我已经使用 Samba 配置了我的 Debian 机器,并使用 Winbind 成功加入我的域。我尝试共享一个文件夹并使用 Windows Active Directory 身份验证(在 Server 2012 R2 域上)公开它。一切似乎都正常,但无论我做什么,当我尝试访问共享时都会收到“访问被拒绝”的提示。
我是按照下面这篇教程来配置 Samba 的:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
我可以看到该共享,并能在 Windows 机器上通过“计算机管理”控制台打开它。我甚至可以在 Windows 中更改它的权限,但无论如何都无法真正访问该共享。
下面是我把这台机器加入 AD 并发布共享所执行的步骤:
添加存储库
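# Replace /etc/apt/sources.list with the generated jessie mirror list.
# Download to a temporary file first: with the original `curl ... | sudo tee`
# a failed or partial transfer (HTTP error page, empty body) would still be
# written over the live sources.list, and that file is what every later
# apt-get trusts. `-f` makes curl exit non-zero on HTTP errors, so the install
# step only runs on a complete download. Inspect "$src_list" before the
# install step if the generator site is not fully trusted.
src_list=$(mktemp) || exit 1
curl -fsSL https://debgen.simplylinux.ch/txt/jessie/sources_02afb983ca66b4136396fe1f3cc5e8052fa5532a.txt -o "$src_list" \
  && sudo install -m 0644 -- "$src_list" /etc/apt/sources.list
rm -f -- "$src_list"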
全面更新/升级
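# Print the release before and after a full upgrade.
# The steps are chained with && instead of ';' so that a failed
# "apt-get update" (for example after a bad sources.list) stops the run
# rather than upgrading from stale package lists; "upgrade" after
# "dist-upgrade" is kept as the author had it (normally a no-op).
cat /etc/debian_version \
  && apt-get update --fix-missing -y \
  && apt-get dist-upgrade -y \
  && apt-get upgrade -y \
  && cat /etc/debian_version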
安装工具加入域
# Everything needed for an AD member server in one apt run: time sync,
# Samba + winbind, the winbind NSS/PAM modules and the Kerberos client.
pkgs=(
  ntp ntpdate
  winbind samba samba-client
  libnss-winbind libpam-winbind
  krb5-config krb5-locales krb5-user
)
apt-get -y install "${pkgs[@]}"
编辑/etc/ntp.conf
# /etc/ntp.conf: take time from the domain controller. Kerberos rejects
# tickets from a client whose clock is skewed beyond the KDC's tolerance,
# so the DC (which is also the KDC) is the right reference; "prefer iburst"
# favours this server and speeds up the initial sync.
server dc1.my.domain.com prefer iburst
# Apply the new server line; check `ntpq -p` afterwards to confirm the DC is reachable.
service ntp restart
编辑 /etc/krb5.conf
# /etc/krb5.conf as posted. The NOTE(review) lines flag entries worth
# re-checking; the settings themselves are left exactly as the author wrote them.
[libdefaults]
ticket_lifetime = 24000
default_realm = MY.DOMAIN.COM
# NOTE(review): the next two keys are misspelled (libkrb5 knows
# default_tgs_enctypes and default_tkt_enctypes); unknown keys are silently
# ignored, so only permitted_enctypes below is actually in effect.
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
# NOTE(review): this pins the client to RC4 and single-DES. A 2012 R2 domain
# supports AES, and single-DES is disabled by default in current MIT Kerberos
# unless allow_weak_crypto is set; removing these three enctype lines lets the
# stronger types be negotiated.
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes
[realms]
MY.DOMAIN.COM = {
kdc = DC1.MY.DOMAIN.COM
# NOTE(review): default_domain is the DNS domain used to expand unqualified
# hostnames; a DC hostname here looks like a copy error — presumably
# my.domain.com was meant.
default_domain = DC1.MY.DOMAIN.COM
}
[domain_realm]
# NOTE(review): the right-hand side of a domain_realm entry is a realm name.
# DC1.MY.DOMAIN.COM is not a realm defined above (default_realm is
# MY.DOMAIN.COM), so these two lines may be mapping the domain to a
# non-existent realm; confirm whether the DC hostname was pasted by mistake.
.my.domain.com = DC1.MY.DOMAIN.COM
my.domain.com = DC1.MY.DOMAIN.COM
[appdefaults]
# Settings consumed by pam_krb5; debug = true is verbose and only useful
# while troubleshooting logins.
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# Kerberos 4 compatibility option; harmless but obsolete.
krb4_convert = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
测试以域管理员身份获取 Kerberos 票据
root@nas02:~# kinit domain_admin
Password for [email protected]:
root@nas02:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
10/14/2016 21:56:26 10/15/2016 04:36:20 krbtgt/[email protected]
kdestroy
编辑 /etc/samba/smb.conf
# Global parameters
# NOTE(review): testparm later lists [homes] and [print$] sections that do not
# appear in this paste, so the file on disk contains more than is shown here.
[global]
# "net ads join" reported "Using short domain name -- MY", so MY is the
# NetBIOS domain name this host belongs to.
workgroup = MY
realm = MY.DOMAIN.COM
server role = member server
security = ADS
# NOTE(review): a client whose username is unknown to the server is treated as
# guest instead of being rejected; together with "usershare allow guests = Yes"
# this widens who can reach guest-accessible shares. Confirm it is intended
# while chasing the access-denied error, since it can mask a failed
# authentication as a guest session.
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
# Deprecated logging knobs; the per-client log file below is what gets written
# and is the first place to look for the reason behind an access-denied reply.
syslog = 0
syslog only = Yes
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
# Home directory and shell that winbind assigns to domain users
# (visible in the wbinfo -i output).
template homedir = /home/%U
# NOTE(review): Debian installs bash as /bin/bash; /sbin/bash most likely does
# not exist. This does not affect SMB share access, but interactive logins for
# domain users would fail.
template shell = /sbin/bash
winbind enum users = Yes
winbind enum groups = Yes
# Lets "Domain Admins" (without the MY\ prefix) resolve in chgrp and getent.
winbind use default domain = Yes
winbind refresh tickets = Yes
# NOTE(review): "samdom" is the placeholder domain from the Samba wiki example;
# the idmap domain key has to be the short domain name, which is MY here. As
# written, MY would fall back to the "*" tdb backend below. The IDs shown by
# wbinfo -i / getent (10500 = 10000 + RID 500) do look RID-derived, so either
# the real file already says MY or this paste was edited — check the file on
# disk and rename the key to MY if the rid backend is intended.
idmap config samdom:range = 10000-99999
idmap config samdom:backend = rid
# Catch-all mapping for well-known/BUILTIN SIDs and any domain without its own section.
idmap config *:range = 2000-9999
idmap config * : backend = tdb
# Windows-ACL share support per the wiki: the NT ACL is stored in an extended
# attribute, so the filesystem under /srv must support xattrs (user_xattr) and
# POSIX ACLs; without them the Windows-side permission edits cannot be stored.
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
编辑 /etc/nsswitch.conf
# /etc/nsswitch.conf — winbind appended to the user and group databases so
# domain accounts resolve via getent (confirmed by the getent passwd/group
# output further down).
passwd: compat winbind
group: compat winbind
# NOTE(review): as far as I know libnss_winbind does not serve the shadow
# database, so this entry is harmless but could stay plain "compat".
shadow: compat winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
加入域
root@nas02:/etc/samba# net ads join -S DC1.MY.DOMAIN.COM -U [email protected]
Enter [email protected]'s password:
Using short domain name -- MY
Joined 'NAS02' to dns domain 'MY.DOMAIN.COM'
重启相关服务
# Restart the Samba daemons and winbind so the new smb.conf, krb5.conf and
# nsswitch.conf take effect. Each restart is attempted regardless of whether
# the previous one succeeded, as in the original one-liner.
for svc in smbd nmbd winbind; do
  service "$svc" restart
done
验证域加入是否成功
root@nas02:/etc/samba# wbinfo -u
domain_admin
guest
krbtgt
svc.sql
svc.tfs
nas_admin
root@nas02:/etc/samba# wbinfo -g
winrmremotewmiusers__
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
cloneable domain controllers
protected users
dnsadmins
dnsupdateproxy
domain local admins
wss_admin_wpg
wss_wpg
netmon users
root@nas02:/etc/samba# wbinfo -i domain_admin
domain_admin:*:10500:10513:domain_admin:/home/domain_admin:/sbin/bash
root@nas02:/etc/samba# getent passwd
....
....
domain_admin:*:10500:10513:domain_admin:/home/domain_admin:/sbin/bash
....
....
root@nas02:/etc/samba# getent group
root:x:0:
daemon:x:1:
bin:x:2:
....
sambashare:x:114:
winbindd_priv:x:115:
winrmremotewmiusers__:x:11000:
domain computers:x:10515:
domain controllers:x:10516:
schema admins:x:10518:
enterprise admins:x:10519:
....
domain admins:x:10512:
domain users:x:10513:
domain guests:x:10514:
....
root@nas02:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Demo]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
创建我们要共享的目录
# Directory backing the [Demo] share; -p also creates /srv/samba if it is
# missing (with the default umask, so parents stay traversable).
mkdir -p /srv/samba/Demo/
设置权限
root@nas02:/etc/samba# chmod g=rwx /srv/samba/Demo/
root@nas02:/etc/samba# chgrp "Domain Admins" /srv/samba/Demo/
再次编辑 /etc/samba/smb.conf,添加共享定义
# Share definition appended to /etc/samba/smb.conf. With "vfs objects =
# acl_xattr" set globally, an NT ACL stored on /srv/samba/Demo (e.g. one set
# from Windows) takes precedence over the plain chmod/chgrp shown above.
[Demo]
path = /srv/samba/Demo/
# Writable, and no "valid users" restriction: access control rests entirely
# on the filesystem / NT ACL of the directory.
read only = no
重新加载 Samba
root@nas02:/etc/samba# smbcontrol all reload-config
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED