Raison d'être
I am trying to store the roaming profiles of an Active Directory domain on a realm-trusted Ubuntu 12.04 LTS ZFS-on-Linux file server, but have not succeeded so far. The end goal is one interoperable file server that holds both the Linux autofs NFS home directories and the Windows roaming profiles. For me, doing this with a Windows-only server, or by joining the Linux server to Active Directory, is politically difficult. I am therefore looking either for a technical solution or for evidence that the technical solutions are less tenable than fighting the political battle.
I suspect my current difficulty lies in how the Windows client interacts with Samba rather than in ZFS, but I am somewhat out of my depth, so I cannot rule that out entirely. Dear reader, can you point out why my approach is wrong and explain the correct steps?
What I think I know
- The user can log on to the client machine from the Kerberos realm successfully. However, the user is logged on with a temporary profile.
- A profile folder is created on the file server (presumably by the logon process), but the newly created profile folder contains no other files.
- The profile folder is created automatically with the appropriate owner/group.
- Given this, it seems unlikely that the profile is being loaded before the credential cache is instantiated or the krbtgt is granted.
- After logging on with the temporary profile, the user can create files on the file server without supplying any (additional) credentials to the file server, i.e. there is no prompt. These files are also created with the appropriate owner/group.
Additional information
I think this is all the configuration you would want to know, but I may be wrong.
Sorry, I could not find a way to make it collapsible.
Brief overview of the systems and machines involved
AD domain: ad.example.com (Functional Level 2012)
domain controllers: dc1.ad.example.com, dc2.ad.example.com (OS: Windows Server 2012 Std)
mit-krb5 realm: EXAMPLE.COM
mit-krb5 kdcs: kdc1.example.com, kdc2.example.com (mit-krb5: 1.9.4)
smb/cifs server: zfs.example.com (OS: Ubuntu 12.04LTS)
client: client.ad.example.com (OS: Windows 8 Enterprise)
Samba log
root@zfs:~# cat /var/log/samba/client.log
[2013/06/14 14:37:26.194496, 0] param/loadparm.c:9114(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:37:26.460344, 0] param/loadparm.c:9114(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:44:04.352344, 0] param/loadparm.c:9114(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
Not sure what it is complaining about...
root@zfs:~# ls -l /var/lib/samba/usershares/tank_test
-rw-r--r-- 1 root root 110 Jun 14 12:57 /var/lib/samba/usershares/tank_test
File server share before logon
root@zfs:~# ls -la /tank/test/
total 38
drwxrwxrwt 2 root root 2 Jun 14 09:12 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
File server share after logon:
root@zfs:~# ls -la /tank/test/
total 57
drwxrwxrwt 3 root root 3 Jun 14 09:16 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
drwxr-xr-x 2 user user 2 Jun 14 09:16 user.V2
root@zfs:~# find /tank/test
/tank/test
/tank/test/user.V2/
User credential cache at logon
Current LogonId is 0:0x6c79e3
Cached Tickets: (7)
#0> Client: user @ EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a90000 -> forwardable forwarded renewable pre_authent name_canonicalize 0x80000
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/21/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: kdc2.example.com
#1> Client: user @ EXAMPLE.COM
Server: krbtgt/AD.EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: kdc2.example.com
#2> Client: user @ EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/21/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: kdc2.example.com
#3> Client: user @ EXAMPLE.COM
Server: ldap/dc1.ad.example.com @ AD.EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 6/14/2013 14:44:31 (local)
End Time: 6/15/2013 0:44:31 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.ad.example.com
#4> Client: user @ EXAMPLE.COM
Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 6/14/2013 14:44:25 (local)
End Time: 6/15/2013 0:44:25 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.ad.example.com
#5> Client: user @ EXAMPLE.COM
Server: cifs/dc1.ad.example.com @ AD.EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 0:44:24 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.ad.example.com
#6> Client: user @ EXAMPLE.COM
Server: cifs/zfs.example.com @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: kdc2.example.com
Realm trust
ldapsearch -h ad.example.com -LLL cn=EXAMPLE.COM objectClass trustPartner instancetype trustDirection trustAttributes
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: CN=EXAMPLE.COM,CN=System,DC=ad,DC=example,DC=com
objectClass: top
objectClass: leaf
objectClass: trustedDomain
instanceType: 4
trustDirection: 3
trustPartner: EXAMPLE.COM
trustAttributes: 1
Active Directory user
ldapsearch -h ad.example.com -LLL samaccountname=user profilePath altSecurityIdentities
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: CN=Test User,OU=managed users,DC=ad,DC=example,DC=com
profilePath: \\zfs.example.com\tank_test\user
altSecurityIdentities: Kerberos:[email protected]
Basic ZFS information
root@zfs:~# zfs get mountpoint,casesensitivity,sharesmb,available tank/test
NAME PROPERTY VALUE SOURCE
tank/test mountpoint /tank/test default
tank/test casesensitivity mixed -
tank/test sharesmb on local
tank/test available 26.1T -
ZFS-created smb share
root@zfs:~# cat /var/lib/samba/usershares/tank_test
#VERSION 2
path=/tank/test
comment=Comment: /tank/test
usershare_acl=S-1-1-0:F
guest_ok=n
sharename=tank_test
Samba configuration
root@zfs:~# grep -v -e ^$ -e ^\; -e ^# /etc/samba/smb.conf
[global]
workgroup = EXAMPLE.COM
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/%M.log
max log size = 1000
syslog = 3
panic action = /usr/share/samba/panic-action %d
security = ADS
realm = EXAMPLE.COM
kerberos method = system keytab
map to guest = bad user
File server keytab
root@zfs:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/[email protected] (aes256-cts-hmac-sha1-96)
2 2 host/[email protected] (aes128-cts-hmac-sha1-96)
3 2 host/[email protected] (arcfour-hmac)
4 2 nfs/[email protected] (aes256-cts-hmac-sha1-96)
5 2 nfs/[email protected] (aes128-cts-hmac-sha1-96)
6 2 nfs/[email protected] (arcfour-hmac)
7 2 cifs/[email protected] (aes256-cts-hmac-sha1-96)
8 2 cifs/[email protected] (aes128-cts-hmac-sha1-96)
9 2 cifs/[email protected] (arcfour-hmac)
Identity mapping on the server (via sssd)
root@zfs:~# cat /etc/sssd/sssd.conf
# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = example.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_kdcip = kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
Server (relevant) packages
root@zfs:~# uname -a
Linux zfs 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
root@zfs:~# dpkg --get-selections | grep -e samba -e zfs -e krb -e sssd
krb5-config install
krb5-locales install
krb5-user install
libgssapi-krb5-2 install
libkrb5-26-heimdal install
libkrb5-3 install
libkrb5support0 install
libpam-krb5 install
libzfs1 install
samba install
samba-common install
samba-common-bin install
samba-tools install
sssd install
ubuntu-zfs install
zfs-dkms install
zfsutils install
Answer 1
By default, Windows clients must use the ACLs with Active Directory SIDs to validate the roaming profile folder when loading a roaming profile. Even the user having the same uid, uidNumber and gidNumber and an appropriate altSecurityIdentities attribute is not enough.
While the SID requirement cannot be disabled, the ACL check itself can. The folder must still be readable by the user or the Administrators group.
Under Server 2012 this policy is called "Do not check for user ownership of Roaming Profile Folders", located at Computer Configuration \ Administrative Templates \ System \ User Profiles.
I should have looked at the Windows client logs sooner; I have no excuse for that.
Windows log: Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.