Chapter 2. Installing Samba on a Unix System
2.1. Binary Packages
Check the version:
$ smbd -V
Check whether Samba is installed:
$ rpm -qa | grep samba
Check which libraries a binary depends on:
$ ldd /usr/local/samba/sbin/smbd
2.2. Compiling from Source
Download the source distribution from the Samba web site, unpack it, and then run the ./configure, make, and make install commands.
$ gunzip samba-latest.tar.gz
$ tar xvf samba-latest.tar
The configure script is located in the samba-3.0.x/source/ directory.
$ ./configure | more
One method is to add the directory (e.g., /opt/openldap/lib) to the global library search path. On some platforms, this can be done at run time by appending the new directory to the LD_LIBRARY_PATH search list:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/openldap/lib
Other, more permanent solutions, differ from platform to platform. For example, Linux's /etc/ld.so.conf file and Solaris' crle tool have already been mentioned.
The other solution is to encode the library search path in the binary itself during the compilation process, usually done by instructing the compiler to pass additional flags on to the linker. The following script shows how this would be done if Heimdal Kerberos were installed in /opt/heimdal and OpenLDAP were installed in /opt/openldap.
2.3. Compiling and Installing Samba
$ make
$ make install    # run as root
export MANPATH=$MANPATH:/usr/local/samba/man
2.4. Enabling the Samba Web Administration Tool (SWAT)
For SWAT to work, entries must be added for it in the /etc/services and /etc/inetd.conf (or /etc/xinetd.d/swat) configuration files. To add the entries, follow these three steps:
1. Check your /etc/services file, and add the following line to the end if a line like it does not already appear.
swat 901/tcp
2. If an entry exists and has assigned port 901 to a service other than SWAT, you can select any unused port. However, you will need to adapt any references to port 901 in our examples to your local configuration.
3. Make sure that an inetd-style daemon is running. inetd and xinetd are "Internet super daemons" that handle starting daemons on demand, instead of letting them sit around in memory consuming system resources. Most Unix systems use inetd, but some utilize the more secure xinetd service. Most Linux distributions now use xinetd by default. You can use the ps command to see which of the two your system is running.
If your system is using xinetd, add a file named swat in your /etc/xinetd.d directory and make sure it is readable by the account used to run the xinetd metadaemon (usually root). The file should contain the following:
# description: swat is the Samba Web Administration Tool, which
# allows an administrator to configure Samba using a web
# browser interface, with the URL http://localhost:901
service swat
{
socket_type = stream
wait = no
protocol = tcp
only_from = localhost
user = root
log_on_failure += USERID
server = /usr/local/samba/sbin/swat
port = 901
disable = no
}
Then xinetd needs to be sent a signal[*] to make it reread its configuration files:
$ kill -HUP -a xinetd    # use this when you want to change the configuration without stopping and restarting the service: after making the necessary changes to the configuration files, issue this command to update the service configuration dynamically.
2.5. A Basic Samba Configuration File
By default, Samba 3.0 enables the encrypt passwords option. For the sake of clarity, and because you may not be familiar with all of Samba's default settings, we add the following line to our smb.conf in the [global] section.
encrypt passwords = yes
Enter the username/password combinations of the Samba users into Samba's encrypted password database:
$ smbpasswd -a lizard    # add a user
The parser, testparm, examines an smb.conf file for syntax errors and reports any it finds, along with a list of the services enabled on your machine:
$ testparm -s /usr/local/samba/lib/smb.conf | more
2.6. Firewall Configuration (I did not fully understand this section)
2.7. Starting the Samba Daemons
If you're in a hurry, you can start the Samba daemons by hand. As root, enter the following commands:
$ /usr/local/samba/sbin/smbd -D
$ /usr/local/samba/sbin/nmbd -D
A convenient way to make sure that everything is working as we think it should is to use the smbclient program to examine what the server is offering to the network.
$ smbclient -L localhost -N
3.1.3. Name Resolution
If you require a WINS server for your network, Samba can happily perform that function if you specify the following line in the [global] section of the server's smb.conf:
wins support = yes
Installing directly from the RPM package, without compiling:
rpm -ivh samba-****.rpm    # install Samba
service smb start    # start the Samba service
vim /etc/samba/smb.conf
[global]
[test]    # the share name seen in Windows Network Neighborhood
comment = SambaServer    # the share description seen in Windows Network Neighborhood
path = /    # location of the shared directory on the system
read only = no
# save the configuration
smbpasswd -a fnst    # add user fnst to the Samba user database (as root)
Then it can be used right away!!
Samba 3.0 cannot at this time act as a domain controller for an Active Directory domain.
1. Preparation before installing
1. To use a Samba server, the firewall must open the following ports:
UDP 137 UDP 138 TCP 139 TCP 445
# configure the firewall ports
[root@roothomes ~] vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# restart the firewall so the rules take effect
[root@roothomes ~] /etc/rc.d/init.d/iptables restart
2. Disable SELinux on CentOS 6
[root@roothomes ~] vi /etc/selinux/config
#SELINUX=enforcing    # commented out
#SELINUXTYPE=targeted    # commented out
SELINUX=disabled    # added
# :wq to save
# reboot the system
[root@roothomes ~] shutdown -r now    (or: init 6)
2. Installing Samba
1. Check whether the Samba packages are installed
[root@roothomes ~] rpm -qa | grep samba
samba-3.5.4-68.el6.x86_64
samba-common-3.5.4-68.el6.x86_64
samba-client-3.5.4-68.el6.x86_64
samba4-libs-4.0.0-23.alpha11.el6.x86_64
samba-winbind-clients-3.5.4-68.el6.x86_64
This shows that Samba is already installed. If it is not, install it with the following command:
[root@roothomes ~] yum install samba
2. Configure Samba
[root@roothomes ~] chkconfig smb on    # start Samba automatically at boot
[root@roothomes ~] service smb start    # start the Samba service
[root@roothomes ~] /etc/init.d/smb restart    # restart
[root@roothomes ~] /etc/init.d/smb stop    # stop
[root@roothomes ~] cp /etc/samba/smb.conf /etc/samba/bak_smb.conf_bak    # back up
[root@roothomes ~] cp /etc/samba/bak_smb.conf_bak /etc/samba/smb.conf    # restore
[root@roothomes ~] vi /etc/samba/smb.conf
[global]    # find this line (the global settings section) and add the following lines below it:
workgroup = WORKGROUP    # change the workgroup name to the one defined on the Windows network
server string = Samba Server    # set the Samba server's description string
security = user    # set the Samba server security level to user, i.e. access by account and password
netbios name = SambaServer    # set the alias used to reach the Samba server
# add the following custom section at the end of the configuration file
[SambaServer]    # the share name seen in Windows Network Neighborhood
comment = SambaServer    # the share description seen in Windows Network Neighborhood
path = /home/SambaServer    # location of the shared directory on the system
public = no    # not a public directory
writable = yes    # the share is readable and writable
valid users = SambaServer    # only allow the user SambaServer
# save the configuration
3. Add the account SambaServer used to access the Linux share
The user's home directory is /home/SambaServer, and its login shell is set to /bin/false (so that it cannot log in to the system).
[root@roothomes ~] mkdir -p /home/SambaServer    # create the SambaServer directory
[root@roothomes ~] cd /home/SambaServer
[root@roothomes ~] touch samba.txt    # create the test file samba.txt
[root@roothomes ~] useradd SambaServer -d /home/SambaServer -s /bin/false
[root@roothomes ~] chown SambaServer:SambaServer /home/SambaServer -R
4. Add the user SambaServer to the Samba user database and set the password for the share to 123456
[root@roothomes ~] smbpasswd -a SambaServer
New SMB password: <enter the password this user will use to log in to Samba>
Retype new SMB password: <retype the password to confirm>
Added user SambaServer.
# Note: the password set here is the one SambaServer uses to access this machine's Samba shares, not the OS login password.
5. Restart the Samba server
[root@roothomes ~] /etc/init.d/smb restart
6. Browse the share
On the Windows client, enter \\ip or \\SambaServer (the server alias).
After pressing Enter, a login box appears; enter the account SambaServer and the password 123456 to access the share.
Troubleshooting:
If the contents of the share cannot be accessed, stop the firewall:
[root@roothomes ~] service iptables stop
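As an added example (not from the book or these notes), the following Python parses an smb.conf and flags share settings that widen access; the sample config is constructed from the two share definitions shown above, and the finding codes are my own names.

```python
# Added example (not from the book or these notes): parse an smb.conf and flag
# share settings that widen access. The sample config is constructed from the
# share definitions shown earlier in these notes.

SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
encrypt passwords = yes

[test]
comment = SambaServer
path = /
read only = no

[SambaServer]
comment = SambaServer
path = /home/SambaServer
public = no
writable = yes
valid users=SambaServer
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    smbd ignores lines that begin with '#' or ';' and treats parameter names
    case-insensitively, so names are lower-cased and whitespace-collapsed."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def boolean(value, default=False):
    """Samba boolean parameters accept yes/no, true/false and 1/0."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """'writable', 'writeable' and 'write ok' are synonyms; 'read only' is their inverse."""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return boolean(share[key])
    return not boolean(share.get("read only"), default=True)  # read only defaults to yes


def audit(config):
    """Return a list of (section, finding) pairs for settings that widen access."""
    findings = []
    g = next((s for n, s in config.items() if n.lower() == "global"), {})
    if "encrypt passwords" in g and not boolean(g["encrypt passwords"]):
        findings.append(("global", "plaintext-passwords"))
    if g.get("security", "user").lower() not in ("user", "domain", "ads"):
        findings.append(("global", "unexpected-security-mode"))
    for name, share in config.items():
        if name.lower() in ("global", "homes", "printers"):
            continue
        path = share.get("path")
        if path is None:
            findings.append((name, "no-path"))
        elif path.rstrip("/") == "":
            findings.append((name, "root-path"))  # exports the whole filesystem
        guest = boolean(share.get("guest ok", share.get("public")))  # public is a synonym
        writable = share_is_writable(share)
        if guest:
            findings.append((name, "guest-access"))
        if guest and writable:
            findings.append((name, "guest-writable"))
        if writable and "valid users" not in share:
            findings.append((name, "writable-no-valid-users"))
    return findings


def audit_text(text):
    return audit(parse_smb_conf(text))


if __name__ == "__main__":
    for section, finding in audit_text(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

Run against the sample, the [test] share is flagged for exporting / read-write without a valid users list, while [SambaServer] produces no findings.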
1. Macros
The basic configuration mentions that some parameters can be followed by %u or %m. These are macros defined by Samba: a macro is a percent sign followed by one character, and at run time it is replaced by the actual value. Commonly used macros are:
%S = the current service name;
%P = the root path of the current service;
%u = the user name of the current service;
%g = the primary group name of %u;
%H = the home directory of %u;
%v = the Samba version;
%h = the host name of the machine running Samba;
%m = the NetBIOS name of the client machine;
%L = the NetBIOS name of the server;
%T = the current date and time;
5.1. Security Modes
Authentication is a prerequisite for authorization.
This chapter mainly covers how to configure Samba so that it can validate requests against a set of local accounts (authentication and authorization).
5.1.1. Guest Access with security = user
Now consider a very simple situation: the server must give users access without creating individual accounts. When a user tries to reach a share on the Samba server and the server has no such user, by default it rejects the connection as a logon failure. How such failures are handled is determined by the map to guest parameter.
9.5. Migrating an NT 4.0 Domain to Samba
We said earlier that Samba 3.0 does not support the Windows NT 4.0 SAM (Security Account Manager) replication protocol. In that sense this is true: you cannot configure Samba to accept incremental change sets from a Windows primary domain controller (or vice versa). However, the developers have implemented enough of the protocol to allow the SAM synchronization mentioned earlier. This is what a Windows server does when a backup domain controller first comes online: it synchronizes its local SAM by requesting the full set of users and groups from the PDC. By using this initial synchronization request against a Windows NT 4.0 PDC, Samba can obtain a complete list of user and group accounts with their details and passwords, which provides a way of migrating from the Windows domain controller to a Samba-based domain.
The basic steps for migrating an NT 4.0 domain from Windows to Samba are:
1. Ensure that all Samba daemons are stopped.
2. Configure the Samba host's smb.conf as a BDC for the domain, including the user management family of scripts.
3. Synchronize the Samba's machine SID stored in secrets.tdb with the domain SID.
4. Create a BDC account on the Windows PDC for the Samba server.
5. Join the domain.
6. Issue the SAM synchronization request.
7. Reconfigure Samba as a PDC.
8. Shut down the Windows PDC.
9. Start smbd and nmbd on the Samba server.
The main work of the migration is producing a working set of user management scripts. These are required so that Samba can create a new Unix user or group before creating the user account or group in passdb. However, a major obstacle is that many Unix account tools restrict the format of new user and group names. For example, the Linux groupadd command fails if the group name contains a space:
# groupadd "Domain Admins"
groupadd: Invalid group name 'Domain Admins'.
One solution is to bypass the operating system's tools and create the Unix groups by hand. At least on Linux, the rejection of spaces in group names is a restriction of the tool, not of /etc/group or the libnss_files.so.2 library. The following excerpt from /etc/group illustrates such group names:
Domain Admins:!:1000:
Domain Users:!:1001:
Domain Guests:!:1002:
Account Operators:!:1003:
Server Operators:!:1004:
Backup Operators:!:1005:
Print Operators:!:1006:
But if you want to create a large number of groups, manual creation may be too tedious. In that case, customize the scripts that Samba calls the user management scripts so that they accept valid Windows user and group names.
The next question is which passdb backend to use. Our recommendation is to start with tdbsam. The reasons are obvious: tdbsam is easier to configure than the LDAP backend and more robust than the smbpasswd file. Furthermore, when running migration experiments it is easier to remove tdb files than to rebuild an LDAP DIT. You can always convert Samba's users and groups from the tdb backend to an LDAP directory service later with the following command:
# pdbedit -i tdbsam -e ldapsam:ldap://ldap.example.com/
With these recommendations in mind, let's take an example that defines the following smb.conf for what will become the Samba PDC. All of the parameters should look familiar by now. The Windows NT domain we are migrating is called DOA. Remember to disable the domain master option while we configure the server as a backup domain controller. The [netlogon] share is not required during the migration, but it is needed once we convert the Samba server to a PDC. Finally, we have omitted any support for roaming user profiles, because this feature is independent of transferring accounts. We will, however, revisit some specific issues surrounding the user environment profile after completing the migration.
[global]
netbios name = CAT
workgroup = DOA
security = user
encrypt passwords = yes
passdb backend = tdbsam
domain logons = yes
domain master = no
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel '%u'
rename user script = /usr/sbin/usermod -l '%unew' '%uold'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/groupmod -A '%u' '%g'
delete user from group script = /usr/sbin/groupmod -D '%u' '%g'
set primary group script = /usr/sbin/usermod -g '%g' '%u'
[netlogon]
path = /data/netlogon
read only = yes
write list = +"Domain Admins"
After the initial smb.conf has been created, the next step is to synchronize Samba's machine SID with the domain SID (security identifier). This can be done by running the net rpc getsid command. Because you are writing directly to secrets.tdb, these commands must be run as root. In the example, medic is the name of the PDC for the DOA domain.
# net rpc getsid -S medic
Storing SID S-1-5-21-406022937-1377575209-526660263 for Domain DOA in secrets.tdb
Samba's machine SID must then be set by hand to match, using the net setlocalsid command. If the command succeeds, you are returned to the prompt with no additional output.
# net setlocalsid S-1-5-21-406022937-1377575209-526660263
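As an added example (not from the book), the following Python parses and encodes SIDs so that the value handed to net setlocalsid can be checked against the SID reported by net rpc getsid; the SID and the getsid output line are the ones shown above, and the function names are my own.

```python
# Added example (not from the book): parse, encode and compare Windows SIDs so
# that the value passed to 'net setlocalsid' can be checked against the one
# reported by 'net rpc getsid'. The SID used in the test is the one shown above.
import re
import struct

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(text):
    """'S-1-5-21-a-b-c' -> (revision, identifier_authority, [sub_authorities])."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    # Revision is always 1; at most 15 sub-authorities; each is a 32-bit value.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary form: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian)."""
    revision, authority, subs = parse_sid(text)
    out = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def sid_from_bytes(data):
    """Inverse of sid_to_bytes."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = [struct.unpack("<I", data[8 + 4 * i:12 + 4 * i])[0] for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def is_nt_domain_sid(text):
    """An NT domain SID is S-1-5-21-<x>-<y>-<z>; an account SID is that plus a trailing RID."""
    _, authority, subs = parse_sid(text)
    return authority == 5 and len(subs) == 4 and subs[0] == 21


GETSID_RE = re.compile(r"Storing SID (S-[\d-]+) for Domain (\S+) in secrets\.tdb")


def domain_sid_from_getsid(output):
    """Pull (domain, sid) out of 'net rpc getsid' output; None if the line is absent."""
    m = GETSID_RE.search(output)
    return (m.group(2), m.group(1)) if m else None


def local_sid_matches_domain(getsid_output, local_sid):
    """True when the SID given to 'net setlocalsid' equals the domain SID getsid reported."""
    found = domain_sid_from_getsid(getsid_output)
    return found is not None and parse_sid(found[1]) == parse_sid(local_sid)
```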
The next two steps, creating the BDC account and joining the domain, should be performed one right after the other to prevent an attacker from hijacking the machine account. Ideally they should be done on an isolated, secure network, but this is not always possible when migrating a production domain. For experiments, consider moving a Windows BDC to an isolated network and promoting it to PDC there.
Figure 9-11 shows the Server Manager (srvmgr.exe) application and the Add Computer to Domain dialog boxes. Use these to create a BDC account for the Samba host.
Figure 9-11. Using Server Manager to create a BDC account for the Samba host CAT
Next, join the domain with the net rpc join command. The next chapter gives more detailed instructions on joining Windows (and Samba) domains; for now, this command is enough to get the job done:
# net rpc join
Joined domain DOA.
You are finally ready to migrate the users and groups of the DOA domain into Samba's passdb. Assume that all group names containing spaces were created in /etc/group beforehand. Run net rpc vampire to start the migration. The -S option is used to define the name of the Windows NT 4.0 PDC to contact. Once the migration completes, it is a good idea to verify the new users and groups both in the server's Unix accounts and in Samba's passdb.
# net rpc vampire -S medic
Fetching DOMAIN database
Creating unix group: 'testgroup'
Creating unix group: 'testgroup2'
Creating account: Administrator
Creating account: Guest
Creating account: foo
Creating account: foo2
Creating account: foo3
Creating account: user1
Creating account: NURSE$
Creating account: CAT$
Group members of Domain Admins: Administrator,
Group members of Domain Users: Administrator(primary),foo2(primary),
user1(primary),foo3(primary),NURSE$(primary),CAT$(primary),
Group members of Domain Guests: nobody,
Group members of testgroup: foo(primary),
Group members of testgroup2: foo,
Creating unix group: 'LocalTestGrp'
Fetching BUILTIN database
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
Creating unix group: 'Administrators'
Creating unix group: 'Guests'
Creating unix group: 'Replicator'
Creating unix group: 'Users'
The final step is to shut down the Windows PDC and start the new Samba PDC. Before starting smbd and nmbd, make sure the domain master parameter is enabled so that Samba registers the DOA<0x1b> name and Windows clients recognize the new PDC.
Here are a few pieces of advice. Migrating a domain is tricky business. You should expect to run through several test migrations before disabling the Windows PDC. Also consider any additional services such as file and printer shares, web servers, or other applications offered by the Windows PDC. These must be migrated individually. The good news is that you have to successfully complete the migration process only once.
9.6. Domain Trusts
Samba 3.0 is the first release to support Windows NT 4.0 one-way trusts, which can be used to connect Samba domains to NT and Active Directory domains. Initiating a trust relationship is very similar to the process of joining a domain described earlier in this chapter. The trusted domain creates a domain trust account that has a purpose analogous to a machine trust account. The trusting domain then establishes the relationship by joining the trust. We'll next walk you through an example of configuring a Samba domain to trust an AD domain.
First, you must have a fully configured Samba domain. Samba restricts the right to create domain trusts to members of the Domain Admins group, so it is necessary to configure an appropriate group mapping entry for this if you have not already done so. You also must either create the necessary Unix user account for the domain trust using the name of the trusting domain followed by a $ character (e.g., books$), or configure a working add machine script in smb.conf.
Use the net rpc trustdom command to create the domain trust account on the Samba PDC. The add subcommand accepts the name of the domain (BOOKS) followed by the new trust account password (sambapw):
$ net rpc trustdom add BOOKS sambapw -S stork -U cindy
Password: <enter cindy's password>
If all goes well, you are returned immediately to a shell prompt. You can verify that the account was created using pdbedit. The I account flag is used to mark this as a domain trust account. (Note that the following output has been wrapped for better readability.)
# pdbedit -L -w books$
BOOKS$:10018:A01531C54AE6F75CAAD3B435B51404EE:
45F9E3989DD87751210C054A9B3A134E:[I ]:LCT-44DA55A9:
Now establish the trust account from the Windows domain controller. Figure 9-12 shows the books.plainjoe.org domain properties, as displayed by the Windows 2000 Active Directory Domains and Trusts MMC plug-in. The top section of this dialog is used to connect to a trusted domain. There are no existing domain trust relationships in the screenshot.
Figure 9-12. Trust relationships for the books.plainjoe.org AD domain
Now select Add from the top section and enter the name of the Samba domain (ORA) along with the password specified in the net rpc trustdom add command. You should be greeted with a dialog box similar to the one in Figure 9-13, indicating that the trust has been established and verified.
Figure 9-13. Confirming a successfully established trust between Samba and AD
You can use smbclient to test the trust relationship by connecting to a share on any member server in the BOOKS domain as a user from the ORA domain:
$ smbclient //windc/public -U cindy -W ORA
Password: <enter cindy's password>
Domain=[BOOKS] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
Next, it is time to create the trust relationship in the other direction. This time, create the trust account on the Windows DC using the lower half of the Trusts dialog box shown in Figure 9-12.
You will initially receive a message that Windows cannot verify the trust. This is because you have not established the trust on the Samba DC yet. To do so, run the net rpc trustdom establish command, giving the trusted domain name as the sole parameter. This must be done as root so that the net tool can write the new password to secrets.tdb.
# net rpc trustdom establish BOOKS
Password: <enter trust password here>
Trust to domain BOOKS established
You should now be able to return to the Windows DC and verify the trust.
You can view the list of current trusts using the net rpc trustdom list command. This command does not display any information about the status of the trust, only that Samba has a trust account entry or password for the listed domain.
# net rpc trustdom list -U cindy
Password: <enter cindy's password>
Trusted domains list:
BOOKS S-1-5-21-4200961138-2496335650-1239021823
Trusting domains list:
BOOKS S-1-5-21-4200961138-2496335650-1239021823
In order to connect to the Samba server using an account from the BOOKS domain, the server requires some method to deal with users and groups from the trusted domain. The best way to do this is with Winbind. Conceptually, these trusted users and groups on a Samba PDC are no different from domain users and groups on a Samba member server. To set up Winbind on a Samba DC, follow the same steps you would for a Samba member server (described in Chapter 10) with the exception of maintaining the security = user setting instead of one of the domain mode security settings. On a DC, Winbind allocates uids and gids only for accounts outside of its own domain.
Table 9-5 completes our discussion of domain trusts with an overview of the net rpc trustdom commands.
Table 9-5. net rpc trustdom commands
Command     Options           Description
add         DOMAIN password   Create a domain trust account for a trusting domain using the specified password.
del         DOMAIN            Remove a domain trust account.
establish   DOMAIN            Establish a trust relationship with a trusted domain.
revoke      DOMAIN            Disconnect a trust relationship with a trusted domain.
list        none              List the currently configured domain trust relationships.
Chapter 10. Domain Member Servers
A Windows domain is built on the centralized authentication service provided by domain controllers. A medium-sized domain has a limited number of domain controllers but may have hundreds of file and print servers; in a large domain the number of servers can be ten times that or more.
In many networks, Samba makes use of these domain authentication services side by side with Windows. First introduced in 1998, Samba's support for joining a Windows domain as a member server has helped administrators integrate Unix servers with Windows clients. In 2003, Samba 3.0 extended this feature with support for Kerberos authentication and LDAP directory services, resulting in improved integration with Microsoft Active Directory domains.
Chapter 5 began with a discussion of the concepts of authentication and authorization. These tasks apply not only to local users but also to domain member servers. For all but the smallest domain, manually synchronizing user and group account information between Unix hosts and Windows domains can consume a considerable amount of your time. The focus of this chapter is on reducing that work by configuring Samba member servers to make use of the authentication and authorization data stored on Windows domain controllers. We address the steps necessary for Samba to join and participate in both Windows NT 4.0 and Active Directory domains, including how to configure the required additional software dependencies such as the Kerberos client libraries, time synchronization, and the DNS client resolver. We also examine Winbind's account management features and how they benefit member servers.
10.1. Joining a Domain
Adding a new machine to a domain is much like adding a new user. In the case of a human user, the new account is first created on the domain controller. The user is then told the login name and credentials. The user remembers the password in order to access available network services such as email or printing. When a computer joins a domain, it likewise establishes a random password known only to the domain controller and itself. The client stores this password in its local registry or another local database.
We described the process used to authenticate a connection request to a share on a standalone server in Chapter 1. If necessary, now is a good time to review the section "Connecting to a CIFS File Share" as a refresher on session setup requests. The standalone server provides an excellent starting point for examining domain authentication, because the basic elements of the connection process are exactly the same for standalone and member servers. The main difference is how the server ultimately validates the credentials sent by the client.
Samba 3.0 and Windows NT 4.0 domain controllers use a Remote Procedure Call (RPC) mechanism by which a member server can establish a secure communication channel and then ask the DC to authenticate user sessions. Figure 10-1 illustrates this concept. The client \\FOX connects to the file server \\HOUND, which in turn asks the domain controller \\RABBIT to authenticate the session request for the user rose. The NetRequestChallenge() and NetAuth2() RPCs use the password stored as part of the domain join process to establish the identity of \\HOUND. The third RPC, NetSamLogon(), is the authentication request on behalf of the user. Upon receiving the domain controller's NetSamLogon() reply, the file server either responds with success or returns an error code, such as Logon Failure or Password Expired, specified by the DC.
Figure 10-1. Connecting to a domain file server using NTLM and RPC
When joined to an AD domain, Windows 2000 and later clients are capable of using Kerberos 5 (Krb5) authentication services.[*] We say "capable," because AD domains still support NTLM authentication and the RPC mechanisms just described. Further discussion of Kerberos is beyond the scope of this book. Two excellent sources of information on the subject are Kerberos: The Definitive Guide, by Jason Garman (O'Reilly), and Network Security: Private Communication in a Public World, by Charlie Kaufman et al. (Prentice Hall). The former discusses implementation issues for Kerberos administrators and the latter is an in-depth examination of Kerberos and other security protocols.
[*] Active Directory domains do not support Kerberos v4.
Figure 10-2 illustrates what happens when a user connects to a file server using Kerberos authentication. Again, the client machine \\FOX connects to the server \\HOUND, but this time the domain controller does not need to authenticate the session request. The file server decrypts the Kerberos ticket locally, because the user has already been authenticated by the DC.
Figure 10-2. Connecting to a file server in an Active Directory domain
10.2. Domain and ADS Security Modes
Samba provides two domain modes of operation, security = domain and security = ads. Both allow Samba to make use of the centralized authentication services provided by domain controllers. Both modes support the NTLM and NTLMv2 authentication protocols. However, ads also supports Kerberos authentication, whereas domain does not. A good rule of thumb is to choose ads mode if you are joined to an AD domain, regardless of whether the domain runs in mixed or native mode.
If you plan to configure Samba with security = ads, remember to confirm, using the commands given in Chapter 2, that your Samba build supports Kerberos, LDAP, and Active Directory. There are no such external software dependencies for enabling domain security; this mode is always provided.
10.2.1. security = domain
Joining a Samba host using security = domain involves two steps:
1. Define the domain and member server settings for your environment in smb.conf.
2. Establish the machine account credentials by joining the domain.
The first parameter to set is security. Start by defining domain mode security in the [global] section of smb.conf:
[global]
security = domain
Supporting password encryption is a requirement for member servers, so even though the default is yes, set it explicitly:
encrypt passwords = yes
Finally, specify the name of the domain your server belongs to. Samba, like Windows, reuses the workgroup parameter to mean the domain. Here, we are joining the GLASS Windows NT 4.0 domain:
workgroup = GLASS
Once smb.conf is configured, use the net command to establish the server's credentials in the domain. You need a user account that is properly authorized to join your server to the domain.* When in doubt, an account that is a member of the Domain Admins group will always work. Next, run the net join command from a root shell to join the domain, using the -U option to specify the user name to connect as:
$ net join -U Administrator
Administrator's password: <enter password for Administrator>
<...intermediate output deleted...>
Joined domain GLASS.
If you are greeted by the "Joined domain ..." message, net has successfully established the machine account credentials and your server is now part of the domain. If not, here are three common errors.
First, if you receive the following message, make sure that you entered the correct user name and password:
Could not connect to server XXX
The username or password was not correct.
Second, if you entered the correct credentials but the account does not possess sufficient rights to join the server to the domain, you will receive this error message:
error setting trust account password: NT_STATUS_ACCESS_DENIED
Unable to join domain XXX.
The third common error is the inability to locate a DC for the domain specified in smb.conf. This error is signaled by the following message:
Unable to find a suitable server
This situation is frequently caused by a mistyped name, so verify your smb.conf settings before proceeding. If your configuration is correct, it could be that this error is caused by a name service failure. We cover how Samba attempts to locate domain controllers shortly. If you are joining a Samba domain, you may encounter the additional following error:
Creation of workstation account failed
This error is normally caused by some failure in the add machine script. Or possibly the script succeeded, but smbd is unable to locate the Unix account it created, a situation frequently caused by running the Name Service Cache Daemon (nscd) on the Samba DC. To resolve this problem, ensure that the DC’s /etc/nsswitch.conf file is set up correctly, that the add machine script did in fact create the trust account, and that nscd is using up-to-date information.
You can verify your server's trust account with the following command:
$ net rpc testjoin
Join to 'GLASS' is OK
10.2.2. security = ads
From the user's point of view, a server configured for ads security is exactly the same as one configured for domain security. From the administrator's point of view, the ads method adds explicit Kerberos support at the cost of a few additional configuration steps for joining the domain. Instead of the two steps described for security = domain, four steps are needed this time:
1. Define the domain and member server settings for your environment in smb.conf (as before).
2. Synchronize the server’s clock with the domain controller.
3. Configure the Kerberos client library and DNS resolver settings.
4. Establish the machine account credentials by joining the domain (as before).
10.2.2.1. Basic Samba settings
Once again, we start with configuring the server’s smb.conf file. Our initial file defines ads security and includes the required encrypted password support:
[global]
security = ads
encrypt passwords = yes
Next come the settings that identify the AD domain. In Active Directory domains, the Kerberos realm is the same as the domain's DNS name in upper case.* So the AD domain blue.plainjoe.org is defined as:
realm = BLUE.PLAINJOE.ORG
The workgroup parameter is the short form of the domain name, which is usually the same as the first component of the realm name. However, this setup is not guaranteed. If you define the wrong value, the net tool complains when it joins the domain and reminds you to set the correct value. In our example, the short domain name is the first component of the realm name, so we specify the workgroup as follows:
workgroup = BLUE
10.2.2.2. Time synchronization
Time synchronization is a prerequisite for Kerberos authentication. Therefore, Microsoft chooses to make all AD domain controllers act as time servers. Non-Microsoft clients can synchronize their system clocks with an AD DC by using version 4 of the Simple Network Time Protocol (SNTP). The ntpdate tool, included in the NTP distribution from http://www.ntp.org, can synchronize the server's local clock with an AD DC. Most systems already have some form of the NTP tools included.
Kerberos Terminology 101
For the purposes of our discussion, understanding some basic terminology can be helpful to map Kerberos concepts onto Active Directory functionality:
Principal
A user or computer in a Kerberos authentication database (e.g., a user or computer object in AD).
Principal: in Kerberos, a principal is the basic entity that takes part in authentication. Generally there are two kinds: one represents a user in the Kerberos database, the other represents a particular host; that is, principals represent the identities of clients and servers. The principal format is precisely defined in ASN.1 (Abstract Syntax Notation One). A principal consists of three parts: the name, the instance, and the realm. For example, a standard Kerberos user is written name/instance@REALM.
Name: the first part. When it represents a client, it is a user name; when it represents a host, it is written as host.
Instance: the second part. A further description of the name, such as the host the name belongs to or the type of the name; it may be omitted. It is separated from the first part by '/', and when describing a host it is written as host/Instance.
Realm: the third part. It is an administrative division of Kerberos; the domain database a KDC is responsible for is called a realm. This database holds all principals within that network and their keys, and its contents are used by the Kerberos authentication server (AS) and ticket-granting server (TGS). A realm is conventionally always written in upper case, and in most Kerberos configurations the realm matches the DNS domain of the network. It is separated from the second part by '@' and defaults to the local realm. For example, the principal "cnhawk/hawk.the9.com@THE9.COM" denotes the user cnhawk on the host hawk.the9.com in the realm "THE9.COM", while the principal "host/hawk.the9.com@THE9.COM" is normally used to denote the host hawk.the9.com in the realm "THE9.COM".
Credential: a ticket together with its associated session key is called a credential. The concept exists because these are the two things a client needs to prove its identity to a server. Within a ticket's lifetime the client stores the two of them, as a credential, in a cache file.
Ticket: a ticket is the collection of information needed to convey a user's identity securely. It contains not only the user's identity but also other related information. Generally it includes the client principal, the target service principal, the client's IP address, a timestamp (when the ticket was issued), the ticket's lifetime, and the session key. Its format is also precisely defined in ASN.1.
Authenticator: the other part sent along with the ticket when a client authenticates to a server. Its purpose is to prove that the party sending the ticket is the party that owns it, i.e. to prevent replay attacks. Its main content is a timestamp (the time the client sent the ticket); its complete ASN.1 definition is in RFC 1510.
AS (Authentication Server): the server that issues TGTs (Ticket Granting Tickets) to users.
TGT (Ticket Granting Ticket): the ticket a user presents to the TGS (Ticket Granting Server) to prove its identity.
TGS (Ticket Granting Server): the server that issues the final service tickets to users, which the user then presents to the server it wants service from in order to prove its identity. In practice, the AS and TGS are implemented by the same program, because their mechanisms do not differ much; the only difference is the key used to encrypt the issued ticket (the AS uses the user's key, while the TGS uses the session key).
KDC (Key Distribution Center): the AS and TGS together are usually referred to as the KDC; sometimes the AS alone is called the KDC.
Realm
A collection of Kerberos principals. In AD, this is the same as the DNS domain.
Ticket Granting Ticket (TGT)
An encrypted blob of data issued to a principal, which can be used to request tickets to other principals.
Service Ticket
An encrypted blob of data that can be used to access application services such as a mail, web, or file server.
Key Distribution Center (KDC)
The Kerberos database server.
Authentication Server (AS)
The service responsible for issuing TGTs.
Ticket Granting Service (TGS)
The service responsible for issuing service tickets.
Secret Key
The hashed version of a principal's passphrase. This is also referred to as the long-term key, because it does not expire or change based on an individual session.
Session Key
A short-term key valid only for the life of a specific application session or Kerberos ticket. Windows 2000 and later systems use this key to encrypt certain communications between clients and servers.
In most implementations, Microsoft and Unix alike, the KDC, AS, and TGS are all implemented in the same service, although each has a logically separate function. An AD domain controller fulfills all three of these roles. Frequently, the term KDC is used to refer to the KDC+AS+TGS server.
To set your server's clock to match the time on the domain controller named bluedc1.blue.plainjoe.org, run the following command as root:
$ ntpdate bluedc1.blue.plainjoe.org
17 Jun 12:46:46 ntpdate[16773]: step time server 192.168.1.148 offset 8.734885 sec
If you receive the error message, "no server suitable for synchronization found," confirm that the hostname used is valid and reachable. If the name is correct, an administrator of the DC (possibly you) must verify the w32time.exe service. More information about Active Directory and time synchronization can be found by searching http://support.microsoft.com for the keyword "w32time.exe."
The ntpdate command can be run periodically as a cron job to prevent the Samba server's clock from drifting. Another option is to run the ntpd daemon and have it synchronize the local clock on a continuing basis. To use this method, specify the domain controllers using a server line in /etc/ntp.conf and then have the daemon started as part of the system boot process. More on configuring NTP clients can be found in the book Essential System Administration, by Æleen Frisch (O'Reilly).
10.2.2.3. Encryption types
The next item is configuring the server's Kerberos client libraries, which Samba uses to validate user connections. Although this process differs slightly depending on whether you use Heimdal or MIT Krb5, fortunately the configuration files of the two are fully compatible. By default, both distributions use the file /etc/krb5.conf to define client-side settings. The options of interest are what encryption types the client supports and how it locates a KDC for a given realm.
Active Directory realms implement three Krb5 encryption types:
• RC4-HMAC
• DES-CBC-MD5
• DES-CBC-CRC
AD domain controllers always choose the strongest encryption type for which a principal has assigned keys. The most secure encryption type in our list is RC4-HMAC. Remember from Chapter 2 that this new encryption type is supported in open source Kerberos distributions beginning only with MIT krb5 1.3 and with Heimdal 0.6.1. Krb5 authentication still works on systems with older Kerberos libraries such as RedHat Enterprise Linux 3, but only DES keys will be available.
We restrict the client libraries to the encryption types that Microsoft also supports. This is important because Unix Kerberos implementations default to the Advanced Encryption Standard (AES) or triple-DES (3DES) methods, which are not currently supported by Windows domain controllers. There are several points during Krb5 communications where an encryption type mismatch can cause failure. If the Samba server cannot decrypt a user's ticket, that user cannot be authenticated. To be safe, we use a single list for obtaining TGTs, service tickets, and any session-key-based encryption that may be performed by adding three options (default_tgs_enctypes, default_tkt_enctypes, and preferred_enctypes) to the [libdefaults] section of krb5.conf.
[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
10.2.2.4. Realm/domain and KDC lookups
Next, just as we did in smb.conf, we define the client library's default realm. This realm is used whenever the Krb5 libraries are given an unqualified principal name. For example, if asked to retrieve a TGT for the user Administrator, Krb5 uses the principal Administrator@BLUE.PLAINJOE.ORG. The default realm also goes in krb5.conf's [libdefaults] section:
default_realm = BLUE.PLAINJOE.ORG
Finally, we have to decide how the Krb5 libraries should locate a KDC for a realm. The simplest means is to use the same DNS service as the AD domain. The reasoning behind this recommendation is that there is no need to duplicate information that Active Directory already maintains. If you find that KDC DNS lookups are not available on your platform or if you do not wish to use them, you must manually configure the KDC addresses in krb5.conf. We'll show both methods in the following sections.
10.2.2.4.1. Using DNS for KDC lookups
The goal of this configuration is to enable the Kerberos client libraries to find a KDC by generating a query to the DNS server. If you configure the use of DNS, a request to contact a KDC for a realm results in DNS SRV lookups for _kerberos._udp.<domain> or _kerberos._tcp.<domain>. For example, locating a KDC in the realm BLUE.PLAINJOE.ORG results in a DNS query for the SRV record _kerberos._udp.blue.plainjoe.org. Lookups for the corresponding TCP record result when the Krb5 replies are too large for UDP and must be retried over TCP.
The Heimdal Kerberos client implementation has always supported locating KDCs via DNS SRV lookups. The MIT distribution has also possessed support for several releases, but did not enable the feature by default until the 1.4 release. DNS queries for KDCs can be enabled in older versions of MIT Kerberos by defining the KRB5_DNS_LOOKUP and KRB5_DNS_LOOKUP_KDC preprocessor macros at compile time.
To configure the Kerberos libraries for DNS lookups, first configure /etc/resolv.conf to point to the DNS servers used by the AD clients and servers. Also be sure to set the DNS search suffix to the name of the AD domain. For our example, the DNS servers for the blue.plainjoe.org domain are at 192.168.1.101 and 192.168.2.101, which gives us the following resolv.conf file:
search blue.plainjoe.org
nameserver 192.168.1.101
nameserver 192.168.2.101
The only other step is to instruct the Krb5 libs to query DNS for the name and address of KDCs by enabling the dns_lookup_kdc option in the [libdefaults] section:
dns_lookup_kdc = true
10.2.2.4.2. Manually configuring KDC lookups
Although we recommend the use of AD for lookups whenever possible, as shown in the previous section, you can instead configure KDC addresses manually in krb5.conf. To do so, add a section for each realm that may be contacted in the [realms] section. Assuming that we have no trusted domains, a single entry for BLUE.PLAINJOE.ORG will suffice.
In this example, we have one KDC named bluedc1.blue.plainjoe.org. Multiple KDCs may be specified by including additional kdc lines in the realm's configuration.
[realms]
BLUE.PLAINJOE.ORG = {
kdc = bluedc1.blue.plainjoe.org
}
10.2.2.5. Final steps
Before moving a client on to the final stage of joining the AD domain, it is best to confirm that the Kerberos client configuration works correctly. The simplest method is to use kinit to obtain a TGT for a domain user. Our example uses the built-in Administrator account:
$ kinit Administrator
Password for Administrator@BLUE.PLAINJOE.ORG: <password for Administrator>
The MIT variant of kinit does not provide any feedback unless the TGT request is unsuccessful. Heimdal's kinit indicates success by providing the maximum lifetime of the obtained TGT. Regardless of the Krb5 distribution used, it is possible to view the current ticket cache using the klist command:
$ klist
Default principal: Administrator@BLUE.PLAINJOE.ORG
Valid starting Expires Service principal
06/18/06 20:49:03 06/19/06 06:49:05 krbtgt/BLUE.PLAINJOE.ORG@BLUE.PLAINJOE.ORG
renew until 06/19/06 20:49:03
The command output proves that we have obtained a TGT for Administrator by listing the ticket for the principal krbtgt/BLUE.PLAINJOE.ORG@BLUE.PLAINJOE.ORG, the standard principal name given to the Kerberos authentication server for our realm.
A few errors commonly occur at this stage. The most common errors and potential solutions are:
Unable to locate a KDC for the requested realm
The client was unable to determine a KDC for the principal's realm. Verify that the default_realm value in krb5.conf is spelled correctly. If so, verify that either the kdc parameter is specified for the realm in the [realms] section or dns_lookup_kdc is enabled in [libdefaults]. When using DNS SRV queries to locate a KDC, use either nslookup or the host utility to confirm that the SRV record for the _kerberos._udp hostname is resolvable in the domain.
KDC has no support for encryption type while getting initial credentials
Verify that the list of supported encryption types in /etc/krb5.conf includes RC4-HMAC. If you are using an older version of the Kerberos libraries that does not support this encryption type, it is recommended that you upgrade your Kerberos libraries if possible. However, you may be able to work around the error by changing the Administrator's password once to generate the user's necessary DES Krb5 keys.
Preauthentication failed
Confirm that you are entering the correct password for the user's account.
Clock skew too great
By default, all AD domain controllers require that the clocks on both clients and servers are within five minutes of each other. Go back and resync the system's time to match that of the DC.
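As an added check (example code written for this page, not from the book nor from Samba, MIT or Heimdal), the following script parses a krb5.conf and flags the configuration mistakes behind the "Unable to locate a KDC" and "KDC has no support for encryption type" errors above: a missing default_realm, an enctype list without RC4-HMAC, and a realm with neither dns_lookup_kdc nor a kdc line. The embedded configuration is a constructed sample, and the parser is deliberately minimal.

```python
import re
# Constructed sample: default_tkt_enctypes lacks RC4-HMAC and no KDC source is configured.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = BLUE.PLAINJOE.ORG
 default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 default_tkt_enctypes = DES-CBC-MD5 DES-CBC-CRC
 preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 dns_lookup_kdc = false
[realms]
 BLUE.PLAINJOE.ORG = {
  admin_server = bluedc1.blue.plainjoe.org
 }
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; a 'NAME = {' block becomes a nested dict.
    Repeated keys (several kdc lines, say) keep only the last value, which is enough here."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            stack = [conf.setdefault(line.strip("[]"), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(text, required_enctype="RC4-HMAC"):
    """Return the misconfigurations that would produce the kinit errors listed above."""
    conf = parse_krb5_conf(text)
    lib, problems = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm")
    if not realm:
        problems.append("default_realm missing: expect 'Unable to locate a KDC'")
    for opt in ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes"):
        if required_enctype not in lib.get(opt, "").replace(",", " ").split():
            problems.append(f"{opt} lacks {required_enctype}: expect 'KDC has no support for encryption type'")
    realm_cfg = conf.get("realms", {}).get(realm, {})
    if lib.get("dns_lookup_kdc", "false").lower() not in ("true", "yes") and "kdc" not in realm_cfg:
        problems.append(f"no KDC source for {realm}: enable dns_lookup_kdc or add a kdc line in [realms]")
    return problems
```

Run check_krb5_conf on the contents of /etc/krb5.conf before reaching for kinit; an empty list means the three settings the book asks for are present.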
Once you have confirmed that the Krb5 client installation works, the existing ticket cache should be cleared using the kdestroy command. This prevents the net command from ignoring the user credentials entered on the command line. Both the Heimdal and MIT implementations of this tool return directly to a command prompt upon success with no additional messages.
With the preliminary steps complete, it is time to perform the join. The command-line arguments are identical to the ones used to join using security = domain; once again, this command must be run as root:
$ net join -U Administrator
Administrator's password: <enter password for Administrator>
Using short domain name - BLUE
Joined 'OAK' to realm 'BLUE.PLAINJOE.ORG'
Any failures during the join process can usually be traced to Kerberos errors or net failures, both of which have been previously discussed. If you have misspelled or omitted the workgroup in smb.conf, the join process may succeed, but will inform you of an error. Make sure to correct this mistake in smb.conf:
The workgroup in smb.conf does not match the short
domain name obtained from the server.
Using the name [BLUE] from the server.
You should set "workgroup = BLUE" in smb.conf.
Using short domain name - BLUE
We can verify our machine account at any time in AD by running the following command:
$ net ads testjoin
Join is OK
10.2.2.6. Integrating Kerberized Unix services
Even before its adoption by Microsoft, Kerberos always supported machine principals. For example, an SSH server may use the principal name host/machine.example.com, and an LDAP directory server may use ldap/machine.example.com. These are different principals even though they are hosted by the same machine. The secret keys for these service principals are stored in a keytab file (usually /etc/krb5.keytab). In AD domains, these secret keys are derived from the machine trust account password.
If the use kerberos keytab option in smb.conf is set to yes, Samba will manage the server's keytab file:
[global]
use kerberos keytab = yes
If this parameter is set to yes at the time the domain is joined, the net join command generates the keytab file automatically. If you decide to use a keytab file only after the member server has already been configured, you can create one by using the net ads keytab command. The create subcommand generates initial entries for the host/machine principal. This command must be run as root, because it requires access to Samba's secrets.tdb file and must be able to write the keytab records to /etc/krb5.keytab:
$ net ads keytab create -P
New service principals can be added to the machine's account in the domain, and to the keytab file, by using net ads keytab add. All that is needed is the principal (service) name, not the full principal/instance syntax. The -P option uses the machine account and prevents you from having to enter user credentials. For example, to add a keytab entry for the HTTP/machine.example.com service principal used by Apache Kerberos modules, we would execute:
$ net ads keytab add HTTP -P
Processing principals to add...
This command adds a new servicePrincipalName to the server's account in AD and stores the new key in the local keytab file. Tables 10-1 and 10-2 summarize the keytab-related parameters and tools covered in this section.
Table 10-1. Keytab-related parameters
Parameter            Value    Description                                        Default  Scope
use kerberos keytab  boolean  Enables Samba's keytab management functionality.   no       Global
Table 10-2. net ads keytab management options
Command  Description
add      Adds a new service principal value for the server's machine account.
create   Generates a keytab file based on the existing service principal values associated with the server in AD.
flush    Removes all entries from the keytab file.
10.2.3. Locating a Domain Controller
By default, Samba attempts to locate automatically any domain controller it needs to contact. These auto lookups rely heavily on network name services. Remember that the order in which these services are queried is controlled by the name resolve order global option.
When configured for security = domain, NetBIOS name services are used to resolve the DOMAIN<0x1b> name when searching for the PDC and the DOMAIN<0x1c> name when any DC will do. Thus, unless the server communicates only with domain controllers on its own subnet, Samba must be configured to use the WINS server (or servers) for the domain.
In AD domains, Samba can use DNS, just as Windows 2000 and later clients do. If the DNS lookup fails to return one or more domain controller names, Samba may fall back to NetBIOS name queries, much as it did when using domain mode security, assuming that the disable netbios parameter has not been enabled.
You can gain more control over which DCs Samba uses by setting the password server option. This parameter accepts a list of domain controllers separated by whitespace or commas. Names of these preferred DCs can be NetBIOS names, hostnames, or fully qualified DNS names, but they must be resolvable to an address. For instance, to restrict Samba to using the domain controllers named dc1 and dc2, add the following line to the server's smb.conf file:
password server = dc1 dc2
Samba first tries to contact the host dc1, and contacts dc2 only if the first server cannot be reached. As long as dc1 is available, dc2 is never used. Adding the wildcard character (*) to the list instructs Samba to include any domain controllers found using its internal auto lookup support. This means you can use a local DC, but still fall back to any DC, should the preferred DC become unavailable.
NetBIOS: Rest in Peace
It is feasible to remove NetBIOS from your network, but only when operating in an AD environment. Even then, many administrators find it very difficult to remove all applications that have a dependency on some piece of this legacy protocol. However, if you are feeling adventurous, Microsoft operating systems, starting with Windows 2000, can be configured to drop all support for NetBIOS by relying on DNS for name services and using TCP and UDP for the transport protocols. In order to configure Samba to behave the same way, define the following group of parameters:
[global]
smb ports = 445
disable netbios = yes
name resolve order = hosts
At this point, there is no reason to support network browsing, either, because it does not function properly without the presence of NetBIOS name services. So there is no reason to run the nmbd daemon at all, as it is responsible only for NetBIOS name registrations, acting as a WINS server, and participating in browsing elections.
A word of caution before moving on. It is frequently better to allow Samba to find a domain controller on its own. As with most parameter values, developers work extremely hard to make Samba robust and efficient. In some cases, it is necessary to manually specify the DC that your server will use, but it is recommended that you do this only as a last resort.
Table 10-3 concludes this section by giving a brief listing of the parameters recently covered.
Table 10-3. Domain controller location parameters
Parameter        Value    Description                                                                        Default  Scope
disable netbios  boolean  Controls Samba's use of NetBIOS name services.                                     no       Global
password server  list     List of domain controllers Samba should prefer when operating as a member server.  *        Global
10.3. Matching Domain Users to Local Accounts
Remember from Chapter 5 that every user accessing the Samba server must be associated with a Unix uid. smbd goes through several steps in its attempt to find a matching Unix account. This is true for users who are authenticated locally as well as those validated by a remote domain controller.
The first step is to process the username map option, which may translate the current account name to another string. For standalone servers, this is done before the authentication request is processed, but for domain members, this transformation occurs after authentication. As a result, any domain names in map entries must be fully qualified.[*]
[*] This requirement was introduced in the 3.0.8 release.
Qualified domain names take two forms. When the server uses security = ads and Winbind is not running, it is necessary to add entries carrying the full realm prefix in order to handle Kerberos logins. Without winbindd (the Winbind daemon), Samba has no way to translate realm names into short names. NTLM login requests supply the domain's short name, so we must also include an entry of the form DOMAIN\user. The complete entry for the user leezard in the AD domain eden.plainjoe.org (with a short name of EDEN) would appear as:
lizard = EDEN.PLAINJOE.ORG\leezard EDEN\leezard
When winbindd is available to convert realm names into short names, or when only NTLM authentication is supported (i.e., security = domain), the previous entry can be simplified to:
lizard = EDEN\leezard
But as you will soon discover, a username map may be entirely unnecessary when using winbindd.
Once any relevant mapping records have been applied, smbd queries the operating system for a uid matching the login name. If the username is still fully qualified, Samba first searches for the qualified name and, if that search fails to match, falls back to the username minus the domain name. Once a uid is found, Samba creates a token for the user containing the uid and all of the user's group memberships.
This search procedure means that a local Unix user and a domain user with the same name are treated as the same account. This can lead to confusion when users from trusted domains access the server. Both EDEN\adam and FRUIT\adam map to the same Unix user, adam. To prevent users from trusted domains from gaining access to the files of a same-named user in our own domain, it is recommended to disable domain trusts on the Samba host:
[global]
allow trusted domains = no
Returning to our search, if no matching uid can be found, smbd has two options: refuse the login or fall back to the guest account. The map to guest parameter, first presented in Chapter 5, has a special setting that is valid only on domain member servers. When set to the value bad uid, Samba silently maps a domain user to the guest account if no corresponding Unix account can be found. This behavior allows you to require domain users to be authenticated without being concerned with creating any local accounts. The original 3.0 releases removed this functionality, which was the default behavior in Samba 2.2. But it was later included again as part of the map to guest option in version 3.0.20.
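To make the lookup order concrete, here is an added simulation (example code written for this page, not Samba's own) of the username map step, the qualified-then-unqualified uid search, the refusal produced by allow trusted domains = no, and the map to guest = bad uid fallback. LOCAL_USERS, GUEST_ACCOUNT and the map line are constructed sample data standing in for getpwnam() and smb.conf.

```python
# Constructed stand-ins for the system password database and the guest account.
LOCAL_USERS = {"lizard": 1001, "adam": 1002}
GUEST_ACCOUNT = ("nobody", 65534)

def parse_username_map(lines):
    """Turn 'unix = DOMAIN\\user ...' map lines into {qualified login (upper-cased): unix name}."""
    mapping = {}
    for line in lines:
        unix, _, domain_names = line.partition("=")
        for name in domain_names.split():
            mapping[name.upper()] = unix.strip()
    return mapping

# The book's entry for leezard as needed without winbindd: realm form and short form.
USERNAME_MAP = parse_username_map([r"lizard = EDEN.PLAINJOE.ORG\leezard EDEN\leezard"])

def resolve_uid(login, home_domain="EDEN", allow_trusted_domains=True, map_to_guest="never"):
    """Return (unix name, uid) for an authenticated DOMAIN\\user login, or None if refused."""
    domain, _, _ = login.rpartition("\\")
    # allow trusted domains = no: logins from any domain other than our own are refused.
    if domain and domain.upper() != home_domain.upper() and not allow_trusted_domains:
        return None
    # Step 1: on a domain member the username map runs after authentication,
    # so its keys are fully qualified names.
    name = USERNAME_MAP.get(login.upper(), login)
    # Step 2: try the name as given, then the name with the domain part stripped.
    candidates = [name] + ([name.rpartition("\\")[2]] if "\\" in name else [])
    for cand in candidates:
        if cand in LOCAL_USERS:
            return cand, LOCAL_USERS[cand]
    # Step 3: no uid found: refuse the login, or with map to guest = bad uid use the guest account.
    return GUEST_ACCOUNT if map_to_guest == "bad uid" else None
```

The FRUIT\adam case shows the collision the text warns about: without allow trusted domains = no, a same-named user from a trusted domain lands on the local adam account.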