我在用着:
- FreeBSD 12.1 发布 p10 amb64
- 桑巴 4.10.17
- 固态硬盘1.11.7
我即将将 Active Directory 从 Windows 2012R2 升级到 Windows 2019。在我现有的设置中,我将 unix 属性添加到 2012 AD 中,并使用 Winbind 与 AD 集成。
在我的新设置中,我尝试使用 SSSD + Samba 与 AD 集成,而不使用 unix 属性。我已经能够设置 SSSD 并连接到 AD。我修改了 PAM 和 NSSwitch,以便我可以以 AD 用户身份登录,并像本地用户一样查询 AD 用户。
我有一个测试共享,它指向 ZFS Zvol,该 ZFS Zvol 将 aclmode 和 aclinherit 设置为直通。我只能让用户帐户正常工作;设置组 ACL 似乎未授予访问权限。
当我使用 setfacl 设置 ACL 时,它在 BSD 和 Windows 服务器上都能正常工作。在 Windows 端,如果我查看属性 -> 安全选项卡,用户显示为“用户名 [Unix 用户\用户名]”,而不是“全名 [[电子邮件受保护]]”在我的 Windows 2012R2 设置中。
我在日志中找不到任何有用的东西。我无法发现问题所在,但相信组/acl 问题和 Windows/Samba 无法识别设置为 AD 用户而不是 Unix 用户的用户/组都是问题的症状。
krb5.conf
[libdefaults]
default_realm = DERP.WHATEVER.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
[domain_relay]
[appdefaults]
pam = {
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
}
nsswitch.conf
group: files sss
group_compat: files
hosts: files dns
networks: files
passwd: files sss
passwd_compat: files
shells: files
services: compat
services_compat: files
protocols: files
rpc: files
pam.d/系统
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
# account
account required pam_login_access.so
account required pam_unix.so
account sufficient pam_sss.so
# session
session required pam_lastlog.so no_fail
account sufficient pam_sss.so
session required pam_mkhomedir.so umask=0700
#password
password required pam_unix.so no_warn try_first_pass nullok use_authtok
password sufficient pam_sss.so use_authtok
smb4配置文件
[global]
log level = 4
client signing = yes
client use spnego = yes
security = ads
server string = my-server
workgroup = DERP
log file = /var/log/samba4/log.%m
max log size = 50
realm = DERP.WHATEVER.COM
kerberos method = secrets and keytab
[test]
path = /data/test
admin users = @"domain admins"
browseable = yes
create mask = 0775
csc policy = disable
directory mask = 0775
map acl inherit = yes
map archive = No
map readonly = no
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
nt acl support = yes
posix locking = yes
public = yes
strict locking = no
store dos attributes = yes
vfs objects = zfsacl full_audit
writable = yes
## ACL inheritance is done by ZFS
inherit acls = no
## Avoid chmod(2) that breaks ACL
inherit permissions = no
force create mode = 00000
force directory mode = 00000
store dos attributes = yes
## ZFS ACL implements "write_acl" and "write_owner" permissions that
## is compatible with Windows (NT) ACL better than "dos filemode = yes"
dos filemode = no
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir open close
full_audit:failure = mkdir rename unlink rmdir open close
full_audit:facility = local7
full_audit:priority = NOTICE
veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/desktop.ini/