Authentication

具有遠端 LDAP 身份驗證的 Samba 無法正確查看使用者

  • October 23, 2012

我正在嘗試設置一個由遠端 LDAP 伺服器驗證的 samba 伺服器,但我遇到了一些我不知道如何解決的問題。

我能夠創建一個getent passwdat samba 伺服器,並且可以看到所有使用者ldapserver,但是當我嘗試\\SAMBASERVER在我的 windows 框中訪問時,我在以下位置有這個/var/log/samba/log.mywindowsbox

<...snip...>
[2012/10/19 13:05:22.449684,  2] smbd/sesssetup.c:1413(setup_new_vc_session)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/10/19 13:05:22.449692,  3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
 Doing spnego session setup
[2012/10/19 13:05:22.449701,  3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
 NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/10/19 13:05:22.449717,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
 Got user=[lucas] domain=[BUSINESS] workstation=[MYWINDOWSBOX] len1=24 len2=24
[2012/10/19 13:05:22.449747,  3] auth/auth.c:216(check_ntlm_password)
 check_ntlm_password:  Checking password for unmapped user [BUSINESS]\[lucas]@[MYWINDOWSBOX] with the new password interface
[2012/10/19 13:05:22.449759,  3] auth/auth.c:219(check_ntlm_password)
 check_ntlm_password:  mapped user is: [SAMBASERVER]\[lucas]@[MYWINDOWSBOX]
[2012/10/19 13:05:22.449773,  3] smbd/sec_ctx.c:210(push_sec_ctx)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/19 13:05:22.449783,  3] smbd/uid.c:429(push_conn_ctx)
 push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/19 13:05:22.449791,  3] smbd/sec_ctx.c:310(set_sec_ctx)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/19 13:05:22.449922,  2] lib/smbldap.c:950(smbldap_open_connection)
 smbldap_open_connection: connection opened
[2012/10/19 13:05:23.001517,  3] lib/smbldap.c:1166(smbldap_connect_system)
 ldap_connect_system: successful connection to the LDAP server
[2012/10/19 13:05:23.007713,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/19 13:05:23.007733,  3] auth/auth_sam.c:399(check_sam_security)
 check_sam_security: Couldn't find user 'lucas' in passdb.
[2012/10/19 13:05:23.007743,  2] auth/auth.c:314(check_ntlm_password)
 check_ntlm_password:  Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/19 13:05:23.007760,  3] smbd/error.c:80(error_packet_set)
 error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/10/19 13:05:23.010469,  3] smbd/process.c:1489(process_smb)
 Transaction 3 of length 142 (0 toread)
<...snip...>

/etc/samba/smb.conf文件如下:

[global]
dos charset = 850
unix charset = LOCALE

workgroup = BUSINESS
netbios name = SAMBASERVER

bind interfaces only = true
interfaces = lo eth0 eth1
smb ports = 139
hosts deny = All
hosts allow = 192.168.78. 192.168.255. 127.0.0.1 10.149.122. 192.168.0.
name resolve order = wins bcast hosts

log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000 

domain logons = No
wins support = Yes
wins proxy = No
client ntlmv2 auth = Yes
lanman auth = Yes
ntlm auth = Yes
dns proxy = Yes
time server = Yes

security = user
encrypt passwords = Yes
obey pam restrictions = Yes
ldap password sync = Yes
unix password sync = Yes

passdb backend = ldapsam:"ldap://192.168.78.206"
ldap ssl = off
ldap admin dn = uid=root,ou=Users,dc=business,dc=intranet

ldap suffix =
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap delete dn = Yes


add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -W -t5 "%u"

idmap backend = ldap:"ldap://192.168.78.206"
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

load printers = No
printcap name = /dev/null

map acl inherit = Yes
map untrusted to domain = Yes
enable privileges = Yes

veto files = /lost+found/ /publicftp/

所以,\\SAMBASERVER說他找不到我的使用者,但我可以通過getent passwd. 我可以做些什麼來SAMBASERVER查看和驗證我的使用者?

提前致謝!

我發現出了什麼問題。我只是把這個配置:

ldap admin dn = uid=root,ou=Users,dc=business,dc=intranet

並做了一個service smb restart,我能夠通過smbldap-userlist. 身份驗證也工作得很好。

引用自:https://serverfault.com/questions/440177

相關問答

Authentication

無法在使用 ldap auth for samba 的系統上添加本地使用者

  • March 6, 2014
檢視問答
Ldap

使用 SSSD 的 LDAP 客戶端身份驗證:組問題

  • October 29, 2021
檢視問答
Linux

嘗試從 Windows 客戶端連接時出現 Samba 身份驗證問題

  • August 25, 2021
檢視問答
Configuration

OpenLDAP 2.4 上的 smbk5pwd 覆蓋

  • January 26, 2021
檢視問答
Windows-7

使用者無法連接到 Windows 上的 samba 共享(其他人可以)

  • January 19, 2021
檢視問答
Ldap

如何將我的 FreeNAS 文件伺服器連接到我的 Mac OS X 目錄伺服器?

  • October 28, 2020
檢視問答