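While building a server recently, I ran into a problem with SAMBA. Below is a configuration I have used many times without any issues.
Samba config (Anonymous is commented out, but works when enabled)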
[global]
workgroup = SAMBA
security = user
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/%m
log level = 1
#[Anonymous]
#comment = Anonymous File Server Share
#path = /tmp
#browsable =yes
#writable = yes
#guest ok = yes
#read only = no
[hes]
comment = stuff
path = /u01/app2
valid users = hesowner, oracle
writable = yes
browsable = yes
printable = no
invalid users = None
Testing the share locally with smbclient works fine.
[root@test1 ~]# smbclient -U hesowner //test1/hes
Enter SAMBA\hesowner's password:
Domain=[TEST1] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
. D 0 Tue Aug 29 14:39:32 2017
.. D 0 Tue Aug 29 14:33:15 2017
reports D 0 Tue Aug 29 14:33:15 2017
forms D 0 Tue Aug 29 14:33:53 2017
eis_ws_approvals D 0 Tue Aug 29 14:45:20 2017
52403200 blocks of size 1024. 36431144 blocks available
smb: \>
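So the problem is on Windows 10 Pro: when I try to access the share via \\test1\hes, I just get the user/password prompt over and over and cannot access the share.
Here are the logs...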
[2017/09/07 11:54:20.051608, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.125265, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.161800, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.161824, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.237828, 2] ../source3/smbd/service.c:319(create_connection_session_info)
guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.237851, 1] ../source3/smbd/service.c:502(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
I see it mentions "guest user", which is odd. Removing "map to guest = Bad User" had no effect.
I am at a total loss...
Thanks for your help.
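The log above shows session setups from the Windows client arriving as the guest user and then being refused on [hes]. As an added example (not part of the original post), the following Python code parses the two-line smbd log format and reports clients that are repeatedly refused as guest; the client names, the "test1" entry and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample keyed by client name, mirroring "log file = /var/log/samba/%m".
# The client names and the "test1" entry are made up; the other lines follow the log above.
SAMPLE_LOGS = {
    "win10-pc": """\
[2017/09/07 11:54:20.051608,  2] ../source3/smbd/service.c:319(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (hes)
[2017/09/07 11:54:20.051670,  1] ../source3/smbd/service.c:502(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/07 11:54:20.125206,  2] ../source3/smbd/service.c:319(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (hes)
""",
    "test1": """\
[2017/09/07 11:50:02.000001,  2] ../source3/smbd/example.c:1(constructed_entry)
  constructed placeholder message, unrelated to guest access
""",
}

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)")
GUEST_DENIED = re.compile(r"guest user \(from session setup\) not permitted "
                          r"to access this share \((?P<share>[^)]+)\)")

def parse_entries(text):
    """Pair each header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def guest_denials(logs_by_machine, threshold=2):
    """Return {(machine, share): count} for clients refused as guest at least `threshold` times."""
    counts = Counter()
    for machine, text in logs_by_machine.items():
        for entry in parse_entries(text):
            hit = GUEST_DENIED.search(entry["msg"])
            if hit:
                counts[(machine, hit.group("share"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (machine, share), n in guest_denials(SAMPLE_LOGS).items():
        print(f"{machine}: refused as guest {n}x on [{share}]")
```
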
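Answer 1
In case anyone else runs into this, my solution was to adjust the security policy on the Windows client.
Run > Secpol.msc
Then I set "Local Policies" > "Security Options" > "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM"
Otherwise, you can edit SAMBA.
Add the following line to the global section of the smb.conf file.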
ntlm auth = yes
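I didn't solve this myself. Found the solution here.
Answer 2
I do not recommend enabling legacy protocols such as NTLM. This works in a Win7 environment (which only supports SMB2.10) with Ubuntu 14/samba-4.3.11 Active Directory. It also sets a "natural" barrier against lower versions of Windows being able to connect to any share.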
$ grep -E "m[ai][xn] protocol" /etc/samba/smb.conf
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
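Of course, the configuration can be optimised and consolidated - make sure you have support for the highest possible SMB version enabled: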
$ testparm -l --show-all-parameters | grep -E "m[ai][xn] protocol|smb encrypt"
smb encrypt=P_ENUM,default|No|False|0|Off|disabled|if_required|Yes|True|1|On|enabled|auto|desired|required|mandatory|force|forced|enforced,
server max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
server min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc max protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
client ipc min protocol=P_ENUM,default|SMB2|SMB3|SMB3_11|SMB3_10|SMB3_02|SMB3_00|SMB2_24|SMB2_22|SMB2_10|SMB2_02|NT1|LANMAN2|LANMAN1|CORE|COREPLUS|CORE+,
Some relevant output from a production environment:
$ smbstatus | grep -E "SMB|NTLM|^PID|\-\-{1,}"
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
11724 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51177) SMB2_10
4834 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54652) SMB2_10
1512 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50496) SMB2_10
21140 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:62753) SMB2_10
26057 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54410) SMB2_10
1513 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50498) SMB2_10
11351 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:51152) SMB2_10
11464 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:65059) SMB2_10
5056 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:54671) SMB2_10
1511 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:50494) SMB2_10
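...and from a lab Centos7/samba-4.4.4 Active Directory. You should be able to use encryption with your SAMBA and Win10 versions; make sure the smb encrypt parameter is configured properly for a mixed SMB2/3 environment.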
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
10884 AD-User-ID User-Group X.X.X.X (ipvX:X.X.X.X:4867) SMB2_10 - HMAC-SHA256
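The two answers pull in opposite directions: Answer 1 offers "ntlm auth = yes" as a workaround, while Answer 2 advises against it and sets a protocol floor of SMB2_10. The following added example (not from either answer) audits the [global] section of an smb.conf for both settings; the sample config, the "server min protocol = NT1" line and the choice of floor are assumptions made for the example.

```python
import configparser

# Protocol names in ascending order, as listed in the testparm output above.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10",
         "SMB2_22", "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"CORE+": "COREPLUS", "SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # per smb.conf(5)
FLOOR = "SMB2_10"  # the floor used in Answer 2; an assumption, set your own policy
MIN_KEYS = ("server min protocol", "client min protocol", "client ipc min protocol")

# Constructed input: part of the question's config plus Answer 1's "ntlm auth = yes";
# the "server min protocol = NT1" line is made up for the example.
SAMPLE_CONF = """\
[global]
    workgroup = SAMBA
    map to guest = Bad User
    log file = /var/log/samba/%m
    ntlm auth = yes
    server min protocol = NT1
[hes]
    path = /u01/app2
    valid users = hesowner, oracle
"""

def rank(name):
    name = name.strip().upper()
    return ORDER.index(ALIASES.get(name, name))  # ValueError on an unknown name

def audit(conf_text, floor=FLOOR):
    """Return findings for [global] settings that weaken authentication or the protocol floor."""
    # Strip indentation so configparser does not read indented lines as continuations;
    # interpolation=None keeps Samba's %m-style macros from being treated as references.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    g = next((cp[s] for s in cp.sections() if s.strip().lower() == "global"), {})
    findings = []
    if g.get("ntlm auth", "").strip().lower() in ("yes", "true", "1", "ntlmv1-permitted"):
        findings.append("ntlm auth: NTLMv1 responses are accepted")
    if g.get("smb encrypt", "").strip().lower() in ("no", "false", "0", "off", "disabled"):
        findings.append("smb encrypt: encryption is switched off")
    for key in MIN_KEYS:
        value = g.get(key, "default").strip()
        if value.lower() == "default":
            findings.append(f"{key}: not set, the installed version's default applies")
        elif rank(value) < rank(floor):
            findings.append(f"{key}: {value} is below {floor}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Keys reported as not set should be checked against the running server with testparm, since the built-in defaults differ between Samba versions.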