Problem: user1 can map 6 shares normally. Another share, homedir, is mapped but gives the error "Windows cannot access \\samba\homedir:
You do not have permission to access \\samba\homedir."
user2 can map 5 shares normally, but mapping the 6th share and homedir gives the error "Windows cannot access \\samba\[homedir|staff]:
You do not have permission to access \\samba\[homedir|staff]."
Both users have identical group memberships in Windows AD and in Linux NIS.
This problem occurs on Windows 7 and 10, macOS and Linux using smb:.
Other users have different combinations of working and non-working shares, and they are in the correct groups for the shares they are trying to map.
In all cases the home directory is mapped but cannot be accessed. The home directory permissions are 700. Only when "other" has rwx access (i.e. 707) can I map the share and view it. I can also edit, create and save files, but only if "other" is rwx. Even 007 works. For a private home directory this is not a useful setting.
I have tried force user = %U and valid users = %U, to no avail. I also tried valid users = DOMAIN\%S (with the correct domain name).
Another samba server running a very old version of samba (4.05, downloaded from samba.org, compiled and installed with the default locations) that does not use winbindd (or sssd) works fine in all cases.
The problematic Samba server was able to map all shares with the proper permissions a few weeks ago but somehow lost the ability to do so, even though no changes were made to the Samba configuration or the Windows domain controllers in the meantime. Restarting the services and rebooting the Samba server and the domain controllers does not fix the problem.
I need to be able to use a modern version of samba, not the 4.05 I compiled myself from samba.org, and it needs to be able to map the shares and honour the permissions coming from NIS and the ZFS file shares.
The setup is as follows:
File server (all on the same subnet, and no software firewalls): FreeBSD 12 with ZFS (NFSv4)
This is where all the file shares and home directories live.
aclmode = discard
aclinherit = restricted
(these are the defaults)
Login server for the Linux machines: Solaris SunOS 5.8 running NIS; the NIS domain is DEPT
Samba server: Scientific Linux 7.6 running Samba 4.8.3 (from the SL repositories via yum install samba), set up as a member server of our domain (BIO), selinux turned off; it is joined to the domain, and kinit and klist show tickets being issued.
[root@samba ~]# kinit [email protected]
Password for [email protected]:
[root@samba ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]
Valid starting Expires Service principal
04/25/2019 17:40:08 04/26/2019 03:40:08 krbtgt/[email protected]
renew until 05/02/2019 17:40:02
It is running smbd, nmbd and winbindd.
wbinfo -ug shows the users and groups from the AD server. wbinfo -n username shows the user's AD SID. wbinfo -D BIO shows the correct information for the AD domain.
Windows domain controller servers: Windows 2008 R2 and Windows 2012
The same usernames exist in NIS and in AD.
Configuration files on the samba server:
/etc/samba/smb.conf:
[global]
log level = 2
realm = BIO.DEPT.WISC.EDU
server string = Samba Server Version %v
netbios name = SAMBA
workgroup = BIO
security = ADS
password server = ad1.bio.dept.wisc.edu
domain master = No
local master = No
os level = 0
preferred master = No
machine password timeout = 0
disable spoolss = Yes
load printers = No
printcap name = /dev/null
template shell = /usr/bin/bash
# trying to set homedir location
template homedir = /ua/%U
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind rpc only = Yes
winbind use default domain = Yes
idmap config BIO: range = 40000-50000
idmap config BIO: backend = rid
# tried backend = ad and it didn't work either
idmap config BIO: default = yes
idmap config * : range = 100000-299999
idmap config * : backend = tdb
log file = /var/log/samba/log_%m_%a_%R
max log size = 50
follow symlinks = yes
unix extensions = no
wide links = yes
inherit acls = yes
map acl inherit = yes
short preserve case = yes
preserve case = yes
oplocks = False
level2 oplocks = False
posix locking = no
include = /etc/samba/smbshares.conf
In /etc/samba/smbshares.conf, the homedir section is:
[homedir]
comment = Home Directories
path = %H
browseable = No
read only = No
public = no
writable = yes
guest ok = no
printable = no
Testparm gives:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
# there is currently nothing in the below directory
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = BIO.DEPT.WISC.EDU
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
BIO.DEPT.WISC.EDU = {
kdc = xxx.xxx.xxx.xxx:88
# admin_server = xxx.xxx.xxx.xxx:749
default_domain = BIO.DEPT.WISC.EDU
}
[domain_realm]
xxx.xxx.xxx.xxx = BIO.DEPT.WISC.EDU
bio.dept.wisc.edu = BIO.DEPT.WISC.EDU
/etc/nsswitch.conf:
passwd: files winbind nis
shadow: files nis
group: files winbind nis
hosts: files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam_access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add pam_winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam-access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed for user ingroup
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/security/pam_winbind.conf:
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
/etc/pam.d/sshd:
#%PAM-1.0
# PAM configuration for the sshd service
#
#auth
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# Add winbind
auth sufficient /lib64/security/pam_winbind.so try_first_pass
# account
account required pam_nologin.so
account include password-auth
# Add winbind
account sufficient /lib64/security/pam_winbind.so
# password
password include password-auth
password required pam_unix.so no_warn try_first_pass
# Add winbind
password sufficient /lib64/security/pam_winbind.so no_warn try_first_pass
# session
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# Add winbind
session required /lib64/security/pam_mkhomedir.so debug skel=/etc/skel umask=0077
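One check worth running when a share only opens with "other" permissions, as an added example that is not part of the original post: compare the UID that NSS resolves for an account (winbind comes before nis in the nsswitch.conf above) with the UID NIS holds for the same name, since ZFS will evaluate the 700 mode against the UID the Samba server presents, not the account name. The script below assumes the rid range 40000-50000 from the posted smb.conf, assumes getent and ypmatch exist for the live lookup, and uses constructed sample passwd lines with hypothetical UIDs.

```shell
#!/bin/sh
# Added example (not from the original post): detect a UID mismatch between
# what NSS (winbind first, per nsswitch.conf) resolves and what NIS holds.
# Sample passwd lines at the bottom are constructed; the UIDs are hypothetical.

# uid_of_passwd_line LINE -> prints the uid field (3rd field) of a passwd(5) line
uid_of_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# in_idmap_range UID LOW HIGH -> exit status 0 when LOW <= UID <= HIGH
in_idmap_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# compare_identity NSS_LINE NIS_LINE -> prints one of:
#   match          same UID on both sides; ownership checks will agree
#   mismatch-idmap NSS UID falls in the smb.conf "idmap config BIO: range"
#                  (40000-50000 on the page), so winbind allocated a UID that
#                  can never equal the NIS UID owning the home directory
#   mismatch       UIDs differ for some other reason (local files entry, etc.)
compare_identity() {
    nss_uid=$(uid_of_passwd_line "$1")
    nis_uid=$(uid_of_passwd_line "$2")
    if [ "$nss_uid" = "$nis_uid" ]; then
        echo match
    elif in_idmap_range "$nss_uid" 40000 50000; then
        echo mismatch-idmap
    else
        echo mismatch
    fi
}

# check_user NAME -> live lookup on a real member server (needs getent and ypmatch)
check_user() {
    nss_line=$(getent passwd "$1") || { echo "no NSS entry for $1"; return 1; }
    nis_line=$(ypmatch "$1" passwd) || { echo "no NIS entry for $1"; return 1; }
    compare_identity "$nss_line" "$nis_line"
}

# Constructed sample lines (hypothetical UIDs/GIDs, not taken from the thread):
# what getent might return when winbind answers first with a rid-mapped UID
SAMPLE_NSS='user1:*:41023:40513:user1:/ua/user1:/usr/bin/bash'
# what NIS holds for the same name, which is also what owns /ua/user1 on ZFS
SAMPLE_NIS='user1:x:1523:100:User One:/ua/user1:/bin/bash'

# Stand-alone run: report on the constructed sample
echo "sample: $(compare_identity "$SAMPLE_NSS" "$SAMPLE_NIS")"
```

When the result is mismatch-idmap, the file server is seeing a UID in the 40000-50000 range while the home directory is owned by the NIS UID, which is consistent with access working only when "other" carries the permission bits. The remedy is on the configuration side (making winbind return the same UIDs NIS does, for example through an idmap backend that reads UIDs from AD, or ordering NSS so NIS answers first), not on the ZFS modes.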