Samba 4: joined the domain, but all users map to nobody and shares cannot be accessed from Windows clients

waz*_*oox 1 authentication linux-networking winbind samba4

I have a Debian/Jessie Samba 4.2.14 running as an AD member. The AD DC is a Windows 2008 R2 server. The join works without problems:

# net ads testjoin
Join is OK

`wbinfo -u` and `wbinfo -g` work perfectly and return the list of users and groups from AD as expected. `wbinfo -i <user>` also works:

# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false

Edit: something is wrong here, because `wbinfo -i` maps all users and groups to id 4294967295, which, as @TheSkunk said, is 2^32 - 1.

Edit 2: `wbinfo --sid-to-uid TESTAD\\testuser` fails. Of course I have to set some idmap parameters explicitly (the defaults obviously don't work at all), but how?

Edit 3: I've added these two lines to smb.conf:

idmap config * : backend = tdb
idmap config * : range = 10000-30000

Now `wbinfo -i TESTDOMAIN\testuser` reports a valid id, and a different one for each and every user. However I still have the same problems (all users mapping to nobody, `id` and `getent` don't know AD users, etc.).

But `getent passwd TESTAD\\testuser` fails:

# getent passwd TESTAD\\testuser
# echo $? 
2

Any AD account can connect to the server with `smbclient`:

# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password: 
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
  .                                   D        0  Fri Feb 17 16:23:04 2017
  ..                                  D        0  Wed Feb  1 16:47:02 2017
  test.txt                            N        5  Fri Feb 17 14:38:21 2017
  popo                                D        0  Fri Feb 17 16:23:04 2017

                117125466112 blocks of size 1024. 117052392484 blocks available
smb: \> 

However, the connection is mapped to nobody/nogroup, and files that get created are owned by nobody as well. Windows machines cannot connect with any AD account. If I create a local account with `smbpasswd -a <user>`, they can connect with it, but its connection parameters, files, etc. are still mapped to nobody, even though that account also exists locally.

Here is the current smb.conf (as close to the defaults as possible):

[global]
        workgroup = TESTAD
        realm = TESTAD.lan
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        inherit permissions = Yes
        inherit acls = Yes


[DATA]
        path = /mnt/raid/
        read only = No
        guest ok = Yes

Here is /etc/nsswitch.conf (I've tried both adding and removing 'winbind' from the shadow line, no change at all):

# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

I don't understand why authentication never seems to go through winbind. I'm desperate, any ideas?

waz*_*oox 7

I found the core problem: a missing package. Unfortunately, getting it to work isn't that simple; here is the final working configuration (thanks to Rowland Penny from samba.org):

Make sure you have all the required packages installed (the missing one was libnss-winbind):

apt-get install samba acl attr quota fam winbind libpam-winbind \
libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

Stop the services:

service smbd stop
service nmbd stop
service winbind stop

Set up a proper smb.conf (the idmap parameters in particular):

[global]
    workgroup = TESTAD
    security = ADS
    realm = TESTAD.LAN

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/TESTAD/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

With that configuration, an additional /etc/samba/user.map file is needed, containing the following line:

!root = TESTAD\Administrator TESTAD\administrator Administrator administrator

Don't forget to fill in /etc/krb5.conf correctly:

[libdefaults]
    default_realm = TESTAD.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

Careful: krb5.conf must be owned by root and readable by everyone (644 permissions).

Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files 

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now join the domain:

# net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'

Finally, start the services:

service smbd start
service nmbd start
service winbind start

`getent passwd` should now work with AD users:

# getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash

CAVEAT: because I had previously joined AD without the necessary libraries installed, I had to reboot the system before it would authenticate users correctly after this setup!
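Added example, not part of the question or the answer above: a POSIX shell script that checks, offline, the two configuration points the answer turns on, namely idmap ranges that do not overlap and include a range for the default `*` domain, and winbind present on the passwd and group lines of nsswitch.conf. It also recognises the 4294967295 (2^32 - 1) sentinel that the question's `wbinfo -i` output showed, which is winbind's "no mapping" value rather than a real id. The file paths, the sample inputs and the AD user name `testuser` used in the live check are assumptions; the missing libnss-winbind package itself can only be confirmed on the member server, so that part runs only when the script is given both file paths.

```shell
#!/bin/sh
# Sanity checks for a Samba AD member server's identity-mapping setup.
# Added example, not from the original post; paths and sample data are assumed.

# 1. idmap ranges: parse every "idmap config <DOM> : range = LO-HI" line,
#    require a range for the default "*" domain, and fail if any two
#    domains' ranges overlap. Returns 0 when everything is consistent.
check_idmap_ranges() {   # usage: check_idmap_ranges /etc/samba/smb.conf
  awk '
    BEGIN { bad = 0; n = 0 }
    /^[ \t]*idmap[ \t]+config[ \t]*[^:]*:[ \t]*range[ \t]*=/ {
      line = $0
      sub(/^[ \t]*idmap[ \t]+config[ \t]*/, "", line)   # -> "DOM : range = LO-HI"
      split(line, parts, ":")
      dom = parts[1]; gsub(/[ \t]/, "", dom)
      rng = parts[2]; sub(/.*=[ \t]*/, "", rng); gsub(/[ \t]/, "", rng)
      split(rng, b, "-")
      if (b[1] == "" || b[2] == "" || b[1] + 0 >= b[2] + 0) {
        printf "bad range for domain %s: %s\n", dom, rng; bad = 1; next
      }
      n++; doms[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0; seen[dom] = 1
    }
    END {
      if (!("*" in seen)) { print "no range for the default idmap domain (*)"; bad = 1 }
      for (i = 1; i <= n; i++)
        for (j = i + 1; j <= n; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "overlap: %s %d-%d vs %s %d-%d\n", doms[i], lo[i], hi[i], doms[j], lo[j], hi[j]
            bad = 1
          }
      if (!bad) print "idmap ranges ok"
      exit bad
    }' "$1"
}

# 2. nsswitch: passwd and group must route through winbind, otherwise getent
#    and id never see AD users even though wbinfo does.
check_nsswitch() {   # usage: check_nsswitch /etc/nsswitch.conf
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*(passwd|group)[ \t]*:/ {
      db = $1; sub(/:.*/, "", db)
      if (index($0, "winbind") > 0) ok[db] = 1
    }
    END {
      if (!("passwd" in ok)) { print "nsswitch: passwd line lacks winbind"; bad = 1 }
      if (!("group" in ok))  { print "nsswitch: group line lacks winbind"; bad = 1 }
      if (!bad) print "nsswitch ok"
      exit bad
    }' "$1"
}

# 3. A passwd-style entry whose uid or gid is 4294967295 (2^32 - 1) is
#    winbind saying "no id mapping", not a usable account. Returns 0 if so.
is_unmapped_entry() {   # usage: is_unmapped_entry 'DOM\user:*:uid:gid:gecos:home:shell'
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  gid=$(printf '%s\n' "$1" | cut -d: -f4)
  [ "$uid" = "4294967295" ] || [ "$gid" = "4294967295" ]
}

# 4. Live checks (only when given both paths), run on the member server as:
#      sh check_member.sh /etc/samba/smb.conf /etc/nsswitch.conf
#    The NSS module (libnss-winbind, the package the answer found missing)
#    and the end-to-end lookup cannot be verified offline. "testuser" is the
#    AD account from the question; substitute your own.
if [ "$#" -eq 2 ]; then
  check_idmap_ranges "$1"
  check_nsswitch "$2"
  if ldconfig -p | grep -q 'libnss_winbind\.so'; then
    echo "libnss_winbind present"
  else
    echo "libnss_winbind not installed (apt-get install libnss-winbind)"; exit 1
  fi
  if entry=$(getent passwd testuser) && ! is_unmapped_entry "$entry"; then
    echo "getent ok: $entry"
  else
    echo "getent cannot resolve an AD user through winbind"; exit 1
  fi
fi
```

Run against the question's original smb.conf the first check fails with "no range for the default idmap domain (*)", and against the Edit 3 configuration it passes, which matches the question: the ranges were not the remaining problem, the missing NSS module was, and only the live `getent` check exposes that.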