Samba/Winbind domain member authentication problems

I have been running into authentication problems while setting up a new Linux Samba file server as an AD member.

It seems to get triggered when running selinux in enforcing mode after joining AD, but it does not go away if I turn selinux off with setenforce 0 or reboot with SELINUX=permissive in the selinux config - at least not for an hour or so.

On the first test VM, which I set up with the same distro, setup steps and updates, it has kept working fine, but now I am hitting this authentication problem from time to time on the server I am setting up for production use.

This is on Rocky Linux 8.5 and Samba 4.14.5.

smb.conf has mostly default settings in [global], and I set up a public [testshare]:

[global]
    security = ads
    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = no
    cups options = raw

    kerberos method = secrets and keytab
    template homedir = /home/%U@%D
    template shell = /bin/bash
    idmap config ADOMAIN : range = 2000000-2999999
    idmap config ADOMAIN : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes

    # Allow guest access for public share without password
    map to guest = bad user

    # these should be set to no for prod use
    winbind enum groups = yes
    winbind enum users = yes

    # Mac tweaks for ACLs
    map acl inherit = Yes
    store dos attributes = Yes

    # Mac tweaks for Apple Resource forks
    vfs objects = fruit streams_xattr
    fruit:aapl = yes
    fruit:time machine = no
    fruit:resource = xattr
    fruit:nfs_aces = no
    fruit:model = MacSamba

    workgroup = ADOMAIN
    realm = ADOMAIN.LAN

[testshare]
    path = /mnt/data01/smb/testshare
    browsable = yes
    writable = yes
    guest ok = yes
    read only = no

The domain join was done with:

realm join --membership-software=samba --client-software=winbind adomain.lan

Kerberos authentication keeps working fine:

wbinfo -K user

This works as well:

getent passwd ADOMAIN\\user

But the following fail:

smbclient -L localhost -U guest%

wbinfo -a user

smbclient -d 3 //localhost/testshare -U user

The last one spits out the following:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface ens192 ip=10.18.100.102 bcast=10.18.103.255 netmask=255.255.252.0
Client started (version 4.14.5).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Enter ADOMAIN\user's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GSE to 'localhost' does not make sense
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

The audit log usually does not show any AVC denials. I tried turning off the dontaudit rules and allowing the AVC denials that then showed up, but that did not help.

Do I need to ditch selinux to make this stable? Any other suggestions?
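An added example, not part of the original post, for reading the smbclient -d 3 output quoted above: it decodes the two NTLMSSP neg_flags values against the MS-NLMP negotiate-flag table and extracts the final session setup status, using an excerpt of the quoted log as constructed sample input. The "GSE to 'localhost' does not make sense" line is Samba's Kerberos (GSE) backend declining the target name, so the exchange that fails afterwards is NTLMSSP rather than Kerberos.

```python
import re

# NTLMSSP NEGOTIATE flag bits from MS-NLMP section 2.2.2.5 (common subset; other bits are reported as unknown).
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Constructed sample: the relevant lines of the smbclient -d 3 output quoted in the post.
SAMPLE_LOG = """\
GSE to 'localhost' does not make sense
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED
"""

def decode_neg_flags(value):
    """Return (names of the set flags in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS) & 0xFFFFFFFF
    return names, unknown

def parse_smbclient_debug(text):
    """Pull the challenge/final NTLMSSP flags and the session setup result out of -d 3 output."""
    challenge = re.search(r"challenge flags:\nGot NTLMSSP neg_flags=0x([0-9a-fA-F]+)", text)
    final = re.search(r"final flags:\nGot NTLMSSP neg_flags=0x([0-9a-fA-F]+)", text)
    status = re.search(r"session setup failed: (NT_STATUS_\w+)", text)
    return {
        # Samba logs the GSE line when it refuses Kerberos for the target name; what follows is NTLMSSP.
        "kerberos_attempted": "does not make sense" not in text,
        "challenge_flags": decode_neg_flags(int(challenge.group(1), 16))[0] if challenge else [],
        "final_flags": decode_neg_flags(int(final.group(1), 16))[0] if final else [],
        "status": status.group(1) if status else "NT_STATUS_OK",
    }
```

Run parse_smbclient_debug on a captured debug log to see which NTLM protections (signing, 128-bit, key exchange, extended session security) were negotiated before the access-denied status came back.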
