понедельник, 27 июня 2011 г.

Установка Samba + ACL на CentOS 5.6 (с введением в AD)

# yum install samba3x acl

# NOTE: the line after 'nano' is the /etc/fstab entry to edit, not a command: the 'acl'
# mount option is what lets setfacl and Samba's ACL mapping work on the root filesystem.
# nano /etc/fstab
LABEL=/ / ext3 defaults,acl 1 1


# NOTE: remount applies the new mount option without a reboot.
# mount -o remount /

# mkdir -p /shares/test

Ставим Kerberos
# yum install krb5-workstation


# NOTE: the redirection overwrites /etc/krb5.conf; back up an existing file first.
# NOTE: dns_lookup_realm/dns_lookup_kdc are off, so the KDC is taken only from the
# [realms] entry (cavi.local:88); that name must resolve from this host.
# NOTE: 'forwardable' is enabled both in [libdefaults] and in the pam block of
# [appdefaults], so obtained TGTs may be forwarded to other services; keep it only if intended.
# echo "[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CAVI.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
CAVI.LOCAL = {
kdc = cavi.local:88
admin_server = cavi.local:749
default_domain = cavi.local
}

[domain_realm]
.cavi.local = CAVI.LOCAL
cavi.local = CAVI.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}" > /etc/krb5.conf


# NOTE: obtains a TGT for the user and so verifies the KDC settings above before the domain join.
# kinit naydis@CAVI.LOCAL


# NOTE: inside the double-quoted string bash collapses \" to " and \\ to \ but keeps \n
# literally, so smb.conf receives  admin users = @"CAVI\Domain Admins", CAVI\naydis
# (likewise for 'valid users'). The %m / %D / %U tokens are Samba substitutions and are
# not touched by the shell.
# NOTE: 'admin users' makes smbd perform all file operations for the listed users as root;
# it is set in [global] here, so it applies to every share — keep the list minimal.
# NOTE: 'create mask' / 'directory mask' of 700 leave no group/other permission bits, so
# access for Domain Users on [test] presumably relies on the inherited ACLs
# (inherit acls / inherit permissions) — confirm on a test file.
# echo "[global]

# ----------------------- Network Related Options -------------------------
workgroup = CAVI
server string =
netbios name = FS01

# --------------------------- Logging Options -----------------------------
log file = /var/log/samba/log.%m
max log size = 50

# ----------------------- Domain Members Options ------------------------
security = ads
realm = CAVI.LOCAL

;password server = cavi.local

idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
;winbind use default domain = yes
admin users = @\"CAVI\\Domain Admins\", CAVI\naydis

#============================ Share Definitions ==============================

[test]
comment = a comment
path = /shares/test
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
map acl inherit = yes
create mask = 700
directory mask = 700
valid users = @\"CAVI\\Domain Users\", CAVI\naydis" > /etc/samba/smb.conf


Вводим самбу в домен:
# NOTE: joins the host to the realm/workgroup from smb.conf; prompts for the password of
# 'naydis', who needs the right to join computers to the domain.
# net ads join -U naydis

Запускаем самбу и прописываем в автозапуск:
# service smb start
# chkconfig smb on

# NOTE: 'winbind' is appended after 'files', so local accounts in /etc/passwd and
# /etc/group are resolved first and domain lookups are only a fallback.
# nano /etc/nsswitch.conf
passwd: files winbind
group: files winbind


# NOTE: winbind must be running for domain names such as CAVI\naydis to resolve in
# setfacl and in smbd's user lookups.
# service winbind start
# chkconfig winbind on

Смотрим, на какие позиции ставить правила в iptables
# NOTE: list first; positions 8-11 used below are specific to the chain as it was at this
# point and must be re-checked if the firewall changes.
# iptables -vnL --line-numbers

# NOTE: these rules accept NetBIOS (137/udp, 138/udp, 139/tcp) and SMB (445/tcp) from any
# source address; adding '-s <LAN_CIDR>' (placeholder) limits them to the local network.
# iptables -I RH-Firewall-1-INPUT 8 -p udp -m udp --dport 137 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 9 -p udp -m udp --dport 138 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 10 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 11 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT



# NOTE: persist the running rules so they survive a restart of the iptables service.
# service iptables save config
# service iptables restart


# NOTE: labels /shares and everything below it samba_share_t so smbd can serve the tree
# with SELinux left enforcing; restorecon applies the new context to existing files.
# semanage fcontext -a -t samba_share_t "/shares(/.*)?"
# restorecon -R -v /shares/


Команды, которыми можно посмотреть метки selinux:
# NOTE: -Z prints the SELinux context; -d shows the directory entry itself rather than its contents.
ls -lZd /shares/test
ls -lZ /shares/test/tirlim-bom-bom.txt










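# NOTE: /shares already exists (created earlier by 'mkdir -p /shares/test'), so a plain
# 'mkdir /shares' fails with "File exists"; -p makes the step idempotent.
# mkdir -p /shares
# NOTE: requires winbind running and listed in nsswitch.conf so the domain user resolves;
# bash keeps \n literal inside double quotes, so the name is passed as CAVI\naydis.
# This sets only the access ACL on /shares itself — no default (d:) ACL is set, so new
# entries do not inherit it from this command.
# setfacl -m u:"CAVI\naydis":rwx /shares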
