我对 Samba 还很陌生,在允许域用户访问共享方面遇到了麻烦。我已将我的 Samba 服务器 (centos 7) 作为域成员链接到我的 AD。命令 # 领域列表显示了正确的信息,但是 ID 用户名没有显示正确的信息,但 net ads user -U admin -I serverip 确实显示了所有域用户。在 Windows 中,在共享权限中并为域用户添加组对象时,我以以下身份登录[电子邮件保护](但是我不认为这是在运行身份验证,因为其他域管理员无法登录)我单击“确定”,然后 mydomain\ 域用户会填充,因此它知道我正在使用域,但点击“应用”时显示访问被拒绝。如果我需要粘贴配置文件,请让我知道,我已附加了我认为相关的配置文件
smb配置文件
See smb.conf.example for a more detailed config
file or
read the smb.conf manpage.
Run 'testparm' to verify the config is correct
after
you modified it.
[global]
workgroup = GBZ
security = ADS
realm = GBZ.COM
#netbios name = smb.gbz.com
password server = AD.GBZ.COM
log file = /var/log/samba/log.%m
max log size = 50
unix extensions = No
client signing = required
local master = no
domain master = no
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
idmap config * : range = 16777216-33554431
idmap config * : backend = ad.gbz.com
cups options = raw
root preexec = /usr/local/sbin/mkhomedir.sh %U
usershare allow guests = yes
os level = 20
map to guest = bad user
host msdfs = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[cnc]
path = /srv/samba/cnc
browseable = yes
writable = yes
guest ok = yes
read only = no
public = yes
valid users = @"GBZ+Domain Users"
admin users = @"GBZ+Domain Admins"
[public]
path = /srv/samba/public
browseable = yes
writable = yes
guest ok = yes
read only = no
public = yes
valid users = @"GBZ+domain users"
admin users = @"GBZ+Domain Admins"
[hr]
path = /srv/samba/hr
comment = Sensitive infomation, authorization is required.
read only = no
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
krb5配置文件
# Configuration snippets may be placed in this directory as well
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
ticket_lifetime = 600
defualt_realm = GBZ.COM
dns_lookup_realm = false
dns_lookup_kdc = true
defualt_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
defualt_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
GBZ.COM = {
defualt_domain = gbz.com
}
[domain_realm]
.gbz.com = GBZ.COM
gbz.com = GBZ.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
defualt = FILE:/var/log/krb5lib.logog
nsswitch.conf
passwd: compat files winbind
shadow: compat files winbind
group: compat files
#initgroups: files sss
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: db files
networks: db files
protocols: db files
rpc: db files
services: db files
netgroup: nis
publickey: nisplus
automount: files sss
aliases: files nisplus
非常感谢任何帮助