AIX Samba user access: getpwuid failed

I have installed Samba 4.12.10 on AIX 7.2 via yum. I also installed the Kerberos packages so that Samba can authenticate with Kerberos.

My goal is to let users access folders/files on AIX from their Windows machines.

# yum list installed | grep samba
samba.ppc 4.12.10-2 @AIX_Toolbox_72
samba-client.ppc 4.12.10-2 @AIX_Toolbox_72
samba-common.ppc 4.12.10-2 @AIX_Toolbox_72
samba-devel.ppc 4.12.10-2 @AIX_Toolbox_72
samba-libs.ppc 4.12.10-2 @AIX_Toolbox_72
samba-winbind.ppc 4.12.10-2 @AIX_Toolbox_72
samba-winbind-clients.ppc 4.12.10-2 @AIX_Toolbox_72

# yum list installed | grep winbin
samba-winbind.ppc 4.12.10-2 @AIX_Toolbox_72
samba-winbind-clients.ppc 4.12.10-2 @AIX_Toolbox_72

# yum list installed | grep krb5
krb5-devel.ppc 1.18.3-1 @AIX_Toolbox
krb5-libs.ppc 1.18.3-1 @AIX_Toolbox
krb5-server.ppc 1.18.3-1 @AIX_Toolbox
krb5-server-ldap.ppc 1.18.3-1 @AIX_Toolbox
krb5-workstation.ppc 1.18.3-1 @AIX_Toolbox

However, when I try to access the AIX server from Windows File Explorer as \\pc96p9 (pc96p9 is my AIX host name), I get "access denied" even when I supply the correct domain username and password.

I then checked the Samba log /etc/samba/log.10.161.139.74 (10.161.139.74 is the Windows machine accessing AIX) and found the following errors:

[2021/03/26 12:07:51.353238, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-2693943023-2014060074-1703039353-34220 -> getpwuid(100000) failed, is nsswitch configured?
[2021/03/26 12:07:51.353328, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/26 12:07:51.353351, 1] ../../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
[2021/03/26 12:07:51.353424, 3] ../../source3/smbd/smb2_server.c:3280(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/26 12:07:51.354653, 3] ../../source3/smbd/server_exit.c:250(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)

This is my /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MY-OA.MY.ORG.HK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
MY-OA.MY.ORG.HK = {
kdc = MYIFS28.MY-OA.MY.ORG.HK
admin_server = MYIFS28.MY-OA.ORG.HK
}

[domain_realm]
.my.org.hk = MY.ORG.HK
my.org.hk = MY.ORG.HK

This is my /etc/samba/smb.conf

[global]
        realm = my-oa.my.org.hk
        netbios name = pc96p9
        workgroup = MY-OA
        realm = MY-OA.MY.ORG.HK
        password server = 10.67.1.92
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
        security = ads
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        template homedir = /home/%U
        template shell = /usr/bin/bash
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        domain master = no
        local master = no
        preferred master = no
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
        os level = 0
        wins server = 10.67.1.92
        encrypt passwords = yes
        server signing = auto
        log file = /var/log/samba/log.%m
        log level = 3
        max log size = 50

[data]
        comment = Public Data Share
        path = /data1/winshare
        public = yes
        writable = yes
        inherit acls = yes
        inherit permissions = yes
        printable = no

This is my /etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:     files dns wins

Actually, we have been running Samba 3.6 quite well in our AIX 7.1 production environment, and the three configuration files above were copied directly from AIX 7.1 (Samba 3.6) to the new AIX 7.2 (Samba 4.12).

Can anyone tell me whether there is something wrong with my Samba configuration? Thanks in advance.

Answer 1

Having run into similar errors in completely different environments, I can only offer suggestions rather than a solution, but...

The error message indicates that the Windows-style security identifier (SID) S-1-5-21-2693943023-2014060074-1703039353-34220 is being mapped to the Unix-style user identifier (UID) 100000. That mapping is apparently incorrect; it may have been correct in the old environment, but it needs to be changed in the new one.

Since you appear to be using winbindd, you should be able to identify the user in question and correct the mapping using wbinfo. I don't use winbindd, so I haven't tested this myself, but it should start with something like:

$ wbinfo -s S-1-5-21-2693943023-2014060074-1703039353-34220
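The triage the answer sketches, carried through as an added example (not code from the question or the answer): pull the SID and the uid out of the log line, check whether the uid lies inside the idmap range from smb.conf, run the relevant wbinfo lookups when wbinfo is installed, and then call getpwuid() from libc directly through perl, because that libc call, not winbind's SID-to-uid mapping, is what failed. Two caveats worth keeping in mind while reading the results: `idmap uid` / `idmap gid` are the deprecated Samba 3 spelling of `idmap config * : backend = tdb` plus `idmap config * : range = 100000-200000`, so a 4.12 testparm should be checked for warnings; and the "is nsswitch configured?" hint is written for Linux, whereas AIX resolves users through loadable authentication modules, for which Samba ships winbind as the WINBIND module registered in /usr/lib/security/methods.cfg. The log line below is constructed to match the one in the question, and the idmap range is the one from the posted smb.conf.

```shell
#!/bin/sh
# Added example, not from the original post: triage a winbind
# "getpwuid(N) failed" entry from a Samba member-server log.
# Assumes wbinfo (samba-winbind-clients) and perl are on PATH when run live.

# Constructed sample, same shape as the line in the question.
SAMPLE_LOG='add_local_groups: SID S-1-5-21-2693943023-2014060074-1703039353-34220 -> getpwuid(100000) failed, is nsswitch configured?'
IDMAP_RANGE='100000-200000'   # the idmap range from the posted smb.conf

# Pull the SID and the uid winbind handed to getpwuid() out of the log line.
extract_sid() { printf '%s\n' "$1" | sed -n 's/.*SID \(S-[0-9-]*\) -> getpwuid.*/\1/p'; }
extract_uid() { printf '%s\n' "$1" | sed -n 's/.*getpwuid(\([0-9]*\)) failed.*/\1/p'; }

# Split a SID into the domain SID and the RID (its last component).
sid_domain() { printf '%s\n' "${1%-*}"; }
sid_rid()    { printf '%s\n' "${1##*-}"; }

# Returns 0 if the uid lies inside "low-high", 1 otherwise.
uid_in_range() { [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ]; }

# Ask libc directly, bypassing Samba: this is the call that failed in the log.
# Prints the account name, or "no entry" when the lookup fails.
libc_getpwuid() {
  perl -e 'my @p = getpwuid($ARGV[0]); print @p ? "$p[0]\n" : "no entry\n";' "$1"
}

# Run the winbind checks if wbinfo is installed, otherwise show what to run.
winbind_triage() {
  sid=$(extract_sid "$1"); uid=$(extract_uid "$1")
  echo "SID $sid = domain $(sid_domain "$sid") RID $(sid_rid "$sid"); uid $uid"
  if uid_in_range "$uid" "$IDMAP_RANGE"; then
    echo "uid $uid is inside idmap range $IDMAP_RANGE (allocated by winbind)"
  else
    echo "uid $uid is OUTSIDE idmap range $IDMAP_RANGE: check idmap config"
  fi
  # -t: trust account; -s: SID to name; -S: SID to uid; -U: uid back to SID
  for cmd in "wbinfo -t" "wbinfo -s $sid" "wbinfo -S $sid" "wbinfo -U $uid"; do
    if command -v wbinfo >/dev/null 2>&1; then
      printf '$ %s\n' "$cmd"; $cmd 2>&1 || echo "  -> failed (rc=$?)"
    else
      printf '(wbinfo not installed here) %s\n' "$cmd"
    fi
  done
  if command -v perl >/dev/null 2>&1; then
    echo "libc getpwuid($uid): $(libc_getpwuid "$uid")"
  fi
}

winbind_triage "$SAMPLE_LOG"
```

If `wbinfo -S` returns the uid but `libc_getpwuid` prints "no entry", winbind's mapping is fine and the gap is between libc and winbindd, which on AIX points at the WINBIND loadable authentication module registration rather than at /etc/nsswitch.conf; if `wbinfo -S` itself fails, the idmap configuration is the place to look.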
