Zentyal 3.3 upgraded to 5.1. Cannot access Samba shares from Windows


We recently upgraded a Zentyal 3.3 server to 5.1; the upgrade was done through the software updates menu. The Samba version was 4.1.3 and is now 4.6.7.

After the upgrade I noticed that nobody could access the Samba shares from Windows. The server has the DC role, but it also has many file shares configured for end users. The sysvol share works fine, users can authenticate and GPOs work, but the shares do not. The error message is access denied. The only way to access them is to set "admin users" in smb.conf to the required group or user. But that creates a new problem for me, because every user is then able to access every folder, even those they have no rights to.

Finally I found a new "solution": if I set an AD user to access the share, it works fine. But if I set an AD group, it fails. The AD group exists; I verified this with several commands. Group membership is also correct, so I can clearly see that I am a member of those groups.

Another thing, which may or may not matter: the folder the users write to is mounted via iSCSI to another folder and then hard-linked to the /home directory. Previously the data was directly there, but during the Zentyal upgrade process we moved the data elsewhere (500 GB).

I have been searching for a solution for over a day but have not found one so far. According to samba.log, when I try to access the share using group permissions:

[2018/11/02 20:22:57.348766,3,pid = 2560,有效(0,0),实际(0,0)] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)string_to_sid:SID @Domain Users 格式无效

[2018/11/02 23:23:55.424532, 3] ../source3/smbd/service.c:102(set_current_service)chdir(/home/samba/shares/iktato_uj)失败,原因:权限被拒绝

[2018/11/02 23:23:55.424574, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)smbd_smb2_request_error_ex:smbd_smb2_request_error_ex:idx[1] status[NT_STATUS_ACCESS_DENIED] ||在 ../source3/smbd/smb2_server.c:2449

[2018/11/02 23:23:55.427243, 3]../source3/smbd/service.c:102(set_current_service)chdir(/home/samba/shares/iktato_uj)失败,原因:权限被拒绝

Here is an example of one of the shares.conf shares I am trying to access:

[Iktato_uj]
    comment = Iktato_uj
    path = /home/samba/shares/iktato_uj
    browseable = yes
    force create mode = 0660
    force directory mode = 0660
    valid users = @"Iktato", "molehand"
    read list =
    write list = @"Iktato", "molehand"
    admin users =
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open  rename

Here is the output of samba-tool testparm:

# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo ens36
        netbios name = GAMESZSRV2
        realm = BVDOM.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Zentyal Server
        workgroup = BVDOM
        log file = /var/log/samba/samba.log
        log level = 3
        max log size = 100000
        map to guest = Bad User
        server role = active directory domain controller
        server signing = if_required
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        idmap_ldb:use rfc2307 = yes
        drs:max object sync = 1200
        dsdb:schema update allowed = yes
        server role check:inhibit = yes
        comment =
        include = /etc/samba/shares.conf

[homes]
        comment = Saját könyvtárak
        path = /home/%S
        browseable = No
        create mask = 0611
        directory mask = 0711
        read only = No
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
        full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename

[Vendeg]
        comment = Vendeg
        path = /home/samba/shares/vendeg
        admin users = "@All domain users" "@Domain Admins"
        force create mode = 0660
        force directory mode = 0660
        valid users = "@All domain users" "@Domain Admins" "@All domain users" "@Domain Admins"
        write list = "@All domain users" "@Domain Admins"
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[muszak]
        comment = Muszak
        path = /home/samba/shares/muszak
        admin users = @Muszak
        force create mode = 0660
        force directory mode = 0660
        valid users = @Muszak @Muszak
        write list = @Muszak
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Vezetes]
        comment = Vezetés
        path = /home/samba/shares/vezetes
        admin users = @Vezetes
        force create mode = 0660
        force directory mode = 0660
        valid users = @Vezetes @Vezetes
        write list = @Vezetes
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Domain users]
        comment = Domain users
        path = /home/samba/shares/users
        admin users = "@Domain Userek"
        force create mode = 0660
        force directory mode = 0660
        valid users = "@Domain Userek" "@Domain Userek"
        write list = "@Domain Userek"
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Berlemeny]
        comment = Bérlemény
        path = /home/samba/shares/berlemeny
        admin users = @Berlemeny
        force create mode = 0660
        force directory mode = 0660
        valid users = @Berlemeny @Berlemeny
        write list = @Berlemeny
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Szamvitel]
        comment = Számvitel
        path = /home/samba/shares/szamvitel
        admin users = @Szamvitel
        force create mode = 0660
        force directory mode = 0660
        valid users = @Szamvitel @Szamvitel
        write list = @Szamvitel
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Iktato]
        comment = Iktató
        path = /home/samba/shares/iktato
        admin users = @Iktato
        force create mode = 0660
        force directory mode = 0660
        valid users = @Iktato @Iktato
        write list = @Iktato
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[HR]
        comment = HR
        path = /home/samba/shares/hr
        admin users = @hr1
        force create mode = 0660
        force directory mode = 0660
        valid users = @hr1 @hr1
        write list = @hr1
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[intezmenyi]
        comment = intézmények abevjava
        path = /home/samba/shares/intezmenyi
        admin users = @anyk
        force create mode = 0660
        force directory mode = 0660
        valid users = @anyk @anyk
        write list = @anyk
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Próba]
        comment = teszt
        path = /home/samba/shares/proba
        force create mode = 0660
        force directory mode = 0660
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[Iktato_uj]
        comment = Iktato_uj
        path = /home/samba/shares/iktato_uj
        force create mode = 0660
        force directory mode = 0660
        valid users = @Iktato molehand
        write list = @Iktato molehand
        vfs objects = acl_xattr full_audit
        full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[netlogon]
        path = /var/lib/samba/sysvol/bvdom.local/scripts
        browseable = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

smb.conf output:

[global]
    workgroup = bvdom
    realm = BVDOM.LOCAL
    netbios name = gameszsrv2
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U

    interfaces = lo,ens36
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000


    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/bvdom.local/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

I also tried several approaches with unix permissions etc., but none succeeded. When I want to access a share using an AD group, it does not seem to recognize the AD group.

To sum up:

User ACLs work, but groups do not.

Update: I tried creating a new share for another folder, and then the mounted iscsi and smb access worked perfectly. So I checked the unix permissions again and modified one permission on the iscsi mount. After I modified the acl and made myself the owner of the folder, I was able to access it from the network and modify the ACL from Windows. So this seems to be a simple filesystem permission problem, nothing more. I hope I can get it working for the other shares too.

I would appreciate any solution or hint. Thanks.
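The post's samba.log shows two distinct failures that are easy to conflate: a group name that never resolves to a SID (string_to_sid in dom_sid.c) and a chdir on the share directory refused by the filesystem (set_current_service in service.c). The triage script below is an added example, not part of the post or of Zentyal/Samba; it parses a shares.conf-style block to learn which share and which "valid users" groups a path belongs to, then classifies each log failure. The log and config samples are constructed from the post's own paths and names, with the log message wording following Samba's English debug strings for these two messages (the post shows them in translation).

```python
import re

# Constructed sample modelled on the two failure kinds in the post's samba.log.
SAMPLE_LOG = """\
[2018/11/02 20:22:57.348766,  3, pid=2560] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @Domain Users is not in a valid format
[2018/11/02 23:23:55.424532,  3] ../source3/smbd/service.c:102(set_current_service)
  chdir (/home/samba/shares/iktato_uj) failed, reason: Permission denied
[2018/11/02 23:23:55.424574,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2449
"""

# Constructed sample in the poster's shares.conf format (both quoting styles seen on the page).
SAMPLE_SHARES = """\
[Iktato_uj]
    path = /home/samba/shares/iktato_uj
    valid users = @"Iktato", "molehand"
[muszak]
    path = /home/samba/shares/muszak
    valid users = @Muszak @Muszak
"""

SID_FAIL = re.compile(r"string_to_sid: SID (.+?) is not in a valid format")
CHDIR_FAIL = re.compile(r"chdir \((.+?)\) failed, reason: (.+)")
TOKEN = re.compile(r'@?"[^"]+"|[^\s,]+')  # '@"Iktato"', '"@Domain Users"', '@Muszak', 'molehand'


def parse_shares(text):
    """Map share path -> (share name, sorted group names taken from 'valid users')."""
    shares, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1], {"path": None, "groups": set()})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "path":
                cur["path"] = val
            elif key == "valid users":
                for tok in TOKEN.findall(val):
                    name = tok.replace('"', "")          # drop either quoting style
                    if name.startswith("@"):             # '@' marks a group entry
                        cur["groups"].add(name[1:])
    return {v["path"]: (n, sorted(v["groups"])) for n, v in shares.items() if v["path"]}


def diagnose(log, shares_text):
    """Return (kind, detail) per failure: 'group_unresolved' means the name never became a
    SID, so no ACL can match it; 'fs_permission' means the SID was fine but the directory's
    POSIX/NT ACL refused the connecting user (the case the poster fixed by chowning)."""
    shares, findings = parse_shares(shares_text), []
    for line in log.splitlines():
        if m := SID_FAIL.search(line):
            findings.append(("group_unresolved", m.group(1).lstrip("@")))
        elif m := CHDIR_FAIL.search(line):
            path, reason = m.groups()
            name, groups = shares.get(path, ("?", []))
            findings.append(("fs_permission", {"share": name, "path": path,
                                               "reason": reason, "groups": groups}))
    return findings
```

A "group_unresolved" finding points at winbind/group mapping (check the name with wbinfo or getent), while "fs_permission" lists the groups the share expects so the directory's ACL can be compared against them with getfacl.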

Answer 1

The update probably broke the group mapping for the "Domain Users" group. We ran into this too. See this answer for a solution: https://superuser.com/a/1310572/704830
