Samba、winbind 和 AD 身份验证:此系统上的用户名无效

Samba、winbind 和 AD 身份验证:此系统上的用户名无效

我正在尝试使用 Samba 和 Winbind 设置具有 Active Directory 身份验证的文件服务器。

域控制器是 Windows 2000 SP4(不作判断)。
文件服务器是 Debian 7.7(最新稳定版)。这是全新安装,仅安装了一些指南库和依赖项推荐的程序。Samba 是从源代码构建的,具有以下参数:

./configure --with-acl-support --with-ads --with-shared-modules=idmap_ad --disable-cups --disable-iprint

 

root@this-server:~# samba --version
Version 4.1.13
root@this-server:~# winbindd --version
Version 3.6.6
root@this-server:~# klist -V
Kerberos 5 version 1.10.1

kinit 管理员、net ads join -k、net ads testjoin、getent passwd、getent group、wbinfo -u、wbinfo -g、id DomainUser、chown DomainUser:DomainGroup、chgrp DomainUser:DomainGroup - 全部正常,无错误。

我可以使用域凭据通过 ssh 登录。

smbclient -k -L any-other-host - 也有效。

然而...

root@this-server:~# smbclient -k -L this-server -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.104 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.1.13).
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name this-server<0x20>
Connecting to 192.168.1.104 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/this-server@MY-DOMAIN
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0.1] expiration Sat, 29 Nov 2014 02:29:49 MSK
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

(/usr/local/samba/etc/smb.conf 是 /usr/share/samba/smb.conf 的符号链接)

日志摘录:

[2014/11/28 16:46:58.430797,  1, pid=6006, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username MY-DOMAIN\Administrator is invalid on this system
[2014/11/28 16:46:58.430856,  1, pid=6006, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2014/11/28 16:46:58.430965,  1, pid=6006, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

以下是一些配置信息,大部分都是不相关的:

/etc/samba/smb.conf(这也是 /usr/share/samba/smb.conf 的符号链接)

[global]

   netbios name = this-server
   realm = MY-DOMAIN
   workgroup = MY-DOMAIN
   server string = %h server
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = ads
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

   winbind enum groups = yes
   winbind enum users = yes

   idmap config * : backend        = tdb
   idmap config * : range          = 20000-29999

   idmap config MY-DOMAIN : backend  = rid
   idmap config MY-DOMAIN : range    = 10000 - 19999

   winbind trusted domains only = no
   winbind use default domain = yes
   client use spnego = yes
   kerberos method = secrets and keytab

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   load printers = no
   printcap name = /dev/null
   log level = 10

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[demoshare]
   path = /srv/samba/test
   read only = no

/etc/hosts

127.0.0.1       localhost       localhost.localdomain
192.168.1.104   this-server.MY-DOMAIN        this-server
192.168.1.100   domain-controller.MY-DOMAIN  domain-controller

/etc/resolv.conf

nameserver 192.168.1.100
search MY-DOMAIN

/etc/nsswitch.conf

passwd:         files winbind
group:          files winbind
shadow:         files winbind

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

所有 /etc/pam.d/* 文件都是用 pam-auth-update 生成的,下面是其内容:

桑巴舞

@include common-auth
@include common-account
@include common-session-noninteractive

/etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

/etc/pam.d/通用帐户

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

/etc/pam.d/session-noninteractive

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so

/etc/pam.d/通用密码

password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

/etc/krb5.conf

[libdefaults]
default_realm = MY-DOMAIN

krb4_config = /etc/krb.
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
preferred_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MY-DOMAIN = {
        kdc = domain-controller.my-domain
        admin_server = domain-controller.my-domain
        default_domain = MY-DOMAIN
}

[domain_realm]
.my-domain = MY-DOMAIN
my-domain = MY-DOMAIN

这可能是什么问题?我该如何解决?

相关内容