftp.daum.net/centos/6/fasttrack/x86_64/
enabled=1
gpgcheck=1

# yum repolist

# yum remove samba samba-client samba-winbind samba-winbind-clients
# yum install ntpdate samba4 samba4-client samba4-winbind krb5-workstation policycoreutils-python samba4-winbind-clients

# vi /etc/resolv.conf
domain rntier272.ad
nameserver 192.168.201.50

# vi /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind

# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = RNTIER272.AD
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[realms]
RNTIER272.AD = {
kdc = rntier272.ad
admin_server = rntier272.ad
}

[domain_realm]
.rntier272.ad = RNTIER272.AD
rntier272.ad = RNTIER272.AD

# kinit

# vi /etc/samba/smb.conf

[global]

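# NOTE: "wide links = yes" lets symlinks inside a share resolve to paths outside the share root. Enable it only for shares that need it and where users cannot create their own symlinks; the default is "no".
follow symlinks = yes
wide links = yes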

workgroup = RNTIER272
server string = RNTSMP01
security=ADS
realm = rntier272.ad
domain master = no
local master = no
preferred master = no
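# NOTE: the default (*) range and the RNTIER272 range below are identical. idmap ranges must not overlap, and 1000-9999 may also collide with local UIDs/GIDs; give each backend its own disjoint range.
idmap config *:backend = tdb
idmap config *:range = 1000-9999
idmap config RNTIER272:backend = ad
idmap config RNTIER272:schema_mode = rfc2307
idmap config RNTIER272:range = 1000-9999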
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind separator = .
winbind nested groups = yes
template shell = /bin/bash
template homedir = /home/%U
store dos attributes = yes
inherit acls = Yes
inherit permissions = Yes
restrict anonymous = 2
winbind expand groups = 4
vfs objects = acl_xattr
ea support = yes
store dos attributes = yes
inherit acls = yes
inherit permissions = yes
map acl inherit = yes

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50

load printers = no
show add printer wizard = no
printcap name=/dev/null

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

# testparm -s
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

# vi /etc/sysctl.conf
fs.file-max = 16384

# vi /etc/security/limits.conf
* soft nofile 16384
* hard nofile 32768

# mkdir /var/cache/samba

# net ads join -U administrator
#
# /etc/rc.d/init.d/winbind restart
# /etc/rc.d/init.d/smb restart
# /etc/rc.d/init.d/nmb restart

chkconfig --level 345 winbind on
chkconfig --level 345 smb on
chkconfig --level 345 nmb on

List your AD users
# wbinfo -u
# getent passwd

List your AD groups
# wbinfo -g
# getent group

[root@RNTSMP01 ~]# /etc/rc.d/init.d/winbind stop

Winbind 서비스를 종료함: [ OK ]
[root@RNTSMP01 ~]# /etc/rc.d/init.d/smb stop
SMB 서비스를 종료함: [ OK ]
[root@RNTSMP01 ~]# net cache flush
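Note: /var/lib/samba/*.tdb typically includes winbindd_idmap.tdb, which holds the UID/GID mappings allocated by the tdb idmap backend. Back the directory up first, because regenerated mappings can differ and leave existing files owned by a different account.
[root@RNTSMP01 ~]# rm -f /var/lib/samba/*.tdb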
[root@RNTSMP01 ~]# rm -f /var/lib/samba/group_mapping.ldb
[root@RNTSMP01 ~]# /etc/rc.d/init.d/smb start
SMB서비스를 시작하고 있습니다: [ OK ]
[root@RNTSMP01 ~]# /etc/rc.d/init.d/winbind restart

Winbind 서비스를 종료함: [실패]
Winbind서비스를 시작하고 있습니다: [ OK ]

서진우

슈퍼컴퓨팅 전문 기업 클루닉스/ 상무(기술이사)/ 정보시스템감리사/ 시스존 블로그 운영자
