Windows AD域用户访问Linux samba服务

说明

test.com替换成你的AD服务器域名，注意有的配置中是大写，有些配置是小写

/etc/samba/smb.conf

workgroup = TEST
realm = TEST.COM
security = ADS
password server = 192.168.10.254
# password server是AD域控服务器IP
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
template shell = /sbin/nologin
winbind separator = /
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes

/etc/nsswitch.conf

passwd:     files winbind
group:      files winbind

/etc/krb5.conf

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = TEST.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
TEST.COM = {
 kdc = 192.168.10.254:88
 # AD域控服务器IP
 default_domain = TEST.COM
}

[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM

/etc/resolv.conf

nameserver: DNS服务器

nameserver 192.168.10.254

启动服务并加入域中

systemctl  restart smb
net ads join -U administrator
systemctl restart winbind

测试：

wbinfo -t       #看winbind是否正常运行
wbinfo -u      #看AD用户是否同步过来了

samba访问配置：

• 域用户直接写名称即可
• 域组@+名称

 [share]
     comment = Home Directories
     path=/share_dir
     browseable = yes
     writable = yes
     valid users = yyy  @test

域用户yyy，域组test中的所有用户均可使用其域账号访问该samba共享目录