A few days ago my Samba domain member was still working, but now it has stopped serving domain users. Some steps I have already tried: clearing the cache, rejoining the domain, rebooting, pam-auth-update, with and without "winbind use default domain = yes", and so on.
Edit: this is an Active Directory domain with Server 2008 DCs.
Something has changed, though. When it was working, "wbinfo -u" and "wbinfo -g" showed accounts like LONGNAME\accountname. Now they only show the account name.
---Edit 2: this seems to be unrelated to the problem. I put "workgroup = LONGNAME" above "realm = SHORTNAME.TLD", and now wbinfo -u or -g shows accounts as before: LONGNAME\accountname.
somelocaluser can access the shares. When a domain user tries to access a share, I get:
[2018/04/24 13:34:49.422394, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [[email protected]]
[2018/04/24 13:34:49.423991, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username LONGNAME\user is invalid on this system
Does anyone have an idea? I am running out of ideas.
Below are my configuration and some troubleshooting output.
Software: Ubuntu 16.04.4 LTS, Samba 4, krb5-config, krb5-user, winbind, libpam-winbind, libnss-winbind
Configuration: the hostname is, for example, "samba"
/etc/network/interfaces
auto ens18
iface ens18 inet static
address 10.10.*****
netmask 255.255.0.0
gateway 10.10.*****
dns-nameservers 172.17.*** 172.17.***
dns-search shortname.tld
DNS resolution works, but I also put the name servers (which are also the AD DCs) in the host's /etc/hosts
127.0.0.1 localhost
172.17.*** DC1.shortname.tld
172.17.*** DC2.shortname.tld
Time synchronization is external, but from the same source as the DCs, and the offset is zero. I use timesyncd.
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = SHORTNAME.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
[realms]
SHORTNAME.TLD = {
kdc = dc1:88
admin_server = dc1:464
default_domain = SHORTNAME.TLD
}
[domain_realm]
.shortname.tld = SHORTNAME.TLD
shortname.tld = SHORTNAME.TLD
ping and kinit [email protected] are working
klist output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
24.04.2018 18:48:19 25.04.2018 01:28:09 krbtgt/[email protected]
net ads join -U [email protected]
Using short domain name -- LONGNAME
Joined 'SAMBA' to dns domain 'shortname.tld'
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
I have a local user that needs to authenticate without a password, so I changed the nullok_secure parameter of pam_unix.so in pam-common-files to nullok. In addition, I changed the minimum_uid parameter of pam_krb5.so in pam-common-files from 1000 to 10000.
net ads info
LDAP server: 172.17.***
LDAP server name: dc1.shortname.tld
Realm: SHORTNAME.TLD
Bind Path: dc=SHORTNAME,dc=TLD
LDAP port: 389
Server time: Di, 24 Apr 2018 19:11:11 CEST
KDC server: 172.17.***
Server time offset: 0
systemctl status winbind
● winbind.service - LSB: start Winbind daemon
Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
Active: active (running) since Di 2018-04-24 18:08:59 CEST; 1h 3min ago
Docs: man:systemd-sysv-generator(8)
Process: 1920 ExecStop=/etc/init.d/winbind stop (code=exited, status=0/SUCCESS)
Process: 2132 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)
Tasks: 8
Memory: 25.5M
CPU: 3.663s
CGroup: /system.slice/winbind.service
├─2147 /usr/sbin/winbindd
├─2148 /usr/sbin/winbindd
├─2154 /usr/sbin/winbindd
├─2159 /usr/sbin/winbindd
├─2161 /usr/sbin/winbindd
├─2167 /usr/sbin/winbindd
├─2502 /usr/sbin/winbindd
└─2503 /usr/sbin/winbindd
Apr 24 18:08:59 samba systemd[1]: Starting LSB: start Winbind daemon...
Apr 24 18:08:59 samba winbind[2132]: * Starting the Winbind daemon winbind
Apr 24 18:08:59 samba winbind[2132]: ...done.
Apr 24 18:08:59 samba winbindd[2147]: [2018/04/24 18:08:59.795374, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
Apr 24 18:08:59 samba winbindd[2147]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Apr 24 18:08:59 samba systemd[1]: Started LSB: start Winbind daemon.
Apr 24 18:08:59 samba winbindd[2147]: [2018/04/24 18:08:59.798362, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Apr 24 18:08:59 samba winbindd[2147]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
/etc/samba/smb.conf
[global]
realm = SHORTNAME.TLD
workgroup = LONGNAME
idmap config * : backend = tdb
idmap config * : range = 1000-9999
idmap config MICROCONSULT : backend = nss
idmap config MICROCONSULT : range = 10000-19999
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind expand groups = 5
winbind max domain connections = 10
template homedir = /dev/null
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
acl group control = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
vfs objects = acl_xattr
deadtime = 15
admin users = "@LONGNAME\\linuxadminsgroup"
store dos attributes = yes
null passwords = yes
domain master = no
local master = no
preferred master = no
os level = 0
server string = %h server (Samba, Ubuntu)
wins server = 172.17.*** 172.17.***
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
#======================= Share Definitions =======================
[ShareOne]
path = /smbshare/ShareOne
valid users = somelocaluser, @LONGNAME\\linuxwriter
create mask = 570
directory mask = 570
writeable = no
write list = @LONGNAME\\linuxwriter
[ShareTwo]
path = /smbshare/ShareTwo
valid users = somelocaluser, @LONGNAME\\linuxwriter
create mask = 770
directory mask = 770
writeable = yes
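An added example, not part of the original question or of Samba itself. The log line "Username LONGNAME\user is invalid on this system" comes from Samba failing to look the mapped user name up through NSS, which on a member server means winbind did not hand it a Unix uid. In the posted smb.conf the per-domain idmap block is for MICROCONSULT while the workgroup is LONGNAME, so LONGNAME users have no per-domain mapping, and that block uses backend = nss, which only works for accounts that already exist in /etc/passwd. The script below is a static lint for exactly those idmap mistakes (domain name not matching the workgroup, no block for the joined domain, nss backend, missing or overlapping ranges), run here against a sample constructed from the idmap-relevant lines of the question; it also goes slightly beyond the page with a second function listing the live winbind lookups to run on the member once the lint is clean. It assumes one "key = value" per line under [global] and no "include =" indirection.

```shell
#!/bin/sh
# Added example, not code from the original question or from Samba. A static
# lint of the idmap settings in an smb.conf [global] section, aimed at the
# mistakes that leave winbind unable to give Samba a Unix uid for a domain
# user, which Samba then logs as "Username DOMAIN\user is invalid on this system".
# Assumptions: one "key = value" per line, no "include =" or "config file ="
# indirection; domain names are compared case-insensitively.

# Print one finding per line; the exit status is the number of findings.
lint_idmap() {  # usage: lint_idmap /etc/samba/smb.conf
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ { in_global = (tolower(trim($0)) == "[global]"); next }
        !in_global || /^[ \t]*[#;]/ || !/=/ { next }
        {
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = trim(substr($0, index($0, "=") + 1))
            gsub(/[ \t]+/, " ", key)
            if (key == "workgroup") {
                wg = toupper(val)
            } else if (key ~ /^idmap config [^ ]+ ?: ?(backend|range)$/) {
                dom = key; sub(/^idmap config /, "", dom); sub(/ ?:.*$/, "", dom)
                opt = key; sub(/.*: ?/, "", opt)
                dom = toupper(dom)
                if (!(dom in seen)) { seen[dom] = 1; order[++n] = dom }
                cfg[dom, opt] = val
            }
        }
        END {
            findings = 0; has_wg = 0
            if (wg == "") { print "ERROR: no workgroup in [global]"; findings++ }
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (d == wg) has_wg = 1
                # A per-domain block applies only to the domain it names; every
                # other domain, including the joined one, gets the * default range.
                if (d != "*" && d != wg) {
                    print "ERROR: idmap config for " d " but workgroup is " wg "; users of " wg " fall into the * default range"
                    findings++
                }
                # idmap_nss resolves names through the non-winbind NSS sources, so
                # each domain user would already need an /etc/passwd entry.
                if (cfg[d, "backend"] == "nss") {
                    print "WARN: idmap config " d " uses backend nss; domain users need pre-existing local accounts (rid or ad is usual for a member)"
                    findings++
                }
                if (cfg[d, "range"] == "") { print "ERROR: idmap config " d " has no range"; findings++ }
            }
            if (wg != "" && !has_wg) { print "ERROR: no idmap config block for workgroup " wg; findings++ }
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) {
                split(cfg[order[i], "range"], a, "-"); split(cfg[order[j], "range"], b, "-")
                if (a[1] != "" && b[1] != "" && a[1] + 0 <= b[2] + 0 && b[1] + 0 <= a[2] + 0) {
                    print "ERROR: idmap ranges of " order[i] " and " order[j] " overlap"; findings++
                }
            }
            exit findings
        }' "$1"
}

# Constructed sample: the idmap-relevant lines of the smb.conf posted in the
# question, with the same LONGNAME / SHORTNAME.TLD placeholders.
write_sample_conf() {  # usage: write_sample_conf /path/to/file
    cat > "$1" <<'EOF'
[global]
   realm = SHORTNAME.TLD
   workgroup = LONGNAME
   idmap config * : backend = tdb
   idmap config * : range = 1000-9999
   idmap config MICROCONSULT : backend = nss
   idmap config MICROCONSULT : range = 10000-19999
   winbind enum users = yes
   server role = member server
[ShareOne]
   path = /smbshare/ShareOne
   valid users = somelocaluser, @LONGNAME\\linuxwriter
EOF
}

# Live checks on the member itself (winbind running, samba tools installed).
# These are the lookups that must all succeed before a Kerberos-authenticated
# domain user can be mapped to a Unix account. Not run here: they need the domain.
check_domain_user() {  # usage: check_domain_user 'LONGNAME\user'
    wbinfo -t                   # is the machine account trust secret still valid?
    wbinfo --name-to-sid "$1"   # does the DC resolve the name at all?
    wbinfo -i "$1"              # can winbind map the SID to uid/gid through idmap?
    getent passwd "$1"          # does NSS (passwd: ... winbind) hand it to Samba?
}

conf=${TMPDIR:-/tmp}/smb.conf.sample.$$
write_sample_conf "$conf"
lint_idmap "$conf" || echo "$? finding(s) in $conf"
rm -f "$conf"
```

On the member, run lint_idmap against the real /etc/samba/smb.conf first; once it reports nothing, run check_domain_user for the account that fails, and the first command in it that errors is where the mapping breaks.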