We run an open-source image processing web application. It offers users a Windows network drive for uploading gigabytes of image data. As a convenience, the application automatically provides a network drive for every new user created in the web application. The underlying technical setup is fairly involved: the web application writes new users into a local LDAP.
LDAP records:
dn: cn=my.user,ou=users,dc=nodomain
sambaLMPassword: CAA85EBCA5013DA4E39701B5DB7D953C
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: My User
sambaLogonScript: _my.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=
uid: my.user
cn: my.user
sambaPwdLastSet: 1590661108
loginShell: loginShell
sambaAcctFlags: [U ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
description: description
homeDirectory: /usr/local/myapp/users/my.user
sambaKickoffTime: 0
sn: my.user
sambaPasswordHistory: 00000000000000000000000000000000000000
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
structuralObjectClass: inetOrgPerson
entryUUID: 51216ed8-3518-103a-9360-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200528101828Z
uidNumber: 1007
entryCSN: 20200528135857.787124Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20200528135857Z
dn: cn=other.user,ou=users,dc=nodomain
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: Other User
sambaLogonScript: _other.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1010
uid: other.user
cn: other.user
loginShell: loginShell
sambaAcctFlags: [U ]
gidNumber: 100
sambaPwdMustChange: 2147483647
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
description: description
homeDirectory: /usr/local/myapp/users/other.user
sambaKickoffTime: 0
sn: other.user
sambaPasswordHistory: 00000000000000000000000000000000000000
structuralObjectClass: inetOrgPerson
entryUUID: c65fc8da-4e3f-103a-9362-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200629103354Z
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
sambaLMPassword: 5EB9213C5086DC258401FE06348FE504
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaPwdLastSet: 1601620989
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
entryCSN: 20210204065218.718848Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210204065218Z
This makes the new Linux users known to the system via the Name Service Switch.
# /etc/nsswitch.conf
passwd: compat systemd ldap
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Result:
root@the-server:~# getent passwd
[…]
my.user:x:1007:100:gecos:/usr/local/myapp/users/my.user:loginShell
other.user:x:1010:100:gecos:/usr/local/myapp/users/other.user:loginShell
(A script creates the home folder and assigns its permissions via passwordless sudo.) In the Samba configuration, the network drive for all users is created in the usual way through the [homes] section:
[global]
log level = 10
log file = /var/log/samba/log.%m
workgroup = MYWKGRP
unix extensions = no
wide links = yes
load printers = no
security = user
invalid users = root
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nodomain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nodomain
ldap ssl = no
ldap passwd sync = yes
ldap delete dn = no
[homes]
comment = Home Directories
path = /usr/local/myapp/users/%U
read only = no
browseable = no
valid users = %S
guest ok = no
inherit permissions = yes
Samba validates the user's password against the entry in LDAP.
All of this was running on Ubuntu Xenial 16. After upgrading the server to Ubuntu 20 Focal Fossa, some users can no longer use Samba while others still can. (I believe only users who had never connected before the upgrade cannot connect, but I am guessing here.)
Example of a user who can log in successfully:
root@the-server:# smbclient \\\\localhost\\my.user -U my.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
Try "help" to get a list of possible commands.
smb: \> exit
root@the-server:#
Log:
[2021/02/04 16:22:10.170404, 4, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:22:10.170482, 4, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:183(sam_account_ok)
sam_account_ok: Checking SMB password for user my.user
[2021/02/04 16:22:10.170530, 5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:164(logon_hours_ok)
logon_hours_ok: user my.user allowed to logon at this time (Thu Feb 4 16:22:10 2021
)
[2021/02/04 16:22:10.170571, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
...
2021/02/04 16:22:10.170893, 5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/02/04 16:22:10.170922, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.170978, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user my.user
[2021/02/04 16:22:10.171010, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.171044, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
Get_Pwnam_internals did find user [my.user]!
...
[2021/02/04 16:22:10.171930, 10, pid=162911, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/minimum password age] and timeout=[Do Feb 4 16:23:10 2021 UTC] (60 seconds ahead)
[2021/02/04 16:22:10.172014, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172055, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172087, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172118, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172148, 5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/02/04 16:22:10.172177, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.172249, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172289, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user my.user
[2021/02/04 16:22:10.172320, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.172355, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
Get_Pwnam_internals did find user [my.user]!
[2021/02/04 16:22:10.172415, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:176(sys_getgrouplist)
sys_getgrouplist: user [my.user]
[2021/02/04 16:22:10.173049, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173089, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173120, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173150, 5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/02/04 16:22:10.173179, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.173242, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
smbldap_search_ext: base => [dc=nodomain], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=100))], scope => [2]
[2021/02/04 16:22:10.173656, 4, pid=162911, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2539(ldapsam_getgroup)
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=100))
[2021/02/04 16:22:10.173741, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173779, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:1226(xid_to_sid)
xid_to_sid: GID 100 -> S-1-22-2-100 fallback
[2021/02/04 16:22:10.173816, 5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/server_info_sam.c:121(make_server_info_sam)
make_server_info_sam: made server info for user my.user -> my.user
[2021/02/04 16:22:10.173865, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.173906, 3, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:266(auth_check_ntlm_password)
auth_check_ntlm_password: sam_ignoredomain authentication for user [my.user] succeeded
...
[2021/02/04 16:22:10.174071, 5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.174132, 4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.174165, 5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:293(auth_check_ntlm_password)
check_ntlm_password: PAM Account for user [my.user] succeeded
[2021/02/04 16:22:10.174231, 3, pid=162911, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MYWKGRP]\[my.user] at [Do, 04 Feb 2021 16:22:10.174206 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35408] became [THE-SERVER]\[my.user] [S-1-5-21-2939508899-399288318-4273609636-3017]. local host [ipv4:127.0.0.1:445]
{"timestamp": "2021-02-04T16:22:10.174358+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35408", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "my.user", "workstation": "THE-SERVER", "becameAccount": "my.user", "becameDomain": "THE-SERVER", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3017", "mappedAccount": "my.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24104}}
[2021/02/04 16:22:10.174433, 2, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:322(auth_check_ntlm_password)
check_ntlm_password: authentication for user [my.user] -> [my.user] -> [my.user] succeeded
Example of a user whose login fails:
root@the-server:# smbclient \\\\localhost\\other.user -U other.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
session setup failed: NT_STATUS_LOGON_FAILURE
root@the-server:#
(Note that the password is correct; I can use it to log in to the web application.)
Log:
[2021/02/04 16:23:53.337983, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:23:53.338052, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:377(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYWKGRP]
[2021/02/04 16:23:53.338109, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:391(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password without a domain
[2021/02/04 16:23:53.338151, 3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:403(ntlm_password_check)
ntlm_password_check: NTLMv2 password check failed
[2021/02/04 16:23:53.338181, 3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:448(ntlm_password_check)
ntlm_password_check: Lanman passwords NOT PERMITTED for user other.user
[2021/02/04 16:23:53.338210, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:485(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with domain MYWKGRP
[2021/02/04 16:23:53.338250, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:514(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with upper-cased version of domain MYWKGRP
[2021/02/04 16:23:53.338290, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:543(ntlm_password_check)
ntlm_password_check: Checking LMv2 password without a domain
[2021/02/04 16:23:53.338329, 4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:574(ntlm_password_check)
ntlm_password_check: Checking NT MD4 password in LM field
[2021/02/04 16:23:53.338359, 3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:595(ntlm_password_check)
ntlm_password_check: LM password and LMv2 failed for user other.user, and NT MD4 password in LM field not permitted
[2021/02/04 16:23:53.338394, 4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
...
[2021/02/04 16:23:53.338710, 5, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/02/04 16:23:53.338739, 5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
...
[2021/02/04 16:23:53.339502, 10, pid=163119, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/bad lockout attempt] and timeout=[Do Feb 4 16:24:53 2021 UTC] (60 seconds ahead)
[2021/02/04 16:23:53.339580, 4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:23:53.339628, 4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
[2021/02/04 16:23:53.339628, 4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.339661, 9, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/passdb.c:2243(pdb_increment_bad_password_count)
No lockout policy, don't track bad passwords
...
[2021/02/04 16:23:53.339815, 5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:23:53.339873, 4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1975(ldapsam_update_sam_account)
ldapsam_update_sam_account: user other.user to be modified has dn: cn=other.user,ou=users,dc=nodomain
[2021/02/04 16:23:53.339907, 2, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1168(init_ldap_from_sam)
init_ldap_from_sam: Setting entry for user: other.user
[2021/02/04 16:23:53.339942, 4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1988(ldapsam_update_sam_account)
ldapsam_update_sam_account: mods is empty: nothing to update for user: other.user
[2021/02/04 16:23:53.339984, 4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.340021, 5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:257(auth_check_ntlm_password)
auth_check_ntlm_password: sam_ignoredomain authentication for user [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340066, 2, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [other.user] -> [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340134, 2, pid=163119, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MYWKGRP]\[other.user] at [Do, 04 Feb 2021 16:23:53.340109 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35426] mapped to [MYWKGRP]\[other.user]. local host [ipv4:127.0.0.1:445]
{"timestamp": "2021-02-04T16:23:53.340268+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35426", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "other.user", "workstation": "THE-SERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "other.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 21900}}
[2021/02/04 16:23:53.340347, 5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:191(auth3_check_password)
Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340384, 5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
ntlmssp_server_auth_send: Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD
Further investigation and thoughts:
- I tried setting client use spnego = no, or client ntlmv2 auth = no, or both, in smb.conf, restarting smbd and nmbd each time, but nothing changed. I also tried setting client ntlmv2 auth = yes, because I read here that this type of authentication is based on the NTLM password hash. That did not help either.
- Perhaps this is a related question, but the answer does not seem to apply, or I do not understand what I am supposed to do.
- Authentication should not require running smbpasswd for the users who cannot log in. The web application writes the complete LDAP entry, and Samba should get everything it needs to know from there. That is how it has worked for ten years. (And how it works for my.user, without running smbpasswd. For my.user I did run smbpasswd to set the LDAP password, which is of course fine. I did that again after the upgrade, in case anything had been lost.)
- I read that winbind used to be part of Samba and now has to be installed and used as its own library. That seems to be an issue when authenticating against Microsoft Active Directory, but since I authenticate against slapd on localhost, as far as I know I do not need it, and I have not tried installing any of it.
- Creating a new user in LDAP → cannot log in
- Deleting a previously working user from LDAP and re-creating it (with a new, previously unassigned user number) → can still log in
- Setting the parent directory of the user homes (here /usr/local/myapp/users) to group sambashare and permissions 1770 does not fix the problem
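One check a practitioner would run before touching smb.conf again is to compare the Samba attributes of a working and a failing ldapsam entry and validate their format, since ldapsam verifies an NTLMv2 response against sambaNTPassword (not against userPassword, which the web application login uses). The script below is an added example, not code from the post; the two LDIF excerpts are constructed from the records quoted above, trimmed to the attributes ldapsam consults, and the length checks reflect what Samba's pdb_ldap reader expects.

```python
import base64
from collections import defaultdict

# Constructed excerpts of the two records quoted in the post, keeping only the
# attributes ldapsam consults for NTLM authentication (lengths as in the post).
WORKING = f"""dn: cn=my.user,ou=users,dc=nodomain
objectClass: sambaSamAccount
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
sambaAcctFlags: [U ]
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
sambaLogonHours: {'F' * 48}
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=
"""
FAILING = f"""dn: cn=other.user,ou=users,dc=nodomain
objectClass: sambaSamAccount
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
sambaAcctFlags: [U ]
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaLogonHours: {'F' * 42}
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
"""

HEX = set("0123456789ABCDEFabcdef")
# Attributes that legitimately differ between users; the diff ignores them.
PER_USER = {"dn", "cn", "uid", "sn", "displayName", "uidNumber", "homeDirectory",
            "sambaSID", "sambaLogonScript", "sambaNTPassword", "sambaLMPassword",
            "userPassword", "sambaPwdLastSet", "entryUUID", "entryCSN",
            "createTimestamp", "modifyTimestamp"}

def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}; '::' marks base64."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs[name].append(value.strip())
    return dict(attrs)

def check_entry(attrs):
    """Format problems that stop ldapsam from verifying an NTLM response."""
    problems = []
    nt = attrs.get("sambaNTPassword", [""])[0]
    if len(nt) != 32 or not set(nt) <= HEX:
        problems.append("sambaNTPassword is not a 32-char hex NT hash")
    if "sambaSamAccount" not in attrs.get("objectClass", []):
        problems.append("objectClass sambaSamAccount missing")
    if "D" in attrs.get("sambaAcctFlags", [""])[0]:
        problems.append("account is flagged disabled in sambaAcctFlags")
    hours = attrs.get("sambaLogonHours", [""])[0]
    if hours and len(hours) < 42:
        problems.append("sambaLogonHours shorter than the 42 hex chars Samba reads")
    return problems

def diff_samba_attrs(working_ldif, failing_ldif):
    """Attributes whose values differ between a working and a failing entry."""
    a, b = parse_ldif(working_ldif), parse_ldif(failing_ldif)
    return {key: (a.get(key), b.get(key)) for key in sorted(set(a) | set(b))
            if key not in PER_USER and a.get(key) != b.get(key)}
```

Run against real entries, feed it the output of an ldapsearch for each user; a password that works for the web application only proves userPassword is right, so the NT hash the application wrote is the value to verify separately.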
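The JSON records in the logs above are Samba's auth_audit events, with eventId 4624/4625 mirroring the Windows logon success/failure IDs; the added example below (not from the post) pulls those records out of a mixed debug log and summarises, per account, how many NTLMv2 attempts verified and which accounts never did. The sample log is constructed from the two audit lines in the post, abbreviated to the fields used here.

```python
import json

# Constructed sample: the two audit records from the post (abbreviated) among
# ordinary smbd debug lines, as they appear in log.%m at log level 10.
SAMPLE_LOG = """\
[2021/02/04 16:22:10.174231, 3, pid=162911] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
{"timestamp": "2021-02-04T16:22:10.174358+0000", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:127.0.0.1:35408", "serviceDescription": "SMB2", "clientDomain": "MYWKGRP", "clientAccount": "my.user", "becameAccount": "my.user", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3017", "passwordType": "NTLMv2"}}
[2021/02/04 16:23:53.339907, 2, pid=163119] ../../source3/passdb/pdb_ldap.c:1168(init_ldap_from_sam)
init_ldap_from_sam: Setting entry for user: other.user
{"timestamp": "2021-02-04T16:23:53.340268+0000", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:127.0.0.1:35426", "serviceDescription": "SMB2", "clientDomain": "MYWKGRP", "clientAccount": "other.user", "becameAccount": null, "becameSid": null, "passwordType": "NTLMv2"}}
"""

def parse_auth_events(text):
    """Yield the Authentication audit records embedded in a Samba debug log."""
    for line in text.splitlines():
        if not line.startswith("{"):
            continue  # human-readable debug output, not an audit record
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") == "Authentication":
            yield rec

def summarize(text):
    """Per DOMAIN\\account: success/failure counts, last status, mapped account."""
    summary = {}
    for rec in parse_auth_events(text):
        auth = rec["Authentication"]
        acct = auth.get("clientDomain", "") + "\\" + auth.get("clientAccount", "")
        entry = summary.setdefault(acct, {"ok": 0, "failed": 0, "last_status": None,
                                          "password_type": None, "became": None})
        if auth.get("eventId") == 4624:
            entry["ok"] += 1
        else:
            entry["failed"] += 1
        entry["last_status"] = auth.get("status")
        entry["password_type"] = auth.get("passwordType")
        entry["became"] = auth.get("becameAccount")  # null when no mapping happened
    return summary

def accounts_never_verified(summary):
    """Accounts whose every attempt ended in NT_STATUS_WRONG_PASSWORD."""
    return sorted(acct for acct, e in summary.items()
                  if e["failed"] and not e["ok"]
                  and e["last_status"] == "NT_STATUS_WRONG_PASSWORD")
```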