在领域信任的 Samba 服务器上漫游配置文件吗？

存在的理由

我正在尝试将 Active Directory 域的漫游配置文件存放在受领域信任的 Ubuntu 12.04LTS ZFS-on-Linux 文件服务器上，但目前尚未成功。最终目标是拥有一个可互操作的文件服务器来存放 Linux 的 autofs nfs 主目录和 Windows 的漫游配置文件。对于我来说，仅使用 Windows 服务器或将 Linux 服务器加入 Active Directory 来做到这一点在政治上是困难的。因此，我正在寻找技术解决方案或证据，证明这些技术解决方案不如打政治斗争那么站得住脚。

我怀疑我目前的困难与 Windows 客户端与 Samba 交互有关，而不是与 ZFS 有关，但我有点力不从心，所以我不能完全排除这种可能性。亲爱的读者，您能指出我的做法为什么是错误的，并解释正确的步骤吗？

---

我认为我知道

1. 用户可以从 Kerberos 域成功登录到客户端计算机。但是，用户使用临时配置文件登录。
2. 在文件服务器上创建了一个配置文件夹（大概是通过登录过程），但是新创建的配置文件夹中没有其他文件。
3. 配置文件夹会根据适当的所有者/组自动创建。
4. 鉴于此，在实例化凭证缓存或授予 krbtgt 之前加载配置文件似乎不太可能。
5. 登录临时配置文件后，用户可以在文件服务器上创建文件，而无需向文件服务器提供任何（额外）凭据。也就是说没有提示。这些文件也是由适当的所有者/组创建的。

---

附加信息

我认为这就是您想知道的所有配置，但我可能错了。
很抱歉，我没有找到让它可折叠的方法。

涉及的系统和机器的简要概述

AD domain: ad.example.com  (Functional Level 2012)
domain controllers: dc1.ad.example.com, dc2.ad.example.com (OS: Windows Server 2012 Std)
mit-krb5 realm: EXAMPLE.COM  
mit-krb5 kdcs: kdc1.example.com, kdc2.example.com (mit-krb5: 1.9.4)
smb/cifs server: zfs.example.com  (OS: Ubuntu 12.04LTS)
client: client.ad.example.com (OS: Windows 8 Enterprise)

Samba 日志

root@zfs:~# cat /var/log/samba/client.log
[2013/06/14 14:37:26.194496,  0] param/loadparm.c:9114(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:37:26.460344,  0] param/loadparm.c:9114(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:44:04.352344,  0] param/loadparm.c:9114(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied

不确定它在抱怨什么...

root@zfs:~# ls -l /var/lib/samba/usershares/tank_test
-rw-r--r-- 1 root root 110 Jun 14 12:57 /var/lib/samba/usershares/tank_test

文件服务器共享预登录

root@zfs:~# ls -la /tank/test/
total 38
drwxrwxrwt 2 root root 2 Jun 14 09:12 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..

文件服务器共享登录后：

root@zfs:~# ls -la /tank/test/
total 57
drwxrwxrwt 3 root root 3 Jun 14 09:16 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
drwxr-xr-x 2 user user 2 Jun 14 09:16 user.V2
root@zfs:~# find /tank/test
/tank/test
/tank/test/user.V2/

登录时的用户凭证缓存

Current LogonId is 0:0x6c79e3

Cached Tickets: (7)

#0> Client: user @ EXAMPLE.COM
    Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x60a90000 -> forwardable forwarded renewable pre_authent name_canonicalize 0x80000
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/21/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0x2 -> DELEGATION 
    Kdc Called: kdc2.example.com

#1> Client: user @ EXAMPLE.COM
    Server: krbtgt/AD.EXAMPLE.COM @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: kdc2.example.com

#2> Client: user @ EXAMPLE.COM
    Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/21/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0x1 -> PRIMARY 
    Kdc Called: kdc2.example.com

#3> Client: user @ EXAMPLE.COM
    Server: ldap/dc1.ad.example.com @ AD.EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
    Start Time: 6/14/2013 14:44:31 (local)
    End Time:   6/15/2013 0:44:31 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: dc1.ad.example.com

#4> Client: user @ EXAMPLE.COM
    Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
    Start Time: 6/14/2013 14:44:25 (local)
    End Time:   6/15/2013 0:44:25 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: dc1.ad.example.com

#5> Client: user @ EXAMPLE.COM
    Server: cifs/dc1.ad.example.com @ AD.EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 0:44:24 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: dc1.ad.example.com

#6> Client: user @ EXAMPLE.COM
    Server: cifs/zfs.example.com @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: kdc2.example.com

REALM 信托

ldapsearch -h ad.example.com -LLL cn=EXAMPLE.COM  objectClass trustPartner instancetype trustDirection trustAttributes
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: CN=EXAMPLE.COM,CN=System,DC=ad,DC=example,DC=com
objectClass: top
objectClass: leaf
objectClass: trustedDomain
instanceType: 4
trustDirection: 3
trustPartner: EXAMPLE.COM
trustAttributes: 1

Active Directory 用户

ldapsearch -h ad.example.com -LLL samaccountname=user profilePath altSecurityIdentities
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: CN=Test User,OU=managed users,DC=ad,DC=example,DC=com
profilePath: \\zfs.example.com\tank_test\user
altSecurityIdentities: Kerberos:[email protected]

基本 ZFS 信息

root@zfs:~#  zfs get mountpoint,casesensitivity,sharesmb,available tank/test
NAME       PROPERTY         VALUE        SOURCE
tank/test  mountpoint       /tank/test   default
tank/test  casesensitivity  mixed        -
tank/test  sharesmb         on           local
tank/test  available        26.1T        -

ZFS 创建 smb 共享 root@zfs:~# cat /var/lib/samba/usershares/tank_test #版本 2 路径=/tank/test 注释=注释：/tank/test usershare_acl=S-1-1-0:F guest_ok=n 共享名称=tank_test

Samba 配置

root@zfs:~# grep -v -e ^$ -e ^\; -e ^# /etc/samba/smb.conf
[global]
   workgroup = EXAMPLE.COM
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/%M.log
   max log size = 1000
   syslog = 3
   panic action = /usr/share/samba/panic-action %d
security = ADS
realm = EXAMPLE.COM
kerberos method = system keytab
map to guest = bad user

文件服务器的 Keytab

root@zfs:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2  host/[email protected] (aes256-cts-hmac-sha1-96)
   2    2  host/[email protected] (aes128-cts-hmac-sha1-96)
   3    2  host/[email protected] (arcfour-hmac)
   4    2   nfs/[email protected] (aes256-cts-hmac-sha1-96)
   5    2   nfs/[email protected] (aes128-cts-hmac-sha1-96)
   6    2   nfs/[email protected] (arcfour-hmac)
   7    2  cifs/[email protected] (aes256-cts-hmac-sha1-96)
   8    2  cifs/[email protected] (aes128-cts-hmac-sha1-96)
   9    2  cifs/[email protected] (arcfour-hmac)

服务器的身份映射（通过 sssd）

root@zfs:~# cat /etc/sssd/sssd.conf
# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = example.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_kdcip = kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15

服务器（相关）软件包

root@zfs:~# uname -a
Linux zfs 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
root@zfs:~# dpkg --get-selections | grep -e samba -e zfs -e krb -e sssd
krb5-config                                     install
krb5-locales                                    install
krb5-user                                       install
libgssapi-krb5-2                                install
libkrb5-26-heimdal                              install
libkrb5-3                                       install
libkrb5support0                                 install
libpam-krb5                                     install
libzfs1                                         install
samba                                           install
samba-common                                    install
samba-common-bin                                install
samba-tools                                     install
sssd                                            install
ubuntu-zfs                                      install
zfs-dkms                                        install
zfsutils                                        install