Cannot set permissions on a host's Samba share from AD

So I have spent a few days looking for a way to set up this "simple" thing. I want a file server that users can log in to with their domain name (domain\name) and password. The server should give them access to a directory based on their name. Some administrators (or local users) should be able to access those directories. This worked, but I was working on a VM and following several half-deprecated guides. So I repeated my steps on a new machine and could not get it to work. (Both are up-to-date CentOS 7.2.)

My approach in short:

  • Set the time zone
  • Install krb5-workstation and set up kinit [email protected]
  • Install samba samba-winbind-clients and configure them (see the config below)
  • net ads join -U [email protected] (succeeds; see below)
  • Start the smb, nmb and winbind services
  • Add winbind to passwd, shadow and group in /etc/nsswitch.conf
  • Test domain users: wbinfo -n user and wbinfo -g (groups)

Result of the join:

Enter [email protected]'s password:
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'domain.url'
No DNS domain configured for server. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Samba configuration:

[global]
        netbios name = SERVER_NAME
        workgroup = DOMAIN
        realm = DOMAIN.url
        server string = Samba Server Version %v
        security = ADS
        allow trusted domains = No
        obey pam restrictions = Yes
        password server = first.domain.controler.url
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        preferred master = No
        idmap backend = idmap_rid:acme=16777216-33554431
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config * : range = 16777216-33554431
        idmap config * : backend = idmap_rid:acme=16777216-33554431
        cups options = raw

[microsphere]
        root preexec = bash -c '[[ -d /data/%U ]] || mkdir -m 0700 /data/%U && chown %U:"Domain Users" /data/%U'
        comment = Home Directories
        valid users = "@DOMAIN+Domain Users"
        admin users = "@DOMAIN+Domain Admins"
        path = /data
        read only = no
        create mask = 0600
        force create mode = 0600
        directory mask = 0700
        force directory mode = 0700
        hide unreadable = Yes
        access based share enum = Yes

All of this seems to work:

wbinfo -n test
S-1-5-21-999108875-1658920850-184960113-4061 SID_USER (1)

Checking that the group exists:

getent group "Domain Users"
domain users:x:4294967295:

But on the "clean" server the permissions are never set correctly. The directory is created, but the ownership/permissions are not set as intended. Doing it manually is refused as well. (Note: /data is on the root partition, nothing external is involved.)

[root@server data]# chown -v test."domain users" test/
ownership of ‘test/’ retained as root:root
[root@server data]# ll
total 1
drwx------ 2 root root 3 Aug 11 09:43 svenn
drwx------ 2 root root 2 Aug 11 09:48 test

What is going on?
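As an added example, not part of the original question: the gid 4294967295 that getent returns above is 0xFFFFFFFF, i.e. -1 as an unsigned 32-bit number. winbind hands back -1 when it has no idmap backend that can map a SID, and -1 is also the value chown(2) treats as "leave unchanged", which matches the "ownership retained as root:root" message. The smb.conf above mixes the old `idmap backend = idmap_rid:acme=...` form with a `*` default whose backend string is not a valid backend name, and no stanza names the joined domain. The fragment below shows the per-domain syntax the idmap_rid backend documents. It assumes the short domain name is DOMAIN (as the join output reports) and that "acme" is not the name of the joined domain; the default-domain range is illustrative and must not overlap the domain range.

```ini
[global]
        ; --- as posted (weak): old syntax plus a '*' backend that is not a backend name ---
        ; idmap backend = idmap_rid:acme=16777216-33554431
        ; idmap config * : range = 16777216-33554431
        ; idmap config * : backend = idmap_rid:acme=16777216-33554431

        ; --- corrected: default domain (BUILTIN, local SIDs) gets its own tdb range ---
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        ; --- corrected: the joined AD domain, deterministic RID-based mapping ---
        ; DOMAIN is assumed to be the short domain name shown by "net ads join"
        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 16777216-33554431
```

After changing the idmap stanzas, restart winbind and re-run `getent group "Domain Users"`; a gid inside 16777216-33554431 instead of 4294967295 is the check that the mapping works, and only then will `chown user:"Domain Users"` have a real uid/gid to apply. Two side notes on the share stanza as posted: `[[ -d ... ]] || mkdir ... && chown ...` is parsed as `( [[ -d ... ]] || mkdir ... ) && chown ...`, so the chown runs even when the directory already exists (harmless, but not what the line reads as), and with `winbind use default domain = Yes` the `%U` in `root preexec` is the bare username, so the directory name and the chown target agree.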
