Encrypting SMB traffic with Samba
We use Samba on Ubuntu 14.04 LTS as a PDC (primary domain controller) with roaming profiles. Everything works fine until we try to enforce encryption by setting

    server signing = mandatory
    smb encrypt = mandatory

in the [global] section of /etc/samba/smb.conf. After that, Windows 8.0 and 8.1 clients (we have not tried any others) complain: "Die Vertrauensstellung zwischen dieser Arbeitsstation und der primären Domäne konnte nicht hergestellt werden." (in English: "The trust relationship between this workstation and the primary domain could not be established.")

If we instead add these two options (server signing, smb encrypt) only to the [profiles] section of smb.conf, tcpdump shows that the actual traffic is not encrypted!
Full smb.conf:

    [global]
    workgroup = DOMAIN
    server string = %h PDC
    netbios name = HOSTNAME
    wins support = true
    dns proxy = no
    allow dns updates = False
    dns forwarder = IP
    deadtime = 15
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 5000
    debug pid = yes
    debug uid = yes
    syslog = yes
    utmp = yes
    security = user
    domain logons = yes
    domain master = yes
    os level = 64
    logon path = \\%N\profiles\%U
    logon home = \\%N\%U
    logon drive = H:
    logon script =
    passdb backend = ldapsam:ldap://localhost
    ldap ssl = start tls
    ldap admin dn = cn=admin,dc=DOMAIN,dc=de
    ldap delete dn = no
    encrypt passwords = yes
    server signing = mandatory
    smb encrypt = mandatory
    ## Sync UNIX password with Samba password
    ldap password sync = yes
    ldap suffix = dc=intra,dc=DOMAIN,dc=de
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
    rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    add machine script = /usr/sbin/smbldap-useradd -W '%m' -t 1

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    admin users = root
    guest ok = Yes
    browseable = No

    [profiles]
    comment = Roaming Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    browsable = No
    valid users = %U
    create mode = 0600
    directory mode = 0700
Any help?
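The asker only says that tcpdump showed the traffic unencrypted. The check behind that observation, as an added example that is not part of the original question: on TCP port 445 every SMB message is framed by a 4-byte NetBIOS Session Service header (type 0x00 plus a 3-byte big-endian length), and the first four bytes of the message then say what it is. 0xFF "SMB" is an SMB1 header (which can never carry SMB3 encryption), 0xFE "SMB" is a plaintext SMB2/3 header, and 0xFD "SMB" is the SMB3 transform header whose payload is encrypted (MS-SMB2 sections 2.2.1 and 2.2.41). The sample streams below are constructed, with zeroed signature and nonce fields, not a real capture.

```python
"""Tell plaintext SMB from SMB3-encrypted SMB in a reassembled TCP/445 byte stream."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_TRANSFORM_MAGIC = b"\xfdSMB"   # MS-SMB2 2.2.41: everything after this header is ciphertext


def classify_message(msg: bytes) -> dict:
    """Classify one SMB message; SMB2 and transform headers also yield the session id."""
    magic = msg[:4]
    if magic == SMB1_MAGIC:
        return {"kind": "smb1", "encrypted": False}
    if magic == SMB2_MAGIC:
        # SMB2 header: Command is a u16 at offset 12, SessionId a u64 at offset 40
        command = struct.unpack_from("<H", msg, 12)[0]
        session_id = struct.unpack_from("<Q", msg, 40)[0]
        return {"kind": "smb2", "encrypted": False,
                "command": command, "session_id": session_id}
    if magic == SMB2_TRANSFORM_MAGIC:
        # Transform header (52 bytes): ProtocolId(4) Signature(16) Nonce(16)
        # OriginalMessageSize(4) Reserved(2) Flags/EncryptionAlgorithm(2) SessionId(8)
        orig_size, flags, session_id = struct.unpack_from("<I2xHQ", msg, 36)
        return {"kind": "smb3-encrypted", "encrypted": True,
                "original_size": orig_size, "flags": flags, "session_id": session_id}
    return {"kind": "unknown", "encrypted": False}


def iter_nbss_messages(stream: bytes):
    """Yield SMB messages from NBSS session-message (type 0x00) frames."""
    off = 0
    while off + 4 <= len(stream):
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        if msg_type != 0x00:
            raise ValueError(f"unexpected NBSS type {msg_type:#x} at offset {off}")
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError(f"truncated NBSS frame at offset {off}")
        yield body
        off += 4 + length


def audit_stream(stream: bytes) -> dict:
    """Count message kinds. NEGOTIATE (0x0000) and SESSION_SETUP (0x0001) are plaintext
    by design; any plaintext SMB2 command after them (TREE_CONNECT, CREATE, READ, ...)
    means the share is not actually being encrypted."""
    counts = {"smb1": 0, "smb2": 0, "smb3-encrypted": 0, "unknown": 0}
    plaintext_after_setup = 0
    for msg in iter_nbss_messages(stream):
        info = classify_message(msg)
        counts[info["kind"]] += 1
        if info["kind"] == "smb2" and info["command"] > 0x0001:
            plaintext_after_setup += 1
    counts["plaintext_after_session_setup"] = plaintext_after_setup
    return counts


# --- constructed sample traffic (not a real capture; signature and nonce are zero) ---
def nbss(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def smb2_header(command: int, session_id: int = 0) -> bytes:
    hdr = bytearray(64)
    hdr[0:4] = SMB2_MAGIC
    struct.pack_into("<H", hdr, 4, 64)            # StructureSize is always 64
    struct.pack_into("<H", hdr, 12, command)
    struct.pack_into("<Q", hdr, 40, session_id)
    return bytes(hdr)


def smb3_transform(session_id: int, ciphertext: bytes) -> bytes:
    hdr = bytearray(52)
    hdr[0:4] = SMB2_TRANSFORM_MAGIC
    struct.pack_into("<I", hdr, 36, len(ciphertext))
    struct.pack_into("<H", hdr, 42, 0x0001)       # SMB 3.1.1 Flags: Encrypted
    struct.pack_into("<Q", hdr, 44, session_id)
    return bytes(hdr) + ciphertext


ENCRYPTED_SHARE = (
    nbss(smb2_header(0x0000))                     # NEGOTIATE, plaintext by design
    + nbss(smb2_header(0x0001, 0x1234))           # SESSION_SETUP, plaintext by design
    + nbss(smb3_transform(0x1234, b"\x00" * 80))  # TREE_CONNECT and later: encrypted
    + nbss(smb3_transform(0x1234, b"\x00" * 120))
)
PLAINTEXT_SHARE = (
    nbss(smb2_header(0x0000))
    + nbss(smb2_header(0x0001, 0x1234))
    + nbss(smb2_header(0x0003, 0x1234))           # TREE_CONNECT in the clear
    + nbss(smb2_header(0x0005, 0x1234))           # CREATE in the clear
)
SMB1_ONLY = nbss(b"\xffSMB\x72" + b"\x00" * 27)   # SMB_COM_NEGOTIATE: SMB1, never SMB3-encrypted

if __name__ == "__main__":
    for name, s in (("encrypted", ENCRYPTED_SHARE), ("plaintext", PLAINTEXT_SHARE), ("smb1", SMB1_ONLY)):
        print(name, audit_stream(s))
```

To apply this to a real capture, reassemble one TCP/445 stream (for example with Wireshark's "Follow TCP Stream" saved as raw bytes) and pass it to audit_stream; a non-zero plaintext_after_session_setup count is the same symptom the asker saw in tcpdump, and an smb1 count means the client never negotiated a dialect that supports SMB3 encryption at all.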
The smb.conf manpage needs updating! It refers to the old Samba-specific encryption mechanism that only applies to SMB1 and is done via the unix extensions. That one can be used by smbclient. Nowadays the "smb encrypt" option also controls the SMB-level encryption that is part of SMB version 3.0 and newer. Windows 8 (and later) clients should encrypt the traffic with these settings. Have you tried the same settings (smb encrypt = mandatory in the [global] section) on a Samba domain member or a standalone server?

Make sure smb encrypt = auto is set in the [global] section (and not in the [profiles] section). Then the general availability of encryption is still announced. This is most likely a bug in Samba, so it should probably be discussed on Samba's samba-technical mailing list or in Samba's bugzilla. If you are using Ubuntu's version of Samba, you may also want to look at the package page. I suspect this is a genuine upstream Samba problem.