CIFS/SMB, NetBIOS (NetBIOS was designed to support about 80 nodes at best)
1983: SMB; Windows 3.1 -> workgroup -> NT domain -> CIFS
DFS: Distributed File System
DC, read-only DC (new from 2008 R2)
GUID (128-bit), userPrincipalName
Site: one or more subnets linked at high speed; a domain is a logical grouping, a site is a physical grouping
Directory partitions: schema directory partition, configuration directory partition, domain directory partition, application directory partition
"%systemDrive%\user, %system%\programData, default setting;"
Trust: two-way transitive (implicit trust)
LDAP naming path: DN (distinguished name), CN, DC
CN (common name), OU, DC, DC
e.g. CN=demo, DC=domain1, DC=com
tdb locations: smbd -b | grep PRIVATE_DIR; smbd -b | grep LOCKDIR
SWAT: the Samba Web Administration Tool.
smbclient -L yourhostname; smbclient //yourhostname/aservice; C:> net use m: \\servername\service
wbinfo -u / wbinfo -g  ## validate that domain user and group credentials can be correctly resolved
getent passwd username
Server type & security mode:
"Samba-3 offers excellent interoperability with MS NT4-style domains as well as natively with Microsoft Active Directory domains."
Primary Domain Controller (PDC): A primary domain controller (PDC) is a server that is responsible for maintaining the integrity of the security account database.
Backup Domain Controller (BDC): Backup domain controllers (BDCs) provide only domain logon and authentication services. Usually, BDCs will answer network logon requests more responsively than will a PDC.
ADS domain controller
Domain member server
Active Directory domain server
NT4-style domain server
Samba security modes (SMB -> CIFS): in the SMB/CIFS networking world there are only two types of security, user-level and share-level. Samba implements share-level security in only one way but has four ways of implementing user-level security; the Samba implementations of the security levels are called security modes, known as share, user, domain, ADS, and server.
share: the client authenticates itself separately for each share, sending a password but no username; the client expects a password to be associated with each share, independent of the user. Many clients send a session setup request even if the server is in share-level security; they normally send a valid username but no password.
user: based on username/password and client name.
domain: when Samba is operating in security = domain mode, the Samba server has a domain security trust account (a machine account) and passes all authentication requests through to the domain controllers. In other words, this configuration makes the Samba server a domain member server, even when it is in fact acting as a domain controller. All machines that participate in domain security must have a machine account in the security database. Within the domain security environment, the underlying security architecture uses user-level security. The machine account is an entry in the accounts database whose name is the NetBIOS name of the machine and whose password is randomly generated and known to both the domain controllers and the member machine.
ADS:
server: it is highly recommended not to use this mode; Samba tries to use another SMB server as its source for user authentication alone.
Components: samba, dns, kerberos, ntp, winbind, account information database (passdb backend)
passdb backend: plaintext, smbpasswd, ldapsam_compat, tdbsam, ldapsam. Management tools: smbpasswd and pdbedit.
pdbedit -Lv met  ## list user and machine accounts (verbose)
pdbedit -Lw  ## list in the older smbpasswd format
pdbedit -a vlaan  ## add user account vlaan
pdbedit -x vlaan  ## delete user account vlaan
Domain member setup: dns, kerberos, ntp, smb.conf, machine trust account, join the domain with "net ads join -u administrator", /etc/nsswitch.conf, winbindd
IDMAP: resolution of SIDs to UIDs. Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). These mappings are done by the idmap subsystem of Samba. IDMAP matters where the Samba server will be accessed by workstations or servers from more than one domain, in which case winbind must be running so it can handle the resolution (ID mapping) of foreign SIDs to local UNIX UIDs and GIDs.
winbindd checks: "ps axf", wbinfo --ping-dc, wbinfo -u
Linux member smb.conf settings:
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = true
winbind separator = _
logon script =
testparm -v; smbcontrol all reload-config
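Added example, not part of the original notes: a small POSIX shell audit that reads only the [global] section of an smb.conf and checks the security mode and passdb backend against the modes described above, returning non-zero for share mode, server mode, an unknown mode, or a plaintext passdb backend. It needs only awk, so it works where testparm is not installed; the smb.conf content is constructed sample data and the function names are my own.

```sh
#!/bin/sh
# Added example: audit the [global] security mode and passdb backend of an smb.conf.
# The config below is constructed sample data, not a real server's file.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = DOMAIN1
   security = ADS
   passdb backend = tdbsam
   winbind enum users = yes
[homes]
   # a per-share line must not be mistaken for the global setting
   security = server
EOF
# smb_global_param FILE "key name": print the value of that key from [global] only.
# Keys are matched case-insensitively with internal whitespace ignored, as Samba does.
smb_global_param() {
  awk -v key="$2" '
    BEGIN { gsub(/[[:space:]]/, "", key); key = tolower(key) }
    /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global]/); next }
    insec && !/^[[:space:]]*[#;]/ && /=/ {
      k = tolower($0); sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit }
    }' "$1"
}
# smb_audit FILE: report the security mode; return 0 for the user-level modes Samba-3 recommends
# (user, domain, ADS) and 1 for share, server, an unknown mode, or a plaintext passdb backend.
smb_audit() {
  mode="$(smb_global_param "$1" security | tr 'A-Z' 'a-z')"
  backend="$(smb_global_param "$1" "passdb backend" | tr 'A-Z' 'a-z')"
  rc=0
  case "$mode" in
    user)        echo "security = user: local user-level authentication" ;;
    domain|ads)  echo "security = $mode: member server, authentication passed through to the DCs"
                 [ "$(smb_global_param "$1" "winbind enum users")" = yes ] || echo "note: winbind enum users not set" ;;
    share)       echo "security = share: per-share passwords, no per-user accounts"; rc=1 ;;
    server)      echo "security = server: pass-through to another SMB server, not recommended"; rc=1 ;;
    *)           echo "security = '$mode': not a known Samba security mode"; rc=1 ;;
  esac
  case "$backend" in
    plaintext) echo "passdb backend = plaintext: credentials stored unhashed"; rc=1 ;;
    "")        echo "passdb backend not set (Samba default applies)" ;;
    *)         echo "passdb backend = $backend" ;;
  esac
  return $rc
}
```

Run it as `smb_audit /etc/samba/smb.conf`; it is a quick pre-check, not a replacement for testparm, which also validates every other parameter.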
-- Written by Marcustar. 关关雎鸠，在河之洲 (Guan-guan cry the ospreys, on the islet in the river)