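I used system-config-samba to set up a share with read/write permissions in Ubuntu. I also configured my user as smbuser.
On all my other systems (2 Win10, 1 Win8, 1 Ubuntu), I am prompted for a username and password (because guest ok = no is set in smb.conf, with only one valid user).
The problem is that Win Server 2012 does not get this prompt and, worse, can somehow bypass authentication and read all the shares on the target machine.
At first I thought this might be a glitch caused by the username on Server 2012 being the same as on the Ubuntu machine and smbuser, but the problem persisted even after changing the Win server username.
In any case, this looks to me like some kind of massive security hole. I have confirmed that there are no stored credentials that could be in use.
smb.conf contains: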
usershare allow guests = no
username map = /etc/samba/smbusers
security = user
encrypt passwords = yes
guest ok = no
guest account = nobody
[ShareName]
path = /media/[user]/[ext4_drive]/[share folder]
writeable = yes
browseable = yes
guest ok = no
valid users = [user]
Update:
/var/log/samba/ log:
[2015/10/29 14:49:30.544283, 2] ../source3/param/loadparm.c:3581(do_section)
Processing section "[public]"
[2015/10/29 14:49:30.544373, 0] ../source3/param/loadparm.c:3188(lp_do_parameter)
Global parameter usershare allow guests found in service section!
[2015/10/29 14:49:30.544402, 0] ../source3/param/loadparm.c:3188(lp_do_parameter)
Global parameter username map found in service section!
[2015/10/29 14:49:30.544428, 0] ../source3/param/loadparm.c:3188(lp_do_parameter)
Global parameter security found in service section!
[2015/10/29 14:49:30.544452, 0] ../source3/param/loadparm.c:3188(lp_do_parameter)
Global parameter encrypt passwords found in service section!
[2015/10/29 14:49:30.544489, 0] ../source3/param/loadparm.c:2376(service_ok)
WARNING: No path in service public - making it unavailable!
[2015/10/29 14:49:30.544513, 1] ../source3/param/loadparm.c:2383(service_ok)
NOTE: Service public is flagged unavailable.
[2015/10/29 14:49:30.544537, 2] ../source3/param/loadparm.c:3581(do_section)
Processing section "[printers]"
[2015/10/29 14:49:30.544577, 0] ../source3/param/loadparm.c:2363(service_ok)
WARNING: [printers] service MUST be printable!
[2015/10/29 14:49:30.544603, 0] ../source3/param/loadparm.c:2376(service_ok)
WARNING: No path in service printers - making it unavailable!
[2015/10/29 14:49:30.544626, 1] ../source3/param/loadparm.c:2383(service_ok)
NOTE: Service printers is flagged unavailable.
[2015/10/29 14:49:30.544650, 2] ../source3/param/loadparm.c:3581(do_section)
Processing section "[ShareName]"
[2015/10/29 14:49:30.544677, 0] ../source3/param/loadparm.c:3188(lp_do_parameter)
Global parameter security found in service section!
[2015/10/29 14:49:30.544860, 2] ../source3/lib/interface.c:341(add_interface)
added interface eth1 ip=[IP] bcast=[BCAST] netmask=[MASK]
[2015/10/29 14:51:50.380113, 2] ../source3/smbd/open.c:972(open_file)
[USER] opened file test.txt read=No write=No (numopen=3)
[2015/10/29 14:51:50.381445, 2] ../source3/smbd/close.c:780(close_normal_file)
[USER] closed file test.txt (numopen=2) NT_STATUS_OK
[2015/10/29 14:51:51.428034, 2] ../source3/smbd/open.c:972(open_file)
[USER] opened file test.txt read=Yes write=No (numopen=2)
[2015/10/29 14:51:51.433698, 2] ../source3/smbd/open.c:972(open_file)
[USER] opened file test - Copy.txt read=Yes write=Yes (numopen=3)
[2015/10/29 14:52:06.492354, 2] ../source3/smbd/close.c:780(close_normal_file)
[USER] closed file test.txt (numopen=3) NT_STATUS_OK
[2015/10/29 14:52:06.492925, 2] ../source3/smbd/close.c:780(close_normal_file)
[USER] closed file test - Copy.txt (numopen=2) NT_STATUS_OK
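Answer 1
You have to find out which credentials the Windows machine is using. You can try two different (complementary) approaches:
- Create a file from the Win2012 machine, then find out on the Linux machine which user owns the newly created file
- Enable samba logging by adding the directive log level = 2 to the /etc/samba/smb.conf file. Then look in /var/log/samba/
Once you have found the user whose credentials the Win2012 machine is using, it should be easy to understand what is going on.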
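One way to carry out the log check from this answer, as an added example that is not part of the original answer: it reads level-2 smbd log text in the format shown in the question and lists which account opened which files, so the account the Win2012 session was served as can be compared with the share's valid users. The sample log and the account names alice and nobody are constructed.

```python
import re
from collections import defaultdict

# Header smbd writes before each message: [date time.usec, level] source:line(function)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+[^\]]*\]\s+\S+\((\w+)\)")
# open_file message. File names may contain spaces, so anchor on " read=".
OPENED = re.compile(
    r"^(?P<user>\S+) opened file (?P<name>.+) read=(?P<r>Yes|No) write=(?P<w>Yes|No)\b")

def opens_by_user(log_text):
    """Map each logged account to [(timestamp, file, read, write), ...]."""
    result = defaultdict(list)
    stamp = None  # set only while the previous line was an open_file header
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            stamp = header.group(1) if header.group(2) == "open_file" else None
            continue
        opened = OPENED.match(line) if stamp else None
        if opened:
            result[opened["user"]].append(
                (stamp, opened["name"], opened["r"] == "Yes", opened["w"] == "Yes"))
        stamp = None
    return dict(result)

def unexpected_users(log_text, valid_users):
    """Accounts that opened files but are not in the share's 'valid users'."""
    return sorted(set(opens_by_user(log_text)) - set(valid_users))

# Constructed sample in the level-2 format shown in the question.
# "alice" and "nobody" are made-up account names.
SAMPLE_LOG = """\
[2015/10/29 14:51:50.380113,  2] ../source3/smbd/open.c:972(open_file)
  alice opened file test.txt read=No write=No (numopen=3)
[2015/10/29 14:51:50.381445,  2] ../source3/smbd/close.c:780(close_normal_file)
  alice closed file test.txt (numopen=2) NT_STATUS_OK
[2015/10/29 14:51:51.433698,  2] ../source3/smbd/open.c:972(open_file)
  alice opened file test - Copy.txt read=Yes write=Yes (numopen=3)
[2015/10/29 14:53:02.100000,  2] ../source3/smbd/open.c:972(open_file)
  nobody opened file notes.txt read=Yes write=No (numopen=1)
"""

if __name__ == "__main__":
    for user, events in opens_by_user(SAMPLE_LOG).items():
        for stamp, name, read, write in events:
            print(f"{stamp}  {user:8}  read={read!s:5} write={write!s:5}  {name}")
    print("not in valid users:", unexpected_users(SAMPLE_LOG, ["alice"]))
```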
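Answer 2
The essence of the problem is that the username and password are both identical across the Ubuntu system and Windows Server.
Not sure whether this is a convenience or a security hole.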