Asked by waz*_*oox (tags: authentication, linux-networking, winbind, samba4)
I have a Debian/Jessie Samba 4.2.14 running as an AD member. The AD DC is a Windows 2008 R2 server. The join works without problems:
# net ads testjoin
Join is OK
wbinfo -u and wbinfo -g work perfectly and return the list of users and groups from AD as expected. wbinfo -i <user> also works:
# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false
Edit: there is a problem here, because wbinfo -i maps all users and groups to id 4294967295, which, as @TheSkunk says, is 2^32 - 1.
Edit 2: wbinfo --sid-to-uid TESTAD\\testuser fails. Obviously I have to set some idmap parameters explicitly (the defaults clearly don't work at all), but how?
Edit 3: I have added these two lines to smb.conf:
idmap config * : backend = tdb
idmap config * : range = 10000-30000
Now wbinfo -i TESTDOMAIN\testuser reports a valid id, and a different one for each and every user. However I still have the same problems (all users mapping to nobody, id and getent not knowing AD users, etc.).
But getent passwd TESTAD\\testuser fails:
# getent passwd TESTAD\\testuser
# echo $?
2
I can connect to the server with smbclient using any AD account:
# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password:
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
. D 0 Fri Feb 17 16:23:04 2017
.. D 0 Wed Feb 1 16:47:02 2017
test.txt N 5 Fri Feb 17 14:38:21 2017
popo D 0 Fri Feb 17 16:23:04 2017
117125466112 blocks of size 1024. 117052392484 blocks available
smb: \>
However, the connection is mapped to nobody/nogroup, and files that get created are owned by nobody as well. Windows machines cannot connect with any AD account. If I create a local account with smbpasswd -a <user>, they can connect with it, but their connection parameters, files, etc. are still mapped to nobody, even though the account also exists locally.
This is the current smb.conf (as close to the defaults as possible):
[global]
workgroup = TESTAD
realm = TESTAD.lan
server role = member server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
inherit permissions = Yes
inherit acls = Yes
[DATA]
path = /mnt/raid/
read only = No
guest ok = Yes
This is /etc/nsswitch.conf (I have already tried adding and removing 'winbind' from shadow, no change at all):
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
I don't understand why authentication never seems to go through winbind. I'm desperate, any ideas?

I found the core problem: a missing package. Unfortunately, getting there was not easy; here is the final working configuration (thanks to Rowland Penny from samba.org):
Make sure you have all the required packages installed (the one that was missing is libnss-winbind):
apt-get install samba acl attr quota fam winbind libpam-winbind \
libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools
Stop the services:
service smbd stop
service nmbd stop
service winbind stop
Set up a proper smb.conf (especially the idmap parameters):
[global]
workgroup = TESTAD
security = ADS
realm = TESTAD.LAN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config TESTAD : backend = rid
idmap config TESTAD : range = 10000-999999
template shell = /bin/bash
template homedir = /home/TESTAD/%U
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
With that configuration, an additional /etc/samba/user.map file is needed, containing this line:
!root = TESTAD\Administrator TESTAD\administrator Administrator administrator
Don't forget to fill in /etc/krb5.conf correctly:
[libdefaults]
default_realm = TESTAD.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
Be careful: krb5.conf must be owned by root and readable by everyone (644 permissions).
Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat files winbind
group: compat files winbind
shadow: compat files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Now join the domain:
# net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'
Finally, start the services:
service smbd start
service nmbd start
service winbind start
getent passwd should now work with AD users:
# getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash
CAVEAT: because I had previously joined the AD without the necessary libraries installed, I had to reboot the system for it to authenticate users correctly after this setup!
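A pre-flight check script for the idmap ranges and the nsswitch entries that the answer depends on, added here as an example and not part of the original post; the sample configuration files it writes are constructed for the demonstration, and on a real member server the functions would be pointed at /etc/samba/smb.conf and /etc/nsswitch.conf:

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the two
# settings the answer relies on, the idmap ranges in smb.conf and the winbind
# entries in nsswitch.conf. Sample files are constructed below.

# Return 0 when every "idmap config <dom> : range = A-B" line in $1 is a sane
# range, no two ranges overlap, and at least one domain other than "*" has its
# own range; 1 otherwise (a missing range leaves users on uid 4294967295).
check_idmap_ranges() {
    awk '
    /^[ \t]*idmap config/ && /range/ {
        s = $0; sub(/^[ \t]*idmap config[ \t]*/, "", s)
        split(s, kv, "="); dom = kv[1]; sub(/[ \t]*:.*/, "", dom)
        gsub(/[ \t]/, "", kv[2]); split(kv[2], r, "-")
        if (r[1] == "" || r[2] == "" || r[1] + 0 > r[2] + 0) { bad = 1; exit }
        n++; lo[n] = r[1] + 0; hi[n] = r[2] + 0; if (dom != "*") domains++
    }
    END {
        if (bad || n == 0 || domains == 0) exit 1
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) exit 1
        exit 0
    }' "$1"
}

# Return 0 when both the passwd and group lines of nsswitch file $1 list
# winbind, 1 otherwise (without them getent fails with status 2 as in the question).
check_nsswitch_winbind() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" || return 1
    done
}

# Constructed samples: the questioner's first smb.conf (no range at all),
# an overlapping pair, and the working rid setup from the answer.
tmp=$(mktemp -d)
printf '%s\n' '[global]' 'idmap config * : backend = tdb' > "$tmp/noranges.conf"
printf '%s\n' 'idmap config * : range = 2000-9999' \
    'idmap config TESTAD : range = 9000-20000' > "$tmp/overlap.conf"
printf '%s\n' 'idmap config *:backend = tdb' 'idmap config *:range = 2000-9999' \
    'idmap config TESTAD : backend = rid' \
    'idmap config TESTAD : range = 10000-999999' > "$tmp/good.conf"
printf '%s\n' 'passwd: compat files winbind' 'group: compat files winbind' > "$tmp/nss.conf"
for f in noranges overlap good; do
    check_idmap_ranges "$tmp/$f.conf" && echo "$f: idmap ranges ok" || echo "$f: idmap ranges BAD"
done
check_nsswitch_winbind "$tmp/nss.conf" && echo "nsswitch: winbind ok"
```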