非标准目录中的 Solaris 11 和 samba4，除 Finger 外均适用

Question 1

如果您正确设置了 smb.conf，并且不将 winbind ldap 后端与 Samba AD 一起使用，那么它可能会有所帮助，并且您应该只使用“winbind enum”行进行测试。试试这个 smb.conf：

[global]
workgroup = MYDOM
server string = solaris11
realm = MYDOM.PRIV
security = ads
hosts allow = 10.3.0.
log file = /var/opt/gm/log/samba/samba.%m
max log size = 50
dns proxy = no 
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
restrict anonymous = 2
log level = 1
server min protocol = SMB3
client max protocol = SMB3
local master = No
preferred master = No
bind interfaces only = Yes
local master = No
preferred master = No
winbind use default domain = Yes
template homedir = /export/home/%U
template shell = /usr/bin/bash

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-20000

最后，从 /etc/nsswitch.conf 中删除“wins”

Answer

如果您正确设置了 smb.conf，并且不将 winbind ldap 后端与 Samba AD 一起使用，那么它可能会有所帮助，并且您应该只使用“winbind enum”行进行测试。试试这个 smb.conf：

[global]
workgroup = MYDOM
server string = solaris11
realm = MYDOM.PRIV
security = ads
hosts allow = 10.3.0.
log file = /var/opt/gm/log/samba/samba.%m
max log size = 50
dns proxy = no 
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
restrict anonymous = 2
log level = 1
server min protocol = SMB3
client max protocol = SMB3
local master = No
preferred master = No
bind interfaces only = Yes
local master = No
preferred master = No
winbind use default domain = Yes
template homedir = /export/home/%U
template shell = /usr/bin/bash

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-20000

最后，从 /etc/nsswitch.conf 中删除“wins”

Question 2

找到解决方案。是 winbind 缓存文件的问题，而不是库的问题。在 smb.conf 上添加这些行后

# Winbind
winbind enum groups = yes
winbind enum users = yes

重新启动 winbind inger 可以正常工作，getent passwd 和 getent group 也可以正常工作。

finger pino
Login name: pino                        
Directory: /export/home/pino            Shell: /usr/bin/bash
Never logged in.
No unread mail
No Plan.

如果有兴趣，这是我的 Solaris 11 客户端的 smb.conf

[global]
workgroup = MYDOM
server string = solaris11
netbios name = SOLARIS11
server role = standalone server
hosts allow = 10.3.0.
log file = /var/opt/gm/log/samba/samba.%m
max log size = 50
realm = mydom.priv
dns proxy = no 
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
restrict anonymous = 2
log level = 1
server min protocol = SMB3
client max protocol = SMB3
name resolve order = bcast lmhosts host wins
local master = No
preferred master = No
bind interfaces only = Yes
local master = No
preferred master = No
winbind use default domain = Yes
ldap admin dn = cn=ldapadm,dc=ldap2,dc=mydom,dc=priv
security = ads
ldap ssl = start tls
tls verify peer = no_check
template homedir = /export/home/%U
template shell = /usr/bin/bash
password hash userPassword schemes = CryptSHA512:rounds=7000

# Winbind
winbind enum groups = yes
winbind enum users = yes

idmap config * : backend      = ldap
idmap config * : range        = 10000-20000
idmap config * : ldap_url     = ldap://ldap2.mydom.priv
idmap config * : ldap_base_dn = ou=idmap,dc=ldap2,dc=mydom,dc=priv
idmap config * : ldap_user_dn = cn=ldapadm,dc=ldap2,dc=mydom,dc=priv

Answer

找到解决方案。是 winbind 缓存文件的问题，而不是库的问题。在 smb.conf 上添加这些行后

# Winbind
winbind enum groups = yes
winbind enum users = yes

重新启动 winbind inger 可以正常工作，getent passwd 和 getent group 也可以正常工作。

finger pino
Login name: pino                        
Directory: /export/home/pino            Shell: /usr/bin/bash
Never logged in.
No unread mail
No Plan.

如果有兴趣，这是我的 Solaris 11 客户端的 smb.conf

[global]
workgroup = MYDOM
server string = solaris11
netbios name = SOLARIS11
server role = standalone server
hosts allow = 10.3.0.
log file = /var/opt/gm/log/samba/samba.%m
max log size = 50
realm = mydom.priv
dns proxy = no 
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
restrict anonymous = 2
log level = 1
server min protocol = SMB3
client max protocol = SMB3
name resolve order = bcast lmhosts host wins
local master = No
preferred master = No
bind interfaces only = Yes
local master = No
preferred master = No
winbind use default domain = Yes
ldap admin dn = cn=ldapadm,dc=ldap2,dc=mydom,dc=priv
security = ads
ldap ssl = start tls
tls verify peer = no_check
template homedir = /export/home/%U
template shell = /usr/bin/bash
password hash userPassword schemes = CryptSHA512:rounds=7000

# Winbind
winbind enum groups = yes
winbind enum users = yes

idmap config * : backend      = ldap
idmap config * : range        = 10000-20000
idmap config * : ldap_url     = ldap://ldap2.mydom.priv
idmap config * : ldap_base_dn = ou=idmap,dc=ldap2,dc=mydom,dc=priv
idmap config * : ldap_user_dn = cn=ldapadm,dc=ldap2,dc=mydom,dc=priv

非标准目录中的 Solaris 11 和 samba4，除 Finger 外均适用

答案1

答案2

相关内容