Authentication

Samba 4: joined the domain, but all users map to nobody and Windows clients cannot access shares

  • October 3, 2019

I have a Debian/Jessie Samba 4.2.14 running as an AD member. The ADC is a Windows 2008 R2 server. The join works without problems:

# net ads testjoin
Join is OK

`wbinfo -u` and `wbinfo -g` work perfectly and return the lists of users and groups from AD as expected. `wbinfo -i <user>` works too:

# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false

**EDIT:** Something is wrong here, because `wbinfo -i` maps every user and group to id 4294967295, which is, as @TheSkunk pointed out, 2^32 - 1.

**EDIT 2:** `wbinfo --sid-to-uid TESTAD\\testuser` fails. Of course I have to set some idmap parameters explicitly (the defaults obviously don't work at all), but how?

**EDIT 3:** I have added these two lines to smb.conf:

idmap config * : backend = tdb
idmap config * : range = 10000-30000

Now `wbinfo -i TESTDOMAIN\testuser` reports a valid id, and a different one for each and every user. However, I still have the same problems (all users mapping to nobody, `id` and `getent` not knowing AD users, etc.).

However, `getent passwd TESTAD\\testuser` fails:

# getent passwd TESTAD\\testuser
# echo $? 
2

I can connect to the server with `smbclient` using any AD account:

# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password: 
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
 .                                   D        0  Fri Feb 17 16:23:04 2017
 ..                                  D        0  Wed Feb  1 16:47:02 2017
 test.txt                            N        5  Fri Feb 17 14:38:21 2017
 popo                                D        0  Fri Feb 17 16:23:04 2017

               117125466112 blocks of size 1024. 117052392484 blocks available
smb: \> 

However, the connection is mapped to nobody/nogroup, and the files it creates are owned by nobody as well. Windows machines cannot connect with any AD account. If I create a local account with `smbpasswd -a <user>`, they can connect with that, but their connection, the files they create, etc. are still mapped to nobody, even though the account also exists locally.

This is the current smb.conf (kept as close to the defaults as possible):

[global]
       workgroup = TESTAD
       realm = TESTAD.lan
       server role = member server
       security = ADS
       map to guest = Bad User
       obey pam restrictions = Yes
       pam password change = Yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       unix password sync = Yes
       syslog = 0
       log file = /var/log/samba/log.%m
       max log size = 1000
       dns proxy = No
       usershare allow guests = Yes
       panic action = /usr/share/samba/panic-action %d
       idmap config * : backend = tdb
       inherit permissions = Yes
       inherit acls = Yes


[DATA]
       path = /mnt/raid/
       read only = No
       guest ok = Yes

This is /etc/nsswitch.conf (I have tried adding and removing winbind from the shadow line; no change at all):

# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

I don't understand why authentication never seems to go through winbind. I'm getting desperate; any ideas?

I found the core problem: missing packages. Unfortunately, getting it right is not easy, so here is the final working configuration (thanks to Rowland Penny from samba.org):

Make sure all the necessary packages are installed (the missing one was libnss-winbind):

apt-get install samba acl attr quota fam winbind libpam-winbind \
libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

Stop the services:

service smbd stop
service nmbd stop
service winbind stop

Set up a proper smb.conf (in particular the idmap parameters):

[global]
   workgroup = TESTAD
   security = ADS
   realm = TESTAD.LAN

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   server string = Data %h

   winbind use default domain = yes
   winbind expand groups = 4
   winbind nss info = rfc2307
   winbind refresh tickets = Yes
   winbind offline logon = yes
   winbind normalize names = Yes

   ## map ids outside of domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   ## map ids from the domain  the ranges may not overlap !
   idmap config TESTAD : backend = rid
   idmap config TESTAD : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/TESTAD/%U

   domain master = no
   local master = no
   preferred master = no
   os level = 20
   map to guest = bad user
   host msdfs = no

   # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/user.map

   # For ACL support on domain member
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   # Share Setting Globally
   unix extensions = no
   reset on zero vc = yes
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   hide unreadable = yes

   # disable printing completely
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

With that configuration, an additional /etc/samba/user.map file is needed, containing the following line:

!root = TESTAD\Administrator TESTAD\administrator Administrator administrator

Don't forget to fill in /etc/krb5.conf correctly:

[libdefaults]
   default_realm = TESTAD.LAN
   dns_lookup_realm = false
   dns_lookup_kdc = true

Note that krb5.conf must be owned by root and readable by everyone (644 permissions).

Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files 

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now join the domain:

# net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'

Finally, start the services:

service smbd start
service nmbd start
service winbind start

`getent passwd` should now work with AD users:

# getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash

CAVEAT: Because I had joined AD earlier without the necessary libraries installed, I had to reboot the system after this setup before it would authenticate users correctly!
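The answer above hinges on the idmap settings: the question's smb.conf had a `*` backend with no range and nothing at all for the joined domain, while the working one gives `*` and TESTAD non-overlapping ranges and uses the rid backend. The following added example (not code from the post or from Samba) parses those `idmap config` lines, flags exactly those defects, and reproduces the idmap_rid arithmetic that turns the `getent` output into uid 11107 (RID 1107 + 10000) and gid 10513 (RID 513 + 10000); the two embedded configs are constructed from the post, and the SIDs in the tests are placeholders.

```python
# Added example, not from the post: sanity-check the "idmap config" lines of
# a Samba AD member's smb.conf and reproduce the idmap_rid id arithmetic.
import re

# Constructed from the two smb.conf versions in the post (question vs answer).
BROKEN_CONF = """[global]
   idmap config * : backend = tdb
"""
WORKING_CONF = """[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config TESTAD : backend = rid
   idmap config TESTAD : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val
    return idmap

def check_idmap(conf, workgroup):
    """Return the list of problems; empty means the idmap setup is usable."""
    idmap, problems, ranges = parse_idmap(conf), [], {}
    for dom, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"{dom}: range without backend")
        if "range" not in opts:   # this is what yields uid 4294967295 (-1)
            problems.append(f"{dom}: backend without range")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
    for needed in ("*", workgroup.upper()):   # both must be configured
        if needed not in idmap:
            problems.append(f"{needed}: no idmap config at all")
    doms = sorted(ranges, key=ranges.get)      # ranges must not overlap
    for a, b in zip(doms, doms[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges of {a} and {b} overlap")
    return problems

def rid_to_id(sid, conf, workgroup):
    """idmap_rid: unix id = RID (last SID component) + low end of domain range."""
    lo = int(parse_idmap(conf)[workgroup.upper()]["range"].split("-")[0])
    return lo + int(sid.rsplit("-", 1)[1])
```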

Source: https://serverfault.com/questions/833258