AD 域中的 Samba4:getent 仅显示本地帐户

AD 域中的 Samba4:getent 仅显示本地帐户

几天前,我的 samba 域成员还在运行,但现在它停止为域用户提供服务。我已经尝试过的一些步骤:清除缓存、重新加入域、重新启动、pam-auth-update、使用和不使用“winbind use default domain = yes”等等。

编辑:这是一个具有服务器 2008 DC 的 Active Directory 域

不过有些事情发生了变化。当它正常工作时,“wbinfo -u”和“wbinfo -g”会显示类似 LONGNAME\accoutname 的帐户。现在它们只显示帐户名。

---编辑2:这似乎与问题无关。我将“workgroup=LONGNAME”放在“realm=SHORTNAME.TLD”上方,现在 wbinfo -u 或 -g 显示的帐户与以前一样:LONGNAME\accountname。

somelocaluser 可以访问共享。当域用户尝试访问共享时,我得到:

[2018/04/24 13:34:49.422394,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [[email protected]]
[2018/04/24 13:34:49.423991,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username LONGNAME\user is invalid on this system

有人知道吗?我没什么主意了。

以下是我的配置和一些故障排除输出。

软件: Ubuntu 16.04.4 LTS、Samba 4、krb5-config、krb5-user、winbind、libpam-winbind、libnss-winbind

配置: 主机名例如为“samba”

/etc/network/interfaces

auto ens18
iface ens18 inet static
       address         10.10.*****
       netmask         255.255.0.0
       gateway         10.10.*****
       dns-nameservers 172.17.*** 172.17.***
       dns-search      shortname.tld

DNS 解析有效,但我将名称服务器(以及 AD-DC)也放在主机 /etc/hosts 中

127.0.0.1      localhost
172.17.***     DC1.shortname.tld
172.17.***     DC2.shortname.tld

时间同步是外部的,但与 DC 的来源相同,差异为零。我使用 timesyncd。

/etc/krb5.conf

[logging]
   default = FILE:/var/log/krb5.log
[libdefaults]
       ticket_lifetime = 24000
       clock_skew = 300
       default_realm = SHORTNAME.TLD
           dns_lookup_kdc = true
           dns_lookup_realm = false
[realms]
       SHORTNAME.TLD = {
               kdc = dc1:88
               admin_server = dc1:464
               default_domain = SHORTNAME.TLD
       }
[domain_realm]
       .shortname.tld = SHORTNAME.TLD
       shortname.tld = SHORTNAME.TLD

ping 和 kinit[电子邮件保护]在工作中

klist-输出:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
24.04.2018 18:48:19  25.04.2018 01:28:09  krbtgt/[email protected]


net ads join -U [email protected]

Using short domain name -- LONGNAME
Joined 'SAMBA' to dns domain 'shortname.tld'


/etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

我有一个本地用户需要进行无密码身份验证,因此我将 pam-common-files 中 pam_unix.so 的 nullok_secure 参数更改为 nullok。此外,我将 pam-common-files 中 pam_krb5.so 的参数 minimum_uid 从 1000 更改为 10000。

net ads info

LDAP server: 172.17.***
LDAP server name: dc1.shortname.tld
Realm: SHORTNAME.TLD
Bind Path: dc=SHORTNAME,dc=TLD
LDAP port: 389
Server time: Di, 24 Apr 2018 19:11:11 CEST
KDC server: 172.17.***
Server time offset: 0


systemctl status winbind

● winbind.service - LSB: start Winbind daemon
   Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
   Active: active (running) since Di 2018-04-24 18:08:59 CEST; 1h 3min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1920 ExecStop=/etc/init.d/winbind stop (code=exited, status=0/SUCCESS)
  Process: 2132 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)
   Tasks: 8
   Memory: 25.5M
      CPU: 3.663s
   CGroup: /system.slice/winbind.service
           ├─2147 /usr/sbin/winbindd
           ├─2148 /usr/sbin/winbindd
           ├─2154 /usr/sbin/winbindd
           ├─2159 /usr/sbin/winbindd
           ├─2161 /usr/sbin/winbindd
           ├─2167 /usr/sbin/winbindd
           ├─2502 /usr/sbin/winbindd
           └─2503 /usr/sbin/winbindd

Apr 24 18:08:59 samba systemd[1]: Starting LSB: start Winbind daemon...
Apr 24 18:08:59 samba winbind[2132]:  * Starting the Winbind daemon winbind
Apr 24 18:08:59 samba winbind[2132]:    ...done.
Apr 24 18:08:59 samba winbindd[2147]: [2018/04/24 18:08:59.795374,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
Apr 24 18:08:59 samba winbindd[2147]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Apr 24 18:08:59 samba systemd[1]: Started LSB: start Winbind daemon.
Apr 24 18:08:59 samba winbindd[2147]: [2018/04/24 18:08:59.798362,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Apr 24 18:08:59 samba winbindd[2147]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connections


/etc/samba/smb.conf

[global]
realm = SHORTNAME.TLD
workgroup = LONGNAME
idmap config * : backend = tdb
idmap config * : range = 1000-9999
idmap config MICROCONSULT : backend = nss
idmap config MICROCONSULT : range = 10000-19999
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind expand groups = 5
winbind max domain connections = 10
template homedir = /dev/null
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
acl group control = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
vfs objects = acl_xattr
deadtime = 15
admin users = "@LONGNAME\\linuxadminsgroup"
store dos attributes = yes
null passwords = yes
domain master = no
local master = no
preferred master = no
os level = 0
server string = %h server (Samba, Ubuntu)
wins server = 172.17.*** 172.17.***
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccess    fully* .
pam password change = yes
map to guest = bad user
#======================= Share Definitions =======================
[ShareOne]
        path = /smbshare/ShareOne
        valid users = somelocaluser, @LONGNAME\\linuxwriter
        create mask = 570
        directory mask = 570
        writeable = no
        write list = @LONGNAME\\linuxwriter

[ShareTwo]
        path = /smbshare/ShareTwo
        valid users = somelocaluser, @LONGNAME\\linuxwriter
        create mask = 770
        directory mask = 770
        writeable = yes

相关内容