по мотивам:
http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/
https://bx.vladlink.ru/company/personal/user/1369/tasks/task/view/276702/?IFRAME=Y&IFRAME_TYPE=SIDE_SLIDER#
https://help.ubuntu.ru/wiki/%D0%B2%D0%B2%D0%BE%D0%B4_%D0%B2_%D0%B4%D0%BE%D0%BC%D0%B5%D0%BD_windows
+
полезно по теме:
http://www.lissyara.su/articles/freebsd/programms/samba+nt_acl/
Мои конфиги на основе ubuntu 16.04:
/etc/samba/smb.conf
/etc/krb5.conf
/etc/network/interfaces
dns-nameservers ipDC_1 ipDC_2
dns-search SUBDOMAIN.COMPANY.ORG
________________________________________________
/etc/pam.d/common-session-noninteractive
# Create the home directory on first login (domain users have no local account
# to pre-create it).  umask=0022 yields world-readable 0755 home directories;
# use 0077 or 0027 if home contents should be private to the owner.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
______________________________________________
/etc/sssd/sssd.conf
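# /etc/sssd/sssd.conf — read by sssd; the file must be owned by root with mode
# 0600, otherwise sssd refuses to start.  Comment character: '#'.

[sssd]
domains = SUBDOMAIN.COMPANY.ORG
config_file_version = 2
# responders to start: name-service lookups and PAM authentication
services = nss, pam

[domain/SUBDOMAIN.COMPANY.ORG]
ad_domain = SUBDOMAIN.COMPANY.ORG
krb5_realm = SUBDOMAIN.COMPANY.ORG
# set by realmd/adcli at join time; leave as is
realmd_tags = manages-system joined-with-adcli
# Offline login: sssd keeps a salted hash of the last successful password in its
# local cache so users can still authenticate while no DC is reachable.
cache_credentials = True
id_provider = ad
# For an offline login the password is kept in the kernel keyring so a TGT can be
# requested when the domain becomes reachable again; set to False if that is
# not acceptable.
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs/GIDs are derived from the object SID.  NOTE(review): winbind in smb.conf
# allocates ids from its own tdb range; if both winbind and sss are listed in
# nsswitch.conf the numbers will not agree — confirm only one is used.
ldap_id_mapping = True
# Login names are user@SUBDOMAIN.COMPANY.ORG; %u below expands to the short name.
use_fully_qualified_names = True
fallback_homedir = /home/%u
# simple_allow_users is only honoured by access_provider = simple; with
# access_provider = ad it was dead configuration and has been disabled.
# simple_allow_users = $
access_provider = ad
# permissive: GPO logon-right restrictions are evaluated and logged but never
# enforced.  Switch to "enforcing" once the relevant GPOs have been verified.
ad_gpo_access_control = permissive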
http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/
https://bx.vladlink.ru/company/personal/user/1369/tasks/task/view/276702/?IFRAME=Y&IFRAME_TYPE=SIDE_SLIDER#
https://help.ubuntu.ru/wiki/%D0%B2%D0%B2%D0%BE%D0%B4_%D0%B2_%D0%B4%D0%BE%D0%BC%D0%B5%D0%BD_windows
+
полезно по теме:
http://www.lissyara.su/articles/freebsd/programms/samba+nt_acl/
Мои конфиги на основе ubuntu 16.04:
/etc/samba/smb.conf
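# /etc/samba/smb.conf — AD member file server (Samba, Ubuntu 16.04).
# Comment character in this file is '#'.  Commented-out copies of keys that are
# also active were removed; the two identical "write list" lines in [OE] were merged.

[global]
#security = domain
# usernames keep the SUBDOMAIN\ prefix
winbind use default domain = no
log file = /var/log/samba/log.%m
obey pam restrictions = yes
# Unknown usernames are mapped to the guest account.  Together with
# "usershare allow guests = yes" this allows unauthenticated access to any share
# that permits guests; use "map to guest = never" (the default) unless guest
# shares are really required.
map to guest = bad user
encrypt passwords = true
dns proxy = no
netbios name = smb-share
server string = %h server (Samba, Ubuntu)
# only meaningful when Samba itself stores passwords; with security = ADS the
# domain controllers handle password changes
unix password sync = yes
workgroup = SUBDOMAIN
## os level = 20
# authentication delegated to Active Directory (Kerberos/NTLM via winbind)
security = ADS
syslog = 4
panic action = /usr/share/samba/panic-action %d
usershare allow guests = yes
max log size = 1000
pam password change = yes
realm = SUBDOMAIN.COMPANY.ORG
# Default idmap backend: ids allocated locally from this range.  There is no
# "idmap config SUBDOMAIN" stanza, so domain SIDs are allocated here as well.
# NOTE(review): sssd (ldap_id_mapping = True) derives UIDs from the SID instead;
# if both winbind and sss are in nsswitch.conf the ids will not agree — confirm.
idmap config * : range = 10000-20000
idmap config * : backend = tdb
template shell = /bin/bash
# must match the [homes] path below
template homedir = /data/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind refresh tickets = yes
acl compatibility = auto
map acl inherit = yes
# NOTE(review): the line break was lost in the paste, so it is not clear whether
# "domain master = no" (and "usershare path" further down) were active or
# commented out — confirm against the live file.
###domain master = no
# not a browse master / not a PDC
local master = no
preferred master = no
os level = 0
domain logons = no
#### usershare path = /var/lib/samba/usershares

[OE]
comment = OE Directories
path = "/data/homes/Отдел эксплуатации"
write list = @"SUBDOMAIN\grus_отдел эксплуатации" @"SUBDOMAIN\администраторы домена"
# apparently "valid users" with its first letter replaced by '#': the line is a
# comment, so every authenticated domain user may connect to this share
#alid users = "SUBDOMAIN\администраторы домена" "SUBDOMAIN\grus_отдел эксплуатации"
# admin users perform all file operations as root on this share, bypassing the
# filesystem ACLs — keep this list as small as possible
admin users = @"SUBDOMAIN\grus_отдел эксплуатации" @"SUBDOMAIN\администраторы домена"
# NOTE(review): with "read only = no" the share is writable for every connecting
# user and "write list" has no effect (it only matters when read only = yes);
# only the filesystem ACLs restrict writes.  If only the two groups above should
# write, set read only = yes.
read only = no
browseable = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
nt acl support = yes
## valid users = SUBDOMAIN\%U
## hide unreadable = yes

[Full]
# Read-only view of the whole data tree.  "valid users" is commented out, so
# every authenticated user may connect; "hide unreadable" limits directory
# listings to what the filesystem ACLs allow.
browseable = yes
comment = Full data for Domain Admins
read only = yes
## valid users = SUBDOMAIN\%U
path = /data
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
nt acl support = yes
# domain admins get write access and operate as root on this share (admin users)
write list = @"SUBDOMAIN\администраторы домена"
admin users = @"SUBDOMAIN\администраторы домена"
hide unreadable = yes

[homes]
# Per-user home shares.  For [homes] %S (the share name) is the user name, so
# only the owner may connect; the path follows "template homedir" above.
comment = Home Directories
browseable = no
path = /data/%D/%U
read only = no
create mask = 0700
directory mask = 0700
valid users = SUBDOMAIN\%S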
/etc/krb5.conf
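[libdefaults]
# default ticket lifetime in seconds (pam overrides it in [appdefaults] below)
ticket_lifetime = 24000
default_realm = SUBDOMAIN.COMPANY.ORG
# The original keys were misspelled (default_tgs_entypes, default_tkt__enctypes)
# and therefore ignored, so libkrb5 was using its built-in list, which already
# prefers AES.  The corrected keys list AES first so fixing the names does not
# downgrade the negotiated enctype; rc4-hmac remains for accounts that lack AES.
# des-cbc-md5 was dropped: it is disabled unless allow_weak_crypto = true, so it
# never took effect and should not be re-enabled.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
# previously only rc4-hmac was effectively permitted; AES is now allowed as well
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
# KDCs and domain->realm mappings may be discovered through DNS SRV/TXT records
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
# NOTE(review): default_realm above is SUBDOMAIN.COMPANY.ORG but this block is
# named COMPANY.ORG, so it does not apply to the default realm, whose KDCs are
# then found only through dns_lookup_kdc.  Confirm which name is the AD realm
# and make the two agree.
COMPANY.ORG = {
  kdc = SUBDOMAIN-CORE1.COMPANY.ORG
  kdc = SUBDOMAIN-CORE2.COMPANY.ORG
  # NOTE(review): default_domain is meant to be a DNS domain, not a KDC host name
  default_domain = SUBDOMAIN-CORE1.COMPANY.ORG
}

[domain_realm]
# NOTE(review): the right-hand side must be a realm name, but
# SUBDOMAIN-CORE1.COMPANY.ORG is the first KDC's host name.  Explicit mappings
# take precedence over DNS, so service tickets for hosts under COMPANY.ORG would
# be requested for a realm that does not exist — confirm and correct.
.COMPANY.ORG = SUBDOMAIN-CORE1.COMPANY.ORG
COMPANY.ORG = SUBDOMAIN-CORE1.COMPANY.ORG

[appdefaults]
pam = {
  debug = false
  # seconds; applies to tickets obtained through pam_krb5
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  # Kerberos 4 conversion is obsolete; harmless, can be removed
  krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
# kdc/admin_server logging only matters on a KDC; harmless on a client
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log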
/etc/network/interfaces
dns-nameservers ipDC_1 ipDC_2
dns-search SUBDOMAIN.COMPANY.ORG
________________________________________________
/etc/pam.d/common-session-noninteractive
# Create the home directory on first login (domain users have no local account
# to pre-create it).  umask=0022 yields world-readable 0755 home directories;
# use 0077 or 0027 if home contents should be private to the owner.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
______________________________________________
/etc/sssd/sssd.conf
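# /etc/sssd/sssd.conf — read by sssd; the file must be owned by root with mode
# 0600, otherwise sssd refuses to start.  Comment character: '#'.

[sssd]
domains = SUBDOMAIN.COMPANY.ORG
config_file_version = 2
# responders to start: name-service lookups and PAM authentication
services = nss, pam

[domain/SUBDOMAIN.COMPANY.ORG]
ad_domain = SUBDOMAIN.COMPANY.ORG
krb5_realm = SUBDOMAIN.COMPANY.ORG
# set by realmd/adcli at join time; leave as is
realmd_tags = manages-system joined-with-adcli
# Offline login: sssd keeps a salted hash of the last successful password in its
# local cache so users can still authenticate while no DC is reachable.
cache_credentials = True
id_provider = ad
# For an offline login the password is kept in the kernel keyring so a TGT can be
# requested when the domain becomes reachable again; set to False if that is
# not acceptable.
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs/GIDs are derived from the object SID.  NOTE(review): winbind in smb.conf
# allocates ids from its own tdb range; if both winbind and sss are listed in
# nsswitch.conf the numbers will not agree — confirm only one is used.
ldap_id_mapping = True
# Login names are user@SUBDOMAIN.COMPANY.ORG; %u below expands to the short name.
use_fully_qualified_names = True
fallback_homedir = /home/%u
# simple_allow_users is only honoured by access_provider = simple; with
# access_provider = ad it was dead configuration and has been disabled.
# simple_allow_users = $
access_provider = ad
# permissive: GPO logon-right restrictions are evaluated and logged but never
# enforced.  Switch to "enforcing" once the relevant GPOs have been verified.
ad_gpo_access_control = permissive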