Joining Samba 2.0 to an NT domain

火星人 @ 2014-03-12, replies: 0


   Joining Samba 2.0 to an NT domain
-----------------------------------


In order for a Samba-2 server to join an NT domain, you must first add the
NetBIOS name of the Samba server to the NT domain on the PDC using Server
Manager for Domains. This creates the machine account in the domain (PDC)
SAM. Note that you should add the Samba server as a "Windows NT Workstation or
Server", NOT as a Primary or Backup Domain Controller.

Assume you have a Samba-2 server with a NetBIOS name of SERV1 and are joining
an NT domain called DOM, which has a PDC with a NetBIOS name of DOMPDC and
two backup domain controllers with NetBIOS names DOMBDC1 and DOMBDC2.


In order to join the domain, first stop all Samba daemons and run the
command:

smbpasswd -j DOM -r DOMPDC

as we are joining the domain DOM through the PDC for that domain (the only
machine that has write access to the domain SAM database). If this is
successful you will see the message:

smbpasswd: Joined domain DOM.

in your terminal window. See the smbpasswd man page for more details.

This command goes through the machine account password change protocol, then
writes the new (random) machine account password for this Samba server into
a file in the same directory in which an smbpasswd file would be stored
(normally /usr/local/samba/private).

The filename looks like this:

<NT domain name>.<Samba server name>.mac

The .mac suffix stands for machine account password file. So in our example
above, the file would be called:

DOM.SERV1.mac

This file is created and owned by root and is not readable by any other user.
It is the key to the domain-level security for your system, and should be
treated as carefully as a shadow password file.

Now, before restarting the Samba daemons you must edit your smb.conf file to
tell Samba it should now use domain security.

Change (or add) your

security =

line in the [global] section of your smb.conf to read:

security = domain

Next change the

workgroup =

line in the [global] section to read:

workgroup = DOM

as this is the name of the domain we are joining.

You must also have the parameter "encrypt passwords" set to "yes" in order
for your users to authenticate to the NT PDC.

Finally, add (or modify) a:

password server =

line in the [global] section to read:

password server = DOMPDC DOMBDC1 DOMBDC2

These are the primary and backup domain controllers Samba will attempt to
contact in order to authenticate users. Samba will try to contact each of
these servers in order, so you may want to rearrange this list in order to
spread out the authentication load among domain controllers.

Alternatively, if you want smbd to automatically determine the list of domain
controllers to use for authentication, you may set this line to be:

password server = *

This method, which is new in Samba 2.0.6 and above, allows Samba to use
exactly the same mechanism that NT does. This method either broadcasts or
uses a WINS database in order to find domain controllers to authenticate
against.

Finally, restart your Samba daemons and get ready for clients to begin using
domain security!
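As an added example (not part of the Samba documentation quoted above), the following POSIX shell script walks through the whole procedure: stop the daemons, run the smbpasswd join, check that the resulting .mac file has the root ownership and owner-only mode the text calls for, and print the [global] settings that must end up in smb.conf. The domain, controller and server names and the private directory are the values the text assumes; the use of `pkill` and the `run` argument are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the Samba docs: performs the join described above and
# verifies the result. Defaults follow the text (domain DOM, PDC DOMPDC, BDCs
# DOMBDC1/DOMBDC2, server SERV1, /usr/local/samba/private); override via env.
DOMAIN="${DOMAIN:-DOM}"
PDC="${PDC:-DOMPDC}"
BDCS="${BDCS:-DOMBDC1 DOMBDC2}"
SERVER="${SERVER:-SERV1}"
PRIVATE_DIR="${PRIVATE_DIR:-/usr/local/samba/private}"

# Step 1: stop smbd and nmbd (adjust to your init scripts), then join the
# domain through the PDC, the only machine that can write the domain SAM.
join_domain() {
    pkill smbd 2>/dev/null || true; pkill nmbd 2>/dev/null || true  # assumed
    smbpasswd -j "$DOMAIN" -r "$PDC"
}

# Step 2: the .mac file holds the machine account password; it must be owned
# by root and readable by nobody else, like a shadow password file.
# Usage: check_mac_file FILE [EXPECTED_OWNER]; returns 0 only if acceptable.
check_mac_file() {
    mac="$1"; want="${2:-root}"
    [ -f "$mac" ] || { echo "missing: $mac" >&2; return 1; }
    set -- $(ls -ld "$mac")            # $1 = mode string, $3 = owner
    mode="${1%[+.@]}"                   # drop trailing ACL/SELinux/xattr marker
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "$mac: mode $mode, expected 0600 or 0400" >&2; return 1 ;;
    esac
    [ "$3" = "$want" ] || { echo "$mac: owner $3, expected $want" >&2; return 1; }
}

# Step 3: the [global] settings the text requires for domain security. Printed
# rather than written so they can be compared against the live smb.conf first.
render_global() {
    printf '[global]\n'
    printf '   workgroup = %s\n' "$1"
    printf '   security = domain\n'
    printf '   encrypt passwords = yes\n'
    printf '   password server = %s %s\n' "$2" "$3"
}

# Only act when asked (so the file can be sourced); restart smbd/nmbd after.
if [ "${1:-}" = run ]; then
    join_domain
    check_mac_file "$PRIVATE_DIR/$DOMAIN.$SERVER.mac"
    render_global "$DOMAIN" "$PDC" "$BDCS"
fi
```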

Why is this better than security = server?
------------------------------------------

Currently, domain security in Samba doesn't free you from having to create
local Unix users to represent the users attaching to your server. This means
that if domain user DOM\fred attaches to your domain security Samba server,
there needs to be a local Unix user fred to represent that user in the Unix
filesystem. This is very similar to the older Samba security mode
"security=server", where Samba would pass through the authentication request
to a Windows NT server in the same way as a Windows 95 or Windows 98 server
would.

The advantage to domain-level security is that the authentication in
domain-level security is passed down the authenticated RPC channel in exactly
the same way that an NT server would do it. This means Samba servers now
participate in domain trust relationships in exactly the same way NT servers
do (i.e., you can add Samba servers into a resource domain and have the
authentication passed on from a resource domain PDC to an account domain
PDC).

In addition, with "security=server" every Samba daemon on a server has to
keep a connection open to the authenticating server for as long as that
daemon lasts. This can drain the connection resources on a Microsoft NT
server and cause it to run out of available connections. With
"security=domain", however, the Samba daemons connect to the PDC/BDC only for
as long as is necessary to authenticate the user, and then drop the
connection, thus conserving PDC connection resources.

And finally, acting in the same manner as an NT server authenticating to a
PDC means that as part of the authentication reply, the Samba server gets the
user identification information such as the user SID, the list of NT groups
the user belongs to, etc. All this information will allow Samba to be
extended in the future into a mode the developers currently call appliance
mode. In this mode, no local Unix users will be necessary, and Samba will
generate Unix uids and gids from the information passed back from the PDC
when a user is authenticated, making a Samba server truly plug and play in an
NT domain environment. Watch for this code soon.

NOTE: Much of the text of this document was first published in the Web
magazine "LinuxWorld" as the article "Doing the NIS/NT Samba".





http://www.coctec.com/docs/net/show-post-68528.html