Linux
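Samba file server on a Windows domain fails to authenticate users - gives "credentials chain check failed"
I have two TurnKey Linux Fileserver 13 machines (basically Debian 7.3) running Samba to share folders on our mostly Windows LAN. Samba is configured to authenticate users against Active Directory on our domain controller.
This all worked fine until recently; now both Samba servers fail to authenticate some users. Other users who have been using the servers all along can still connect and access files normally (cached credentials?). Here is a typical example of what gets logged in the Samba log when a login attempt fails: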
[2016/04/26 20:08:15.768961, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
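I'm not aware of anything that has changed on our domain controller, and I'm pretty sure our domain controller allows Samba to connect to authenticate users, because I quickly set up the exact same OS/software in VirtualBox, copied over all of my production configuration, and successfully logged in to the temporary Samba setup using the same domain credentials that don't work on the production machines.
Here is also a copy of my Samba configuration: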
[global]
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
admin users = root
#read prediction = yes
passwd program = /usr/bin/passwd %u
dns proxy = no
netbios name = PAFILES
default = companyfiles
workgroup = MEG
os level = 20
auto services = companyfiles
security = ads
delete user script = /usr/sbin/userdel -r '%u'
max log size = 1000
directory mode = 777
log file = /var/log/samba/samba.log
read raw = no
guest account = nobody
write raw = no
add group script = /usr/sbin/groupadd '%g'
socket options = TCP_NODELAY
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
force directory mode = 777
wins server = DC01.MEG.LOCAL
#null passwords = yes
encrypt passwords = true
winbind trusted domains only = yes
winbind use default domain = yes
realm = MEG.LOCAL
passdb backend = tdbsam
unix extensions = no
wide links = yes
server string = TurnKey Linux FileServer
password server = DC01.MEG.LOCAL
unix password sync = yes
force create mode = 777
add user script = /usr/sbin/useradd -m '%u' -g users -G users
syslog = 0
create mode = 777
panic action = /usr/share/samba/panic-action %d
pam password change = yes

[companyfiles]
shadow:basedir = /srv/storage
force directory mode = 777
recycle:keeptree = yes
shadow:sort = desc
vfs objects = shadow_copy2
writeable = yes
delete readonly = yes
path = /srv/storage
shadow:snapdir = ../snapshots/storage
force create mode = 777
comment = Public Share
create mode = 0777
recycle:repository = Recycle Bin
recycle:versions = yes
directory mode = 0777
Any ideas on what I might try next? Thanks!
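The updates released on April 12 in response to the widely publicized "Badlock" vulnerability contain an upstream Samba bug that causes the behavior you are seeing. The Debian bug is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820981 Red Hat has a working patch, but as of today (April 27) it has not been released: https://bugzilla.redhat.com/show_bug.cgi?id=1326918
For now, your only options appear to be downgrading to the previous Samba version or waiting for a patch from your distribution.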
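To see which users and domain controllers show the pair of log entries quoted in the question, the Samba log can be tallied as below. This is an added example, not part of the original question or answer; the function names are hypothetical, and the third sample entry (user jdoe) is constructed to show an unrelated failure for contrast.

```python
import re
import sys
from collections import Counter

# Header of a Samba log entry: "[timestamp, level] file:line(function)".
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]\s+\S+")
CHAIN_FAIL = "credentials chain check failed"
VALIDATE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain \S+ "
    r"to Domain controller (?P<dc>\S+?)\. Error was (?P<status>NT_STATUS_\w+)")

# Constructed sample: the first two entries follow the question's excerpt,
# the third (user jdoe) is invented for illustration.
SAMPLE = """\
[2016/04/26 20:08:15.768961, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2016/04/26 20:08:15.769053, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user lholdeman in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_ACCESS_DENIED.
[2016/04/26 20:09:02.100000, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user jdoe in domain meg to Domain controller DC01.MEG.LOCAL. Error was NT_STATUS_WRONG_PASSWORD.
"""

def parse_entries(text):
    """Yield (timestamp, message), joining continuation lines to their header."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(parts)
            ts, parts = m.group(1), [line[m.end():].strip()]
        elif ts is not None:
            parts.append(line.strip())
    if ts is not None:
        yield ts, " ".join(parts)

def summarize(text):
    """Count failed validations per (user, dc, status, preceded_by_chain_failure)."""
    counts, chained = Counter(), False
    for _ts, msg in parse_entries(text):
        if CHAIN_FAIL in msg:
            chained = True
            continue
        m = VALIDATE.search(msg)
        if m:
            counts[(m["user"], m["dc"], m["status"], chained)] += 1
        chained = False
    return counts

def affected_users(text):
    """Users whose failed validation directly followed a chain-check failure."""
    return sorted({u for (u, _dc, _st, chained) in summarize(text) if chained})

if __name__ == "__main__":
    data = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for (user, dc, status, chained), n in sorted(summarize(data).items()):
        print(f"{user:12} {dc:18} {status:28} chain_failure={chained} count={n}")
```

Run it with the path from the `log file` setting (`/var/log/samba/samba.log` in the configuration above) as the only argument; with no argument it processes the embedded sample.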