Encrypting SMB traffic with Samba

Kai*_*zke 14 security encryption samba domain-controller samba4

We are running Samba on Ubuntu 14.04 LTS as a PDC (primary domain controller) with roaming profiles. Everything works, unless we try to enforce encryption by setting:

    server signing = mandatory
    smb encrypt = mandatory

in the [global] section of /etc/samba/smb.conf. Once we do that, Win 8.0 and Win 8.1 clients (we have not tried others) complain: Die Vertrauensstellung zwischen dieser Arbeitsstation und der primären Domäne konnte nicht hergestellt werden. English translation: The trust relationship between this workstation and the primary domain could not be established.

If instead the two options server signing and smb encrypt are added only to the [profiles] section of smb.conf, tcpdump shows that the actual traffic is not encrypted!

Full smb.conf:

[global]
    workgroup = DOMAIN
    server string = %h PDC
    netbios name = HOSTNAME
    wins support = true
    dns proxy = no
    allow dns updates = False
    dns forwarder = IP

    deadtime = 15

    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 5000
    debug pid = yes
    debug uid = yes
    syslog = yes
    utmp = yes

    security = user
    domain logons = yes
    domain master = yes
    os level = 64
    logon path = \\%N\profiles\%U
    logon home = \\%N\%U
    logon drive = H:
    logon script =

    passdb backend = ldapsam:ldap://localhost
    ldap ssl = start tls
    ldap admin dn = cn=admin,dc=DOMAIN,dc=de
    ldap delete dn = no

    encrypt passwords = yes
    server signing = mandatory
    smb encrypt = mandatory

    ## Sync UNIX password with Samba password
    ldap password sync = yes

    ldap suffix = dc=intra,dc=DOMAIN,dc=de
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
    rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    add machine script = /usr/sbin/smbldap-useradd -W '%m' -t 1

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    admin users = root
    guest ok = Yes
    browseable = No

[profiles]
    comment = Roaming Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    browsable = No
    valid users = %U
    create mode = 0600
    directory mode = 0700

Any help?

Mic*_*dam 14

The smb.conf man page needs updating! It refers to the old Samba-specific encryption mechanism, which only works with SMB1 and is done via the unix extensions. This can be used by smbclient.

Nowadays the "smb encrypt" option also controls the SMB-level encryption that is part of SMB 3.0 and newer. Windows 8 (and newer) clients should encrypt traffic with these settings.

Have you tried using the same settings (smb encrypt = mandatory in the [global] section) on a Samba domain member or standalone server?

Make sure that smb encrypt = auto is set in the [global] section (as opposed to the [profiles] section). Then the general availability of encryption is still announced.



This is most likely a bug in Samba. So this should probably be discussed on Samba's samba-technical mailing list or in Samba's bugzilla. If you are using the Ubuntu version of Samba, you may also want to look at the package page. I doubt this is a real Samba upstream problem.

  • I have updated the man page in the Samba core repository to explain the different meanings of "smb encrypt" for SMB2 and SMB3: (https://git.samba.org/?p=samba.git;a=commitdiff;h=51ae17b0703eaa481d602ffc7d8231a629fcb5fd ) (8)
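The answer's main point is that `smb encrypt` (and `server signing`) have to sit in `[global]`, not only in a share section such as `[profiles]`, for encryption to be advertised server-wide. The following script is an added example, not code from the question, the answer, or the Samba project: it parses an smb.conf with a deliberately minimal parser (no `include =` handling, no `%` macro expansion; both are assumptions about what the input does not need) and reports where the two options are set, flagging the share-only layout the question describes. The two sample configs are constructed to mirror the failing and the working layouts. Run it, or point `parse_smb_conf` at the contents of a real /etc/samba/smb.conf.

```python
import re
from typing import Dict, List

# Values that smb.conf(5) treats as enforcing: "mandatory" and "required"
# are synonyms for both `smb encrypt` and `server signing`.
ENFORCE = {"mandatory", "required"}

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, `key = value` lines,
    '#' or ';' comment lines. Parameter names are normalised the way Samba
    does it (case-insensitive, internal whitespace collapsed). Assumption:
    no `include =` directives and no %-macros that need expanding."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip().lower()
    return sections


def audit_encryption(sections: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Report where `smb encrypt` / `server signing` are configured and whether
    [global] enforces them. `share_only` lists shares that carry `smb encrypt`
    while [global] does not, which is the layout the question found to leave
    traffic unencrypted."""
    glob = sections.get("global", {})
    share_only: List[str] = [
        name for name, params in sections.items()
        if name != "global" and "smb encrypt" in params and "smb encrypt" not in glob
    ]
    findings: List[str] = []
    enforced = glob.get("smb encrypt") in ENFORCE
    if enforced:
        findings.append("[global] smb encrypt = %s: encryption enforced server-wide" % glob["smb encrypt"])
    else:
        findings.append("smb encrypt is not enforced in [global] (value: %s)" % glob.get("smb encrypt", "unset"))
        for name in share_only:
            findings.append("smb encrypt appears only in [%s]; set it in [global] instead" % name)
    if glob.get("server signing") not in ENFORCE:
        findings.append("server signing is not mandatory in [global]")
    return {
        "global_smb_encrypt": glob.get("smb encrypt", "unset"),
        "global_server_signing": glob.get("server signing", "unset"),
        "global_enforced": enforced,
        "share_only": share_only,
        "findings": findings,
    }


# Constructed sample: the failing layout from the question, options only in [profiles].
SAMPLE_SHARE_ONLY = """
[global]
    workgroup = DOMAIN
    security = user

[profiles]
    path = /var/lib/samba/profiles
    server signing = mandatory
    smb encrypt = mandatory
"""

# Constructed sample: the layout the answer recommends, options in [global].
SAMPLE_GLOBAL = """
[global]
    workgroup = DOMAIN
    server signing = mandatory
    smb encrypt = mandatory

[profiles]
    path = /var/lib/samba/profiles
"""

if __name__ == "__main__":
    for label, cfg in (("share-only", SAMPLE_SHARE_ONLY), ("global", SAMPLE_GLOBAL)):
        report = audit_encryption(parse_smb_conf(cfg))
        print("== %s ==" % label)
        for line in report["findings"]:
            print("  " + line)
```

The audit only reads the configuration; it does not tell you what clients actually negotiated, so the tcpdump check the question used (looking for cleartext SMB payloads on port 445) remains the confirmation step after the config is corrected.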