Samba 4: joined the domain, but all users map to nobody and shares cannot be accessed from Windows clients


I have a Debian/Jessie Samba 4.2.14 running as an AD member. The AD DC is a Windows 2008 R2 server. The join works fine.

# net ads testjoin
Join is OK

wbinfo -u and wbinfo -g work perfectly and return the expected lists of users and groups from AD. wbinfo -i <user> works too:

# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false

Edit: something is wrong here, because wbinfo -i maps every user and group to id 4294967295, i.e. 2^32 - 1 as @TheSkunk says.

Edit 2: wbinfo --sid-to-uid TESTAD\\testuser fails. I surely have to set some idmap parameters explicitly (the defaults apparently do not work at all), but how?

Edit 3: I added the following two lines to smb.conf:

idmap config * : backend = tdb
idmap config * : range = 10000-30000

Now wbinfo -i TESTDOMAIN\testuser reports a valid id, and a different one for each and every user. However, I still have the same problems (all users mapping to nobody, id and getent not knowing the AD users, etc.).

But getent passwd TESTAD\\testuser fails:

# getent passwd TESTAD\\testuser
# echo $? 
2

I can connect to the server with smbclient using any AD account:

# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password: 
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
  .                                   D        0  Fri Feb 17 16:23:04 2017
  ..                                  D        0  Wed Feb  1 16:47:02 2017
  test.txt                            N        5  Fri Feb 17 14:38:21 2017
  popo                                D        0  Fri Feb 17 16:23:04 2017

                117125466112 blocks of size 1024. 117052392484 blocks available
smb: \> 

But the connection is mapped to nobody/nogroup, and files created through it are owned by nobody too. Windows machines cannot connect with any AD account. However, if I create local accounts with smbpasswd -a <user>, they can connect using those. But their connection parameters, files, etc. are all still mapped to nobody, even though the account also exists locally.

Here is the current smb.conf (as close to the defaults as possible):

[global]
        workgroup = TESTAD
        realm = TESTAD.lan
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        inherit permissions = Yes
        inherit acls = Yes


[DATA]
        path = /mnt/raid/
        read only = No
        guest ok = Yes

Here is /etc/nsswitch.conf (I tried adding and removing 'winbind' on the shadow line, no change):

# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

I don't understand why authentication never seems to go through winbind. I am getting desperate, any ideas?
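An added diagnostic for the situation described in the question (example code written for this page, not from the question's author): glibc's NSS silently skips any service named in nsswitch.conf whose libnss_<service>.so.2 it cannot dlopen, so "winbind" on the passwd and group lines does nothing unless the module library is actually installed, and no error is logged. The sample nsswitch text is copied from the post; the module check dlopens the real library on whatever host it runs on, and the loader is injectable so the report logic can be exercised offline.

```python
import ctypes
import re

# Constructed sample: the passwd/group/shadow/hosts lines from the nsswitch.conf in the question.
NSSWITCH_SAMPLE = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
"""

ACTION_RE = re.compile(r"^\[.*\]$")  # tokens like [NOTFOUND=return] are actions, not modules


def parse_nsswitch(text):
    """Return {database: [service, ...]}, ignoring comments and [action] tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = [tok for tok in rest.split() if not ACTION_RE.match(tok)]
    return dbs


def nss_module_loadable(service):
    """True if libnss_<service>.so.2 can be dlopen()ed from the default library path,
    which is what glibc does when it reaches that service in nsswitch.conf."""
    try:
        ctypes.CDLL(f"libnss_{service}.so.2")
        return True
    except OSError:
        return False


def check_databases(dbs, want="winbind", databases=("passwd", "group"),
                    loader=nss_module_loadable):
    """For each database report whether `want` is listed and which listed modules
    cannot be loaded (and are therefore skipped without any error message)."""
    report = {}
    for db in databases:
        services = dbs.get(db, [])
        report[db] = {
            "listed": want in services,
            "missing_modules": [s for s in services if not loader(s)],
        }
    return report


def explain(report, want="winbind"):
    """Turn the report into one verdict line per database."""
    lines = []
    for db, r in report.items():
        if not r["listed"]:
            lines.append(f"{db}: '{want}' is not listed, AD users cannot resolve via NSS")
        elif want in r["missing_modules"]:
            lines.append(f"{db}: '{want}' is listed but libnss_{want}.so.2 is not installed, so glibc skips it")
        else:
            lines.append(f"{db}: ok")
    return lines


if __name__ == "__main__":
    # On a real host this uses the real loader: run it on the member server itself.
    print("\n".join(explain(check_databases(parse_nsswitch(NSSWITCH_SAMPLE)))))
```

Run on the member server, the script either reports "ok" for passwd and group or names the module glibc is quietly ignoring; the same check applies to any NSS module (sss, ldap), not only winbind.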

Answer 1

I found the core problem: a missing package. Unfortunately it was not simple to fix. Here is the final, working configuration (thanks to Rowland Penny from samba.org):

Make sure you have all the necessary packages installed (the missing one was libnss-winbind):

apt-get install samba acl attr quota fam winbind libpam-winbind \
libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

Stop the services

service smbd stop
service nmbd stop
service winbind stop

Set up a proper smb.conf (the idmap parameters in particular):

[global]
    workgroup = TESTAD
    security = ADS
    realm = TESTAD.LAN

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/TESTAD/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

With that configuration an additional /etc/samba/user.map file is needed, containing the following line:

!root = TESTAD\Administrator TESTAD\administrator Administrator administrator

Don't forget to fill in /etc/krb5.conf properly:

[libdefaults]
    default_realm = TESTAD.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

Note that krb5.conf must be owned by root and readable by everyone (644 permissions).

Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files 

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now join the domain:

# net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'

Finally start the services:

service smbd start
service nmbd start
service winbind start

getent passwd should now work with AD users:

# getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash

Warning: since I had previously joined AD without the necessary libraries installed, I had to reboot the system before it authenticated users correctly after completing this setup!
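The rid backend in the configuration above is deterministic, which makes its output checkable. The following script, added here as an example and not part of the answer, parses the idmap config lines of an smb.conf, reports malformed or overlapping ranges (the comment in the config says the ranges must not overlap), and computes the Unix ID that idmap_rid assigns: ID = RID + LOW_RANGE_ID, or 4294967295 ((uid_t)-1, the value seen in the question) when the RID does not fit in the range. The SID below is constructed; its RID 1107 and the well-known Domain Users RID 513 reproduce the 11107:10513 shown by getent above.

```python
import re

# Constructed sample: the idmap lines from the working smb.conf in the answer above.
SMB_CONF_SAMPLE = """\
[global]
    workgroup = TESTAD
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999
"""

# (uid_t)-1: the 4294967295 that wbinfo -i prints when winbind has no mapping for a SID.
UNMAPPED = 0xFFFFFFFF

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", re.IGNORECASE)


def parse_idmap(conf):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from 'idmap config' lines."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        cfg = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            cfg["range"] = (low, high)
        else:
            cfg[key] = val.lower()
    return domains


def range_problems(domains):
    """Human-readable list of malformed ranges and overlaps between any two domains."""
    problems = []
    items = sorted(domains.items())
    for dom, cfg in items:
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
        elif cfg["range"][0] > cfg["range"][1]:
            problems.append(f"{dom}: range low > high")
    for i, (d1, c1) in enumerate(items):
        for d2, c2 in items[i + 1:]:
            if "range" in c1 and "range" in c2:
                (a, b), (c, d) = c1["range"], c2["range"]
                if a <= d and c <= b:  # closed intervals intersect
                    problems.append(f"{d1} {a}-{b} overlaps {d2} {c}-{d}")
    return problems


def rid_from_sid(sid):
    """The RID is the last sub-authority of an AD SID string (S-1-5-21-...-RID)."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(domains, domain, rid):
    """Unix ID assigned by idmap_rid: ID = RID + LOW_RANGE_ID, or UNMAPPED if it falls outside the range."""
    cfg = domains[domain.upper()]
    if cfg.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = cfg["range"]
    uid = low + rid
    return uid if uid <= high else UNMAPPED


if __name__ == "__main__":
    d = parse_idmap(SMB_CONF_SAMPLE)
    print("range problems:", range_problems(d) or "none")
    # Constructed SID: domain part is made up, RID 1107 is the user's relative id.
    user_sid = "S-1-5-21-1111111111-2222222222-3333333333-1107"
    print("testuser uid:", rid_to_id(d, "TESTAD", rid_from_sid(user_sid)))   # 11107
    print("Domain Users gid:", rid_to_id(d, "TESTAD", 513))                 # 10513
    # The question's Edit 3 put the '*' range at 10000-30000, which collides with the domain range.
    bad = parse_idmap(SMB_CONF_SAMPLE.replace("2000-9999", "10000-30000"))
    print("range problems after Edit 3:", range_problems(bad))
```

Because the rid mapping is pure arithmetic, every member server with the same range gets the same IDs without any shared state; the tdb backend for "*" is the one whose allocations differ per host, which is why it must own a range no domain uses.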

Answer 2

4294967295 stands for 2^32 - this is an overflow of the GID or UID counter that the winbind daemon generates to translate the xids from AD. It has nothing to do with client mapping... If you use idmap config YOUR_DOMAIN : backend = ad, "ad" means that the information is not only stored locally but also replicated at run time to all clients and stored on them (but where, that is what I am currently trying to find out). "ad" means that if one client is lost, you already have all the uid/gid mapping information stored on the other clients. If you restore your client, all the mappings come back as they were. The problem is that once you have had such an overflow, you cannot easily get rid of it, because all the clients (running winbind) replicate it and maybe (I am currently trying to find out) the DC does too.

Here is the part I am using (works fine, but I have another problem with idmaps via ad):

winbind nss info = rfc2307
# "tdb" (the original post had the typo "tbd")
idmap config * : backend = tdb
idmap config * : range = 1000-2999

idmap config MY_DOMAIN : backend =  ad
idmap config MY_DOMAIN : schema_mode = rfc2307
idmap config MY_DOMAIN : range = 3000-30000
idmap_ldb:use rfc2307 = yes

winbind refresh tickets = yes
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

# higher might make you wait long for updates (comment moved to its own line; smb.conf has no trailing comments)
winbind cache time = 60

Answer 3

I came here myself while looking for some good instructions, and I thought I should add an update to this post...

Going forward, the goal is to use sssd rather than winbind for Active Directory integration on Linux. Although sssd does not offer all the features of winbind, it uses Kerberos authentication instead of NT Lan Manager (NTLM) authentication. Reference: Red Hat Windows Integration Guide, chapter 4.2

We are trying to reduce the use of NTLM authentication in favour of Kerberos, since the latter is considered a more secure protocol.

That said, we have configured SAMBA file shares as follows:-

  1. Install realmd, samba and sssd with all their dependencies. Or more?
  2. Join the realm: realm join <domain name>

    This command joins the machine to the domain using domain credentials. It then automatically configures nsswitch.conf, /etc/sssd/sssd.conf and /etc/krb5.conf, and fetches the machine keytab into /etc/krb5.keytab

  3. Make sure the filesystem is mounted with the acl option in /etc/fstab, e.g.

    UUID=foo-bar-baz /mnt/share ext4 defaults,acl 0 0

  4. Configure samba correctly. There are too many options; it is a bit of a dark art. YMMV, but what worked for me is below. Anything in <> needs to be configured for your own network.

#/etc/samba/smb.conf
[global]
    # SMB settings
    security = ads
    workgroup = <workgroup>
    netbios name = <server name>
    server string = Samba %v on %L (%h)

    # NMB settings
    local master = no
    dns proxy = no

    # Authentication / Kerberos settings
    realm = <realm / domain name>
    password server = *
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    encrypt passwords = yes
    client use spnego = yes
    client signing = yes

    # ID mapping
    idmap config * : backend = autorid
    idmap config * : range = 1000000-1999999

    # Windows Extended ACLs
    vfs objects = acl_xattr
    map acl inherit = yes
    nt acl support = yes
    # This next one apparently incurs a significant performance hit without
    # additional functionality, but can help compatibility.
    # It adds the DOS Read-only, Archive and Hidden bits to file attributes.
    # store dos attributes = yes

[share]
    comment = <My Share>
    path = </mnt/share>
    valid users = @"<Domain Group>", <domain_user>
    # ... Other share-specific options

  5. Set the domain user or group as the group on the Unix file object. Remove access for everyone else.
> chown root:"Domain Users" /mnt/share
> chmod 770 /mnt/share
  6. Now you should hopefully be able to access the file share from a domain-joined Windows PC and set its permissions with the Windows folder properties.

If you somehow lock yourself out of the share (as I managed to do), the Windows permissions can be viewed and changed with the following Linux commands:-

# get ACL permissions
> getfacl /mnt/share
# Set This Folder Only access on a share.
> setfacl -m group:"<domain>\<group>":rwx /mnt/share
# Set This Folder, Subdirectories and Files permissions on a folder
> setfacl -m default:group:"<domain>\<group>":rwx /mnt/share

Answer 4

On the new server02 I got the error "client_input_channel_req: channel 0 rtype exit-status reply 0", but not on server01. The solution I came across was to add two lines that I had mistakenly left out of /etc/samba/smb.conf:

template shell = /bin/bash

template homedir = /home/%D/%u

Now domain users can log in to server02.

Regards.
