I'm new to SLES and Samba, so I need some help. I successfully set up Samba on SUSE 11. I was able to create a share with no user restrictions, and I managed to access it from Windows. But I want to allow only users of a specific group to access the share, so I used "valid users", "read list" and "write list". However, as soon as I add valid users to my config file, I can no longer access the share. Even when I enter the correct credentials, I get an access denied error. I tried root, a local user account and an AD domain user. None of these work. Could you give me a suggestion on how to solve this? Here is my smb.conf file:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-02-03
[global]
workgroup = *******
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = ********
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
winbind refresh tickets = yes
wins support = No
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[Share]
inherit acls = Yes
path = /share/Share
read only = No
browseable = Yes
valid users = @****+Group1, *****+user1
This is the log file output when I try to access the share:
[2013/05/17 15:39:18.753943, 3] lib/access.c:338(allow_access)
Allowed connection from IP Address(IP Address)
[2013/05/17 15:39:18.754178, 3] smbd/oplock.c:922(init_oplocks)
init_oplocks: initializing messages.
[2013/05/17 15:39:18.754281, 3] smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
Linux kernel oplocks enabled
[2013/05/17 15:39:18.754396, 3] smbd/process.c:1662(process_smb)
Transaction 0 of length 137 (0 toread)
[2013/05/17 15:39:18.754447, 3] smbd/process.c:1467(switch_message)
switch message SMBnegprot (pid 11575) conn 0x0
[2013/05/17 15:39:18.754827, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2013/05/17 15:39:18.754882, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LANMAN1.0]
[2013/05/17 15:39:18.754922, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2013/05/17 15:39:18.754959, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LM1.2X002]
[2013/05/17 15:39:18.754996, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LANMAN2.1]
[2013/05/17 15:39:18.755035, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [NT LM 0.12]
[2013/05/17 15:39:18.755163, 3] smbd/negprot.c:419(reply_nt1)
using SPNEGO
[2013/05/17 15:39:18.755204, 3] smbd/negprot.c:704(reply_negprot)
Selected protocol NT LM 0.12
[2013/05/17 15:39:18.757824, 3] smbd/process.c:1662(process_smb)
Transaction 1 of length 142 (0 toread)
[2013/05/17 15:39:18.757917, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 11575) conn 0x0
[2013/05/17 15:39:18.757970, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2013/05/17 15:39:18.758013, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/05/17 15:39:18.758051, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2013/05/17 15:39:18.758091, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2013/05/17 15:39:18.758159, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 40
[2013/05/17 15:39:18.758344, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088297
[2013/05/17 15:39:18.762052, 3] smbd/process.c:1662(process_smb)
Transaction 2 of length 486 (0 toread)
[2013/05/17 15:39:18.762108, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 11575) conn 0x0
[2013/05/17 15:39:18.762152, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2013/05/17 15:39:18.762190, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/05/17 15:39:18.762225, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2013/05/17 15:39:18.762262, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2013/05/17 15:39:18.762313, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
Got user=[user1] domain=[DOMAINNAME] workstation=[WORKSTATIONNAME] len1=24 len2=246
Answer 1
Sorry I'm not posting this as a comment, but my reputation isn't high enough.
I see that you use + as the separator between domain and group, but you haven't set + as the winbind separator in your config.
winbind separator = +
Also, you have set the passdb backend to the local database tdbsam. This may be the reason your AD authentication fails.
Try the following settings:
workgroup = [SHORTDOMAINNAME]
realm = [KERBEROS REALM / LONG DOMAIN NAME]
password server = [fqdn of your pdc]
winbind use default domain = yes
encrypt passwords = yes
security = ads
The realm and workgroup should be all uppercase and match your "krb5.conf" file
krb5.conf:
[libdefaults]
default_realm = [KERBEROS REALM / LONG DOMAIN NAME]
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
clockskew = 300
forwardable = true
proxiable = true
[realms]
[KERBEROS REALM / LONG DOMAIN NAME] = {
kdc = [fqdn of your pdc]
default_domain = [long domain name lowercase]
}
[domain_realm]
.[long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]
[long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]
You can also check that everything is working:
wbinfo -u
you should see the list of users
wbinfo -g
to see the list of groups.
If your group names contain spaces, don't forget to wrap them in " in valid users.
Hope this helps
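The separator mismatch the answer describes can be caught before touching a live domain. The script below is an added example, not code from the question or the answer: it lints a constructed smb.conf that mirrors the poster's [Share] section (domain name EXAMPLE is an assumption), reports "valid users" entries whose DOMAIN/NAME separator differs from the active "winbind separator" (Samba's default is "\"), and shows the same file passing once "winbind separator = +" is declared in [global]. The live checks at the end use only standard Samba/winbind tools and are run only when RUN_LIVE=1 is set on the Samba host.

```shell
#!/bin/sh
# Added example, not from the original question or answer: lint an smb.conf for the
# mismatch the answer points out. Samba's default "winbind separator" is "\", so a
# "valid users" entry written as @DOM+Group1 never matches a winbind-mapped name
# unless "winbind separator = +" is set in [global].

# Constructed sample, mirroring the relevant lines of the poster's file
# (domain name EXAMPLE is an assumption).
SAMPLE_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    passdb backend = tdbsam
[Share]
    path = /share/Share
    read only = No
    valid users = @EXAMPLE+Group1, EXAMPLE+user1
EOF

# Same file with the separator declared, as the answer suggests.
awk '{ print } /^\[global\]/ { print "    winbind separator = +" }' "$SAMPLE_CONF" > "$FIXED_CONF"

# Print the configured winbind separator, or Samba's default "\" when it is unset.
winbind_separator() {
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*\(.\).*/\1/p' "$1" | head -n 1)
    if [ -n "$sep" ]; then printf '%s\n' "$sep"; else printf '\\\n'; fi
}

# Return 0 when every DOMAIN<sep>NAME entry in "valid users" uses the active separator;
# print the offending entries and return 1 otherwise. "+" and "\" are the separators
# looked for, since those are the two commonly used with winbind.
check_valid_users() {
    conf=$1
    sep=$(winbind_separator "$conf")
    bad=$(sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*//p' "$conf" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^[@+&]//' \
        | grep -v -F -- "$sep" \
        | grep -E '[+\\]' || true)
    if [ -n "$bad" ]; then
        printf 'winbind separator is "%s" but these "valid users" entries use another one:\n%s\n' "$sep" "$bad"
        return 1
    fi
    return 0
}

# Live checks once the box is joined; run with RUN_LIVE=1 on the Samba host.
# The group name passed to wbinfo/getent must be spelled exactly as "wbinfo -g" prints it.
live_checks() {
    testparm -s >/dev/null && echo "smb.conf parses"
    wbinfo -t                      # trust secret with the DC is valid
    wbinfo -u | head -n 5          # users are enumerated from AD
    wbinfo -g | head -n 5          # groups likewise; this spelling is what "valid users" must match
    wbinfo -n "EXAMPLE+Group1"     # name -> SID through the configured separator (assumed domain)
    getent group "EXAMPLE+Group1"  # NSS (nss_winbind) resolves the group too
}

echo "--- poster's config (no winbind separator set) ---"
check_valid_users "$SAMPLE_CONF" || echo "-> set 'winbind separator = +' or rewrite the entries with the default separator"
echo "--- with winbind separator = + ---"
check_valid_users "$FIXED_CONF" && echo "separators consistent"
if [ "${RUN_LIVE:-0}" = 1 ]; then live_checks; fi
```

The lint only looks at one symptom; if "wbinfo -g" prints the group under a different spelling than the entry in "valid users" (case, spaces, or a trimmed domain prefix when "winbind use default domain = yes" is set), the share still denies access even though the separator is consistent.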