We run an open-source Java web application that gives users a Windows file share so they can upload lots of large files. When a new user account is added, the web application writes the user record, with the Samba schema and the user's password, to the local slapd. The users are pulled into the system via NSS, and the Samba server is set up to serve home shares for these users. This approach has worked for ten years, but after I upgraded Ubuntu 16 LTS to 20 LTS some users can no longer connect to their shares while others can (Samba version 4.3.9-Ubuntu → 4.11.6-Ubuntu). It looks as if users who have never connected before cannot connect, while users who had connected before the update still can, but I'm guessing here.
The problem can be reproduced with smbclient (so it is not related to the Windows setup):
One user can log in successfully:
root@the-server:# smbclient \\\\localhost\\user.ok -U user.ok
WARNING: The "encrypt passwords" option is deprecated
Enter MYAPP\user.ok's password:
Try "help" to get a list of possible commands.
smb: \> exit
Another user cannot:
root@the-server:# smbclient \\\\localhost\\failing.user -U failing.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYAPP\failing.user's password:
session setup failed: NT_STATUS_LOGON_FAILURE
(Of course, I'm using the correct password.)
What I have tried and found so far:
- I added ReadWritePaths to smbd.service and nmbd.service because the daemons complained that they could not open their log files for writing. Here I also added the directories I found with samba/ in their name, as well as the user home directory.
- I tried setting client use spnego = no or client ntlmv2 auth = no, or both, in smb.conf, restarting the daemons each time. Did not fix it.
- I also tried setting client ntlmv2 auth = yes, because I read that this kind of authentication is based on the NTLM password hash. Did not fix it.
- I created a new user in the web app. The new user cannot log in.
- I deleted a working user and recreated it with the same user name but a different user number (never used before). That user can still log in.
- I tried setting client min protocol = NT1 and server min protocol = NT1, just to try. Did not fix it.
- I tried setting the container directory of the user homes (/usr/local/myapp/users) to group sambashare and permissions 1770. Did not fix it.
What could cause this behavior?
Configuration files and logs
smbd.service:
[Unit]
Description=Samba SMB Daemon
Documentation=man:smbd(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
After=network.target network-online.target nmbd.service winbind.service
[Service]
Type=notify
NotifyAccess=all
PIDFile=/run/samba/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/default/samba
ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity
ReadWritePaths=/var/log/samba/
ReadWritePaths=/var/cache/samba/
ReadWritePaths=/var/spool/samba/
ReadWritePaths=/usr/local/myapp/users/
[Install]
WantedBy=multi-user.target
smb.conf:
[global]
log level = 4
log file = /var/log/samba/log.%m
workgroup = MYAPP
unix extensions = no
wide links = yes
load printers = no
security = user
invalid users = root
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nodomain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nodomain
ldap ssl = no
ldap passwd sync = yes
ldap delete dn = no
[homes]
comment = Home Directories
path = /usr/local/myapp/users/%U
read only = no
browseable = no
valid users = %S
guest ok = no
inherit permissions = yes
nsswitch.conf:
passwd: compat systemd ldap
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
User records from slapcat:
dn: cn=ok.user,ou=users,dc=nodomain
sambaLMPassword: CAA85EBCA5013DA4E39701B5DB7D953C
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: User who can log in
sambaLogonScript: _ok.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=
uid: ok.user
cn: ok.user
sambaPwdLastSet: 1590661108
loginShell: loginShell
sambaAcctFlags: [U ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
description: description
homeDirectory: /usr/local/myapp/users/ok.user
sambaKickoffTime: 0
sn: ok.user
sambaPasswordHistory: 00000000000000000000000000000000000000
structuralObjectClass: inetOrgPerson
entryUUID: 51216ed8-3518-103a-9360-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200528101828Z
uidNumber: 1007
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
entryCSN: 20210204063107.618683Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210204063107Z
dn: cn=failing.user,ou=users,dc=nodomain
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: User who cannot log in
sambaLogonScript: _failing.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1010
uid: failing.user
cn: failing.user
loginShell: loginShell
sambaAcctFlags: [U ]
gidNumber: 100
sambaPwdMustChange: 2147483647
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
description: description
homeDirectory: /usr/local/myapp/users/failing.user
sambaKickoffTime: 0
sn: failing.user
sambaPasswordHistory: 00000000000000000000000000000000000000
structuralObjectClass: inetOrgPerson
entryUUID: c65fc8da-4e3f-103a-9362-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200629103354Z
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
sambaLMPassword: 5EB9213C5086DC258401FE06348FE504
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaPwdLastSet: 1601620989
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
entryCSN: 20210204065218.718848Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210204065218Z
The users as shown by getent passwd:
ok.user:x:1007:100:gecos:/usr/local/myapp/users/ok.user:loginShell
failing.user:x:1010:100:gecos:/usr/local/myapp/users/failing.user:loginShell
log.127.0.0.1 for the successful login:
[2021/02/11 07:35:45.410237, 4] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with domain [MYAPP]
[2021/02/11 07:35:45.410294, 4] ../../source3/auth/check_samsec.c:183(sam_account_ok)
sam_account_ok: Checking SMB password for user ok.user
[…]
[2021/02/11 07:35:45.413121, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MYAPP]\[ok.user] at [Do, 11 Feb 2021 07:35:45.413088 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:55130] became [THE-SERVER]\[ok.user] [S-1-5-21-2939508899-399288318-4273609636-3027]. local host [ipv4:127.0.0.1:445]
{"timestamp": "2021-02-11T07:35:45.413267+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:55130", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYAPP", "clientAccount": "ok.user", "workstation": "THE-SERVER", "becameAccount": "ok.user", "becameDomain": "THE-SERVER", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3027", "mappedAccount": "ok.user", "mappedDomain": "MYAPP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 10517}}
[2021/02/11 07:35:45.413355, 2] ../../source3/auth/auth.c:322(auth_check_ntlm_password)
check_ntlm_password: authentication for user [ok.user] -> [ok.user] -> [ok.user] succeeded
[…]
[2021/02/11 07:35:45.425097, 4] ../../auth/auth_log.c:740(log_successful_authz_event_human_readable)
Successful AuthZ: [SMB2,NTLMSSP] user [THE-SERVER]\[ok.user] [S-1-5-21-2939508899-399288318-4273609636-3027] at [Do, 11 Feb 2021 07:35:45.425081 UTC] Remote host [ipv4:127.0.0.1:55130] local host [ipv4:127.0.0.1:445]
{"timestamp": "2021-02-11T07:35:45.425151+0000", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:55130", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "THE-SERVER", "account": "ok.user", "sid": "S-1-5-21-2939508899-399288318-4273609636-3027", "sessionId": "1e59857a-7fca-47ba-8e02-c7bb512caf81", "logonServer": "THE-SERVER", "transportProtection": "SMB", "accountFlags": "0x00000010"}}
[2021/02/11 07:35:45.425290, 3] ../../source3/smbd/password.c:139(register_homes_share)
Adding homes service for user 'ok.user' using home directory: '/usr/local/myapp/users/ok.user'
[2021/02/11 07:35:45.425356, 3] ../../source3/param/loadparm.c:1572(lp_add_home)
adding home's share [ok.user] for user 'ok.user' at '/usr/local/myapp/users/%U'
log.127.0.0.1 for the failed login:
[2021/02/11 07:37:46.762028, 4] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with domain [MYAPP]
[2021/02/11 07:37:46.762080, 4] ../../libcli/auth/ntlm_check.c:377(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYAPP]
[2021/02/11 07:37:46.762118, 4] ../../libcli/auth/ntlm_check.c:391(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password without a domain
[2021/02/11 07:37:46.762154, 3] ../../libcli/auth/ntlm_check.c:403(ntlm_password_check)
ntlm_password_check: NTLMv2 password check failed
[2021/02/11 07:37:46.762178, 3] ../../libcli/auth/ntlm_check.c:448(ntlm_password_check)
ntlm_password_check: Lanman passwords NOT PERMITTED for user failing.user
[2021/02/11 07:37:46.762213, 4] ../../libcli/auth/ntlm_check.c:485(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with domain MYAPP
[2021/02/11 07:37:46.762249, 4] ../../libcli/auth/ntlm_check.c:514(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with upper-cased version of domain MYAPP
[2021/02/11 07:37:46.762283, 4] ../../libcli/auth/ntlm_check.c:543(ntlm_password_check)
ntlm_password_check: Checking LMv2 password without a domain
[2021/02/11 07:37:46.762317, 4] ../../libcli/auth/ntlm_check.c:574(ntlm_password_check)
ntlm_password_check: Checking NT MD4 password in LM field
[2021/02/11 07:37:46.762425, 3] ../../libcli/auth/ntlm_check.c:595(ntlm_password_check)
ntlm_password_check: LM password and LMv2 failed for user failing.user, and NT MD4 password in LM field not permitted
[2021/02/11 07:37:46.762483, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.762510, 4] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/02/11 07:37:46.762534, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.762595, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/11 07:37:46.762627, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.762652, 4] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/02/11 07:37:46.762675, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.762713, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/11 07:37:46.762738, 4] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/11 07:37:46.762762, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/11 07:37:46.763220, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.763268, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/11 07:37:46.763297, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.763323, 4] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/02/11 07:37:46.763347, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/11 07:37:46.763392, 4] ../../source3/passdb/pdb_ldap.c:1975(ldapsam_update_sam_account)
ldapsam_update_sam_account: user failing.user to be modified has dn: cn=failing.user,ou=users,dc=nodomain
[2021/02/11 07:37:46.763419, 2] ../../source3/passdb/pdb_ldap.c:1168(init_ldap_from_sam)
init_ldap_from_sam: Setting entry for user: failing.user
[2021/02/11 07:37:46.763448, 4] ../../source3/passdb/pdb_ldap.c:1988(ldapsam_update_sam_account)
ldapsam_update_sam_account: mods is empty: nothing to update for user: failing.user
[2021/02/11 07:37:46.763484, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/11 07:37:46.763515, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [failing.user] -> [failing.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/11 07:37:46.763596, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MYAPP]\[failing.user] at [Do, 11 Feb 2021 07:37:46.763566 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:55160] mapped to [MYAPP]\[failing.user]. local host [ipv4:127.0.0.1:445]
{"timestamp": "2021-02-11T07:37:46.763720+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:55160", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYAPP", "clientAccount": "failing.user", "workstation": "THE-SERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "failing.user", "mappedDomain": "MYAPP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 9134}}
[2021/02/11 07:37:46.763836, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/02/11 07:37:46.763882, 3] ../../auth/gensec/spnego.c:1442(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2021/02/11 07:37:46.763916, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/02/11 07:37:46.763943, 4] ../../source3/smbd/uid.c:575(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2021/02/11 07:37:46.763966, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/11 07:37:46.764015, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/02/11 07:37:46.764055, 3] ../../source3/smbd/smb2_server.c:3254(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_erro
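An added check, not part of the question above, the answer below, or Samba's own code: the failing log shows the NTLMv2 check failing and the LM path being skipped ("Lanman passwords NOT PERMITTED"), so the only credential smbd can compare against is the sambaNTPassword attribute of the LDAP entry. Recomputing that NT hash (MD4 over the UTF-16LE encoding of the password) from a password you know lets you decide offline whether an entry's stored hash is the problem or whether the daemon configuration is. The script below implements MD4 inline because hashlib.new("md4") needs the OpenSSL legacy provider on recent systems. The two LDIF entries, the password "password" and the "UTF-8 instead of UTF-16LE" provisioning bug are constructed for the example; they are not the real records or hashes from the question.

```python
"""Check a stored sambaNTPassword against a candidate password (example code).

smbd's NTLMv2 check derives its key from the NT hash it reads from
sambaNTPassword, so "NTLMv2 password check failed" means that stored
hash does not belong to the password the client used. This recomputes
the hash so an LDAP entry can be tested without going through smbd.
"""
import base64
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (inline: not in hashlib on OpenSSL 3 by default)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # word playing the "a" role this step: A, D, C, B, A, ...
                a, b, c, d = (s[(j + t) % 4] for t in range(4))
                s[j] = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
        state = [(v + w) & MASK for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash in the form Samba stores it in sambaNTPassword: MD4(UTF-16LE), upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldif_attrs(entry: str) -> dict:
    """Minimal reader for one slapcat/LDIF entry: 'attr: value' and base64 'attr:: value'.
    Keeps the first value of each attribute, which is all this check needs."""
    attrs = {}
    for line in entry.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip(), value.strip())
    return attrs


def nt_password_matches(entry: str, candidate: str) -> bool:
    """True if the candidate password reproduces the entry's sambaNTPassword.
    A False here is what smbd reports as NT_STATUS_WRONG_PASSWORD, which the
    client sees as NT_STATUS_LOGON_FAILURE."""
    stored = ldif_attrs(entry).get("sambaNTPassword", "")
    return hmac.compare_digest(stored.upper(), nt_hash(candidate))


# Constructed sample entries (not the real records from the question). Both were
# provisioned for the password "password". GOOD_ENTRY carries the well-known NT
# hash of that string; BAD_ENTRY carries what a hypothetical provisioning bug
# produces by hashing the UTF-8 bytes instead of the UTF-16LE encoding.
GOOD_ENTRY = """dn: cn=demo.ok,ou=users,dc=nodomain
objectClass: sambaSamAccount
uid: demo.ok
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaAcctFlags: [U ]
"""

BAD_ENTRY = (
    "dn: cn=demo.bad,ou=users,dc=nodomain\n"
    "objectClass: sambaSamAccount\n"
    "uid: demo.bad\n"
    "sambaNTPassword: " + md4(b"password").hex().upper() + "\n"
    "sambaAcctFlags: [U ]\n"
)

if __name__ == "__main__":
    for name, entry in (("demo.ok", GOOD_ENTRY), ("demo.bad", BAD_ENTRY)):
        ok = nt_password_matches(entry, "password")
        print(name, "matches stored NT hash" if ok else "would fail as WRONG_PASSWORD")
```

To apply this to a real entry, paste the slapcat output of one user into nt_password_matches together with the password that user types. If a user that cannot log in fails this check while a working user passes it, the stored hash is wrong and the smb.conf protocol settings are not the cause; if both pass, the hashes are fine and the problem is on the negotiation or configuration side.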
Answer 1
This is almost certainly due to several parameter defaults having changed between Samba 4.3.9 and 4.11.6.
In 4.3.9 these were the defaults:
server min protocol = LANMAN1
client min protocol = CORE
In 4.11.6 these changed to:
server min protocol = SMB2_02
client min protocol = SMB2_02
I believe that if you change them back your problem will go away, but you should be aware that Samba is actively working on removing SMBv1, which means you will no longer be able to use openldap with Samba. This will not happen immediately, it will probably take a year or so, but it will happen, so I suggest you start planning an upgrade to Samba AD or similar.