Scenario:
A company runs two networks: an R&D network (no internet access) and a business-functions network (with internet access). The two cannot reach each other; the separation is enforced with Cisco ACLs. R&D staff nonetheless need material that can only be downloaded on the business network, and there is no way to carry it across. The solution is a file-share server on each network, with these two share servers being the only hosts allowed to talk to each other. Staff drop downloaded material into a designated shared folder on the business-network share server, and it is synchronised within seconds to the designated shared folder on the R&D-network share server. Since this pair of servers is the one deliberate hole in the ACL boundary, what keeps it controlled is the write list on the share (only named domain accounts may put files into the folder) together with the full_audit log of who wrote, renamed or deleted what.
Environment:
Samba share server: CentOS 7.5
IP address: 192.168.201.45
Windows Server AD domain controller: Windows Server 2008 R2
IP address: 192.168.201.13
Note:
Installing and configuring the Windows Server AD domain controller is not covered in this tutorial; see the author's earlier post:
https://www.cnblogs.com/zoulongbin/p/6013609.html
Installing and configuring Samba on Linux and joining it to the AD domain
Caution:
Write the AD realm TEST.COM in upper case; otherwise the Kerberos configuration will produce errors. The domain join itself is case-insensitive.
1. Configure the Aliyun yum and EPEL repositories
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum makecache
yum repolist
2. Disable the firewall and SELinux
This is a lab shortcut. On a production file server keep both: open the Samba ports with firewall-cmd --permanent --add-service=samba, and label the share directory samba_share_t instead of turning SELinux off.
### Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld
### Disable SELinux (the file reads SELINUX=enforcing with no spaces around '=', so a pattern with spaces matches nothing)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0
getenforce
3. Synchronise the Samba server's clock with the domain controller
Kerberos rejects tickets once the clock skew exceeds five minutes, so this step is not optional. rc.local only runs ntpdate once at boot; for continuous synchronisation point chronyd at the DC instead.
yum install -y ntpdate
ntpdate 192.168.201.13
echo "ntpdate 192.168.201.13" >> /etc/rc.local
chmod +x /etc/rc.d/rc.local
date
4. Point this host's DNS at the domain controller and add a local hosts entry for it
If the interface is managed by NetworkManager, put the DNS server in the interface's ifcfg file (DNS1=192.168.201.13) as well, otherwise resolv.conf is rewritten on the next network restart and the join breaks.
[root@test001 ~]# vim /etc/resolv.conf
nameserver 192.168.201.13
[root@test001 ~]# echo "192.168.201.13 server13.test.com" >> /etc/hosts
[root@test001 ~]# tail -1 /etc/hosts
192.168.201.13 server13.test.com
5. Install Samba, Kerberos and related packages with yum (on CentOS 7 the library package is samba-libs, not samba4-libs)
yum install -y krb5-libs krb5-devel krb5-workstation pam_krb5
yum install -y samba samba-client samba-winbind-clients samba-winbind samba-common samba-libs
6. Configure Kerberos (the protocol the host authenticates with on the network)
echo '
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[realms]
TEST.COM = {
kdc = 192.168.201.13:88
admin_server = 192.168.201.13:749
default_domain = TEST.COM
}
[domain_realm]
.TEST.COM = TEST.COM
TEST.COM = TEST.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
' >/etc/krb5.conf
7. Set the name-service lookup order in /etc/nsswitch.conf
Do not overwrite the whole file with only these entries: that drops the other databases (services, protocols, netgroup, automount). Edit the three entries winbind needs in place and leave hosts at its default of files dns:
sed -i -e 's/^passwd:.*/passwd:     files winbind/' \
       -e 's/^shadow:.*/shadow:     files winbind/' \
       -e 's/^group:.*/group:      files winbind/' /etc/nsswitch.conf
grep -E '^(passwd|shadow|group|hosts):' /etc/nsswitch.conf
8. Start the Samba winbind component (it lets Linux resolve Windows domain users and groups through winbind)
systemctl restart winbind
systemctl enable winbind
systemctl status winbind
9. Configure the Samba service
The share directory is made world-writable here for simplicity. Note that the read list / write list below only govern SMB clients: any local account on the server can still write to /share/file01. Once the share works, prefer a directory owned by the domain group with mode 2770.
[root@test001 ~]# mkdir -p /share/file01
[root@test001 ~]# chmod 777 /share/file01
echo "
[global]
# ======================== Global Settings =========================
#----------------------- Network Related Options -------------------------
workgroup = TEST
server string = Samba Server Version %v
netbios name = test001
# ----------------------- Domain Members Options ------------------------
security = ads
passdb backend = tdbsam
realm = TEST.COM
password server = 192.168.201.13
encrypt passwords = yes
# 'idmap uid' / 'idmap gid' are the deprecated spelling; Samba 4 uses 'idmap config'.
# The tdb backend hands out IDs in first-seen order, so the two share servers in the
# scenario above will map the same domain user to different UIDs; use the rid backend
# for the TEST domain if file ownership must agree on both servers.
idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
# Audit trail: who (%u) from which client (%I / %m) touched which share (%S).
# The parameter is 'vfs objects'; 'vfs_object' is not recognised by smbd.
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir write chmod chown
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
admin log = yes
log level = 2
syslog = 2
# keep the per-client logs out of world-writable /tmp
log file = /var/log/samba/log.%m
[home]
# must agree with 'template homedir' above
path = /home/%U
browsable = no
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[file01]
path = /share/file01
browsable = yes
vfs objects = full_audit
read list = TEST/adtest
write list = TEST/zou.hui
# 0777 masks make every file world-writable on disk; the read/write lists only
# restrict SMB clients, not local users. Tighten to 0664 / 0775 once the share works.
create mask = 0777
directory mask = 0777
" > /etc/samba/smb.conf
10. Start the Samba service and enable it at boot (run testparm -s first: it reports unknown or deprecated parameters and prints the effective share definitions)
systemctl restart smb
systemctl enable smb
systemctl status smb
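Reading the audit trail that the full_audit settings in step 9 produce. This is an added example, not code from the original post. It assumes rsyslog delivers facility LOCAL5 to a file (a rule such as local5.* /var/log/samba/audit.log) and that the records have the standard smbd_audit shape, the prefix fields followed by operation|ok|args; the log lines embedded in the script are constructed for the example and are not output from the tutorial's server.

```bash
#!/usr/bin/env bash
# Parse smbd full_audit events shipped through syslog facility LOCAL5.
# With "full_audit:prefix = %u|%I|%m|%S" every record is:
#   <user>|<client IP>|<client name>|<share>|<operation>|ok|<args...>
# (args is "old|new" for rename, otherwise the path). The lines below are
# constructed for this example; they are not real output from the tutorial's server.
SAMPLE_AUDIT_LOG='Jan 20 09:49:07 test001 systemd[1]: Started Samba SMB Daemon.
Jan 20 09:50:01 test001 smbd_audit[2345]: zou.hui|192.168.201.101|PC-ZOU|file01|mkdir|ok|reports
Jan 20 09:50:05 test001 smbd_audit[2345]: zou.hui|192.168.201.101|PC-ZOU|file01|write|ok|reports/q4.xlsx
Jan 20 09:51:40 test001 smbd_audit[2345]: zou.hui|192.168.201.101|PC-ZOU|file01|rename|ok|reports/q4.xlsx|reports/q4-final.xlsx
Jan 20 09:53:02 test001 smbd_audit[2345]: zou.hui|192.168.201.101|PC-ZOU|file01|write|ok|reports/notes.txt
Jan 20 09:55:19 test001 smbd_audit[2345]: zou.hui|192.168.201.101|PC-ZOU|file01|unlink|ok|reports/notes.txt
Jan 20 09:56:00 test001 smbd_audit[2345]: zou.hui|192.168.201.101|PC-ZOU|file01|rmdir|ok|old'

# Write the constructed sample to a temp file and print its path.
audit_sample_file() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$f"
    echo "$f"
}

# Shared parser: emits "month day time user ip client share op args" for each
# successful full_audit record in LOGFILE and skips every other syslog line.
audit_events() {
    awk '
        index($0, "smbd_audit[") == 0 { next }
        {
            rest = substr($0, index($0, "]: ") + 3)
            n = split(rest, f, "|")
            if (n < 7 || f[6] != "ok") next      # the config above logs successes only
            args = f[7]
            for (i = 8; i <= n; i++) args = args "|" f[i]   # rename carries old|new
            printf "%s %s %s %s %s %s %s %s %s\n", $1, $2, $3, f[1], f[2], f[3], f[4], f[5], args
        }' "$1"
}

# Count audited OP events, optionally for one user: audit_count LOGFILE OP [USER]
audit_count() {
    audit_events "$1" | awk -v op="$2" -v user="$3" \
        '$8 == op && (user == "" || $4 == user) { c++ } END { print c + 0 }'
}

# Deletions (unlink and rmdir): when, who, from which client IP, what.
audit_deletions() {
    audit_events "$1" | awk '$8 == "unlink" || $8 == "rmdir" { print $1, $2, $3, $4, $5, $8, $9 }'
}

# Users who wrote into SHARE with their write counts, most active first:
# audit_writers LOGFILE SHARE
audit_writers() {
    audit_events "$1" | awk -v share="$2" \
        '$7 == share && $8 == "write" { w[$4]++ } END { for (u in w) print w[u], u }' | sort -rn
}
```

Because the prefix puts the user and client address in front of every record, a quick `audit_deletions /var/log/samba/audit.log` answers the question the scenario above most needs answered: which domain account removed or overwrote a file in the drop folder, and from which machine.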
11. Test authentication against the Windows AD domain controller
[root@test001 ~]# kinit -V administrator@TEST.COM
Using default cache: /tmp/krb5cc_0
Using principal: administrator@TEST.COM
Password for administrator@TEST.COM:
Authenticated to Kerberos v5
[root@test001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.COM
Valid starting Expires Service principal
01/20/2020 09:49:07 01/20/2020 19:49:07 krbtgt/TEST.COM@TEST.COM
renew until 01/27/2020 09:49:01
12. Join the domain once the test succeeds
[root@test001 ~]# net ads join -U administrator@TEST.COM
Enter administrator@TEST.COM's password:
Using short domain name -- TEST
Joined 'TEST001' to dns domain 'test.com'
No DNS domain configured for test001. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
The two DNS lines are a warning, not a failed join: net ads join takes the DNS domain from the host's FQDN, and this host is named plainly test001. Either set the hostname to test001.test.com before joining (hostnamectl set-hostname test001.test.com) or create the A record for the server on the DC by hand; the /etc/hosts entry from step 4 only covers this server's own lookup of the DC.
13. Verify that the join succeeded
### Check the machine-account trust secret with the domain
wbinfo -t
### List domain groups
wbinfo -g
### List domain users
wbinfo -u
### Show the domains winbind knows (the joined domain and its trusts)
wbinfo -m
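Checks to run before step 12 and after step 13, as an added example that is not part of the original tutorial. It assumes the tutorial's values (realm TEST.COM, DC 192.168.201.13; both can be overridden through the environment) and that dig (bind-utils), nc (nmap-ncat), ntpdate, net and wbinfo are installed. The two pure functions capture the two most common join failures: a hostname without the realm's DNS suffix (the "No DNS domain configured" message in step 12) and a clock offset beyond the five-minute Kerberos limit; the remaining functions drive the real tools against the DC.

```bash
#!/usr/bin/env bash
# Pre-join checks and post-join verification for the Samba/AD member setup above.
# Added example, not from the original tutorial. REALM and DC default to the
# tutorial's values; the network checks assume dig, nc, ntpdate, net and wbinfo exist.
REALM="${REALM:-TEST.COM}"
DC="${DC:-192.168.201.13}"
MAX_SKEW=300   # Kerberos (MIT and AD) rejects tickets beyond 5 minutes of clock skew

# Pure check: does HOSTNAME end with the realm's DNS suffix (case-insensitive)?
# "net ads join" derives the DNS domain from the FQDN; a bare "test001" produces
# the "No DNS domain configured for test001. Unable to perform DNS Update" message.
fqdn_matches_realm() {
    local host realm
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$host" in
        *."$realm") return 0 ;;
        *)          return 1 ;;
    esac
}

# Pure check: is an NTP offset in seconds (fractional, possibly negative) below MAX_SKEW?
offset_within_skew() {
    awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o < max) }'
}

# Network-dependent checks to run on the member before "net ads join".
# Returns non-zero if anything failed so it can gate a provisioning script.
run_join_prechecks() {
    local rc=0 fqdn offset port ntp_out
    fqdn=$(hostname -f 2>/dev/null || hostname)
    if fqdn_matches_realm "$fqdn" "$REALM"; then
        echo "ok   hostname $fqdn carries the $REALM suffix"
    else
        echo "FAIL hostname '$fqdn' lacks the $REALM suffix (fix: hostnamectl set-hostname test001.test.com)"
        rc=1
    fi
    # The DC's SRV records must resolve through the resolver configured in step 4.
    if [ -n "$(dig +short "_kerberos._tcp.$REALM" SRV 2>/dev/null)" ]; then
        echo "ok   _kerberos._tcp.$REALM SRV record resolves"
    else
        echo "FAIL no SRV record for _kerberos._tcp.$REALM (check /etc/resolv.conf)"
        rc=1
    fi
    # Ports a domain member needs on the DC: Kerberos 88, LDAP 389, SMB 445.
    for port in 88 389 445; do
        if nc -z -w 3 "$DC" "$port" 2>/dev/null; then
            echo "ok   $DC:$port reachable"
        else
            echo "FAIL $DC:$port unreachable (ACL or firewall between the networks)"
            rc=1
        fi
    done
    # ntpdate -q prints "server <ip>, stratum N, offset <sec>, delay <sec>"; extract the offset.
    if ntp_out=$(ntpdate -q "$DC" 2>/dev/null); then
        offset=$(printf '%s\n' "$ntp_out" | awk '
            /offset/ { for (i = 1; i <= NF; i++) if ($i == "offset") { o = $(i + 1); sub(/,/, "", o) } }
            END { print o + 0 }')
        if offset_within_skew "$offset"; then
            echo "ok   clock offset to DC is ${offset}s"
        else
            echo "FAIL clock offset to DC is ${offset}s, beyond ${MAX_SKEW}s (rerun ntpdate $DC)"
            rc=1
        fi
    else
        echo "FAIL ntpdate -q $DC got no answer (UDP 123 blocked or no time service on the DC)"
        rc=1
    fi
    return $rc
}

# Post-join verification: machine-account secret, DC trust, and NSS resolution of a
# domain user through winbind (proves nsswitch.conf and the idmap range are right).
verify_join() {
    local user=${1:-administrator}
    net ads testjoin || return 1
    wbinfo -t || return 1
    getent passwd "$user" >/dev/null || {
        echo "FAIL winbind cannot resolve '$user' (check nsswitch.conf and the idmap config range)"
        return 1
    }
    echo "ok   joined to $REALM and '$user' resolves via winbind"
}
```

Source the file and call `run_join_prechecks` before step 12 and `verify_join zou.hui` after step 13; the last check matters because wbinfo -t succeeding only proves the machine account, while getent proves the path that smbd actually uses to turn the names in read list / write list into UIDs.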
14. Leave the domain
net ads leave -U administrator@TEST.COM