我遇到了一个非常令人沮丧的问题,我试图解决几天了,也许你们中的一个可以帮助我。
我有两个(独立的)samba 服务器,它们应该使用 LDAP 服务器对用户进行身份验证。两个 samba 服务器都正确地使用 LDAP 进行 nss 和 unix 用户身份验证(即 ssh 适用于所有 LDAP 用户,getent passwd/group 显示所有用户/组)。但是,samba 仅在服务器 1 上工作,而不在服务器 2 上工作,因此我得到
[2013/06/06 19:03:06.972236, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [XXX]\[xxx]@[XXX] with the new password interface
[2013/06/06 19:03:06.972266, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [YYY]\[xxx]@[XXX]
[2013/06/06 19:03:06.972311, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/06/06 19:03:06.972334, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/06/06 19:03:06.972351, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/06/06 19:03:06.972395, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/06/06 19:03:06.972414, 3] auth/auth_sam.c:399(check_sam_security)
check_sam_security: Couldn't find user 'xxx' in passdb.
[2013/06/06 19:03:06.972432, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [xxx] -> [xxx] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/06/06 19:03:06.972463, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
smb.conf 的一般部分是确切地两台服务器上的情况相同。但是,服务器 1 正确使用了 LDAP:
[2013/06/06 19:15:38.458920, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [YYY]\[xxx]@[XXX] with the new password interface
[2013/06/06 19:15:38.458941, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [XXX]\[xxx]@[XXX]
[2013/06/06 19:15:38.458961, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/06/06 19:15:38.458974, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/06/06 19:15:38.458987, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/06/06 19:15:38.465392, 3] lib/smbldap.c:735(smb_ldap_start_tls)
StartTLS issued: using a TLS connection
[2013/06/06 19:15:38.479800, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2013/06/06 19:15:38.481107, 3] lib/smbldap.c:1166(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2013/06/06 19:15:38.481136, 4] lib/smbldap.c:1242(smbldap_open)
The LDAP server is successfully connected
[2013/06/06 19:15:38.481922, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: ldaplookup
唯一显著的区别是服务器 1 是带有 samba 3.5.6 的 debian 6.0.3,服务器 2 是带有 samba 3.5.10 的 CentOS 6.3。ldap 和 pam 的配置文件位于不同位置,但 samba 在我看来是相同的。以下是没有共享的 smb.conf:
[global]
workgroup = XXX
server string = %h server
dns proxy = no
name resolve order = lmhosts host wins bcast
hosts allow = 127.0.0.0/8 192.168.99.0/24 172.24.0.0/16 172.25.0.0/16 172.30.0.0/16
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap ssl = start tls
ldap debug level = 4
log level = 4
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
过去几天我一直在查阅指南和教程,但大多数都使用了 winbind 和 idmap,但由于我的设置只适用于一台服务器,因此我认为不需要设置其他服务。配置中一定存在我看不到的错误。由于我之前只使用 debian 和 ubuntu 作为服务器操作系统,所以我不知道我是否遗漏了一些必须在 centOS 中启用/禁用/更改的简单功能。
更改配置后,我在两台服务器上重新加载了(但没有重新启动)samba 服务。接下来的几天内无法重新启动,因为用户每天 24 小时都在工作,重新启动会导致连接断开。但是,根据 log.smbd,配置已更新:
[2013/06/06 19:44:15.896620, 3] param/loadparm.c:7873(do_section)
Processing section "[global]"
...
doing parameter passdb backend = ldapsam:ldap://myldapserver
doing parameter ldap suffix = dc=mydomain,dc=com
...
更改调试级别等内容有效。这可能是问题所在,即重新加载仅重新加载配置的某些部分,而不是全部?
我非常感谢你的每一个提示!