How can other slapd users log in to Samba?


We run an open-source image-processing web application. It provides its users with a Windows network drive for uploading gigabytes of image data. As a convenience, the application automatically provides that network drive for every new user created in the web application. The technical setup underneath is fairly involved: the web application writes the new user into the local LDAP.

LDAP records:

dn: cn=my.user,ou=users,dc=nodomain
sambaLMPassword: CAA85EBCA5013DA4E39701B5DB7D953C
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: My User
sambaLogonScript: _my.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=
uid: my.user
cn: my.user
sambaPwdLastSet: 1590661108
loginShell: loginShell
sambaAcctFlags: [U          ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
description: description
homeDirectory: /usr/local/myapp/users/my.user
sambaKickoffTime: 0
sn: my.user
sambaPasswordHistory: 00000000000000000000000000000000000000
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
structuralObjectClass: inetOrgPerson
entryUUID: 51216ed8-3518-103a-9360-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200528101828Z
uidNumber: 1007
entryCSN: 20200528135857.787124Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20200528135857Z

dn: cn=other.user,ou=users,dc=nodomain
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: Other User
sambaLogonScript: _other.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1010
uid: other.user
cn: other.user
loginShell: loginShell
sambaAcctFlags: [U          ]
gidNumber: 100
sambaPwdMustChange: 2147483647
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
description: description
homeDirectory: /usr/local/myapp/users/other.user
sambaKickoffTime: 0
sn: other.user
sambaPasswordHistory: 00000000000000000000000000000000000000
structuralObjectClass: inetOrgPerson
entryUUID: c65fc8da-4e3f-103a-9362-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200629103354Z
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
sambaLMPassword: 5EB9213C5086DC258401FE06348FE504
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaPwdLastSet: 1601620989
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
entryCSN: 20210204065218.718848Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210204065218Z

This makes the new users known to Linux via the name service switch.

# /etc/nsswitch.conf

passwd:         compat systemd ldap
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Result:

root@the-server:~# getent passwd
[…]
my.user:x:1007:100:gecos:/usr/local/myapp/users/my.user:loginShell
other.user:x:1010:100:gecos:/usr/local/myapp/users/other.user:loginShell

(A script, run via sudo without a password, creates the home folders and assigns permissions.) In the Samba configuration, the network drives for all users are created in the usual way via the following [homes] section:

[global]
log level = 10
log file = /var/log/samba/log.%m

workgroup = MYWKGRP
unix extensions = no
wide links = yes
load printers = no
security = user
invalid users = root
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nodomain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nodomain
ldap ssl = no
ldap passwd sync = yes
ldap delete dn = no

[homes]
comment = Home Directories
path = /usr/local/myapp/users/%U
read only = no
browseable = no
valid users = %S
guest ok = no
inherit permissions = yes

Samba verifies the user's password against the entry in LDAP.

All of this worked on Ubuntu Xenial 16. After upgrading the server to Ubuntu 20 Focal Fossa, some users can no longer use Samba while others still can. (I believe only users who had not connected before the upgrade are unable to connect, but I'm guessing here.)

Example of a user who can log in successfully:

root@the-server:# smbclient \\\\localhost\\my.user -U my.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
Try "help" to get a list of possible commands.
smb: \> exit
root@the-server:#

Log:

[2021/02/04 16:22:10.170404,  4, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:22:10.170482,  4, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:183(sam_account_ok)
  sam_account_ok: Checking SMB password for user my.user
[2021/02/04 16:22:10.170530,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:164(logon_hours_ok)
  logon_hours_ok: user my.user allowed to logon at this time (Thu Feb  4 16:22:10 2021
  )
[2021/02/04 16:22:10.170571,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)

...

2021/02/04 16:22:10.170893,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.170922,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.170978,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user my.user
[2021/02/04 16:22:10.171010,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.171044,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [my.user]!

...

[2021/02/04 16:22:10.171930, 10, pid=162911, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/minimum password age] and timeout=[Do Feb  4 16:23:10 2021 UTC] (60 seconds ahead)
[2021/02/04 16:22:10.172014,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172055,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172087,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172118,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172148,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.172177,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.172249,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172289,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user my.user
[2021/02/04 16:22:10.172320,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.172355,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [my.user]!
[2021/02/04 16:22:10.172415, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [my.user]
[2021/02/04 16:22:10.173049,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173089,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173120,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173150,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.173179,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.173242,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=nodomain], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=100))], scope => [2]
[2021/02/04 16:22:10.173656,  4, pid=162911, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2539(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=100))
[2021/02/04 16:22:10.173741,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173779, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:1226(xid_to_sid)
  xid_to_sid: GID 100 -> S-1-22-2-100 fallback
[2021/02/04 16:22:10.173816,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/server_info_sam.c:121(make_server_info_sam)
  make_server_info_sam: made server info for user my.user -> my.user
[2021/02/04 16:22:10.173865,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.173906,  3, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:266(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [my.user] succeeded

...

[2021/02/04 16:22:10.174071,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.174132,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.174165,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:293(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [my.user] succeeded
[2021/02/04 16:22:10.174231,  3, pid=162911, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[my.user] at [Do, 04 Feb 2021 16:22:10.174206 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35408] became [THE-SERVER]\[my.user] [S-1-5-21-2939508899-399288318-4273609636-3017]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2021-02-04T16:22:10.174358+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35408", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "my.user", "workstation": "THE-SERVER", "becameAccount": "my.user", "becameDomain": "THE-SERVER", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3017", "mappedAccount": "my.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24104}}
[2021/02/04 16:22:10.174433,  2, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:322(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [my.user] -> [my.user] -> [my.user] succeeded

Example of a user whose login fails:

root@the-server:# smbclient \\\\localhost\\other.user -U other.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
session setup failed: NT_STATUS_LOGON_FAILURE
root@the-server:#

(Note that the password is correct; I use it to log in to the web application.)

Log:

[2021/02/04 16:23:53.337983,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:23:53.338052,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:377(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYWKGRP]
[2021/02/04 16:23:53.338109,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:391(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password without a domain
[2021/02/04 16:23:53.338151,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:403(ntlm_password_check)
  ntlm_password_check: NTLMv2 password check failed
[2021/02/04 16:23:53.338181,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:448(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user other.user
[2021/02/04 16:23:53.338210,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:485(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain MYWKGRP
[2021/02/04 16:23:53.338250,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:514(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with upper-cased version of domain MYWKGRP
[2021/02/04 16:23:53.338290,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:543(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password without a domain
[2021/02/04 16:23:53.338329,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:574(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password in LM field
[2021/02/04 16:23:53.338359,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:595(ntlm_password_check)
  ntlm_password_check: LM password and LMv2 failed for user other.user, and NT MD4 password in LM field not permitted
[2021/02/04 16:23:53.338394,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)

...

[2021/02/04 16:23:53.338710,  5, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:23:53.338739,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups

...

[2021/02/04 16:23:53.339502, 10, pid=163119, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/bad lockout attempt] and timeout=[Do Feb  4 16:24:53 2021 UTC] (60 seconds ahead)
[2021/02/04 16:23:53.339580,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:23:53.339628,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
[2021/02/04 16:23:53.339628,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.339661,  9, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/passdb.c:2243(pdb_increment_bad_password_count)
  No lockout policy, don't track bad passwords

...

[2021/02/04 16:23:53.339815,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:23:53.339873,  4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1975(ldapsam_update_sam_account)
  ldapsam_update_sam_account: user other.user to be modified has dn: cn=other.user,ou=users,dc=nodomain
[2021/02/04 16:23:53.339907,  2, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1168(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: other.user
[2021/02/04 16:23:53.339942,  4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1988(ldapsam_update_sam_account)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: other.user
[2021/02/04 16:23:53.339984,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.340021,  5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:257(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340066,  2, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [other.user] -> [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340134,  2, pid=163119, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[other.user] at [Do, 04 Feb 2021 16:23:53.340109 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35426] mapped to [MYWKGRP]\[other.user]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2021-02-04T16:23:53.340268+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35426", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "other.user", "workstation": "THE-SERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "other.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 21900}}
[2021/02/04 16:23:53.340347,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:191(auth3_check_password)
  Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340384,  5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD

Further investigation and thoughts:

  • I tried setting client use spnego = no, or client ntlmv2 auth = no, or both, in smb.conf, restarting smbd and nmbd each time, but nothing changed. I also tried setting client ntlmv2 auth = yes, because I read here that this type of authentication is based on the NTLM password hash. That didn't help either.
  • This may be a related question, but the answer doesn't seem to apply, or I don't understand what I'm supposed to do.
  • Authentication should not require running smbpasswd for the users who can't log in. The web application writes the complete LDAP entry, and Samba should get everything it needs to know from there. That's how it has worked for ten years. (And that is how it works for my.user without running smbpasswd. Well, for my.user I did run it to set the LDAP password, which is of course fine. I also did that again after the upgrade, in case something had been lost.)
  • Reading about winbind: it used to be part of Samba and now has to be installed and used as a library of its own. That seems to be an issue when authenticating against Microsoft Active Directory, but since I authenticate against slapd on localhost, as far as I understand I don't need it, and I haven't tried installing any of it.
  • Creating a new user in LDAP → cannot log in
  • Deleting a previously working user from LDAP and recreating it (with a new, previously unassigned user number) → can still log in
  • Setting the parent directory of the user homes (here /usr/local/myapp/users) to group sambashare and permissions 1770 does not solve the problem
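A diagnostic that a practitioner would want at this point is a side-by-side check of the two LDAP entries, limited to the attributes Samba's ldapsam backend actually consults during an NTLM logon. Samba never looks at userPassword for SMB; it compares the client's NTLMv2 response against sambaNTPassword, so the password that works for the web application (checked by slapd against userPassword) and the hash Samba checks can drift apart if the application writes them inconsistently. The script below is an added example, not code from the question or from Samba. It parses LDIF (including `::` base64 values and folded lines) and reports, per entry, whether sambaNTPassword is a well-formed 32-hex-digit hash, whether sambaAcctFlags marks the account disabled, the length and content of sambaLogonHours, and the userPassword scheme. The sample entries are constructed from the question's two records, trimmed to these attributes; the sambaLogonHours values are reproduced at the lengths they appear to have in the question (48 and 42 hex digits).

```python
"""Added example, not from the question or from Samba: parse sambaSamAccount
entries from an LDIF dump and report the attributes that Samba's ldapsam
backend consults during an NTLM logon, so a working entry and a failing one
can be compared side by side."""
import base64
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample: the two entries from the question, trimmed to the
# attributes that matter here.  The hashes are the ones shown in the question;
# the sambaLogonHours values are written at the lengths they appear to have
# there (48 and 42 hex digits).
SAMPLE_LDIF = """\
dn: cn=my.user,ou=users,dc=nodomain
objectClass: sambaSamAccount
uid: my.user
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
sambaAcctFlags: [U          ]
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
sambaPwdLastSet: 1590661108
sambaLogonHours: {hours_a}
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=

dn: cn=other.user,ou=users,dc=nodomain
objectClass: sambaSamAccount
uid: other.user
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
sambaAcctFlags: [U          ]
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaPwdLastSet: 1601620989
sambaLogonHours: {hours_b}
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
""".format(hours_a="F" * 48, hours_b="F" * 42)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.  Handles '::'
    base64 values and leading-space continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folds long values this way
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def check_samba_account(entry):
    """Observations about one entry: the pieces ldapsam looks at for logon."""
    def one(attr):
        values = entry.get(attr)
        return values[0] if values else None

    obs = {"uid": one("uid"), "problems": [], "notes": []}
    if "sambaSamAccount" not in entry.get("objectClass", []):
        obs["problems"].append("objectClass sambaSamAccount missing")
    nt = one("sambaNTPassword")
    obs["nt_hash_ok"] = bool(nt and HEX32.match(nt))
    if not obs["nt_hash_ok"]:
        obs["problems"].append("sambaNTPassword missing or not 32 hex digits")
    flags = one("sambaAcctFlags") or ""
    obs["disabled"] = "D" in flags         # [D ...] marks a disabled account
    if obs["disabled"]:
        obs["problems"].append("sambaAcctFlags marks the account disabled")
    hours = one("sambaLogonHours") or ""
    obs["logon_hours_hex_len"] = len(hours)
    # Samba stores 168 hour bits = 21 bytes = 42 hex digits; an all-F value
    # allows logon at any hour.  Other lengths are worth a look but are not
    # by themselves a logon failure.
    obs["logon_hours_all_allowed"] = bool(hours) and set(hours[:42].upper()) == {"F"}
    if hours and len(hours) != 42:
        obs["notes"].append(f"sambaLogonHours has {len(hours)} hex digits, Samba writes 42")
    # userPassword is what slapd checks for the web application's own logins;
    # Samba does not use it for SMB, so the two credentials can drift apart.
    m = re.match(r"^\{([^}]+)\}", one("userPassword") or "")
    obs["userPassword_scheme"] = m.group(1) if m else None
    return obs


def compare_accounts(ldif_text):
    """Run the checks on every entry and key the results by uid."""
    return {o["uid"]: o for o in map(check_samba_account, parse_ldif(ldif_text))}


if __name__ == "__main__":
    for uid, o in compare_accounts(SAMPLE_LDIF).items():
        print(uid, o)
```

Run it against a real dump with `ldapsearch -x -b ou=users,dc=nodomain -LLL > users.ldif` and feed the file contents to `compare_accounts`. On the question's two entries both hashes are well-formed and neither account is disabled, which matches the log: the failure is in the NTLMv2 comparison itself, not in the account-policy checks that follow it, so the next thing to confirm is that the web application's hash for other.user was computed from the same password the user types.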

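The level-10 traces above are hard to read in bulk, but Samba's auth_audit class also writes one JSON record per authentication attempt (the `{"timestamp": ..., "type": "Authentication", ...}` lines, with Windows-style event IDs 4624 for success and 4625 for failure). The script below is an added example, not code from the question or from Samba: it pulls those records out of a log file, tallies successes, failures, NT status codes and remote addresses per account, and lists accounts that fail without ever succeeding, which separates a stored-credential mismatch from an occasional typo. The sample log is constructed from the two records in the question, with their human-readable lines and a trace line the parser has to skip.

```python
"""Added example, not from the question or from Samba: summarise the JSON
authentication records that Samba's auth_audit class writes, per account,
so a user who never authenticates successfully stands out without reading
the level-10 trace."""
import json
from collections import defaultdict

# Constructed sample: the two auth_audit records from the question, each
# preceded by its human-readable line, plus an ordinary trace line.
SAMPLE_LOG = r"""
[2021/02/04 16:22:10.173906,  3, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:266(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [my.user] succeeded
[2021/02/04 16:22:10.174231,  3, pid=162911, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[my.user] at [Do, 04 Feb 2021 16:22:10.174206 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35408] became [THE-SERVER]\[my.user] [S-1-5-21-2939508899-399288318-4273609636-3017]. local host [ipv4:127.0.0.1:445]
  {"timestamp": "2021-02-04T16:22:10.174358+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35408", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "my.user", "workstation": "THE-SERVER", "becameAccount": "my.user", "becameDomain": "THE-SERVER", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3017", "mappedAccount": "my.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24104}}
[2021/02/04 16:23:53.340134,  2, pid=163119, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[other.user] at [Do, 04 Feb 2021 16:23:53.340109 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35426] mapped to [MYWKGRP]\[other.user]. local host [ipv4:127.0.0.1:445]
  {"timestamp": "2021-02-04T16:23:53.340268+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35426", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "other.user", "workstation": "THE-SERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "other.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 21900}}
"""


def iter_auth_records(log_text):
    """Yield the 'Authentication' object of every JSON audit line."""
    for line in log_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("{"):
            continue                      # human-readable or trace line
        try:
            record = json.loads(stripped)
        except json.JSONDecodeError:
            continue                      # truncated or non-audit JSON
        if record.get("type") == "Authentication":
            yield record["Authentication"]


def summarise(log_text):
    """Per DOMAIN\\account: successes (eventId 4624), failures (4625), the
    NT status codes seen and the remote addresses involved."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0,
                                   "statuses": defaultdict(int), "remote": set()})
    for auth in iter_auth_records(log_text):
        key = f"{auth.get('clientDomain')}\\{auth.get('clientAccount')}"
        entry = summary[key]
        if auth.get("eventId") == 4624:
            entry["ok"] += 1
        elif auth.get("eventId") == 4625:
            entry["failed"] += 1
        entry["statuses"][auth.get("status")] += 1
        entry["remote"].add(auth.get("remoteAddress"))
    return dict(summary)


def accounts_never_succeeding(summary):
    """Accounts with failures and no success at all: a stored-credential
    mismatch is a more likely explanation than a mistyped password."""
    return sorted(k for k, v in summary.items() if v["failed"] and not v["ok"])


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for account, stats in result.items():
        print(account, "ok:", stats["ok"], "failed:", stats["failed"],
              dict(stats["statuses"]), sorted(stats["remote"]))
    print("never succeeded:", accounts_never_succeeding(result))
```

The JSON records appear at log level 2 and above in the auth_audit class, so they are available without the log level = 10 used for the traces in the question; pointing `summarise` at /var/log/samba/log.* after the upgrade gives the list of affected accounts directly, and the per-account remote addresses show whether the failures come from the users' own workstations or from somewhere unexpected.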