Using a Samba AD DC as the password backend for a Samba PDC


I have the following situation:

  • Old Samba server data.company.com, version 4.6.7
  • Configured as the PDC for a population of Windows hosts with workgroup = COMPANY and the following configuration:
[global]
        workgroup = COMPANY
        server string = COMPANY Samba Server
        netbios name = SMBMASTER
        unix extensions = no
        max open files = 200000
        log file = /var/log/samba/log.%m
        max log size = 50
        #log level = 9
        ntlm auth = Yes
        security = user
        passdb backend = tdbsam
        domain master = yes
        domain logons = yes
        logon path =
        logon script = logon.bat
        logon drive = U:
        local master = yes
        wins support = yes
  • New Samba server dc1.company.com, version 4.17.4
  • Configured as an AD DC with workgroup = COMPANY-NEW, as follows:
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC1
        realm = COMPANY-NEW.COMPANY.INTERNAL
        server role = active directory domain controller
        workgroup = COMPANY-NEW
        log level = 2
        idmap_ldb:use rfc2307 = yes
        min protocol = SMB2
        ntlm auth = yes
        ldap server require strong auth = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/company-new.company.internal/scripts
        read only = No

Machines can join either domain, COMPANY or COMPANY-NEW, without problems, and once joined they can change their password on the respective domain (via Ctrl+Alt+Del in Windows).

I would like the old server to authenticate users against the new server (using it as the password backend), so that users don't need two passwords. That way I can migrate users from the old domain to the new one gradually, and wherever a user changes their password, it is implicitly changed for both domains.

Since I cannot join the old server data.company.com to the new server dc1.company.com because they have different domain names, I tried setting the new server's LDAP server as the passdb backend of the old server, like this:

[global]
        workgroup = COMPANY
        server string = COMPANY Samba Server
        netbios name = SMBMASTER
        unix extensions = no
        max open files = 200000
        log file = /var/log/samba/log.%m
        max log size = 50
        #log level = 9
        ntlm auth = Yes
        security = user
        passdb backend = tdbsam
        domain master = yes
        domain logons = yes
        logon path =
        logon script = logon.bat
        logon drive = U:
        local master = yes
        wins support = yes
        passdb backend = ldapsam:ldap://dc1.company.com
        ldapsam:editposix = yes
        ldapsam:trusted = yes
        ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
        ldap suffix = dc=company-new,dc=company,dc=internal
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap ssl = off
        idmap config * : backend = autorid
        idmap config * : range = 10000-24999999
        idmap config COMPANY: backend = ldap
        idmap config COMPANY: range = 10000-19999
        idmap config COMPANY: ldap_base_dn = ou=idmap,dc=company-new,dc=company,dc=internal
        idmap config COMPANY: ldap_user_dn = cn=admin,dc=company-new,dc=company,dc=internal
        map untrusted to domain = yes
        ldap delete dn = yes
        ldap password sync = yes
        winbind use default domain = yes

However, after this change my old server no longer starts and shows the following messages in the log:

[2023/12/05 19:31:43.778601,  3] ../source3/smbd/server.c:1743(main)
  Becoming a daemon.
[2023/12/05 19:31:43.781838,  2] ../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2023/12/05 19:31:43.786133,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'ldapsam' loaded
[2023/12/05 19:31:43.786281,  2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=COMPANY))]
[2023/12/05 19:31:43.800342,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2023/12/05 19:31:43.853302,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2023/12/05 19:31:43.853352,  4] ../source3/lib/smbldap.c:1092(smbldap_open)
  The LDAP server is successfully connected
[2023/12/05 19:31:43.895873,  3] ../source3/passdb/pdb_ldap_util.c:305(smbldap_search_domain_info)
  smbldap_search_domain_info: Got no domain info entries for domain
[2023/12/05 19:31:43.934623,  3] ../source3/passdb/pdb_ldap_util.c:166(add_new_domain_info)
  add_new_domain_info: Adding new domain
[2023/12/05 19:31:43.936770,  1] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=COMPANY,dc=company-new,dc=company,dc=internal with: No such attribute
        0000200A: objectclass sambaDomain is not a valid objectClass in schema
[2023/12/05 19:31:43.936814,  0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for COMPANY failed with NT_STATUS_UNSUCCESSFUL
[2023/12/05 19:31:43.936896,  0] ../source3/passdb/pdb_ldap.c:6540(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2023/12/05 19:31:43.936937,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://dc1.company.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

  • Can someone help me understand this?
  • Is my idea correctly aligned with what I want to achieve?
  • If so, where is my configuration error?
  • If not, what is the correct approach?

Many thanks for any help, this is driving me crazy. If you need more details about my setup or output at a higher log level, I will gladly provide it.
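As an added diagnostic (not code from the question or from Samba), a small Python linter over the relevant [global] lines of the second configuration. It flags three things a reviewer would raise: the duplicated passdb backend (smbd honours the last occurrence, which is why the log shows the ldapsam module loading rather than tdbsam), the cleartext admin-dn bind implied by ldap ssl = off on an ldap:// URL, and the overlapping idmap ranges, which Samba requires to be disjoint. The smb.conf excerpt is constructed from the lines in the question.

```python
import re
from itertools import combinations

# Constructed excerpt: the relevant [global] lines from the question's second config.
SMB_CONF = """
[global]
        passdb backend = tdbsam
        passdb backend = ldapsam:ldap://dc1.company.com
        ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
        ldap ssl = off
        idmap config * : backend = autorid
        idmap config * : range = 10000-24999999
        idmap config COMPANY: backend = ldap
        idmap config COMPANY: range = 10000-19999
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current].append((key.strip().lower(), val.strip()))
    return sections

def lint_global(sections):
    """Return a list of human-readable findings for the [global] section."""
    findings, seen, ranges = [], {}, {}
    for key, val in sections.get("global", []):
        if key in seen:  # smbd applies the last occurrence of a repeated parameter
            findings.append(f"duplicate '{key}': '{seen[key]}' overridden by '{val}'")
        seen[key] = val
        m = re.fullmatch(r"idmap config\s*(\S+?)\s*:\s*range", key)
        if m:  # collect per-domain idmap ranges for the overlap check
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1)] = (lo, hi)
    backend = seen.get("passdb backend", "")
    if backend.startswith("ldapsam:ldap://") and seen.get("ldap ssl") == "off":
        findings.append("ldapsam over ldap:// with 'ldap ssl = off': admin dn bind is cleartext")
    for (d1, r1), (d2, r2) in combinations(sorted(ranges.items()), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:  # closed intervals intersect
            findings.append(f"idmap ranges overlap: {d1} {r1} vs {d2} {r2}")
    return findings

if __name__ == "__main__":
    for finding in lint_global(parse_smb_conf(SMB_CONF)):
        print(finding)
```

The schema error itself in the log (objectclass sambaDomain is not a valid objectClass in schema) is a property of the directory on dc1.company.com, not of smb.conf, so no config check can surface it.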
