Samba 4: joined to the domain, but all users map to nobody and Windows clients cannot access shares
I have a Debian/Jessie Samba 4.2.14 running as an AD member. The ADC is a Windows 2008 R2 server. The join works without problems:

```
# net ads testjoin
Join is OK
```

`wbinfo -u` and `wbinfo -g` work perfectly and return the lists of users and groups from AD as expected. `wbinfo -i <user>` also works:

```
# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false
```
**EDIT:** something is wrong here, because `wbinfo -i` maps all users and groups to id 4294967295, which, as @TheSkunk said, is 2^32 - 1.

**EDIT 2:** `wbinfo --sid-to-uid TESTAD\\testuser` fails. Obviously I have to set some idmap parameters explicitly (the defaults clearly don't work at all), but how?

**EDIT 3:** I have added these two lines to smb.conf:

```
idmap config * : backend = tdb
idmap config * : range = 10000-30000
```
Now `wbinfo -i TESTDOMAIN\testuser` reports a valid id, and a different one for each and every user. However I still have the same problems (all users mapping to nobody, `id` and `getent` don't know the AD users, etc.). `getent passwd TESTAD\\testuser` still fails:

```
# getent passwd TESTAD\\testuser
# echo $?
2
```
I can connect to the server with `smbclient` using any AD account:

```
# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password:
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
  .                                   D        0  Fri Feb 17 16:23:04 2017
  ..                                  D        0  Wed Feb  1 16:47:02 2017
  test.txt                            N        5  Fri Feb 17 14:38:21 2017
  popo                                D        0  Fri Feb 17 16:23:04 2017

                117125466112 blocks of size 1024. 117052392484 blocks available
smb: \>
```
However, the connection is mapped to `nobody/nogroup`, and files created through it are owned by nobody as well. Windows machines cannot connect with any AD account. If I create a local account with `smbpasswd -a <user>`, they can connect with that one, but again their connection parameters, files, etc. are mapped to nobody, even though the account also exists locally. This is the current `smb.conf` (as close to the defaults as possible):

```
[global]
    workgroup = TESTAD
    realm = TESTAD.lan
    server role = member server
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb
    inherit permissions = Yes
    inherit acls = Yes

[DATA]
    path = /mnt/raid/
    read only = No
    guest ok = Yes
```
And this is `/etc/nsswitch.conf` (I tried adding and removing winbind from the shadow line, no change at all):

```
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
```
I don't understand why authentication never seems to go through winbind. I'm getting desperate, any ideas?
I found the core problem: a missing package. Unfortunately, getting it right was not easy, so here is the final working configuration (thanks to Rowland Penny from samba.org):

Make sure you have all the necessary packages installed (the missing one was libnss-winbind):

```
apt-get install samba acl attr quota fam winbind libpam-winbind \
    libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools
```
Stop the services:

```
service smbd stop
service nmbd stop
service winbind stop
```
Set up a proper smb.conf (in particular the idmap parameters):

```
[global]
    workgroup = TESTAD
    security = ADS
    realm = TESTAD.LAN
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain, the ranges may not overlap !
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999

    template shell = /bin/bash
    template homedir = /home/TESTAD/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
```
That configuration needs an additional file, /etc/samba/user.map, containing the following line:

```
!root = TESTAD\Administrator TESTAD\administrator Administrator administrator
```
Don't forget to fill in /etc/krb5.conf properly:

```
[libdefaults]
    default_realm = TESTAD.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true
```

Note that krb5.conf must be owned by root and readable by everyone (644 permissions).
Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:

```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
Now join the domain:

```
# net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'
```
Finally, start the services:

```
service smbd start
service nmbd start
service winbind start
```

`getent passwd` should now work with AD users:

```
# getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash
```
CAVEAT: because I had joined AD earlier without the necessary libraries installed, I had to reboot the system after this setup before it authenticated users correctly!
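The two configuration details that decide whether AD users get real ids or collapse to nobody are the idmap ranges (the `*` range and the domain range must not overlap, as the answer's comment warns) and the `winbind` entries on the `passwd` and `group` lines of nsswitch.conf. The following POSIX sh script is an added example, not code from the original post or from Samba; it checks both conditions on constructed smb.conf and nsswitch.conf fragments (a correct pair and a broken pair) so it runs offline. The function names `idmap_ranges`, `check_idmap` and `check_nsswitch` are hypothetical; to use it on a real member server, pass `"$(cat /etc/samba/smb.conf)"` and `"$(cat /etc/nsswitch.conf)"` instead of the embedded strings.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a Samba AD
# member. Configs below are constructed for the demonstration.

# Constructed smb.conf fragment mirroring the answer: tdb for non-domain ids,
# rid for the domain, ranges disjoint.
SMB_CONF_OK='[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999'

# Constructed misconfiguration: the domain range overlaps the * range, so
# the same uid could be handed to two different SIDs.
SMB_CONF_BAD='[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-30000
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 20000-999999'

# Constructed nsswitch.conf fragments: with and without winbind on group.
NSSWITCH_OK='passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files'
NSSWITCH_BAD='passwd:         compat files winbind
group:          compat files
shadow:         compat files'

# idmap_ranges CONFIG: print one "<domain> <low> <high>" line per
# "idmap config <domain> : range = low-high" entry found in CONFIG.
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2 \3/p'
}

# check_idmap CONFIG: return 0 when every pair of idmap ranges is disjoint,
# 1 (with a message on stderr) when any two overlap. Here-documents are used
# instead of pipes so the loops run in the current shell and can set status.
check_idmap() {
    ranges=$(idmap_ranges "$1")
    status=0
    while read -r d1 l1 h1; do
        while read -r d2 l2 h2; do
            [ "$d1" = "$d2" ] && continue
            # Two closed intervals overlap iff each starts no later than the other ends.
            if [ "$l1" -le "$h2" ] && [ "$l2" -le "$h1" ]; then
                echo "idmap overlap: $d1 ($l1-$h1) vs $d2 ($l2-$h2)" >&2
                status=1
            fi
        done <<INNER
$ranges
INNER
    done <<OUTER
$ranges
OUTER
    return $status
}

# check_nsswitch CONFIG: return 0 when both the passwd and group databases
# list winbind as a source, 1 otherwise.
check_nsswitch() {
    for db in passwd group; do
        printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$db:.*(:|[[:space:]])winbind([[:space:]]|\$)" \
            || { echo "nsswitch: '$db' line does not include winbind" >&2; return 1; }
    done
    return 0
}

# Demonstration on the constructed fragments.
for name in SMB_CONF_OK SMB_CONF_BAD; do
    eval "cfg=\$$name"
    if check_idmap "$cfg"; then echo "$name: idmap ranges OK"; else echo "$name: idmap ranges BAD"; fi
done
for name in NSSWITCH_OK NSSWITCH_BAD; do
    eval "cfg=\$$name"
    if check_nsswitch "$cfg"; then echo "$name: nsswitch OK"; else echo "$name: nsswitch BAD"; fi
done
```

Running the script prints OK for the two correct fragments and BAD for the two broken ones; on a live server a BAD verdict before `net ads join` is the cheap way to catch the overlap the answer warns about, rather than discovering it later as files owned by the wrong user.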