New LDAP users cannot connect to [homes], but old users can?


My system:

# cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

# smbd -V
Version 4.13.13-Debian

OpenLDAP 2.4.57+dfsg-3+deb11u1

My problem: I have many users defined in openldap on one server (vogon), and a samba server on another system (knox). When I connect to samba with an existing user, jan, it works fine:

# smbclient //knox/homes -U jan -W ZOMBIE   
Enter ZOMBIE\jan's password: 
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\knox\homes\
smb: \> 

But when I create a new user, zzuser, in LDAP, I get:

# smbclient //knox/homes -U zzuser -W ZOMBIE
Enter ZOMBIE\zzuser's password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

and in /var/log/samba/log.192.168.50.109:

...
[2023/04/11 10:06:56.594913,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2023/04/11 10:06:56.594949,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope => [2]
[2023/04/11 10:06:56.595600,  4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
[2023/04/11 10:06:56.595645,  4, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/04/11 10:06:56.595656,  3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:398(check_sam_security)
  check_sam_security: Couldn't find user 'zzuser' in passdb.
[2023/04/11 10:06:56.595665,  5, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595676,  2, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [zzuser] -> [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595704,  2, pid=1089697, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [ZOMBIE]\[zzuser] at [Tue, 11 Apr 2023 10:06:56.595692 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [JAN] remote host [ipv4:192.168.50.106:60046] mapped to [ZOMBIE]\[zzuser]. local host [ipv4:192.168.50.7:445] 
  {"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595822,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
  auth3_check_password_send: Checking NTLMSSP password for ZOMBIE\zzuser failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595832,  3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
  No such user zzuser [ZOMBIE] - using guest account
...

This is in stark contrast to the fact that zzuser is well known to the system:

# id zzuser
uid=1104(zzuser) gid=100(users) groups=100(users)
# echo ~zzuser
/knox/home/zzuser
# su - zzuser
zzuser@knox:~$ passwd
Current Password: 
New password: 
Retype new password: 
passwd: password updated successfully

On the other hand:

zzuser@knox:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 58 95 CD A8 66 08 74 38   19 A3 59 52 1E BE 15 28   X...f.t8 ..YR...(
Could not connect to machine 127.0.0.1: NT_STATUS_ACCESS_DENIED

As root:

# smbpasswd zzuser
New SMB password:
Retype new SMB password:
Failed to find entry for user zzuser.

So what is going on here? I seem to remember that in the past I added the user jan to samba, which may be the difference, but if samba needs that in order to work, the whole point of using LDAP is lost.

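The smbd log above shows exactly which lookup fails: smbd searches LDAP with the filter (&(uid=zzuser)(objectclass=sambaSamAccount)), gets zero results, and the auth_audit record then reports NT_STATUS_NO_SUCH_USER. The following is an added diagnostic script, not code from the question or from Samba; the log lines and the two LDAP entries (jan with sambaSamAccount, zzuser as a plain posixAccount) are constructed from the post, and the JSON audit record is abridged.

```python
import json
import re

# Constructed sample: two lines quoted from the smbd log in the question plus an
# abridged copy of its auth_audit JSON record.
SAMPLE_LOG = [
    "  smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope => [2]",
    "  ldapsam_getsampwnam: Unable to locate user [zzuser] count=0",
    '  {"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "clientAccount": "zzuser", "clientDomain": "ZOMBIE", "remoteAddress": "ipv4:192.168.50.106:60046", "passwordType": "NTLMv2"}}',
]

# Constructed LDAP entries (assumption): jan was provisioned for Samba, zzuser only as a POSIX user.
SAMPLE_ENTRIES = {
    "jan": {"uid": ["jan"], "objectClass": ["posixAccount", "sambaSamAccount"]},
    "zzuser": {"uid": ["zzuser"], "objectClass": ["posixAccount"]},
}

FILTER_RE = re.compile(r"filter => \[(?P<filter>[^\]]+)\]")
MISS_RE = re.compile(r"ldapsam_getsampwnam: Unable to locate user \[(?P<user>[^\]]+)\] count=(?P<count>\d+)")


def passdb_misses(lines):
    """Pair each ldapsam passdb miss with the LDAP filter smbd issued just before it."""
    misses, last_filter = [], None
    for line in lines:
        if (m := FILTER_RE.search(line)):
            last_filter = m.group("filter")
        if (m := MISS_RE.search(line)):
            misses.append({"user": m.group("user"), "filter": last_filter})
    return misses


def failed_auths(lines):
    """Extract (account, status, remote address) from auth_audit JSON records that did not succeed."""
    out = []
    for line in lines:
        s = line.strip()
        if not s.startswith("{"):
            continue
        try:
            rec = json.loads(s)
        except json.JSONDecodeError:
            continue
        a = rec.get("Authentication", {})
        if rec.get("type") == "Authentication" and a.get("status") != "NT_STATUS_OK":
            out.append((a.get("clientAccount"), a.get("status"), a.get("remoteAddress")))
    return out


def missing_samba_objectclass(entries):
    """Users present in LDAP that can never match (objectclass=sambaSamAccount), i.e. invisible to ldapsam."""
    return sorted(u for u, e in entries.items()
                  if not any(oc.lower() == "sambasamaccount" for oc in e.get("objectClass", [])))
```

Run against a real smbd log (log level 4 or higher for the passdb class) and an LDIF export, the same three checks tell you whether a failing user is rejected because the account is absent from the Samba passdb rather than because of a wrong password or share name.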