We recently upgraded a Zentyal 3.3 server to 5.1; the upgrade was done through the Software Updates menu. The Samba version was 4.1.3 and is now 4.6.7.
After the upgrade I noticed that nobody could access the Samba shares from Windows. The server has the DC role, but it also has many file shares configured for end users. The sysvol share works fine, users can authenticate and GPOs work, but the shares do not. The error message is access denied. The only way to access them is to set "admin users" in smb.conf to the required group or user. But that gives me a new problem, because then every user can access every folder, even those they have no rights to.
Finally I found a new "solution": if I set an AD user for access to the share, it works fine. But if I set an AD group, it fails. The AD group exists; I verified that with several commands. Group membership is also correct, so I can clearly see that I am a member of those groups.
Another thing that may or may not matter: the folder users write to is mounted via iSCSI onto another folder and then hard-linked into the /home directory. Previously the data was directly there, but during the Zentyal upgrade we moved the data elsewhere (500 GB).
I have searched for a solution for more than a day but have not found one so far. From samba.log when I try to access the share using group permissions:
[2018/11/02 20:22:57.348766,3,pid = 2560,有效(0,0),实际(0,0)] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)string_to_sid:SID @Domain Users 格式无效
[2018/11/02 23:23:55.424532, 3] ../source3/smbd/service.c:102(set_current_service)chdir(/home/samba/shares/iktato_uj)失败,原因:权限被拒绝
[2018/11/02 23:23:55.424574, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)smbd_smb2_request_error_ex:smbd_smb2_request_error_ex:idx[1] status[NT_STATUS_ACCESS_DENIED] ||在 ../source3/smbd/smb2_server.c:2449
[2018/11/02 23:23:55.427243, 3]../source3/smbd/service.c:102(set_current_service)chdir(/home/samba/shares/iktato_uj)失败,原因:权限被拒绝
Here is an example of the share in shares.conf that I am trying to access:
[Iktato_uj]
comment = Iktato_uj
path = /home/samba/shares/iktato_uj
browseable = yes
force create mode = 0660
force directory mode = 0660
valid users = @"Iktato", "molehand"
read list =
write list = @"Iktato", "molehand"
admin users =
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
Here is the output of samba-tool testparm:
# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo ens36
netbios name = GAMESZSRV2
realm = BVDOM.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Zentyal Server
workgroup = BVDOM
log file = /var/log/samba/samba.log
log level = 3
max log size = 100000
map to guest = Bad User
server role = active directory domain controller
server signing = if_required
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
idmap_ldb:use rfc2307 = yes
drs:max object sync = 1200
dsdb:schema update allowed = yes
server role check:inhibit = yes
comment =
include = /etc/samba/shares.conf
[homes]
comment = Saját könyvtárak
path = /home/%S
browseable = No
create mask = 0611
directory mask = 0711
read only = No
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
[Vendeg]
comment = Vendeg
path = /home/samba/shares/vendeg
admin users = "@All domain users" "@Domain Admins"
force create mode = 0660
force directory mode = 0660
valid users = "@All domain users" "@Domain Admins" "@All domain users" "@Domain Admins"
write list = "@All domain users" "@Domain Admins"
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[muszak]
comment = Muszak
path = /home/samba/shares/muszak
admin users = @Muszak
force create mode = 0660
force directory mode = 0660
valid users = @Muszak @Muszak
write list = @Muszak
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Vezetes]
comment = Vezetés
path = /home/samba/shares/vezetes
admin users = @Vezetes
force create mode = 0660
force directory mode = 0660
valid users = @Vezetes @Vezetes
write list = @Vezetes
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Domain users]
comment = Domain users
path = /home/samba/shares/users
admin users = "@Domain Userek"
force create mode = 0660
force directory mode = 0660
valid users = "@Domain Userek" "@Domain Userek"
write list = "@Domain Userek"
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Berlemeny]
comment = Bérlemény
path = /home/samba/shares/berlemeny
admin users = @Berlemeny
force create mode = 0660
force directory mode = 0660
valid users = @Berlemeny @Berlemeny
write list = @Berlemeny
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Szamvitel]
comment = Számvitel
path = /home/samba/shares/szamvitel
admin users = @Szamvitel
force create mode = 0660
force directory mode = 0660
valid users = @Szamvitel @Szamvitel
write list = @Szamvitel
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Iktato]
comment = Iktató
path = /home/samba/shares/iktato
admin users = @Iktato
force create mode = 0660
force directory mode = 0660
valid users = @Iktato @Iktato
write list = @Iktato
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[HR]
comment = HR
path = /home/samba/shares/hr
admin users = @hr1
force create mode = 0660
force directory mode = 0660
valid users = @hr1 @hr1
write list = @hr1
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[intezmenyi]
comment = intézmények abevjava
path = /home/samba/shares/intezmenyi
admin users = @anyk
force create mode = 0660
force directory mode = 0660
valid users = @anyk @anyk
write list = @anyk
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Próba]
comment = teszt
path = /home/samba/shares/proba
force create mode = 0660
force directory mode = 0660
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Iktato_uj]
comment = Iktato_uj
path = /home/samba/shares/iktato_uj
force create mode = 0660
force directory mode = 0660
valid users = @Iktato molehand
write list = @Iktato molehand
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[netlogon]
path = /var/lib/samba/sysvol/bvdom.local/scripts
browseable = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
smb.conf output:
[global]
workgroup = bvdom
realm = BVDOM.LOCAL
netbios name = gameszsrv2
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
interfaces = lo,ens36
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/bvdom.local/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
I also tried several approaches with unix permissions etc., but none of them worked. When I want to access a share with an AD group, it seems not to recognize the AD group.
To summarize:
User ACLs work, but group ACLs do not.
Update: I tried creating a new share for another folder, and then the mounted iSCSI and SMB access worked perfectly. So I checked the unix permissions again and changed one permission on the iSCSI mount. After I modified the ACL and made myself the owner of the folder, I was able to access it from the network and modify the ACL from Windows. So it seems to be a simple filesystem permission problem, nothing more. I hope I can get it working for the other shares too.
I would appreciate any solution or hint. Thank you.
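The question turns on two separate checks that the log lines above hint at: whether smbd can resolve the group names in "valid users" / "write list" / "admin users" at all (the string_to_sid line), and whether the share directory on disk is traversable by that group (the kernel-level chdir Permission denied). The following script is an added example, not code from the original post, Samba or Zentyal: it parses a shares file in the layout shown above, collects the group names, and reports both checks per share. The group lookup and stat calls are injectable, so the block runs offline against a constructed sample config, a constructed group table and a constructed directory tree; the share and group names in the sample are taken from the post.

```python
# Added diagnostic example, not code from the original post, Samba or Zentyal. It parses a
# Samba shares file, collects the groups named in "valid users" / "write list" / "admin users",
# and for each share reports whether the group resolves through NSS (winbind on an AD DC) and
# whether the share directory is traversable by that group under plain POSIX mode bits.
import grp
import os
import re
import stat
import sys
from collections import namedtuple

# The three group spellings that occur in the post's configs: @Iktato, "@Domain Admins", @"Iktato"
_GROUP_TOKEN = re.compile(r'@"([^"]+)"|"@([^"]+)"|@([^\s,"]+)')
_ACCESS_KEYS = ("valid users", "write list", "admin users")

# Constructed sample in the layout of the post's shares.conf (share and group names are the post's)
SAMPLE_CONF = """\
[Iktato_uj]
  path = /home/samba/shares/iktato_uj
  valid users = @"Iktato", "molehand"
  write list = @"Iktato", "molehand"
[Vendeg]
  path = /home/samba/shares/vendeg
  admin users = "@All domain users" "@Domain Admins"
  valid users = "@All domain users" "@Domain Admins"
"""

def parse_shares(text):
    """Minimal smb.conf section parser: {share: {key: value}}; a repeated key keeps the last value."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            shares[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares

def share_groups(section):
    """Group names referenced by the access keys of one share, in first-seen order."""
    groups = []
    for key in _ACCESS_KEYS:
        for match in _GROUP_TOKEN.finditer(section.get(key, "")):
            name = next(g for g in match.groups() if g)
            if name not in groups:
                groups.append(name)
    return groups

def group_can_traverse(mode, path_gid, gid):
    """chdir allowed for a member of gid, by mode bits only (owner bit ignored, POSIX ACLs not read)."""
    if path_gid == gid and mode & stat.S_IXGRP:
        return True
    return bool(mode & stat.S_IXOTH)

def diagnose(shares, lookup=grp.getgrnam, stat_fn=os.stat):
    """(share, group, code, detail) per share/group pair; lookup and stat_fn are injectable."""
    report = []
    for share, section in shares.items():
        path = section.get("path", "")
        for group in share_groups(section):
            try:
                gid = lookup(group).gr_gid
            except KeyError:
                # the situation behind the post's "string_to_sid ... not in a valid format" line
                report.append((share, group, "unresolved", "group not known to NSS"))
                continue
            try:
                st = stat_fn(path)
            except OSError as exc:
                report.append((share, group, "path-error", f"{path}: {exc.strerror}"))
                continue
            if group_can_traverse(st.st_mode, st.st_gid, gid):
                report.append((share, group, "ok", path))
            else:
                # the kernel-level "chdir(...) failed, Permission denied" case from the post's log
                detail = f"{path} mode {stat.S_IMODE(st.st_mode):04o} gid {st.st_gid}, member gid {gid}"
                report.append((share, group, "no-traverse", detail))
    return report

# Constructed stand-ins for offline runs: "All domain users" is deliberately absent, and the
# iktato_uj directory is root-owned mode 0700, the shape of the poster's iSCSI-mount problem.
GroupEntry = namedtuple("GroupEntry", "gr_name gr_passwd gr_gid gr_mem")
FakeStat = namedtuple("FakeStat", "st_mode st_gid")
_FAKE_GROUPS = {"Iktato": 10001, "Domain Admins": 10002}
_FAKE_TREE = {"/home/samba/shares/iktato_uj": FakeStat(stat.S_IFDIR | 0o700, 0),
              "/home/samba/shares/vendeg": FakeStat(stat.S_IFDIR | 0o2770, 10002)}

def fake_lookup(name):  # KeyError on an unknown name, exactly like grp.getgrnam
    return GroupEntry(name, "x", _FAKE_GROUPS[name], [])

def fake_stat(path):  # FileNotFoundError outside the table, like os.stat
    if path not in _FAKE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    return _FAKE_TREE[path]

if __name__ == "__main__":  # pass a real shares file as argv[1], or run offline on the sample
    if len(sys.argv) > 1:
        rows = diagnose(parse_shares(open(sys.argv[1], encoding="utf-8", errors="replace").read()))
    else:
        rows = diagnose(parse_shares(SAMPLE_CONF), fake_lookup, fake_stat)
    for row in rows:
        print("%-10s %-18s %-12s %s" % row)
```

Run on the DC as root with the real file (for example `python3 check_shares.py /etc/samba/shares.conf`; the script name is a placeholder). Two caveats apply to the real run: on an AD DC the NSS name of a domain group may carry the domain prefix depending on the `winbind use default domain` setting, so an "unresolved" row should be confirmed with `getent group` or `wbinfo --name-to-sid` before concluding the mapping is broken; and the traversal check reads only the mode bits, so for a "no-traverse" row the next step is `getfacl` on the path, since a chdir refused by the kernel is decided by POSIX permissions and POSIX ACLs, not by the NT ACL that acl_xattr stores in extended attributes.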
Answer 1
The update probably broke the group mapping of the "Domain Users" group. We ran into that too. See this answer for a solution: https://superuser.com/a/1310572/704830