Samba: AD group cannot access share

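I have a CentOS server joined to an AD domain with realm(8) using sssd(8). I don't have winbind installed, though. I can log in to this CentOS server normally as an AD domain user. I set up a samba share on this server to try to serve files to users in the domain. I have tried many samba configurations; my latest one is this: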

[global]
workgroup = MYDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = MYDOMAIN.LOCAL.FQDN
security = ads
log file = /var/log/samba/log.%m
log level =3
passdb backend = tdbsam
encrypt passwords = yes

[myshare]
        path = /myshare/
        browsable =yes
        write list=@mygroup
        writable = yes
        read only = yes
        # below are 3 attempts to allow my group
        valid users=@"[email protected]" @"mygroup" @"mydomain\mygroup"

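When I use a Windows 10 PC, I go to \\myCentOSserver\ and it opens the list of shares on the server, which includes myshare. When I double-click it, a window pops up telling me the logon failed and asking for a username and password, even though I am already logged in as a user who is a member of the mygroup AD group.

My samba log file is: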

# cat /var/log/samba/log.192.168.15.123
[2019/02/25 18:25:13.655237,  3] ../source3/smbd/oplock.c:1340(init_oplocks)
  init_oplocks: initializing messages.
[2019/02/25 18:25:13.655467,  3] ../source3/smbd/process.c:1958(process_smb)
  Transaction 0 of length 159 (0 toread)
[2019/02/25 18:25:13.655511,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 34286) conn 0x0
[2019/02/25 18:25:13.657361,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2019/02/25 18:25:13.657416,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [LANMAN1.0]
[2019/02/25 18:25:13.657442,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2019/02/25 18:25:13.657465,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [LM1.2X002]
[2019/02/25 18:25:13.657488,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [LANMAN2.1]
[2019/02/25 18:25:13.657511,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [NT LM 0.12]
[2019/02/25 18:25:13.657534,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [SMB 2.002]
[2019/02/25 18:25:13.657580,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [SMB 2.???]
[2019/02/25 18:25:13.657823,  3] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2019/02/25 18:25:13.660341,  3] ../source3/smbd/negprot.c:761(reply_negprot)
  Selected protocol SMB 2.???
[2019/02/25 18:25:13.663491,  3] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2019/02/25 18:25:13.676251,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: Adriano.Pinaffo [PINAFFO, Adriano]
[2019/02/25 18:25:13.676326,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [[email protected]]
[2019/02/25 18:25:13.678238,  3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/02/25 18:25:13.678398,  3] ../source3/param/loadparm.c:547(init_globals)
  Initialising global parameters
[2019/02/25 18:25:13.678599,  3] ../source3/param/loadparm.c:2782(lp_do_section)
  Processing section "[global]"
[2019/02/25 18:25:13.678774,  2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[myshare]"
[2019/02/25 18:25:13.678971,  3] ../source3/param/loadparm.c:1617(lp_add_ipc)
  adding IPC service
[2019/02/25 18:25:13.679817,  1] ../source3/param/loadparm.c:2488(lp_idmap_range)
  idmap range not specified for domain '*'
[2019/02/25 18:25:13.680644,  3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'myuser' using home directory: '/home/mydomain.local.fqdn/myuser'
[2019/02/25 18:25:13.685042,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.685174,  3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2019/02/25 18:25:13.685247,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2019/02/25 18:25:13.685297,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2019/02/25 18:25:13.685493,  3] ../source3/smbd/service.c:841(make_connection_snum)
  192.168.15.123 (ipv4:192.168.15.123:2551) connect to service IPC$ initially as user myuser (uid=1953615494, gid=1953600513) (pid 34286)
[2019/02/25 18:25:13.688823,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |myshare| in dfs path \mycentosserver\myshare is not a dfs root.
[2019/02/25 18:25:13.688886,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2019/02/25 18:25:13.689039,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |myshare| in dfs path \mycentosserver\myshare is not a dfs root.
[2019/02/25 18:25:13.689094,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2019/02/25 18:25:13.692620,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.692717,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.695607,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.700832,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.702335,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.702388,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.702462,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:13.705850,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.705939,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.709969,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.714254,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.715363,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.715434,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.715538,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:13.719135,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |myshare| in dfs path \mycentosserver\myshare is not a dfs root.
[2019/02/25 18:25:13.719220,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2019/02/25 18:25:13.719399,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |myshare| in dfs path \mycentosserver\myshare is not a dfs root.
[2019/02/25 18:25:13.719458,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2019/02/25 18:25:13.722522,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.722632,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.725278,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.729162,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.730606,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.730700,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.730803,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:13.734060,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.734146,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.737530,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.743056,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.745052,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.745105,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.745176,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:13.749224,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |myshare| in dfs path \mycentosserver\myshare is not a dfs root.
[2019/02/25 18:25:13.749304,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2019/02/25 18:25:13.752605,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.752686,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.755528,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.760950,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.762243,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.762293,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.762362,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:13.765697,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.765791,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.768600,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.773398,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.774735,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.774806,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.774926,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:13.779205,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |myshare| in dfs path \mycentosserver\myshare is not a dfs root.
[2019/02/25 18:25:13.779280,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2019/02/25 18:25:13.783652,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.783720,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @[email protected] is not in a valid format
[2019/02/25 18:25:13.786662,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.792866,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.794993,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.795046,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 18:25:13.795318,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:138
[2019/02/25 18:25:24.362427,  3] ../source3/smbd/service.c:1120(close_cnum)
  192.168.15.123 (ipv4:192.168.15.123:2551) closed connection to service IPC$
[2019/02/25 18:25:24.368723,  3] ../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

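It says the format is invalid for all 3 attempts to use the AD group. Now, if I put my username directly (without the "@" sign) in the valid users section of smb.conf, or @"Domain Users", I can access the share with no problem. So, how do I specify just one AD group?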
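For triaging a log like the one in the question, the following is an added example (not part of the original post): a small parser for the smbd log format shown above that pairs each share denial with the `valid users` entries smbd reported just before it. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the smbd log format shown above:
# a "[timestamp, level] file:line(function)" header, then an indented message.
SAMPLE_LOG = r"""[2019/02/25 18:25:13.692620,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.15.123 (192.168.15.123)
[2019/02/25 18:25:13.692717,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mygroup is not in a valid format
[2019/02/25 18:25:13.700832,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @mydomain\mygroup is not in a valid format
[2019/02/25 18:25:13.702335,  2] ../source3/smbd/service.c:349(create_connection_session_info)
  user 'myuser' (from session setup) not permitted to access this share (myshare)
[2019/02/25 18:25:13.702388,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+\S+?:\d+\((?P<func>\w+)\)\s*$")
SID_MISS = re.compile(r"string_to_sid: SID (.+) is not in a valid format")
DENIED = re.compile(r"user '(.+?)' \(from session setup\) not permitted to access this share \((.+?)\)")

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]), "func": m["func"], "msg": ""})
        elif entries and line.startswith(" "):
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize_denials(entries):
    """For every share denial, list the names smbd logged as non-SIDs just before it."""
    denials, tried = [], []
    for e in entries:
        if e["func"] == "allow_access":
            tried = []  # a new connection attempt starts here
        elif (m := SID_MISS.search(e["msg"])):
            tried.append(m.group(1))
        elif (m := DENIED.search(e["msg"])):
            denials.append({"ts": e["ts"], "user": m.group(1), "share": m.group(2), "tried": tried})
            tried = []
    return denials

if __name__ == "__main__":
    for d in summarize_denials(parse_entries(SAMPLE_LOG)):
        print(f'{d["ts"]} {d["user"]} denied on [{d["share"]}] after trying: {", ".join(d["tried"])}')
```
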
