Mounting a DFS filesystem with remote shares on Arch Linux

I have a laptop joined to domain AAA. There are two DFS namespace servers, which are also AD DCs running Win Server 2012 R2. The NAS is a Synology server with CIFS enabled, joined to the domain.

Servers:

  • dc1.domain1.local - ip 10.8.0.3
  • dc2.domain1.local - ip 10.8.0.27
  • nas1.domain1.local - ip 10.8.0.7
  • laptop.domain1.local - 10.91.0.2

The whole setup was working fine until recently. (No idea what happened: a kernel upgrade? Or a Windows update?)

[sssd]
domains = domain1.local
config_file_version = 2
services = nss, pam

[domain/domain1.local]
ad_domain = domain1.local
krb5_realm = DOMAIN1.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
enumerate = True
id_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_lifetime = 1h
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s
ldap_id_mapping = True
krb5_store_password_if_offline = True

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 300
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

/etc/request-key.d/cifs.spnego.conf

create  cifs.spnego    * * /usr/bin/cifs.upcall -t %k

I am trying to mount using:

mount -t cifs -o sec=krb5,user=$USER,cruid=$USER,uid=$USER //dc1.domain1.local/namespace1 /mnt/mp1

I can enter /mnt/mp1. But I cannot access anything beyond it, such as //dc1.domain1.local/namespace1/share1, which is on the Synology server (/mnt/mp1/share1).

Log on the laptop during the mount:

[   54.894236] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.          
[   55.036042] CIFS VFS: Autodisabling the use of server inode numbers on new server.
[   55.036046] CIFS VFS: The server doesn't seem to support them properly or the files might be on different servers (DFS).
[   55.036049] CIFS VFS: Hardlinks will not be recognized on this mount. Consider mounting with the "noserverino" option to silence this message.

When entering /mnt/mp1/share1 I get:

mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=DC1.domain.local;ip4=10.8.0.7;sec=krb5;uid=0x460c22f4;creduid=0x460c22f4;user=admin;pid=0x923                                                    
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: ver=2
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: host=DC1.domain1.local
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: ip=10.8.0.7
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: sec=1
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: uid=1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: creduid=1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: user=admin
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: pid=2339
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_cachename_from_process_env: pathname=/proc/2339/environ
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_cachename_from_process_env: cachename = KEYRING:persistent:1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_existing_cc: default ccache is KEYRING:persistent:1175200500:krb_ccache_s3dU4cx                                                                                                                              
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: getting service ticket for server.poznan.tbhydro.net
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: obtained service ticket
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: Exit status 0

Note that it is requesting a ticket for a different host than the one its IP address resolves to. (10.8.0.7 is the host nas1.domain1.local.)

In the Samba log on nas1.domain1.local:

../source3/lib/access.c:338: [2019/03/20 08:08:50.530826, all 3, pid=26839] allow_access
  Allowed connection from 10.91.0.2 (10.91.0.2)
../source3/smbd/oplock.c:1323: [2019/03/20 08:08:50.530929, locking 3, pid=26839] init_oplocks
  init_oplocks: initializing messages.
../source3/smbd/process.c:1975: [2019/03/20 08:08:50.530968, all 3, pid=26839] process_smb
  Transaction 0 of length 196 (0 toread)
../source3/smbd/smb2_negprot.c:281: [2019/03/20 08:08:50.531044, all 3, pid=26839] smbd_smb2_request_process_negprot
  Selected protocol SMB3_11
../source3/auth/auth_generic.c:246: [2019/03/20 08:08:50.531084, all 3, pid=26839] auth_generic_prepare
  make_auth_context_subsystem [NT_STATUS_OK]
../source3/auth/auth_generic.c:377: [2019/03/20 08:08:50.531400, all 3, pid=26839] auth_generic_prepare
  gensec_set_remote_address: [NT_STATUS_OK]
../source3/smbd/smb2_server.c:2687: [2019/03/20 08:08:50.558318, all 3, pid=26839] smbd_smb2_request_dispatch
  SMB2: cmd=SMB2_OP_NEGPROT [NT_STATUS_OK]
../source3/smbd/smb2_sesssetup.c:811: [2019/03/20 08:08:50.572723, all 3, pid=26839] smbd_smb2_session_setup_send
  in_session_id 0
../source3/auth/auth_generic.c:246: [2019/03/20 08:08:50.572850, all 3, pid=26839] auth_generic_prepare
  make_auth_context_subsystem [NT_STATUS_OK]
../source3/auth/auth_generic.c:377: [2019/03/20 08:08:50.572870, all 3, pid=26839] auth_generic_prepare
  gensec_set_remote_address: [NT_STATUS_OK]
../source3/smbd/smb2_sesssetup.c:866: [2019/03/20 08:08:50.572877, all 3, pid=26839] smbd_smb2_session_setup_send
  auth_generic_prepare [NT_STATUS_OK]
../source3/smbd/smb2_server.c:2687: [2019/03/20 08:08:50.572918, all 3, pid=26839] smbd_smb2_request_dispatch
  SMB2: cmd=SMB2_OP_SESSSETUP [NT_STATUS_OK]
../source3/librpc/crypto/gse.c:503: [2019/03/20 08:08:50.599304, all 1, pid=26839] gse_get_server_auth_token
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/[email protected](kvno 76) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
../auth/gensec/spnego.c:544: [2019/03/20 08:08:50.599342, all 1, pid=26839] gensec_spnego_parse_negTokenInit
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
../auth/gensec/spnego.c:719: [2019/03/20 08:08:50.599360, all 2, pid=26839] gensec_spnego_server_negTokenTarg
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
../auth/gensec/gensec.c:476: [2019/03/20 08:08:50.599370, all 3, pid=26839] gensec_update_async_trigger
  gensec_update [NT_STATUS_LOGON_FAILURE]
../source3/smbd/smb2_server.c:3111: [2019/03/20 08:08:50.599393, all 3, pid=26839] smbd_smb2_request_error_ex
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:136

Any idea where to look for an answer?
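
The disagreement the question points out, between the host and ip4 in the cifs.upcall key description and the name the service ticket is requested for, can be checked mechanically. This is an added example, not part of the original post: it parses two lines copied from the laptop log above, and the function names and the KNOWN_HOSTS table (built from the question's server list) are this example's own.

```python
import re

# Addresses from the server list in the question.
KNOWN_HOSTS = {"10.8.0.3": "dc1.domain1.local", "10.8.0.27": "dc2.domain1.local",
               "10.8.0.7": "nas1.domain1.local"}

# Two lines copied from the cifs.upcall log in the question.
SAMPLE_LOG = (
    "mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: key description: "
    "cifs.spnego;0;0;39010000;ver=0x2;host=DC1.domain.local;ip4=10.8.0.7;"
    "sec=krb5;uid=0x460c22f4;creduid=0x460c22f4;user=admin;pid=0x923\n"
    "mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: "
    "getting service ticket for server.poznan.tbhydro.net\n"
)

LINE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)$")
TICKET_RE = re.compile(r"getting service ticket for (\S+)")

def parse_upcalls(text):
    """Group cifs.upcall lines by helper PID into one record per upcall."""
    calls = {}
    for line in text.splitlines():
        m = LINE_RE.search(line.rstrip())
        if not m:
            continue
        rec, msg = calls.setdefault(m.group(1), {}), m.group(2)
        if msg.startswith("key description:"):
            # Fields are ';'-separated; keep only the key=value ones.
            for field in msg.split(";"):
                key, sep, value = field.partition("=")
                if sep:
                    rec[key.strip()] = value.strip()
        elif (t := TICKET_RE.search(msg)):
            rec["ticket_for"] = t.group(1)
    return calls

def audit(calls, known_hosts=KNOWN_HOSTS):
    """Return (pid, finding) pairs where the names within one upcall disagree."""
    findings = []
    for pid, rec in calls.items():
        host, target = rec.get("host", "").lower(), rec.get("ticket_for", "").lower()
        owner = known_hosts.get(rec.get("ip4", ""))
        if host and target and host != target:
            findings.append((pid, f"ticket for {target}, key host is {host}"))
        if owner and host != owner:
            findings.append((pid, f"{rec['ip4']} is {owner}, key host is {host}"))
    return findings

for pid, finding in audit(parse_upcalls(SAMPLE_LOG)):
    print(f"cifs.upcall[{pid}]: {finding}")
```
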

Answer 1

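The last time I ran into this error was on an Ubuntu 16.04.6 file server, where the Samba package had been automatically updated in April to 4.3.11+dfsg-0ubuntu0.16.04.19. Win10 clients stopped authenticating against the server, with a similar error message (Failed to find cifs/[email protected](kvno x) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)) in the Samba server log. My setup has a lot in common with yours: a Server 2016 AD DC, an Ubuntu 16.04.6 Samba NAS, and Windows clients. The difference in the error is that in my case it was my file server that was listed, not the DC as in your case. The problem was resolved by downgrading the Samba package on the NAS to the previous version (4.3.11+dfsg-0ubuntu0.16.04.17).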

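It looks like you should at least try checking the changelogs of the Samba components, first on the NAS and then on the laptop, and check whether downgrading them to the previous versions resolves the problem.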
