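I have two TurnKey Linux Fileserver 13 machines (basically Debian 7.3) running Samba to share folders on our mostly Windows LAN. Samba is configured to authenticate users against Active Directory on our domain controller.
Until recently everything worked fine, but now both Samba servers are unable to authenticate some users. Other users of the servers can still connect and access files normally (cached credentials?). Here is a typical example of what gets written to the Samba log when a login attempt fails: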
[2016/04/26 20:08:15.768961, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053, 0] auth/auth_domain.c:331(domain_client_validate)
domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
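I don't know what changed on our domain controller, and I'm fairly sure our domain controller allows Samba to connect to validate users, because I did a quick setup of the exact same OS/software in VirtualBox, copied over all of the production configuration, and successfully logged in to the temporary Samba setup with the same domain credentials that do not work on the production machines.
Here is a copy of my Samba configuration as well: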
[global]
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
admin users = root
#read prediction = yes
passwd program = /usr/bin/passwd %u
dns proxy = no
netbios name = PAFILES
default = companyfiles
workgroup = MEG
os level = 20
auto services = companyfiles
security = ads
delete user script = /usr/sbin/userdel -r '%u'
max log size = 1000
directory mode = 777
log file = /var/log/samba/samba.log
read raw = no
guest account = nobody
write raw = no
add group script = /usr/sbin/groupadd '%g'
socket options = TCP_NODELAY
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
force directory mode = 777
wins server = DC01.MEG.LOCAL
#null passwords = yes
encrypt passwords = true
winbind trusted domains only = yes
winbind use default domain = yes
realm = MEG.LOCAL
passdb backend = tdbsam
unix extensions = no
wide links = yes
server string = TurnKey Linux FileServer
password server = DC01.MEG.LOCAL
unix password sync = yes
force create mode = 777
add user script = /usr/sbin/useradd -m '%u' -g users -G users
syslog = 0
create mode = 777
panic action = /usr/share/samba/panic-action %d
pam password change = yes
[companyfiles]
shadow:basedir = /srv/storage
force directory mode = 777
recycle:keeptree = yes
shadow:sort = desc
vfs objects = shadow_copy2
writeable = yes
delete readonly = yes
path = /srv/storage
shadow:snapdir = ../snapshots/storage
force create mode = 777
comment = Public Share
create mode = 0777
recycle:repository = Recycle Bin
recycle:versions = yes
directory mode = 0777
Any ideas on what I can try next? Thanks!
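Answer 1
There is an upstream bug in Samba, included in the updates released on April 12 in response to the widely publicized "Badlock" vulnerability, that causes the behavior you are seeing. The Debian bug is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820981 Red Hat has a patch available, but as of today (April 27) it has not been released: https://bugzilla.redhat.com/show_bug.cgi?id=1326918
For now it looks like your only options are to downgrade to the previous Samba version or to wait for a patch from the distribution.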
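A triage sketch for the log signature quoted in the question, added here as an example and not part of the original question or answer: it parses Samba's two-line log records and lists the users whose NT_STATUS_ACCESS_DENIED directly follows a failed netlogon credentials chain check, which separates this failure from ordinary bad-password denials. The function names and the third sample record are assumptions constructed for illustration.

```python
import re

# Header line of a Samba log record: "[date time.usec, level] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+)\.\d+,\s*\d+\]\s+\S+:\d+\((?P<func>\w+)\)")
# Message written by domain_client_validate when validation against the DC fails.
DENIED = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain \S+ "
    r"to Domain controller (?P<dc>\S+?)\. Error was (?P<status>NT_STATUS_\w+)"
)
CHAIN = "credentials chain check failed"

# First two records are the ones quoted in the question; the third is constructed.
SAMPLE = """\
[2016/04/26 20:08:15.768961, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
[2016/04/26 20:09:02.000001, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user jdoe in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_WRONG_PASSWORD.
"""


def parse_records(text):
    """Yield (timestamp, function, message) for each header + message pair."""
    header = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            header = m
        elif header and line.strip():
            yield header["ts"], header["func"], line.strip()
            header = None


def netlogon_failures(text):
    """Map (user, dc) -> timestamps of ACCESS_DENIED results that directly
    follow a failed netlogon credentials chain check."""
    hits, chain_failed = {}, False
    for ts, func, msg in parse_records(text):
        m = DENIED.search(msg) if func == "domain_client_validate" else None
        if m and chain_failed and m["status"] == "NT_STATUS_ACCESS_DENIED":
            hits.setdefault((m["user"], m["dc"]), []).append(ts)
        chain_failed = func == "rpccli_netlogon_sam_network_logon" and CHAIN in msg
    return hits
```

Feeding it the contents of the file named in `log file` (here `/var/log/samba/samba.log`) shows which accounts and which domain controller are affected before deciding on a downgrade.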