使用 SAMBA、Winbind 和 SSS 进行 AD 身份验证

使用 SAMBA、Winbind 和 SSS 进行 AD 身份验证

我在使用 AD 对 Linux 服务器上的 SAMBA 共享进行身份验证时遇到了问题。

身份验证似乎有效,但只完成了一半……

[root@myserver ~]# wbinfo -a my_ad_user%password123
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@myserver ~]# wbinfo -i my_ad_user
Could not get info for user my_ad_user << weird
[root@myserver ~]# getent passwd my_ad_user
my_ad_user:*:1256023472:1256023469:my name:/:
[root@myserver ~]# 

这很奇怪,因为看起来一切都正常除了的输出wbinfo -i <any_ad_user_name>。其他wbinfo查询似乎运行良好。

检查信任也有效:

[root@myserver ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded

Samba 身份验证失败(为什么 cifs 会这样列出?):cifs/[email protected]

[root@myserver ~]# smbclient //localhost/MySharedFolder -d 3 -U my_ad_user%password123
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.2.3.7 bcast=10.2.3.255 netmask=255.255.255.0
Client started (version 3.5.22).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/[email protected]
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[CLIENTSERVER] OS=[Unix] Server=[Samba 3.5.22]
tree connect failed: NT_STATUS_ACCESS_DENIED

Keytab 看起来不错:

[root@myserver ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected] (des-cbc-crc) 
   2 host/[email protected] (des-cbc-md5) 
   2 host/[email protected] (arcfour-hmac) 
   2 host/[email protected] (des-cbc-crc) 
   2 host/[email protected] (des-cbc-md5) 
   2 host/[email protected] (arcfour-hmac) 
   2 [email protected] (des-cbc-crc) 
   2 [email protected] (des-cbc-md5) 
   2 [email protected] (arcfour-hmac) 
   3 host/[email protected] (des-cbc-crc) 
   3 host/[email protected] (des-cbc-md5) 
   3 host/[email protected] (arcfour-hmac) 
   3 host/[email protected] (des-cbc-crc) 
   3 host/[email protected] (des-cbc-md5) 
   3 host/[email protected] (arcfour-hmac) 
   3 [email protected] (des-cbc-crc) 
   3 [email protected] (des-cbc-md5) 
   3 [email protected] (arcfour-hmac)

来自 smb.conf 的 Samba 配置:

[root@myserver ~]# cat /etc/samba/smb.conf
[global]
   workgroup = MYDOMAIN
   password server = WCR-LUCDC01.MYDOMAIN.COM
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   realm = MYDOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nss info = rfc2307
   encrypt passwords = yes
   #idmap domains = MYDOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap config MYDOMAIN : cache time = 1800
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 16777216-33554431
   idmap confg MYDOMAIN : schema_mode = rfc2307
   idmap backend = tbd
   log level = 3
   max log size = 50
[MySharedFolder]
    comment = My Share
    path = /opt/MySharedFolder
    browsable = yes
    writable = yes
    valid users = @GROUP1, @"GROUP2"

相关内容