编辑 /etc/ldap.conf
[root @test ~] # vi /etc/ldap.conf
host 127.0.0.1
将
base dc=example,dc=com
修改成
base dc=test,dc=com
将
#rootbinddn cn=manager,dc=example,dc=com
修改成
rootbinddn cn=Manager,dc=test,dc=com
添加以下各行(注意:下面示例中的 dc=nseasy,dc=net 来自另一套环境,应改为本例实际使用的后缀 dc=test,dc=com,与上面的 base 保持一致)
nss_base_passwd ou=Users,dc=nseasy,dc=net?one
nss_base_passwd ou=Computers,dc=nseasy,dc=net?one
nss_base_shadow ou=Users,dc=nseasy,dc=net?one
nss_base_group ou=Groups,dc=nseasy,dc=net?one
将
tls_cacertdir /etc/openldap/cacerts
修改成
#tls_cacertdir /etc/openldap/cacerts
编辑 /etc/nsswitch.conf
[root @test ~] # vi /etc/nsswitch.conf
将
passwd: files
shadow: files
group: files
hosts: files dns wins
修改成
passwd: files ldap
shadow: files ldap
group: files ldap
编辑 /etc/pam.d/ 目录下的 login、passwd、samba、sshd 文件,在其中增加 pam_ldap.so 相关的行(原文以红色标出的即为新增部分,也就是下面各文件中的 pam_ldap.so 行)
[root @test ~] # vi /etc/pam.d/login
#%PAM-1
auth sufficient pam_ldap.so
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password sufficient pam_ldap.so use_first_pass use_authtok
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
[root @test ~] # vi /etc/pam.d/passwd
#%PAM-1
auth sufficient pam_ldap.so
auth required pam_stack.so service=system-auth
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
[root @test ~] # vi /etc/pam.d/samba
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
[root @test ~] # vi /etc/pam.d/sshd
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
安装 smbldap-tools。需要使用来自 IDEALX 的一个工具箱,使 Samba 和 LDAP 服务器之间的许多重要交互自动化。这个工具箱包含一些脚本,Samba 会自动调用它们来添加用户、修改用户、添加机器等等。这些脚本是用 Perl 编写的,也可以从命令行使用。由于 smbldap-tools 需要使用相关的 Perl 模块,所以在安装 smbldap-tools 之前,需要先安装以下 Perl 相关的模块。以下 Perl 模块系统中可能还没有安装,有的可以在 RedHat EL4.0 的安装碟中找到,没有的可以到
www.rpmfind.net 根据安装包的名字查找相应安装包,下载安装。从第三方站点下载的 rpm 包在安装前应核对其 GPG 签名是否来自可信来源。
[root @test ~] # rpm -ivh perl-Crypt-SmbHash-0.12-1.2.el4.rf.noarch.rpm
[root @test ~] # rpm -ivh perl-Digest-SHA1-2.07-5.I386.rpm
[root @test ~] # rpm -ivh perl-Digest-MD4-1.5-1.2-el4.rf.i386.rpm
[root @test ~] # rpm -ivh perl-Jcode-2.06-1.el4.rf.noarch.rpm
[root @test ~] # rpm -ivh perl-Unicode-Char-0.02-1.el4.rf.noarch.rpm
[root @test ~] # rpm -ivh perl-Unicode-String-2.09-1.2.el4.rf.i386.rpm
[root @test ~] # rpm -ivh perl-Unicode-Map8-0.12-1.el4.rf.i386.rpm
[root @test ~] # rpm -ivh perl-Unicode-Map-0.112-1.el4.rf.i386.rpm
[root @test ~] # rpm -ivh perl-Unicode-MapUTF8-1.11-1.2.el4.rf.noarch.rpm
[root @test ~] # rpm -ivh perl-GSSAPI-0.24-1.el4.rf.i386.rpm
[root @test ~] # rpm -ivh perl-Digest-HMAC-1.01-13.noarch.rpm
[root @test ~] # rpm -ivh perl-Authen-SASL-2.10-1.el5.rf.noarch.rpm
[root @test ~] # rpm -ivh smbldap-tools-0.9.4-1.el4.rf.noarch.rpm
开始配置 Samba,如果你不确定你的系统中是否已经安装好 Samba ,可以用以下命令查看:
[root @test ~] # rpm -qa | grep samba
编辑 Samba 的配置文件(注意:下面 passdb backend 与 idmap backend 两项中的 LDAP 服务器地址应指向同一台 LDAP 服务器,并与后面 smbldap.conf 中的 slaveLDAP/masterLDAP 保持一致)
[root @test ~] # vi /etc/samba/smb.conf
############################## Global Parameters ############################
[global]
workgroup = test
netbios name = PDC
server string = Samba Server %v
log file = /var/log/samba/log.%m
security = user
encrypt passwords = Yes
obey pam restrictions = No
ldap passwd sync = Yes
log level = 3
syslog = 0
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = UTF-8
Unix charset = UTF-8
logon script = %U.bat
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
passdb backend = ldapsam:ldap://192.168.1.254/
ldap admin dn = cn=Manager,dc=test,dc=com
ldap suffix = dc=test,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
Ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://192.168.98.221
ldap ssl = off
ldap delete dn = Yes
add user script = /sbin/smbldap-useradd -m "%u"
add machine script = /sbin/smbldap-useradd -t 0 -w "%u"
add group script = /sbin/smbldap-groupadd -p "%g"
add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /sbin/smbldap-usermod -g '%g' '%u'
Idmap uid = 10000-20000
Idmap gid = 10000-20000
############################## Homes parameters ############################
[homes]
comment = repertoire de %U, %u
browseable = no
writeable = yes
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
[profiles]
comment =
path=/home/samba/profiles
read only = no
writable = yes
[public]
comment =
path = /home/samba/public
writable = yes
建立 Samba 中的共享文件夹并设置好相应的权限(注意:下面的 chmod -R 777 会让所有本地用户都能读写 netlogon、profiles 和 public 三个目录,其中 netlogon 中的登录脚本会在客户端上执行;生产环境应按各共享的用途分别收紧权限)
[root @test ~] # mkdir -p /home/samba/netlogon
[root @test ~] # mkdir -p /home/samba/profiles
[root @test ~] # mkdir -p /home/samba/public
[root @test ~] # chmod -R 777 /home/samba
启动 Samba 服务
[root @test ~] # service smb start
Samba 需要知道 rootdn(即 smb.conf 中 ldap admin dn)的密码,才能读写 LDAP 目录。执行以下命令向 Samba 提供这个密码。
添加 Samba admin dn 的 LDAP 管理员密码(注意:密码要和您 OpenLDAP 的 rootdn 密码一致;示例中的 123456 仅为演示,且以命令行参数传入的密码会留在 shell 历史记录中,请使用强密码):
[root @test ~] # smbpasswd -w 123456
Setting stored password for "cn=Manager,dc=test,dc=com" in secrets.tdb
查看Samba PDC的SID编号,在文本终端中输入:
[root @test ~] # net getlocalsid
SID for domain PDC is: S-1-5-21-83670976-3719047316-649471027
将 SID 的值复制或者抄下来,后面需要用
[root @test ~] # vi /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
#slaveDN="cn=Manager,dc=company,dc=com"
#slavePw="secret"
slaveDN="cn=Manager,dc=test,dc=com"
此处输入 LDAP 管理员的密码(注意:密码要和您 OpenLDAP 的 rootdn 密码一致;该文件以明文保存此密码,应确保只有 root 能读取):
slavePw="123456"
#masterDN="cn=Manager,dc=company,dc=com"
#masterPw="secret"
masterDN="cn=Manager,dc=test,dc=com"
此处输入 LDAP 管理员的密码(注意:密码要和您 OpenLDAP 的 rootdn 密码一致):
masterPw="123456"
[root @test ~] # vi /etc/smbldap-tools/smbldap.conf
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
#SID="S-1-5-21-2252255531-4061614174-2474224977"
在此处输入刚刚用 net getlocalsid 所获得的 SID 值
SID="S-1-5-21-83670976-3719047316-649471027"
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
#sambaDomain="DOMSMB"
修改 samba 域名
sambaDomain="test"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="127.0.0.1"
由于本例中只有一台 LDAP 服务器,所以主与辅 LDAP 服务器的地址都一样(注意:本例下面将 ldapTLS 设为 "0",smb.conf 中也设了 ldap ssl = off,绑定密码会明文经过网络;若 LDAP 服务器不在本机,应启用 TLS)
slaveLDAP="192.168.98.221"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#masterLDAP="127.0.0.1"
masterLDAP="192.168.98.221"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
#verify="require"
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"
cafile=""
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientcert=""
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.key"
clientkey=""
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=test,dc=com"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
sambaUnixIdPooldn="sambaDomainName=test,dc=test,dc=com"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
#crypt_salt_format="%s"
crypt_salt_format=""
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
#userSmbHome="\\PDC-SRV\%U"
userSmbHome="\\PDC\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
#userProfile="\\PDC-SRV\profiles\%U"
#userProfile="\\PDC\profiles\%U"
为了能够兼容Linux 与 Windows 客户端,本例中不使用漫游配置文件,将漫游配置文件禁用
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
#userScript="logon.bat"
userScript="%U.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="test.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
使用smbldap-populate命令初始化用户服务数据库
[root @test ~] # smbldap-populate
Populating LDAP directory for domain test (S-1-5-21-83670976-3719047316-649471027)
(using builtin directory structure)
adding new entry: ou=Users,dc=test,dc=com
adding new entry: ou=Groups,dc=test,dc=com
adding new entry: ou=Computers,dc=test,dc=com
adding new entry: ou=Idmap,dc=test,dc=com
adding new entry: uid=root,ou=Users,dc=test,dc=com
adding new entry: uid=nobody,ou=Users,dc=test,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=test,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=test,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=test,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=test,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=test,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=test,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=test,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=test,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=test,dc=com
adding new entry: sambaDomainName=test,dc=test,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: 输入在LDAP 配置文件 slapd.conf设置的 rootpw密码
Retype new password: 输入在LDAP 配置文件 slapd.conf设置的 rootpw密码
[root @test ~] # service smb restart
[root @test ~] # vi /etc/smbldap-tools/smbldap.conf
将
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
修改成
sambaUnixIdPooldn="sambaDomainName=test,dc=test,dc=com"
重新启动 LDAP 服务器
[root @test ~] # service ldap restart
检查 LDAP 数据库是否已经收到 IDMAP 的信息
[root @test ~] # slapcat | grep -i idmap
dn: ou=Idmap,dc=test,dc=com
ou: Idmap
检查 LDAP 数据库是否已经收到 Group 的信息
[root @test ~] # slapcat | grep -I Groups
dn: ou=Groups,dc=test,dc=com
ou: Groups
sambaPrimaryGroupSID: S-1-5-21-83670976-3719047316-649471027-512
sambaPrimaryGroupSID: S-1-5-21-83670976-3719047316-649471027-514
dn: cn=Domain Admins,ou=Groups,dc=test,dc=com
dn: cn=Domain Users,ou=Groups,dc=test,dc=com
dn: cn=Domain Guests,ou=Groups,dc=test,dc=com
dn: cn=Domain Computers,ou=Groups,dc=test,dc=com
dn: cn=Administrators,ou=Groups,dc=test,dc=com
dn: cn=Account Operators,ou=Groups,dc=test,dc=com
dn: cn=Print Operators,ou=Groups,dc=test,dc=com
dn: cn=Backup Operators,ou=Groups,dc=test,dc=com
dn: cn=Replicators,ou=Groups,dc=test,dc=com
查看 LDAP 数据库中的所有信息
[root @test ~] # slapcat
dn: dc=test,dc=com
objectClass: dcObject
objectClass: organization
o: test
dc: test
structuralObjectClass: organization
entryUUID: 2122d5b2-760f-102c-8929-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035700Z
entryCSN: 20080223035700Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035700Z
dn: ou=Users,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: 21565860-760f-102c-892a-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035700Z
entryCSN: 20080223035700Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035700Z
dn: ou=Groups,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: 215b5518-760f-102c-892b-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035700Z
entryCSN: 20080223035700Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035700Z
dn: ou=Computers,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: 215ed670-760f-102c-892c-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035700Z
entryCSN: 20080223035700Z#000004#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035700Z
dn: ou=Idmap,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: 21642b16-760f-102c-892d-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035700Z
entryCSN: 20080223035700Z#000005#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035700Z
dn: uid=root,ou=Users,dc=test,dc=com
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomeDrive: H:
sambaProfilePath: \\PDC\profiles\root
sambaPrimaryGroupSID: S-1-5-21-83670976-3719047316-649471027-512
sambaSID: S-1-5-21-83670976-3719047316-649471027-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: 216bef86-760f-102c-892e-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035700Z
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaAcctFlags: [u]
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
sambaPwdLastSet: 1203739029
sambaPwdMustChange: 1207627029
userPassword:: e1NTSEF9YnZpL1FPcnNJMHFFc1IwMjlFY0VvYllnc3ZseGRXTkY=
shadowLastChange: 13932
shadowMax: 45
entryCSN: 20080223035709Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035709Z
dn: uid=nobody,ou=Users,dc=test,dc=com
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: H:
sambaProfilePath: \\PDC\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-83670976-3719047316-649471027-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-83670976-3719047316-649471027-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: 21b0644a-760f-102c-892f-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Domain Admins,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-83670976-3719047316-649471027-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 21c0739e-760f-102c-8930-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Domain Users,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-83670976-3719047316-649471027-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: 21d6660e-760f-102c-8931-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Domain Guests,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-83670976-3719047316-649471027-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: 21daf908-760f-102c-8932-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000004#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Domain Computers,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-83670976-3719047316-649471027-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 21df35c2-760f-102c-8933-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000005#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Administrators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: 21e38ce4-760f-102c-8934-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000006#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Account Operators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: 21eddb90-760f-102c-8935-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000007#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Print Operators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: 21f47d1a-760f-102c-8936-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000008#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Backup Operators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: 21f60acc-760f-102c-8937-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#000009#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: cn=Replicators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: 21fc2416-760f-102c-8938-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#00000a#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
dn: sambaDomainName=test,dc=test,dc=com
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: test
sambaSID: S-1-5-21-83670976-3719047316-649471027
uidNumber: 1000
gidNumber: 1000
sambaNextRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 21ffe16e-760f-102c-8939-9bfbf54523e3
creatorsName: cn=Manager,dc=test,dc=com
createTimestamp: 20080223035701Z
entryCSN: 20080223035701Z#00000b#00#000000
modifiersName: cn=Manager,dc=test,dc=com
modifyTimestamp: 20080223035701Z
查询LDAP数据库的目录内容
[root @test ~] # ldapsearch -x -b "dc=test,dc=com" "(ObjectClass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope sub
# filter: (ObjectClass=*)
# requesting: ALL
#
# test.com
dn: dc=test,dc=com
objectClass: dcObject
objectClass: organization
o: test
dc: test
# Users, test.com
dn: ou=Users,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users
# Groups, test.com
dn: ou=Groups,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
# Computers, test.com
dn: ou=Computers,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Computers
# Idmap, test.com
dn: ou=Idmap,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Idmap
# root, Users, test.com
dn: uid=root,ou=Users,dc=test,dc=com
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomeDrive: H:
sambaProfilePath: \\PDC\profiles\root
sambaPrimaryGroupSID: S-1-5-21-83670976-3719047316-649471027-512
sambaSID: S-1-5-21-83670976-3719047316-649471027-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaAcctFlags: [u]
sambaPwdLastSet: 1203739029
sambaPwdMustChange: 1207627029
shadowLastChange: 13932
shadowMax: 45
# nobody, Users, test.com
dn: uid=nobody,ou=Users,dc=test,dc=com
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: H:
sambaProfilePath: \\PDC\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-83670976-3719047316-649471027-514
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-83670976-3719047316-649471027-2998
loginShell: /bin/false
# Domain Admins, Groups, test.com
dn: cn=Domain Admins,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-83670976-3719047316-649471027-512
sambaGroupType: 2
displayName: Domain Admins
# Domain Users, Groups, test.com
dn: cn=Domain Users,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-83670976-3719047316-649471027-513
sambaGroupType: 2
displayName: Domain Users
# Domain Guests, Groups, test.com
dn: cn=Domain Guests,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-83670976-3719047316-649471027-514
sambaGroupType: 2
displayName: Domain Guests
# Domain Computers, Groups, test.com
dn: cn=Domain Computers,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-83670976-3719047316-649471027-515
sambaGroupType: 2
displayName: Domain Computers
# Administrators, Groups, test.com
dn: cn=Administrators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
# Account Operators, Groups, test.com
dn: cn=Account Operators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
# Print Operators, Groups, test.com
dn: cn=Print Operators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
# Backup Operators, Groups, test.com
dn: cn=Backup Operators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
# Replicators, Groups, test.com
dn: cn=Replicators,ou=Groups,dc=test,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
# test, test.com
dn: sambaDomainName=test,dc=test,dc=com
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: test
sambaSID: S-1-5-21-83670976-3719047316-649471027
uidNumber: 1000
gidNumber: 1000
sambaNextRid: 1000
# search result
search: 2
result: 0 Success
# numResponses: 18
# numEntries: 17
检查 NSS 是否可以解析 LDAP 中的帐户
[root @test ~] # getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
[root @test ~] # getent group | grep Domain
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:515:
添加用户
[root @test ~ ]# smbldap-useradd -a -m h.li
############注:smbldap-useradd 命令部分参数:####################
-a 添加一个用户帐号
-d 指定用户的主目录
-m 为创建用户主目录及复制 /etc/skel
-o 添加用户到组织单元(OU)
-u 指定用户的UID
-s 指定用户使用的SHELL
-w 添加一个计算机帐号
[root @test ~] # smbldap-passwd h.li
Changing UNIX and samba password for h.li
New passwd:
Retype passwd:
添加用户jack ,不为该用户建立用户目录,不分配使用 shell
[root @test ~] # smbldap-useradd -a -d /dev/null -s /bin/bash jack
[root @test ~] # smbldap-passwd jack
Changing UNIX and samba password for jack
New passwd:
Retype passwd:
添加用户组
[root @test ~] # smbldap-groupadd -a account
[root @test ~] # smbldap-groupadd -a finance
############注:smbldap-groupadd 命令部分参数:####################
-a 添加用户组
-g 指定用户组ID
#############################################################
将用户 jack 加入 account 用户组
[root @test ~] # smbldap-groupmod -m jack account
############注:smbldap-groupmod 命令部分参数:####################
-a 添加用户组
-g 更改用户组ID
-n 更改用户组名称
-x 从用户组中删除用户
-m 添加用户到用户组
############################################################
验证用户组是否添加成功
[root @test ~] # getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
nscd:x:28:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
xfs:x:43:
ntp:x:38:
gdm:x:42:
htt:x:101:
named:x:25:
test:x:500:
ldap:x:55:
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:515:
Administrators:x:544:
Account Operators:x:548:
Print Operators:x:550:
Backup Operators:x:551:
Replicators:x:552:
account:x:1001:
finance:x:1002:
验证 UNIX 帐户可以通过 NSS 解析
[root @test ~] # getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib/im:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
test:x:500:500::/home/test:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
h.li:x:1000:513:System User:/home/h.li:/bin/bash
使用 id 命令可以确认你刚才添加的用户是否有效
[root @test ~] # id h.li
uid=1000(h.li) gid=513(Domain Users) groups=513(Domain Users)
从这里可以看出 UNIX 帐户可以从 LDAP 解析
验证 samba 可以从 LDAP ldapsam passwd backend 处获得用户信息
[root @test ~] # pdbedit -Lv h.li
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
init_sam_from_ldap: Entry found for user: h.li
Unix username: h.li
NT username: h.li
Account Flags: [U ]
User SID: S-1-5-21-83670976-3719047316-649471027-3000
Primary Group SID: S-1-5-21-83670976-3719047316-649471027-513
Full Name: h.li
Home Directory: \\pdc\h.li
HomeDir Drive: H:
Logon Script: h.li.bat
Profile Path: \\PDC\profiles\h.li
Domain: TEST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 六, 14 12月 1901 04:45:51 GMT
Kickoff time: 六, 14 12月 1901 04:45:51 GMT
Password last set: 六, 23 2月 2008 13:14:43 GMT
Password can change: 0
Password must change: 二, 08 4月 2008 13:14:43 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
验证 SMB 是否可以正确查看到 WINDOWS 域组，以及它们是否正确映射到各自的 UNIX 组。
[root @test ~] # net groupmap list
Domain Admins (S-1-5-21-83670976-3719047316-649471027-512) -> Domain Admins
Domain Users (S-1-5-21-83670976-3719047316-649471027-513) -> Domain Users
Domain Guests (S-1-5-21-83670976-3719047316-649471027-514) -> Domain Guests
Domain Computers (S-1-5-21-83670976-3719047316-649471027-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
finance (S-1-5-21-83670976-3719047316-649471027-3005) -> finance
添加一个机器帐号
[root @test ~] # smbldap-useradd -w xp$
[root @test ~] # smbldap-useradd -w redflag$
使用用户帐号 h.li 测试登录 PDC 服务器
[root @test ~] # smbclient -L \\192.168.98.221 -U h.li
Passwd:
Anonymous login successful
Domain=[TEST] OS=[Unix] Server=[Samba 3.0.10-1.4E]
Sharename Type Comment
--------- ---- -------
netlogon Disk Network logon service
profiles Disk networkd profiles
public Disk public file
IPC$ IPC IPC Service (samba Server)
ADMIN$ IPC IPC Service (samba Server)
Anonymous login successful
Domain=[TEST] OS=[Unix] Server=[Samba 3.0.10-1.4E]
Server Comment
--------- -------
PDC samba Server
Workgroup Master
--------- -------
BH2-CAIWU BH2-CAIWU-002
BV-DIANNAO BV-DIANNAO-002
BV-YINGYE BV-YINGYE-006
CF-NW CF-NW
CFNW CFNW-CW-KINGDEE
CFNW-CS-CW CFNW-CS-SER
CFNW-FD-YY CFNW-FD-YY-SER
CFNW-GL CFNW-GL-SER
SAMBA SAMBA
TEST PDC
WORKGROUP V2003
也可以用 ssh 测试：
[root @test ~] # ssh h.li@192.168.98.221
以上的测试可以证明刚刚添加的用户可以正常使用,samba 可以从 LDAP 服务器中读取信息。注意：上面 smbclient 的输出中出现了 "Anonymous login successful"，说明该次列举并未以 h.li 的凭据完成认证；要确认该帐号确实可用，应在 Passwd: 提示处输入 h.li 的口令，并确认输出中不再出现匿名登录的提示。
使用 ntsysv 设置服务开机自启动,请确保 ldap、smb、winbind 被选中
[root @test ~] # ntsysv