使samba 2.0 加入NT域

　　使samba 2.0 加入NT域 ----------------------------------- In order for a Samba-2 server to join an NT domain, you must first add the NetBIOS name of the Samba server to the NT domain on the PDC using Server Manager for Domains. This creates the machine account in the domain (PDC) SAM.Note that you should add the Samba server as a "Windows NT Workstation or Server", NOT as a Primary or backup domain controller. 为了使samba-2服务器加入到一个NT域中，你必须先使用域中PDC上的服务器管理器把 samba服务器的NetBIOS名加入到NT域中，并在主域控制器上的安全账号管理器数据库中创 建这个机器的账号。注意你应该把samba服务器作为“Windows NT工作站或服务器”加入 到域，而不是一个主域或备份域控制器。 Assume you have a Samba-2 server with a NetBIOS name of SERV1 and are joining an NT domain called DOM, which has a PDC with a NetBIOS name of DOMPDC and two backup domain controllers with NetBIOS names DOMBDC1 and DOMBDC2. 假定你有一个NetBIOS名是SERV1的samba-2服务器，并要加入名为DOM的NT域，域中有一个 NetBIOS名为DOMPDC的主域控制器和两个NetBIOS名为DOMBDC1及DOMBDC2的备份域控制器。 In order to join the domain, first stop all Samba daemons and run the command 为了加入这个域，首先要停止所有的samba守护程序并运行命令：smbpasswd -j DOM -r DOMPDC as we are joining the domain DOM and the PDC for that domain (the only machine that has write Access to the domain SAM database). If this is sUCcessful you will see the message: 把域DOM和域的主域控制器(对域的SAM数据库有写权限的机器)作参数来使samba服务器加 入DOM域。如果顺利你将在终端窗口中看到这样的信息： smbpasswd: Joined domain DOM. in your terminal window. See the smbpasswd man page for more details. 参见smbpasswd可以得到更多的详细信息。 This command goes through the machine account passWord change protocol, then writes the new (random) machine account password for this Samba server into the a file in the same Directory in which an smbpasswd file would be stored (normally : 这个命令通过机器账号改变协议，然后把一个新的(随机的)samba服务器机器账号写入与 存放smbpasswd文件相同目录(通常是：/usr/local/samba/private)下的一个文件中。 The filename looks like this: 文件名看起来象这样： . .mac
[1] [2] [3] 下一页 

The .mac suffix stands for machine account password file. So in our example above, the file would be called: .mac后缀代表机器账号口令文件。所以在以上的例子中，文件名应该是： DOM.SERV1.mac This file is created and owned by root and is not readable by any other user. It is the key to the domain-level security for your system, and should be treated as carefully as a shadow password file. 此文件由root建立并拥有，而其它用户不可读。对你系统采用的domain-level安全级来说 是个关键，应该象影子口令文件一样仔细对待。 Now, before restarting the Samba daemons you must edit your smb.conf file to tell Samba it should now use domain security. 好了，在重启samba守护程序之前你必须编辑smb.conf文件以通知samba使用域安全级。 Change (or add) your line in the [global] section of your smb.conf to read: 修改或者加入smb.conf文件中[global]段的"security ="行：security = domain Next change the line in the [global] section to read: 然后修改[global]段的"workgroup ="行：workgroup = DOM as this is the name of the domain we are joining. 标出我们要加入的域的名称。 You must also have the parameter "encrypt passwords" set to "yes" in order for your users to authenticate to the NT PDC. 你也必须在参数"encrypt passwords"中设定"yes"以便用户可以在NT主域控制器上进行认 证。 Finally, add (or modify) a: line in the [global] section to read: 最后加入或修改[global]段的"password server ="行：password server = DOMPDC DOMBDC1 DOMBDC2 These are the primary and backup domain controllers Samba will attempt to contact in order to authenticate users. Samba will try to contact each of these servers in order, so you may want to rearrange this list in order to spread out the authentication load among domain controllers. 这些参数是samba为了用户认证而尝试联系的主或者备份域控制器。samba将试着按次序联 系每个服务器，所以你可以按次序重新排列这个列表以便在这些域控制器之间均衡认证工 作的负载。 Alternatively, if you want smbd to automatically determine the list of Domain controllers to use for authentication, you may set this line to be : 如果你想让smbd自动检测域控制器的列表以便进行用户认证，可以设置这样的可选项： password server = * This method, which is new in Samba 2.0.6 and above, allows Samba to use exactly the same mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against. 这个在samba 2.0.6及以上版本出现的方法，允许samba采用与NT同样精确的方式，用广播 或者使用WINS数据库来查找域控制器作反向验证。
上一页 [1] [2] [3] 下一页 

Finally, restart your Samba daemons and get ready for clients to begin using domain security! 最后，重启你的samba守护程序并准备好客户以域安全级来使用！ Why is this better than security = server? 为什么域安全级比服务器安全级更好 ------------------------------------------ Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching to your server. This means that if domain user DOMfred attaches to your domain security Samba server, there needs to be a local Unix user fred to represent that user in the Unix filesystem. This is very similar to the older Samba security mode "security=server", where Samba would pass through the authentication request to a Windows NT server in the same way as a Windows 95 or Windows 98 server would. 通常，在samba中采用域安全级对你来说并不是件轻松的事儿，你必须建立了本地unix用 户来访问你的服务器。这意味着如果域用户DOMfred访问你采用域安全级的samba服务器 时，需要成为一个能访问unix文件系统的本地unix用户。这个情况和先前的samba安全模 式"security=server"非常相似，samba能在NT服务器上通过认证请求，同样也可以作为 windows 95和windows 98的服务器。 The advantage to domain-level security is that the authentication in domain-level security is passed down the authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba servers into a resource domain and have the authentication passed on from a resource domain PDC to an account domain PDC. 域安全级的优势在于通过此级的认证是在已得到认证的RPC通道上继承而来的，而NT服务 器就是以这样同样精确的方法来操作的。这意味着samba服务器可以NT服务器同样精确的 方法参与域委托关系(例如，你可以把samba服务器加入到资源域中并能在一个资源域PDC 上通过认证从而取得域PDC中的账号)。 In addition, with "security=server" every Samba daemon on a server has to keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the connection resources on a Microsoft NT

（出处：http://www.sheup.com）

上一页 [1] [2] [3] 

PDC. 域安全级的优势在于通过此级的认证是在已得到认证的RPC通道上继承而来的，而NT服务 器就是以这样同样精确的方法来操作的。这意味着samba服务器可以NT服务器同样精确的 方法参与域委托关系(例如，你可以把samba服务器加入到资源域中并能在一个资源域PDC 上通过认证从而取得域PDC中的账号)。 In addition, with "security=server" every Samba daemon on a server has to keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the connection resources on a Microsoft NT

（出处：http://www.sheup.com）

上一页 [1] [2] [3] [4] 

daemon lasts. This can drain the connection resources on a Microsoft NT

（出处：http://www.sheup.com/）

上一页 [1] [2] [3] [4] [5]