
无法解析 SPNEGO 请求

我想在本地 docker (compose) 网络受控环境中尝试使用 smb 协议。在多次尝试中,我已经解决了很多问题,但这些问题似乎总是把我带回同一个错误。下面是我的 smb.conf:

[global]
workgroup = WORKGROUP
server string = Docker Samba Server
; server role = standalone server
; NOTE(review): "server services" is read by the AD-DC "samba" daemon; a
; plain smbd ignores it. Confirm which daemon this image actually runs.
server services = -dns, -nbt
server signing = default
server multi channel support = yes

; Level 5 is very verbose and records request details; lower it once the
; SPNEGO problem is diagnosed.
log level = 5
;log file = /usr/local/samba/var/log.%m
;max log size = 50

; A client matching "hosts allow" is admitted even though it also matches
; the deny-all line, so only loopback and the 172.41.0.0/16 compose network
; can connect.
hosts allow = 127.0.0.0/8 172.41.0.0/16
hosts deny = 0.0.0.0/0

; NOTE(review): "security = domain" expects a completed domain join and
; verifies passwords against a DC; keytab-based Kerberos (the "kerberos
; method" / "dedicated keytab file" lines below) is the "security = ads"
; model. Worth confirming this combination is what is intended.
security = domain
name resolve order = dns wins bcast
realm = EXAMPLE.COM
encrypt passwords = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
; security = user
; Unknown user names are mapped to the guest account ("bad user").
guest account = nobody
pam password change = yes
map to guest = bad user
usershare allow guests = yes

; Modes for files and directories created through the shares.
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
; With unix extensions off, "wide links" lets clients follow symlinks that
; point outside the share path; combined with "force user = root" below,
; anything root can read becomes reachable through the share.
follow symlinks = yes
wide links = yes
unix extensions = no

; No printing support.
printing = bsd
printcap name = /dev/null
disable spoolss = yes
; SMB over TCP only: no NetBIOS name service, port 445 only.
disable netbios = yes
smb ports = 445

client ipc min protocol = default
client ipc max protocol = default

;wins support = yes
;wins server = w.x.y.z
;wins proxy = yes
dns proxy = no
socket options = TCP_NODELAY
strict locking = no
local master = no

winbind scan trusted domains = yes

; macOS compatibility (vfs_fruit). Note that the [shared] section below sets
; its own "vfs objects" line, which replaces this list for that share.
vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:time machine = yes

; Every file operation on every share runs as root regardless of who
; authenticated, bypassing filesystem permissions. Acceptable only for a
; throwaway test container.
force user = root
force group = root

[shared]
path = /shared/tests
browsable = yes
read only = no
guest ok = no
; Only "tester" may connect and write; the global "force user" still makes
; the resulting file operations run as root.
valid users = tester
write list = tester
; Hidden from listings and inaccessible to clients; "delete veto files" lets
; a directory that still contains them be removed.
veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
; Share-level "vfs objects" overrides the global list, so fruit and
; streams_xattr are not active on this share; deleted files go to .recycle.
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes

至于我的 kdc 服务器,下面是设置它的脚本:

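#!/usr/bin/env bash
#
# Bootstrap a single-realm MIT Kerberos KDC for the local compose network.
#
# Writes /etc/krb5.conf, /etc/krb5kdc/kdc.conf and /etc/krb5kdc/kadm5.acl,
# creates the realm database, the admin principal, the host/ and cifs/
# service principals for the samba container and the `tester` user, exports
# their keytabs to /secrets, registers the samba host in /etc/hosts and
# finally starts krb5kdc and kadmind (foreground).
#
# Required environment:
#   REALM             Kerberos realm, e.g. EXAMPLE.COM
#   KADMIN_PRINCIPAL  name part of the admin principal (realm is appended)
#   KADMIN_PASSWORD   password for the admin and noPermissions principals
#
# Outputs: *.keytab files under /secrets, configuration under /etc; kadmind
# keeps the container alive.

set -e -u -o pipefail

# Check the inputs before touching any state; with plain `set -u` a missing
# KADMIN_PASSWORD would only abort after the realm database had been created.
: "${REALM:?REALM must be set}"
: "${KADMIN_PRINCIPAL:?KADMIN_PRINCIPAL must be set}"
: "${KADMIN_PASSWORD:?KADMIN_PASSWORD must be set}"

KDC_ADMIN_SERVER=$(hostname -f)
readonly KDC_ADMIN_SERVER
readonly KADMIN_PRINCIPAL_FULL="${KADMIN_PRINCIPAL}@${REALM}"
readonly SAMBA_HOST=krb5-samba
readonly SAMBA_ADDR=172.41.0.2
readonly SECRETS_DIR=/secrets

#######################################
# Print a random alphanumeric string.
# Arguments: $1 - number of characters
# Outputs:   the string on stdout (no trailing newline)
#######################################
random_alnum() {
  local length=$1
  # Read a bounded chunk of urandom first: an unbounded `tr < /dev/urandom`
  # is killed by SIGPIPE once the consumer closes, which `pipefail` would
  # report as a failure. LC_ALL=C keeps tr byte-oriented on binary input.
  head -c 2048 /dev/urandom | LC_ALL=C tr -cd '[:alnum:]' | head -c "$length"
}

#######################################
# Delete (if present) and recreate a principal with a known password.
# The password is fed to kadmin's prompt on stdin rather than via `-pw`, so
# it does not show up in the process list or in `set -x` traces.
# Arguments: $1 - full principal name, $2 - password
#######################################
recreate_password_principal() {
  local principal=$1 password=$2
  # Best-effort: on a freshly created realm the principal does not exist yet.
  kadmin.local -q "delprinc -force ${principal}" || true
  printf '%s\n%s\n' "$password" "$password" \
    | kadmin.local -q "addprinc ${principal}"
}

#######################################
# Create a random-key principal and export its key to a keytab.
# Arguments: $1 - full principal name
#            $2 - keytab path
#            $3 - optional enctype:salt list passed to `ktadd -e`
#######################################
export_randkey_principal() {
  local principal=$1 keytab=$2 enctypes=${3-}
  local ktadd_opts="-k ${keytab}"
  if [[ -n "$enctypes" ]]; then
    ktadd_opts+=" -e ${enctypes}"
  fi
  kadmin.local -q "addprinc -randkey ${principal}"
  kadmin.local -q "ktadd ${ktadd_opts} ${principal}"
}

## Configure kerberos (tee also echoes the file into the container log)
tee /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = ${REALM}

[realms]
    ${REALM} = {
        kdc_ports = 88,750
        kadmind_port = 749
        kdc = ${KDC_ADMIN_SERVER}
        admin_server = ${KDC_ADMIN_SERVER}
    }
EOF

## Configure kerberos kdc
tee /etc/krb5kdc/kdc.conf <<EOF
[realms]
    ${REALM} = {
        acl_file = /etc/krb5kdc/kadm5.acl
        max_renewable_life = 7d 0h 0m 0s
        supported_enctypes = aes256-cts-hmac-sha1-96:normal
        default_principal_flags = +preauth
    }
EOF

## Configure default krb acl: the admin principal gets all rights, the
## noPermissions principal none.
tee /etc/krb5kdc/kadm5.acl <<EOF
${KADMIN_PRINCIPAL_FULL} *
noPermissions@${REALM} X
EOF

# Create the realm database. The master password is only needed again if the
# stash file is lost, so it is generated here and dropped afterwards.
MASTER_PASSWORD=$(random_alnum 30)
# On Debian-based images krb5_newrealm also tries to start the krb5-kdc and
# krb5-admin-server services.
krb5_newrealm <<EOF
${MASTER_PASSWORD}
${MASTER_PASSWORD}
EOF
unset MASTER_PASSWORD

recreate_password_principal "$KADMIN_PRINCIPAL_FULL" "$KADMIN_PASSWORD"
recreate_password_principal "noPermissions@${REALM}" "$KADMIN_PASSWORD"

export_randkey_principal "host/${SAMBA_HOST}@${REALM}" "${SECRETS_DIR}/sshserver.keytab"
# NOTE(review): rc4-hmac is deprecated (RFC 8429) and is not among the
# enctypes kdc.conf advertises; drop the third argument to get AES keys
# unless the SMB client has been confirmed to require RC4.
export_randkey_principal "cifs/${SAMBA_HOST}@${REALM}" "${SECRETS_DIR}/cifsserver.keytab" "rc4-hmac:normal"
export_randkey_principal "tester@${REALM}" "${SECRETS_DIR}/sshuser.keytab"

# The samba container has a fixed address on the compose network.
printf '%s      %s\n' "$SAMBA_ADDR" "$SAMBA_HOST" >> /etc/hosts

krb5kdc
# exec so kadmind becomes the container's main process and receives signals.
exec kadmind -nofork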

我的 smb 服务器是这样设置的:

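#!/usr/bin/env bash
#
# Entrypoint for the samba test container.
#
# Writes the Kerberos client configuration pointing at the KDC container,
# validates smb.conf, creates the local `tester` account and its samba
# password, registers the KDC host name, restricts the keytab mounted from
# the KDC's secrets volume, starts sshd and then executes the container
# command.
#
# Optional environment:
#   REALM         Kerberos realm (default EXAMPLE.COM)
#   KDC_SERVER    host name of the KDC container (default kdc-server)
#   SMB_PASSWORD  samba password for `tester` (default is a test-only value)

set -e -u -o pipefail

readonly REALM=${REALM:-EXAMPLE.COM}
readonly KDC_SERVER=${KDC_SERVER:-kdc-server}
readonly KDC_ADDR=172.41.0.1
readonly SMB_USER=tester
readonly SMB_GROUP=testing
readonly KEYTAB=/etc/krb5.keytab
# Single-quoted on purpose: inside the original unquoted here-doc `$$`
# expanded to the shell's PID, so the stored password never matched the
# intended `pa$$w0rd1`. Test-only default; set SMB_PASSWORD to override.
readonly DEFAULT_SMB_PASSWORD='pa$$w0rd1'
readonly SMB_PASSWORD=${SMB_PASSWORD:-$DEFAULT_SMB_PASSWORD}

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $@ - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Create the tester group and user unless the numeric id or the name is
# already taken.
# Globals: SMB_GROUP, SMB_USER (read)
#######################################
ensure_local_account() {
  # `id -g 1000` resolves the *user* with uid 1000, not the group with
  # gid 1000, so the old guard never detected an existing group; query the
  # group database instead.
  if ! getent group 1000 >/dev/null && ! getent group "$SMB_GROUP" >/dev/null; then
    groupadd --gid 1000 --system "$SMB_GROUP"
  fi
  if ! getent passwd 1100 >/dev/null && ! getent passwd "$SMB_USER" >/dev/null; then
    useradd --system --uid 1100 -g "$SMB_GROUP" "$SMB_USER"
  fi
}

## Kerberos client configuration (tee also echoes it into the container log)
# NOTE(review): only the KDC host is mapped in [domain_realm]; every other
# host falls back to default_realm.
tee /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = ${REALM}
    forwardable = TRUE
[realms]
    ${REALM} = {
        kdc_ports = 88
        kadmind_port = 749
        kdc = ${KDC_SERVER}
        admin_server = ${KDC_SERVER}
    }
[domain_realm]
    ${KDC_SERVER} = ${REALM}
EOF

# Abort early on a broken smb.conf instead of letting smbd fail later.
testparm -s

ensure_local_account

# smbpasswd -s reads the new password twice from stdin, keeping it off argv.
printf '%s\n%s\n' "$SMB_PASSWORD" "$SMB_PASSWORD" | smbpasswd -a -s "$SMB_USER"

# The KDC container has a fixed address on the compose network.
printf '%s  %s\n' "$KDC_ADDR" "$KDC_SERVER" >> /etc/hosts

# The keytab comes from the KDC through a shared volume and holds the
# service's long-term key: it must exist and be readable by root only.
[[ -f "$KEYTAB" ]] || die "${KEYTAB} not found: is the keytab volume mounted?"
chown root:root "$KEYTAB"
chmod 0600 "$KEYTAB"

/usr/sbin/sshd

exec "$@"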

我使用 docker 卷把在 kdc 上创建的 cifsserver.keytab 映射到 smb 服务器。

然后我有一个单独的容器,用于托管使用该包的 python 脚本。我能够使用 sshuser.keytab 获取 tgt 票证。

我尝试使用 mount -t cifs -o user=tester,sec=krb5 ... 来挂载共享目录,但似乎不起作用(总是返回“操作不支持 (95)”)。我已经在这个问题上卡了几个星期了,我真的需要帮助。
