我的系统:
# cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# smbd -V
Version 4.13.13-Debian
OpenLDAP 2.4.57+dfsg-3+deb11u1
我的问题:我在一台服务器上的openldap() 中定义了许多用户vogon
,在另一个系统上有一个 samba 服务器knox
。当我使用现有用户连接到 samba 时jan
,它工作正常:
# smbclient //knox/homes -U jan -W ZOMBIE
Enter ZOMBIE\jan's password:
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\knox\homes\
smb: \>
但是,当我在 LDAP 中创建新用户时zzuser
,我得到:
# smbclient //knox/homes -U zzuser -W ZOMBIE
Enter ZOMBIE\zzuser's password:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
并在/var/log/samba/log.192.168.50.109
:
...
[2023/04/11 10:06:56.594913, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2023/04/11 10:06:56.594949, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope => [2]
[2023/04/11 10:06:56.595600, 4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
[2023/04/11 10:06:56.595645, 4, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/04/11 10:06:56.595656, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:398(check_sam_security)
check_sam_security: Couldn't find user 'zzuser' in passdb.
[2023/04/11 10:06:56.595665, 5, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
auth_check_ntlm_password: sam_ignoredomain authentication for user [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595676, 2, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [zzuser] -> [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595704, 2, pid=1089697, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [ZOMBIE]\[zzuser] at [Tue, 11 Apr 2023 10:06:56.595692 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [JAN] remote host [ipv4:192.168.50.106:60046] mapped to [ZOMBIE]\[zzuser]. local host [ipv4:192.168.50.7:445]
{"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595822, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
auth3_check_password_send: Checking NTLMSSP password for ZOMBIE\zzuser failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595832, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
No such user zzuser [ZOMBIE] - using guest account
...
zzuser
这与系统众所周知的事实形成鲜明对比:
# id zzuser
uid=1104(zzuser) gid=100(users) groups=100(users)
# echo ~zzuser
/knox/home/zzuser
# su - zzuser
zzuser@knox:~$ passwd
Current Password:
New password:
Retype new password:
passwd: password updated successfully
另一方面:
zzuser@knox:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 58 95 CD A8 66 08 74 38 19 A3 59 52 1E BE 15 28 X...f.t8 ..YR...(
Could not connect to machine 127.0.0.1: NT_STATUS_ACCESS_DENIED
作为根:
# smbpasswd zzuser
New SMB password:
Retype new SMB password:
Failed to find entry for user zzuser.
那么这是怎么回事呢?我似乎记得我jan
过去向 samba 添加了用户,这可能是区别,但如果 samba 需要这样才能运行,那么使用 LDAP 的全部意义就消失了。