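Using LDAP account information to log in to and use Samba

1. Requirements

Deploy a Samba service on Linux. Because the Linux hosts authenticate against LDAP, file-system shares have to be provided to these LDAP users.

For example, user data is laid out on the globally shared file system in the form /public/groupname/username.

2. Deploy the OpenLDAP service

3. Deploy the Samba service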

yum -y install samba*

On CentOS 7.9, this installs the following packages:

samba-common-4.10.16-25.el7_9.noarch
samba-client-4.10.16-25.el7_9.x86_64
samba-dc-4.10.16-25.el7_9.x86_64
samba-test-4.10.16-25.el7_9.x86_64
samba-devel-4.10.16-25.el7_9.x86_64
samba-libs-4.10.16-25.el7_9.x86_64
samba-4.10.16-25.el7_9.x86_64
samba-common-libs-4.10.16-25.el7_9.x86_64
samba-client-libs-4.10.16-25.el7_9.x86_64
samba-dc-libs-4.10.16-25.el7_9.x86_64
samba-winbind-4.10.16-25.el7_9.x86_64
samba-test-libs-4.10.16-25.el7_9.x86_64
samba-python-test-4.10.16-25.el7_9.x86_64
samba-vfs-glusterfs-4.10.16-25.el7_9.x86_64
samba-winbind-clients-4.10.16-25.el7_9.x86_64
samba-winbind-krb5-locator-4.10.16-25.el7_9.x86_64
samba-common-tools-4.10.16-25.el7_9.x86_64
samba-winbind-modules-4.10.16-25.el7_9.x86_64
samba-python-4.10.16-25.el7_9.x86_64
samba-pidl-4.10.16-25.el7_9.noarch
samba-krb5-printing-4.10.16-25.el7_9.x86_64

Because LDAP has no native support for Samba, the samba.ldif file shipped with Samba must be copied to /etc/openldap/schema/samba.ldif:

cp /usr/share/doc/samba-4.10.16/LDAP/samba.ldif /etc/openldap/schema/samba.ldif

Assuming the LDAP service is already deployed, add the schema by running: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif

Configure /etc/samba/smb.conf as follows:

[global]
    security = user
    passdb backend = ldapsam:ldap://node012
    ldap admin dn = cn=admin,dc=liwl,dc=cn
    ldap suffix = dc=liwl,dc=cn
    ldap user suffix = ou=People,dc=liwl,dc=cn
    ldap group suffix = ou=Group,dc=liwl,dc=cn
    ldap passwd sync = yes
    ldap ssl = no
    idmap config * : backend = ldap://node012
    #bind interfaces only = yes
    #interfaces = 0.0.0.0 ens33
[data]
    comment = share
    path = /public/%G/%U
    #public = yes
    valid users = %U
    browseable = No
    read only = No

If LDAP uses TLS encryption:

[global]
    security = user
    passdb backend = ldapsam:ldap://node011
    ldap admin dn = cn=admin,dc=liwl,dc=cn
    ldap suffix = dc=liwl,dc=cn
    ldap user suffix = ou=People,dc=liwl,dc=cn
    ldap group suffix = ou=Group,dc=liwl,dc=cn
    ldap passwd sync = yes
    ldap ssl = start tls
    tls enabled = yes
    tls certfile = /etc/openldap/cacerts/node011.crt
    max open files = 10000
    max smbd processes = 4000
    idmap config * : backend = ldap:ldap://node011
    #log level = 5
    #client use kerberos = off
[data]
    comment = share
    path = /public/%G/%U
    #public = yes
    valid users = %U
    browseable = No
    read only = No
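
The difference between the two configurations above is whether smbd's LDAP traffic is encrypted. The following check is an added example, not part of the original post: it parses an smb.conf and reports ldapsam servers reached over plain ldap:// with ldap ssl disabled. The sample strings are trimmed copies of the [global] sections above; the function names, and the assumption that an unset ldap ssl means Samba's documented default of start tls, are this example's own.

```python
import re

# Trimmed copies of the two [global] sections shown above.
PLAIN_CONF = """
[global]
    passdb backend = ldapsam:ldap://node012
    ldap passwd sync = yes
    ldap ssl = no
[data]
    path = /public/%G/%U
"""
TLS_CONF = PLAIN_CONF.replace("node012", "node011").replace("ldap ssl = no", "ldap ssl = start tls")

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.
    Samba ignores case and whitespace in parameter names, so keys are normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit_ldap_transport(text):
    """List ldapsam servers that smbd would talk to without encryption."""
    p = parse_global(text)
    backend = p.get("passdbbackend", "")
    if not backend.lower().startswith("ldapsam:"):
        return []
    # Assumption: an unset "ldap ssl" means Samba's documented default, "start tls".
    ldap_ssl = p.get("ldapssl", "start tls").lower()
    urls = backend.split(":", 1)[1].replace('"', " ").split()
    findings = []
    for url in urls:
        if url.lower().startswith("ldap://") and ldap_ssl in ("no", "off"):
            msg = f"{url}: ldap ssl = {ldap_ssl}, admin bind and password hashes cross the network in cleartext"
            if p.get("ldappasswdsync", "no").lower() == "yes":
                msg += "; synced password changes use the same channel"
            findings.append(msg)
    return findings

if __name__ == "__main__":
    for name, conf in (("plain", PLAIN_CONF), ("start tls", TLS_CONF)):
        print(name, audit_ldap_transport(conf) or "OK")
```
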

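Start the service with systemctl start smb (before starting it, run smbpasswd -W to convert the domain admin password to tdb format).

Create the Samba password: pdbedit -a -u liwl, then enter the password (this is the password used to log in to Samba).

Connection test: smbclient -U liwl //samba_server_ip/data, then enter the password.

Debug mode: set log level = 5 in smb.conf, and run the client as smbclient -d 5.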

posted @ liwl1991