OracleLinux 7.3-Samba 4.6.2-NT_STATUS_ACCESS_DENIED

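I recently ran into a Samba problem while building a server. Below is a configuration I have used many times without problems.

Samba configuration (the Anonymous share is commented out, but works fine when enabled)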

    [global]
    workgroup = SAMBA
    security = user
    map to guest = Bad User
    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

    log file = /var/log/samba/%m
    log level = 1

    #[Anonymous]
    #comment = Anonymous File Server Share
    #path = /tmp
    #browsable =yes
    #writable = yes
    #guest ok = yes
    #read only = no

    [hes]
    comment = stuff
    path = /u01/app2
    valid users = hesowner, oracle
    writable = yes
    browsable = yes
    printable = no
    invalid users = None

Testing the share locally with smbclient works fine.

    [root@test1 ~]# smbclient -U hesowner //test1/hes
    Enter SAMBA\hesowner's password:
    Domain=[TEST1] OS=[Windows 6.1] Server=[Samba 4.6.2]
    smb: \> ls
    .                                   D        0  Tue Aug 29 14:39:32 2017
    ..                                  D        0  Tue Aug 29 14:33:15 2017
    reports                             D        0  Tue Aug 29 14:33:15 2017
    forms                               D        0  Tue Aug 29 14:33:53 2017
    eis_ws_approvals                    D        0  Tue Aug 29 14:45:20 2017

            52403200 blocks of size 1024. 36431144 blocks available
    smb: \>

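So the problem is on Windows 10 Pro: when I try to access the share via \\test1\hes, I just get the username/password prompt over and over and cannot access the share.

Here is the log...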

    [2017/09/07 11:54:20.051608,  2] ../source3/smbd/service.c:319(create_connection_session_info)
      guest user (from session setup) not permitted to access this share (hes)
    [2017/09/07 11:54:20.051670,  1] ../source3/smbd/service.c:502(make_connection_snum)
      create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
    [2017/09/07 11:54:20.125206,  2] ../source3/smbd/service.c:319(create_connection_session_info)
      guest user (from session setup) not permitted to access this share (hes)
    [2017/09/07 11:54:20.125265,  1] ../source3/smbd/service.c:502(make_connection_snum)
      create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
    [2017/09/07 11:54:20.161800,  2] ../source3/smbd/service.c:319(create_connection_session_info)
      guest user (from session setup) not permitted to access this share (hes)
    [2017/09/07 11:54:20.161824,  1] ../source3/smbd/service.c:502(make_connection_snum)
      create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
    [2017/09/07 11:54:20.237828,  2] ../source3/smbd/service.c:319(create_connection_session_info)
      guest user (from session setup) not permitted to access this share (hes)
    [2017/09/07 11:54:20.237851,  1] ../source3/smbd/service.c:502(make_connection_snum)
      create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

I see it mentions "guest user", which is strange. Removing "map to guest = Bad User" had no effect.

I'm at a complete loss...

Thanks for your help.
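The smbd log in the question writes each event as a header line followed by an indented message line. As an added example (not part of the original post), this Python script joins the two and lists every share connect that was refused because the session had already been set up as guest; the function names are illustrative.

```python
import re

# Sample input: the first two events from the log in the question.
SAMPLE_LOG = """\
[2017/09/07 11:54:20.051608,  2] ../source3/smbd/service.c:319(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670,  1] ../source3/smbd/service.c:502(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206,  2] ../source3/smbd/service.c:319(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.125265,  1] ../source3/smbd/service.c:502(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+)\((?P<func>\w+)\)$")
GUEST_DENIED = re.compile(r"guest user \(from session setup\) not permitted "
                          r"to access this share \((?P<share>[^)]+)\)")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_records(text):
    """Attach each indented message line to the header line before it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def guest_denials(text):
    """Return (timestamp, share, status) for each connect refused to a guest session."""
    recs, events = parse_records(text), []
    for i, rec in enumerate(recs):
        m = GUEST_DENIED.search(rec["msg"])
        if not m:
            continue
        # In the log above, the NT status is in the record that follows.
        status = STATUS.search(recs[i + 1]["msg"]) if i + 1 < len(recs) else None
        events.append((rec["ts"], m.group("share"), status.group(0) if status else None))
    return events

if __name__ == "__main__":
    for ts, share, status in guest_denials(SAMPLE_LOG):
        print(f"{ts} share={share} session=guest result={status}")
```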

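Answer 1

In case anyone else runs into this, my solution was to adjust the security policy on the Windows client.

Run > Secpol.msc

I then set "Local Policies" > "Security Options" > "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".

Otherwise, you can edit Samba.

Add the following line to the global section of your smb.conf file.

    ntlm auth = yes

I didn't solve this myself. I found the solution here.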

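Answer 2

I would not recommend enabling legacy protocols such as NTLM. This works in a Win7 environment (which only supports SMB2.10) with Ubuntu 14/samba-4.3.11 Active Directory. It also puts a "natural" barrier in the way of lower versions of Windows connecting to any share.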

    $ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
            client ipc max protocol = SMB3
            client ipc min protocol = SMB2_10
            client max protocol = SMB3
            client min protocol = SMB2_10
            server max protocol = SMB3
            server min protocol = SMB2_10

Of course, the configuration can be optimized and consolidated - make sure you have the highest possible SMB version support enabled:

    $ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
    smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
    server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
    client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,

Some relevant output from a production environment:

    $ smbstatus | grep -E "SMB|NTLM|^PID|\-\-{1,}"
    PID       Username         Group              Machine            Protocol Version
    ------------------------------------------------------------------------------
    11724     AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
    4834      AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
    1512      AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
    21140     AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
    26057     AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
    1513      AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
    11351     AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
    11464     AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
    5056      AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
    1511      AD-User-ID       User-Group         X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10

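...and from a lab Centos7/samba-4.4.4 Active Directory. You should be able to use encryption with your Samba and Win10 versions; make sure the smb encrypt parameter is configured correctly for a mixed SMB2/3 environment.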

    PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
    ----------------------------------------------------------------------------------------------------------------------------------------
    10884   AD-User-ID      User-Group        X.X.X.X (ipvX:X.X.X.X:4867)       SMB2_10           -                    HMAC-SHA256
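A configuration check for the settings the two answers discuss, added here as an example (it is not code from either answer): it reads an smb.conf and flags an explicit "ntlm auth = yes", a "map to guest" value other than Never, and a server minimum dialect below SMB2_10. The sample configuration is constructed, and the reader handles only plain "name = value" lines.

```python
# Dialects oldest to newest, from the testparm enum list above; aliases per smb.conf(5).
PROTOCOLS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10",
             "SMB2_22", "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"CORE+": "COREPLUS", "SMB2": "SMB2_10", "SMB3": "SMB3_11"}
TRUE = {"yes", "true", "1", "on"}

# Constructed sample: the question's share plus the settings the answers discuss.
WEAK = """\
[global]
    map to guest = Bad User
    ntlm auth = yes
    server min protocol = NT1
[hes]
    valid users = hesowner, oracle
"""
HARDENED = (WEAK.replace("ntlm auth = yes", "ntlm auth = no")
                .replace("= NT1", "= SMB2_10").replace("Bad User", "Never"))

def parse_smb_conf(text):
    """Minimal reader: [sections], 'name = value', '#' and ';' comment lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            conf[section]["".join(name.lower().split())] = value.strip()
    return conf

def audit(text, floor="SMB2_10"):
    """Flag explicit NTLMv1 enablement, guest fallback and a low dialect floor."""
    g, out = parse_smb_conf(text).get("global", {}), []
    if g.get("ntlmauth", "").lower() in TRUE:
        out.append("ntlm auth: NTLMv1 responses are accepted")
    if g.get("maptoguest", "never").lower() != "never":
        out.append("map to guest: failed logons can become guest sessions")
    minp = g.get("serverminprotocol", g.get("minprotocol", "")).upper()
    minp = ALIASES.get(minp, minp)
    if minp in PROTOCOLS and PROTOCOLS.index(minp) < PROTOCOLS.index(floor):
        out.append(f"server min protocol: {minp} is older than {floor}")
    return out

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED) or "no findings")
```

Only explicitly set values are flagged; an unset parameter takes the default of the installed Samba version, which testparm reports.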
