Allow an AD group to access a samba share

On my Linux box I created a samba share like this, and it works fine.

[global]
    security = user
    passdb backend = tdbsam
    map to guest = Bad User
    guest account = mcms

[mml-t1]
    path = /var/lib/mcms/exports/TPMD01/mml
    writable = no
    guest ok = yes
    guest only = yes

Now, because of stricter security policies, new Windows 10 users get this error:

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

I would like to allow users based on a group in Active Directory. I tried this:

[mml-t1]
        path = /var/lib/mcms/exports/TPMD01/mml
        valid users = @T_UNIX_MCMS
        force user = mcms
        browseable = yes
        read only = yes
        guest ok = no

But it doesn't work, i.e. no connection. I also tried valid users = +"DOMAIN\T_UNIX_MCMS"

I need to configure the share correctly.

Important note: the Linux server is already joined to our AD. On the Linux server I can use su - domscheit with my Windows AD credentials and get a /home/domscheit; domscheit is in "domain users". (But domscheit is not a local user according to /etc/passwd.) The user mcms is a local user with read/write permission on /var/lib/mcms/exports/TPMD01/mml.

I am running Samba version 4.7.1

Update

Here is my log:

[2018/12/25 14:06:00.652804,  5] ../source3/auth/auth.c:524(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2018/12/25 14:06:00.652872,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend guest
[2018/12/25 14:06:00.652887,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'guest'
[2018/12/25 14:06:00.652923,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam
[2018/12/25 14:06:00.652934,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam'
[2018/12/25 14:06:00.653067,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam_ignoredomain
[2018/12/25 14:06:00.653125,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam_ignoredomain'
[2018/12/25 14:06:00.653258,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam_netlogon3
[2018/12/25 14:06:00.653317,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam_netlogon3'
[2018/12/25 14:06:00.653330,  5] ../source3/auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend winbind
[2018/12/25 14:06:00.653402,  5] ../source3/auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'winbind'
[2018/12/25 14:06:00.653453,  5] ../source3/auth/auth.c:400(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2018/12/25 14:06:00.653504,  5] ../source3/auth/auth.c:425(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2018/12/25 14:06:00.653577,  5] ../source3/auth/auth.c:400(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2018/12/25 14:06:00.653659,  5] ../source3/auth/auth.c:425(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2018/12/25 14:06:00.654557,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2018/12/25 14:06:00.654625,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2018/12/25 14:06:00.654683,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2018/12/25 14:06:00.654736,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2018/12/25 14:06:00.654795,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2018/12/25 14:06:00.654869,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2018/12/25 14:06:00.654921,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2018/12/25 14:06:00.654973,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2018/12/25 14:06:00.655023,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2018/12/25 14:06:00.655074,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2018/12/25 14:06:00.655126,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2018/12/25 14:06:00.655176,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2018/12/25 14:06:00.655292,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2018/12/25 14:06:00.655378,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism ntlmssp
[2018/12/25 14:06:00.682627,  5] ../source3/auth/auth.c:524(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2018/12/25 14:06:00.682682,  5] ../source3/auth/auth.c:400(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2018/12/25 14:06:00.682697,  5] ../source3/auth/auth.c:425(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2018/12/25 14:06:00.682734,  5] ../source3/auth/auth.c:400(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2018/12/25 14:06:00.682760,  5] ../source3/auth/auth.c:425(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2018/12/25 14:06:00.682863,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2018/12/25 14:06:00.682953,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism ntlmssp
[2018/12/25 14:06:00.682990,  3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_LM_KEY
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP_NEGOTIATE_56
[2018/12/25 14:06:00.705494,  3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[domscheit] domain=[SWI] workstation=[CWP1101] len1=24 len2=326
[2018/12/25 14:06:00.705925,  5] ../source3/auth/auth_util.c:122(make_user_info_map)
  Mapping user [SWI]\[domscheit] from workstation [CWP1101]
[2018/12/25 14:06:00.705951,  5] ../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for domscheit (domscheit)
[2018/12/25 14:06:00.705965,  5] ../source3/auth/user_info.c:72(make_user_info)
  making strings for domscheit's user_info struct
[2018/12/25 14:06:00.705988,  5] ../source3/auth/user_info.c:125(make_user_info)
  making blobs for domscheit's user_info struct
[2018/12/25 14:06:00.706006,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [SWI]\[domscheit]@[CWP1101] with the new password interface
[2018/12/25 14:06:00.706019,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SWI]\[domscheit]@[CWP1101]
[2018/12/25 14:06:00.706077,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'domscheit' in passdb.
[2018/12/25 14:06:00.706093,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [domscheit] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/25 14:06:00.706115,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [domscheit] -> [domscheit] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/25 14:06:00.706128,  3] ../source3/auth/auth_util.c:2214(do_map_to_guest_server_info)
  No such user domscheit [SWI] - using guest account
[2018/12/25 14:06:00.706186,  5] ../auth/ntlmssp/ntlmssp_server.c:1011(ntlmssp_server_postauth)
  server session key is invalid (len == 0), cannot do KEY_EXCH!
[2018/12/25 14:06:00.728317,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

I also tested with my personal account, valid users = SWI\\domscheit (and more variants), instead of the group name. Still always the same error.

getent group T_UNIX_MCMS and getent passwd domscheit both return valid entries.

Update 2

I think I found an important point: the server uses SSSD. I believe that is why the server got messed up when I installed "winbind" as suggested by many "how to..." pages. I had to restore the server from a backup to get it running again.

Answer 1

Good work.

[2018/12/25 14:06:00.706077,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'domscheit' in passdb.

This tells you that Samba's password database does not know about your user account. The reason is your security = user together with passdb backend = tdbsam (a local Samba user database, similar to but independent of /etc/passwd). Since your machine is already joined to the AD domain, you should set Samba up to recognise that and use it to your advantage.
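Added example, not from the question or this answer: a small Python lint that reads an smb.conf written the way the snippets above are and reports the combinations this page turns on: a standalone-server setup (security = user with the tdbsam passdb) paired with group or domain entries in valid users, guest-only shares that the Windows 10 policy rejects, and map to guest hiding failed logons. The SAMPLE_SMB_CONF string and the group-prefix heuristic are constructed for the example.

```python
import configparser

# Constructed sample: the asker's second attempt, still a standalone server
# (security = user, tdbsam) but with an AD group in valid users.
SAMPLE_SMB_CONF = """
[global]
    security = user
    passdb backend = tdbsam
    map to guest = Bad User
    guest account = mcms

[mml-t1]
    path = /var/lib/mcms/exports/TPMD01/mml
    valid users = @T_UNIX_MCMS
    force user = mcms
    read only = yes
    guest ok = no
"""

# Roles in which Samba authenticates against the domain rather than its local passdb.
DOMAIN_SECURITY_MODES = {"ads", "domain"}


def lint_smb_conf(text):
    """Return [(section, finding), ...] for the weaknesses discussed on this page."""
    # smb.conf is ini-like, but keys may contain ':' (idmap config X : backend), so only
    # '=' separates key and value; interpolation=None keeps %U-style macros literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    security = glob.get("security", "user").strip().lower()
    findings = []
    # Failed logons silently become guest: in the log, NO_SUCH_USER -> guest -> ACCESS_DENIED.
    if glob.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest turns failed logons into guest sessions, masking auth errors"))
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        if sec.get("guest ok", "no").strip().lower() == "yes":
            findings.append((share, "guest ok = yes relies on unauthenticated access, which Windows 10 now refuses"))
        # Heuristic: @/+/& prefixes name groups and a backslash means DOMAIN\name. Under
        # security = user the account must exist in the local passdb, so AD principals fail.
        tokens = sec.get("valid users", "").replace(",", " ").split()
        if security not in DOMAIN_SECURITY_MODES and any(
                t.startswith(("@", "+", "&")) or "\\" in t for t in tokens):
            findings.append((share, f"valid users names a group or domain account but security = {security} only checks the local passdb"))
    return findings
```

Running lint_smb_conf(SAMPLE_SMB_CONF) reports the global map to guest setting and the [mml-t1] valid users entry, which is exactly the NT_STATUS_NO_SUCH_USER path visible in the log above.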

Answer 2

Answer 3

I talked to one of our Linux admins. It looks like samba + sssd + winbind are not good friends, i.e. they do not work together. In newer Red Hat versions (> 7.2) it seems to be possible, but the configuration is a bit tricky.

Our site has many servers and we do not want individually configured single servers. I will wait until we find a generic, well-designed solution for the whole Linux environment. In the meantime I am looking for a different solution using Isilon storage.
