# Rewrite the whole "passwd:" and "group:" lines of /etc/nsswitch.conf so that
# user and group lookups consult local files first and winbind second.
# Any other source previously listed on those two lines is dropped.
# NOTE(review): the leading "# " on the two command lines below looks like a
# root prompt rather than a comment marker - confirm before pasting.
# NOTE(review): BSD sed expects a backup suffix after -i, so this form probably
# leaves a copy named /etc/nsswitch.conf-e behind - verify on the target host.
# sed -i -e "s/^passwd:.*/passwd: files winbind/" /etc/nsswitch.conf
# sed -i -e "s/^group:.*/group: files winbind/" /etc/nsswitch.conf
创建 /usr/local/etc/smb4.conf
# Global settings: this host is an Active Directory domain member (not a DC)
# that resolves domain users and groups through winbind.
# NOTE(review): nothing in this section sets "server min protocol",
# "server signing" or "smb encrypt", so the installed Samba version's defaults
# apply - review the effective values with "testparm -v".
[global]
workgroup = SVROS
server string = Samba Server Version %v
# Authenticate against Active Directory (Kerberos realm below).
security = ads
realm = SVROS.COM
# Stay out of browser elections; the domain controllers own those roles.
domain master = no
local master = no
preferred master = no
# NOTE(review): fixed socket buffer sizes override the kernel's own tuning;
# the smb.conf manual advises against setting them without measurements.
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
# ID mapping. The default domain (*) uses a local tdb database; the SVROS
# domain uses the algorithmic rid backend. The two ranges do not overlap.
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config SVROS : backend = rid
idmap config SVROS : range = 10000-99999
winbind separator = +
# Enumeration lets getpwent/getgrent (e.g. "getent passwd") list every domain
# account. The smb.conf manual recommends turning it off on large domains;
# individual lookups by name or ID keep working without it.
winbind enum users = yes
winbind enum groups = yes
# Domain accounts appear without the "SVROS+" prefix, so they share one
# namespace with local accounts. With "files winbind" in nsswitch.conf a local
# account of the same name is found first.
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
# %D = domain name, %U = user name.
template homedir = /home/%D/%U
# Domain accounts get a non-login shell: they can use shares but cannot open
# an interactive session on this host.
template shell = /bin/false
# NOTE(review): the next three lines appear to restate Samba defaults, and
# newer releases mark some of them deprecated - check testparm warnings.
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# Most restrictive setting for anonymous (null-session) connections.
restrict anonymous = 2
# One log file per client machine name (%m). "max log size" is in KiB; at 50
# the file rotates to a single ".old" copy very quickly, which leaves little
# history for incident review - consider a larger value or central logging.
log file = /var/log/samba4/log.%m
max log size = 50
#============================ Share Definitions ==============================
# Writable test share. No "valid users" line is present, so every account that
# can authenticate may connect; access is then decided by the UNIX permissions
# on the path below.
# NOTE(review): combined with "force group", this presumably gives every
# connecting domain account group read/write here - add "valid users" if the
# share should be limited to a narrower group.
[testshare]
comment = Test share
path = /samba/testshare
read only = no
# All file operations on the share run with this primary group.
force group = "Domain Users"
# "directory mode" / "create mode" are synonyms for "directory mask" /
# "create mask": the mask is ANDed with the requested mode, the force value is
# ORed in afterwards. Equal values pin the result: directories 0770, files 0660,
# with no access for "other".
directory mode = 0770
force directory mode = 0770
create mode = 0660
force create mode = 0660
上面“testshare”最后两行内容实际使用权限优化(可选)
# Optional replacement for the last two lines of [testshare].
# With mask and force both 0750 every new file is created rwxr-x---: the group
# loses write access, and the owner and group execute bits are set on every
# file, including plain data files.
# NOTE(review): if the goal is only "group may read but not modify", 0640 gives
# that without the execute bits. Directories stay 0770, so group members can
# still delete or rename each other's files.
create mode = 0750
force create mode = 0750
将 samba 加入到域
# Join this host to the domain. --no-dns-updates skips dynamic DNS
# registration, which is why the A record is added by hand further down.
# NOTE(review): the join needs an account allowed to create the computer
# object; a delegated join account would avoid typing the domain administrator
# password on this host - confirm with the AD administrators.
net ads join --no-dns-updates -U administrator
# Verify the machine account / trust with the domain.
net ads testjoin
# Should report "Join is OK"
# On your DC, open the DNS MMC and add an "A" entry for your BSD server so clients can find it
# Request a Kerberos ticket to confirm that the realm and KDC are reachable.
kinit administrator
# Enter domain admin password, it should return to the prompt with no errors
# List the cached tickets.
klist
# Credentials cache: FILE:/tmp/krb5cc_0
# Principal: administrator@SVROS.COM
#
# Issued Expires Principal
# Dec 6 10:15:39 2021 Feb 4 20:15:39 2021 krbtgt
# The cache shown above holds a domain-administrator ticket in a file under
# /tmp; run "kdestroy" once the checks are done so it does not stay on disk
# until it expires.
测试 Winbind
# Ask winbind directly for the domain's users and groups.
wbinfo -u
# Should return domain users
wbinfo -g
# Should return domain groups
# Check the same data through NSS (nsswitch.conf -> winbind). A full listing
# here relies on "winbind enum users/groups = yes" in smb4.conf; the 10000+ IDs
# come from the "idmap config SVROS : range" setting.
getent passwd
# Should return domain users at the end of the list with 10000+ UIDs
getent group
# Should return domain groups at the end of the list with 10000+ GIDs