Linux

Samba file server on a Windows domain cannot authenticate users - gives "credentials chain check failed"

  • April 27, 2016

I have two TurnKey Linux Fileserver 13 machines (basically Debian 7.3) running Samba to share folders on our mostly-Windows LAN. Samba is configured to authenticate users against Active Directory on our domain controller.

Until recently this all worked fine; now both Samba servers are unable to authenticate certain users. Other users who have been using the servers all along can still connect and access files normally (cached credentials?). Here is a typical example of what gets written to the Samba log when a login attempt fails:

[2016/04/26 20:08:15.768961,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
 rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053,  0] auth/auth_domain.c:331(domain_client_validate)
 domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.

I don't know what has changed on our domain controller, and I'm fairly sure the domain controller still allows Samba to connect to authenticate users, because I quickly set up the exact same OS/software in VirtualBox, copied over all of my production configuration, and successfully logged in to that temporary Samba setup using the same domain credentials that don't work on the production machines.

Here is also a copy of my Samba configuration:

[global]
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   obey pam restrictions = yes
   admin users = root
   #read prediction = yes
   passwd program = /usr/bin/passwd %u
   dns proxy = no
   netbios name = PAFILES
   default = companyfiles
   workgroup = MEG
   os level = 20
   auto services = companyfiles
   security = ads
   delete user script = /usr/sbin/userdel -r '%u'
   max log size = 1000
   directory mode = 777
   log file = /var/log/samba/samba.log
   read raw = no
   guest account = nobody
   write raw = no
   add group script = /usr/sbin/groupadd '%g'
   socket options = TCP_NODELAY
   delete group script = /usr/sbin/groupdel '%g'
   add user to group script = /usr/sbin/usermod -G '%g' '%u'
   force directory mode = 777
   wins server = DC01.MEG.LOCAL
   #null passwords = yes
   encrypt passwords = true
   winbind trusted domains only = yes
   winbind use default domain = yes
   realm = MEG.LOCAL
   passdb backend = tdbsam
   unix extensions = no
   wide links = yes
   server string = TurnKey Linux FileServer
   password server = DC01.MEG.LOCAL
   unix password sync = yes
   force create mode = 777
   add user script = /usr/sbin/useradd -m '%u' -g users -G users
   syslog = 0
   create mode = 777
   panic action = /usr/share/samba/panic-action %d
   pam password change = yes
[companyfiles]
   shadow:basedir = /srv/storage
   force directory mode = 777
   recycle:keeptree = yes
   shadow:sort = desc
   vfs objects = shadow_copy2
   writeable = yes
   delete readonly = yes
   path = /srv/storage
   shadow:snapdir = ../snapshots/storage
   force create mode = 777
   comment = Public Share
   create mode = 0777
   recycle:repository = Recycle Bin
   recycle:versions = yes
   directory mode = 0777

Any ideas on what I might try next? Thanks!

An upstream bug in Samba, shipped in the updates released on April 12 in response to the widely publicized "Badlock" vulnerability, causes the behavior you are seeing. The Debian bug is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820981 Red Hat has a working patch, but as of today (April 27) it has not been released: https://bugzilla.redhat.com/show_bug.cgi?id=1326918

For now, your only options seem to be to downgrade to the previous Samba version or to wait for your distribution's patch.
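The answer's point is that the failures in the question are not ordinary bad-password events: each `domain_client_validate` denial is immediately preceded by a `credentials chain check failed` from the NETLOGON RPC client, which is the signature of a broken secure channel to the DC rather than of a user typing the wrong password. The following parser is an added example, not code from the question, the answer or the Samba project: it reads Samba's two-line log entries (header line, then indented message line), pairs each validation failure with a preceding chain-check failure within an assumed two-second window, and separates the two cases so an admin can see at a glance how many users and which DCs are hit by the secure-channel problem. The log lines in `SAMPLE_LOG` are constructed, modeled on the ones in the question; the user `jdoe` and the `NT_STATUS_WRONG_PASSWORD` entry are invented to show the ordinary-failure bucket.

```python
"""Split Samba domain-logon failures into NETLOGON secure-channel failures
(preceded by 'credentials chain check failed') and ordinary logon failures."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Samba log entries: a header line "[ts, level] file:line(func)" followed by
# an indented message line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
VALIDATE_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+) "
    r"to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)\."
)
CHAIN_FAIL = "credentials chain check failed"


@dataclass
class SambaEvent:
    ts: datetime
    level: int
    func: str
    message: str


def parse_samba_log(text: str) -> List[SambaEvent]:
    """Pair every header line with the message line that follows it."""
    events: List[SambaEvent] = []
    pending = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pending = m
            continue
        if pending and raw.strip():
            events.append(SambaEvent(
                ts=datetime.strptime(pending["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                level=int(pending["level"]),
                func=pending["func"],
                message=raw.strip(),
            ))
            pending = None
    return events


def classify_failures(events: List[SambaEvent],
                      window: timedelta = timedelta(seconds=2)) -> Dict[str, list]:
    """Bucket domain_client_validate failures.

    'chain_check': a NETLOGON 'credentials chain check failed' was logged
    within `window` before the denial (secure-channel problem, as in the
    question). 'other': no such precursor (wrong password, lockout, ...).
    The two-second window is an assumption, not a Samba constant.
    """
    out: Dict[str, list] = {"chain_check": [], "other": []}
    last_chain = None
    for ev in events:
        if CHAIN_FAIL in ev.message:
            last_chain = ev.ts
            continue
        m = VALIDATE_RE.search(ev.message)
        if not m:
            continue
        rec = {"ts": ev.ts, **m.groupdict()}
        if last_chain is not None and timedelta(0) <= ev.ts - last_chain <= window:
            out["chain_check"].append(rec)
            last_chain = None  # each chain failure explains at most one denial
        else:
            out["other"].append(rec)
    return out


def summarize(text: str) -> Dict[str, object]:
    """Counts and affected users/DCs for the secure-channel bucket, plus
    a status breakdown of the ordinary failures."""
    b = classify_failures(parse_samba_log(text))
    return {
        "chain_check_count": len(b["chain_check"]),
        "chain_check_users": sorted({r["user"] for r in b["chain_check"]}),
        "chain_check_dcs": sorted({r["dc"] for r in b["chain_check"]}),
        "other_statuses": dict(Counter(r["status"] for r in b["other"])),
    }


# Constructed sample, modeled on the entries quoted in the question.
SAMPLE_LOG = """\
[2016/04/26 20:08:15.768961,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
 rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053,  0] auth/auth_domain.c:331(domain_client_validate)
 domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
[2016/04/26 20:09:02.100000,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
 rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:09:02.100500,  0] auth/auth_domain.c:331(domain_client_validate)
 domain_client_validate: unable to validate password for user jdoe in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
[2016/04/26 20:10:40.000000,  0] auth/auth_domain.c:331(domain_client_validate)
 domain_client_validate: unable to validate password for user jdoe in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_WRONG_PASSWORD.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against `/var/log/samba/samba.log` (the `log file` path in the question's config) by passing the file contents to `summarize`; a non-zero `chain_check_count` spread across several users and a single DC points at the server-side secure channel rather than at the users' passwords.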

Quoted from: https://serverfault.com/questions/773151