Samba file server on a Windows domain cannot authenticate users - shows "credentials chain check failed"


I have two TurnKey Linux Fileserver 13 machines (essentially Debian 7.3) running Samba to share folders on our mostly-Windows LAN. Samba is configured to authenticate users against Active Directory on the domain controller.

Until recently everything worked fine, but now both Samba servers are failing to authenticate certain users. Other users of the servers can still connect and access files normally (cached credentials?). Here is a typical example of what the Samba log records when a login attempt fails:

[2016/04/26 20:08:15.768961,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.

I don't know what changed on our domain controller, and I'm fairly sure the domain controller allows Samba to connect to authenticate users, because I did a quick setup of the exact same OS/software in VirtualBox, copied all of the production configuration, and successfully logged in to the temporary Samba setup using the same domain credentials that don't work on the production machines.

Here is also a copy of my Samba configuration:

[global]
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    obey pam restrictions = yes
    admin users = root
    #read prediction = yes
    passwd program = /usr/bin/passwd %u
    dns proxy = no
    netbios name = PAFILES
    default = companyfiles
    workgroup = MEG
    os level = 20
    auto services = companyfiles
    security = ads
    delete user script = /usr/sbin/userdel -r '%u'
    max log size = 1000
    directory mode = 777
    log file = /var/log/samba/samba.log
    read raw = no
    guest account = nobody
    write raw = no
    add group script = /usr/sbin/groupadd '%g'
    socket options = TCP_NODELAY
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    force directory mode = 777
    wins server = DC01.MEG.LOCAL
    #null passwords = yes
    encrypt passwords = true
    winbind trusted domains only = yes
    winbind use default domain = yes
    realm = MEG.LOCAL
    passdb backend = tdbsam
    unix extensions = no
    wide links = yes
    server string = TurnKey Linux FileServer
    password server = DC01.MEG.LOCAL
    unix password sync = yes
    force create mode = 777
    add user script = /usr/sbin/useradd -m '%u' -g users -G users
    syslog = 0
    create mode = 777
    panic action = /usr/share/samba/panic-action %d
    pam password change = yes



[companyfiles]
    shadow:basedir = /srv/storage
    force directory mode = 777
    recycle:keeptree = yes
    shadow:sort = desc
    vfs objects = shadow_copy2
    writeable = yes
    delete readonly = yes
    path = /srv/storage
    shadow:snapdir = ../snapshots/storage
    force create mode = 777
    comment = Public Share
    create mode = 0777
    recycle:repository = Recycle Bin
    recycle:versions = yes
    directory mode = 0777

Any ideas what I could try next? Thanks!
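As an added example (not code from the question or the answer), a small Python parser for the Samba log layout quoted above: it groups each "[timestamp, level] file:line(function)" header with its indented message and pairs every "credentials chain check failed" entry with the domain_client_validate failure that follows it, so the affected user, domain controller and NT status can be pulled out of a busy log. The sample log text is constructed in that layout; the 50 ms pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Samba log layout quoted in the question (not a real capture).
SAMPLE_LOG = """\
[2016/04/26 20:08:15.768961,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
[2016/04/26 20:09:01.000100,  2] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user jdoe in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_WRONG_PASSWORD.
"""

# Header line: "[YYYY/MM/DD HH:MM:SS.micro, level] file.c:line(function)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\] (\S+)\((\w+)\)$")
# Body of the domain_client_validate failure message
VALIDATE_RE = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                         r"to Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

def parse_samba_log(text):
    """Group a Samba log into entries: one header plus its indented message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                            "level": int(m.group(2)), "function": m.group(4), "message": ""})
        elif entries and line.startswith(" "):
            entries[-1]["message"] += line.strip()
    return entries

def find_chain_failures(entries, window=timedelta(milliseconds=50)):
    """Pair each 'credentials chain check failed' with the validate failure right after it.
    A lone validate failure (wrong password etc.) is ordinary and is not reported."""
    findings = []
    for i, e in enumerate(entries):
        if "credentials chain check failed" not in e["message"]:
            continue
        for nxt in entries[i + 1:]:
            if nxt["ts"] - e["ts"] > window:
                break
            m = VALIDATE_RE.search(nxt["message"])
            if m and nxt["function"] == "domain_client_validate":
                findings.append({"ts": e["ts"], "user": m.group(1), "domain": m.group(2),
                                 "dc": m.group(3), "status": m.group(4)})
                break
    return findings

if __name__ == "__main__":
    for f in find_chain_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f['ts']} chain check failed: {f['domain']}\\{f['user']} via {f['dc']} -> {f['status']}")
```

Run it against /var/log/samba/samba.log (the log file path from the configuration above) to see which users hit the netlogon credential-chain failure rather than an ordinary wrong-password rejection.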

Answer 1

There is an upstream bug in Samba, included in the update released on April 12 in response to the widely publicised "Badlock" vulnerability, that causes the behaviour you are seeing. The Debian bug is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820981 Red Hat has a patch available, but as of today (April 27) it has not been released: https://bugzilla.redhat.com/show_bug.cgi?id=1326918

For now it looks like your only options are to downgrade to the previous Samba version or wait for your distribution's patch.
