CentOS 7 SSSD AD with Samba shares


I followed the tutorial on this website to install SSSD (without Winbind) in order to join a Windows Server 2008 domain. It was a great success. Before that I tried to set up shared folders with Zentyal, but without success... Zentyal always showed errors...

I wanted to do this with a GUI, but after failing with Webmin Samba and Zentyal, the only option left to me was to set everything up command by command and write smb.conf by hand. Fortunately, the tutorial joined the domain without any problem, and I was able to set up the Samba shares.


Here is the smb.conf:

[global]
        workgroup = ADDOMAIN
        server string = Samba Server Version %v
        security = ads
        # encrypt passwords = yes
        # passdb backend = tdbsam
        idmap config * : backend = tdb
        realm = addomain.tld
        access based share enum = yes

        # this is just a member server
        domain master = no
        local master = no
        preferred master = no

        # in my test network I could not get AD authentication for smb shares to work
        # without adding "kerberos method = secrets and keytab"
        kerberos method = secrets and keytab

        # Add the IPs / network ranges / subnets allowed access to the server in general.
        # this is not a necessary entry but in general a good idea.
        # hosts allow = 127. your local network info

        # log files split per-machine:
        log file = /var/log/samba/log.%m

        # enable the following line to debug:
        # log level = 3
        # maximum size of 50KB per log file, then rotate:
        max log size = 50

        # Not interested in printers
        load printers = no
        cups options = raw

        # This stops an annoying message from appearing in logs
        printcap name = /dev/null

        # File shares. Under "valid users" I put a group. If you create a group for samba in
        # active directory and add users to it, those users will be able to access smb
        # shares from this server over the network.

[guest]
        comment = guest
        path = /home/samba/guest
        public = yes
        readonly = no
        writable = yes
        guest ok = yes

[admin]
        comment = admin
        path = /home/samba/admin
        public = no
        readonly = no
        writable = yes
        guest ok = no
        valid users = @"admingp@addomain.tld"

There is a user ADDOMAIN\admintest (or admintest@addomain.tld) who logs in to a Windows PC and tries to access the "Admin" shared folder, but access is denied. The log shows "NT_STATUS_ACCESS_DENIED". But I am sure that account is in that group.

To make sure that AD and the user information are synced to my CentOS 7, I changed valid users from @"admingp@addomain.tld" to "admintest@addomain.tld". The user can then access the shared folder.

Then I tried to troubleshoot the problem with the id command. I had already modified sssd.conf so that fully qualified names are not needed. So...

# id admintest

  uid=821800500(admintest) gid=821800513(domain users) groups=821800513(domain users)

This is really strange. Yes, the account is in Domain Users, but it also belongs to several other groups, including "admingp".

Then I used the "getent" command to show the group members.

# getent group admingp
  admingp:*:821808307:administrator,admintest,ben, ... (etc)

So there it is, admintest is in the group. Since it is also in the Domain Users group, I tried modifying smb.conf again, changing valid users to @"domain users@addomain.tld", and guess what? The shared folder is accessible.

So I can conclude that smb.conf is fine and AD authentication is fine. But as you may have noticed, id admintest only shows the first matching group. The others are skipped, so I cannot set up shared folders with group permissions. And I have dozens of groups and dozens of shared folders there; I cannot simply implement them one by one.

Finally I tested the id command on a local account. The Linux account "support" belongs to 2 groups: one is "support" itself, the other is "wheel".

# id support
  uid=1000(support) gid=1000(support) groups=1000(support),10(wheel)

Linux users are not affected. So... what is wrong? I have attached sssd.conf here. Please take a look.

[sssd]
domains = addomain.tld
config_file_version = 2
services = nss, pam

[domain/addomain.tld]
ad_domain = addomain.tld
krb5_realm = ADDOMAIN.TLD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True

# use_fully_qualified_names = True
# fallback_homedir = /home/%u@%d

use_fully_qualified_names = False
fallback_homedir = /home/%u

enumerate = True
access_provider = simple
# access_provider = ldap

Thanks a lot.
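An added troubleshooting helper that is not part of the question and not a Samba or SSSD tool: it reads a share's "valid users" line out of smb.conf text and reports, for each required group, whether `getent group` and `id` agree that the user is a member, which is exactly the discrepancy described above. The smb.conf text, getent output and id group list below are constructed samples mirroring the values quoted in the question; on a real host you would pass the output of `getent group` and `id -nG "$user"` instead.

```sh
#!/bin/sh
# Constructed sample inputs mirroring the outputs quoted in the question.
SAMPLE_SMB_CONF='[admin]
        path = /home/samba/admin
        valid users = @"admingp@addomain.tld", "admintest@addomain.tld"'
SAMPLE_GETENT='admingp:*:821808307:administrator,admintest,ben
domain users:*:821800513:'
# `id admintest` in the question listed only the primary group.
SAMPLE_ID_GROUPS='domain users'

# share_groups CONF SHARE: print each @group in the share's "valid users" line,
# with the quotes and the @realm suffix stripped (one group per line).
share_groups() {
  printf '%s\n' "$1" | awk -v share="[$2]" '
    $0 == share { in_share = 1; next }
    /^\[/ { in_share = 0 }
    in_share && /^[ \t]*valid users[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
      n = split($0, items, /,[ \t]*/)
      for (i = 1; i <= n; i++) if (items[i] ~ /^@/) {
        gsub(/^@"|"$/, "", items[i]); sub(/@.*/, "", items[i]); print items[i]
      }
    }'
}

# getent_has GETENT_OUTPUT GROUP USER: exit 0 when USER is a listed member of GROUP.
getent_has() {
  printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }' | tr ',' '\n' | grep -qxF -- "$3"
}
# id_has ID_GROUPS GROUP: exit 0 when GROUP appears in the `id -nG`-style list.
id_has() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# check_share CONF GETENT ID_GROUPS SHARE USER: one line per required group;
# exit 1 when getent and id disagree about membership (the symptom above).
check_share() {
  status=0
  while IFS= read -r g; do
    [ -n "$g" ] || continue
    if getent_has "$2" "$g" "$5"; then ge=yes; else ge=no; fi
    if id_has "$3" "$g"; then idg=yes; else idg=no; fi
    printf '%s: getent=%s id=%s\n' "$g" "$ge" "$idg"
    [ "$ge" = "$idg" ] || status=1
  done <<EOF
$(share_groups "$1" "$4")
EOF
  return $status
}
# With the constructed data this prints "admingp: getent=yes id=no" and returns 1.
check_share "$SAMPLE_SMB_CONF" "$SAMPLE_GETENT" "$SAMPLE_ID_GROUPS" admin admintest || :
```

A "getent=yes id=no" line means the directory knows the membership but the NSS initgroups path used by the session does not, so a share protected by that group will deny the user even though `getent group` looks correct.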
