note-it-samba-AD

https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Concept:
CIFS/SMB, NetBIOS(designed to support about 80 nodes at best,)
1983-SMB windows3.1–>workgroup–>NT-Domain –> CIFS
DFS: Distributed File System

AD:
域,树,林,根域
全局组 来自本域用于全林
通用组 来自全林用于全林
域本地组 来自全林用于本域
DC,只读DC(new from 2008R2)
GUID(128bit), userPrincipalName ,
site:one/more subnet link high speed ,域是逻辑分组,site是物理分组
全局编录和全局编录服务器(GC)
域功能级别,林功能级别
目录分区: schema directory partition,config dir partition ,domain directory partition ,app directory partition
userProfile:
“%systemDrive%\user, %system%\programData ,default setting ;”
local:
roaming(漫游),
信任: 双向传递(Implicit Trust)
FSMO(角色):
https://support.microsoft.com/en-us/help/324801/how-to-view-and-transfer-fsmo-roles-in-windows-server-2003

LDAP:
LDAP Naming Path: DN(distinguished name),cn ,DC,
SYSVOL
DN(distinguishedName):
CN(common name ) ,OU ,DC ,DC
demo.domain1.com :
demo is CN , DC = domain1 , DC = com

Init:
tdb: smbd -b | grep PRIVATE_DIR;smbd -b | grep LOCKDIR
SWAT The Samba Web Administration Tool.
smbclient -L yourhostname ; smbclient //yourhostname/aservice ; C:> net use m: \servername\service
wbinfo -u/-g ##Validate that domain user and group credentials can be correctly resolved
getent passwd username

ServerType & SecurityMode:
“Samba-3 offers excellent interoperability with MS NT4-style domains as well as natively with Microsoft Active Directory domains. “
Server Types:
Domain Controller
Primary Domain Controller (PDC): A primary domain controller (PDC) is a server that is responsible for maintaining the integrity of the security account database.
Backup Domain Controller (BDC): Backup domain controllers (BDCs) provide only domain logon and authentication services. Usually, BDCs will answer network logon requests more responsively than will a PDC.
ADS Domain Controller
Domain Member Server
Active Directory Domain Server
NT4 Style Domain Domain Server
Standalone Server

Samba Security Modes:
    SMB-->CIFS  In the SMB/CIFS networking world, there are only two types of security: user-level and share level.
    Samba implements share-level security only one way, but has four ways of implementing user-level security.  we call the Samba implementations of the security levels security modes,
    They are known as share, user, domain, ADS, and server modes. 

    share: 
        the client authenticates itself separately for each share,send passwd no username ,The client expects a password to be associated with each share, independent of the user.Many clients send a session setup request even if the server is in share-level security. They normally send a valid username but no password.
    user: based username/passwd and client name .
    domain: 
        When Samba is operating in security = domain mode, the Samba server has a domain security trust account (a machine account) and causes all authentication requests to be passed through to the domain controllers. In other words, this configuration makes the Samba server a domain member server, even when it is in fact acting as a domain controller. All machines that participate in domain security must have a machine account in the security database. 
        Within the domain security environment, the underlying security architecture uses user-level security. 
        The machine account consists of an account entry in the accounts database, the name of which is the NetBIOS name of the machine and of which the password is randomly generated and known to both the domain controllers and the member machine. 
    ADS:
    server: It is highly recommended not to use this feature. try to use another SMB server as its source for user authentication alone.

Domain Controller:
samba,dns,kerberos, ntp ,winbind ,Account Information Database(passdb backend) ,

passdb backend:
    Plaintext,smbpasswd,ldapsam_compat,tdbsam,ldapsam

manageTools: smbpasswd and pdbedit. 
    pdbedit:
        pdbedit -Lv met ##Listing User and Machine Accounts
        pdbedit -Lw     ## listed in the older smbpasswd format
        pdbedit -a vlaan ##Adding User Accounts vlaan
        pdbedit -x vlaan ##delete User Accounts vlaan

Domain Member:
dns,kerberos,ntp,smb.conf,MachieTrustAccount,join Domain:”net ads join -u administrator”, /etc/nsswitch.conf, winbindd,

IDMAP: 
    Resolution of SIDs to UIDs. Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). These mappings are done by the idmap subsystem of Samba. 
    The use of IDMAP is important where the Samba server will be accessed by workstations or servers from more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping) of foreign SIDs to local UNIX UIDs and GIDs. 
winbindd: 
    "ps axf" ,wbinfo --ping-dc ,wbinfo -u ,
LinuxMember_smb.conf:
            winbind enum users = yes
            winbind enum groups = yes
            template shell = /bin/bash
            template homedir = /home/%U
            winbind use default domain = true
            winbind offline logon = true
            winbind separator = _
            logon script = 

smb.conf:
testparm -v ,smbcontrol all reload-config


--Write by Marcustar,关关雎鸠,在河之洲
目录
Download 相册