I am having problems using AD to authenticate against a SAMBA share on a Linux server.
Authentication seems to work, but only half way...
[root@myserver ~]# wbinfo -a my_ad_user%password123
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@myserver ~]# wbinfo -i my_ad_user
Could not get info for user my_ad_user << weird
[root@myserver ~]# getent passwd my_ad_user
my_ad_user:*:1256023472:1256023469:my name:/:
[root@myserver ~]#
This is odd, because everything appears to work except the output of wbinfo -i <any_ad_user_name>. The other wbinfo queries seem to run fine.
Checking the trust also works:
[root@myserver ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
Samba authentication fails (why is cifs listed like this?): cifs/[email protected]
[root@myserver ~]# smbclient //localhost/MySharedFolder -d 3 -U my_ad_user%password123
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.2.3.7 bcast=10.2.3.255 netmask=255.255.255.0
Client started (version 3.5.22).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/[email protected]
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[CLIENTSERVER] OS=[Unix] Server=[Samba 3.5.22]
tree connect failed: NT_STATUS_ACCESS_DENIED
The keytab looks fine:
[root@myserver ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/[email protected] (des-cbc-crc)
2 host/[email protected] (des-cbc-md5)
2 host/[email protected] (arcfour-hmac)
2 host/[email protected] (des-cbc-crc)
2 host/[email protected] (des-cbc-md5)
2 host/[email protected] (arcfour-hmac)
2 [email protected] (des-cbc-crc)
2 [email protected] (des-cbc-md5)
2 [email protected] (arcfour-hmac)
3 host/[email protected] (des-cbc-crc)
3 host/[email protected] (des-cbc-md5)
3 host/[email protected] (arcfour-hmac)
3 host/[email protected] (des-cbc-crc)
3 host/[email protected] (des-cbc-md5)
3 host/[email protected] (arcfour-hmac)
3 [email protected] (des-cbc-crc)
3 [email protected] (des-cbc-md5)
3 [email protected] (arcfour-hmac)
Samba configuration from smb.conf:
[root@myserver ~]# cat /etc/samba/smb.conf
[global]
workgroup = MYDOMAIN
password server = WCR-LUCDC01.MYDOMAIN.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = MYDOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
encrypt passwords = yes
#idmap domains = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config MYDOMAIN : cache time = 1800
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 16777216-33554431
idmap confg MYDOMAIN : schema_mode = rfc2307
idmap backend = tbd
log level = 3
max log size = 50
[MySharedFolder]
comment = My Share
path = /opt/MySharedFolder
browsable = yes
writable = yes
valid users = @GROUP1, @"GROUP2"
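The posted smb.conf sets idmap uid and idmap gid twice, contains a misspelled key (idmap confg) and an idmap backend value of tbd. As an added example (not part of the original post, and not a Samba tool), here is a small linter that parses an smb.conf excerpt and reports duplicate idmap parameters, unrecognised parameter names and unknown backend values, which is a sensible first check before digging into winbind itself. The sample text below is a constructed copy of the relevant lines above, and the backend list is an assumed subset of Samba's idmap modules.

```python
import re
from collections import Counter

# Constructed excerpt of the posted smb.conf (only the lines this check cares about)
SAMPLE_SMB_CONF = """
[global]
workgroup = MYDOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
#idmap domains = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 16777216-33554431
idmap confg MYDOMAIN : schema_mode = rfc2307
idmap backend = tbd
[MySharedFolder]
path = /opt/MySharedFolder
"""

# Backend names this linter accepts (assumption: a subset of Samba's idmap modules)
KNOWN_BACKENDS = {"tdb", "ad", "rid", "ldap", "autorid", "nss"}
SIMPLE_IDMAP_KEYS = {"idmap uid", "idmap gid", "idmap backend"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: [(key, value), ...]}, keeping
    duplicate keys in order so the linter can see what gets overridden."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba parameter names are case-insensitive; collapse whitespace too
            sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections

def lint_idmap(sections):
    """Return findings for idmap settings in [global]: duplicates (the last
    assignment is the effective one), misspelled names, unknown backends."""
    findings = []
    entries = [(k, v) for k, v in sections.get("global", []) if k.startswith("idmap")]
    for key, n in Counter(k for k, _ in entries).items():
        if n > 1:
            last = [v for k, v in entries if k == key][-1]
            findings.append(f"duplicate '{key}' set {n} times; effective value is '{last}'")
    for key, value in entries:
        if re.fullmatch(r"idmap config \S+ : \S+", key) or key in SIMPLE_IDMAP_KEYS:
            if key.endswith("backend") and value.lower() not in KNOWN_BACKENDS:
                findings.append(f"'{key}' = '{value}' is not a recognised idmap backend")
        else:
            findings.append(f"unrecognised parameter '{key}' (Samba ignores it with a log warning)")
    return findings

if __name__ == "__main__":
    for finding in lint_idmap(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Running it against the excerpt reports the two duplicated ranges, the idmap confg line and the tbd backend; testparm on the real server is still the authoritative check.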