Security

Encrypting SMB traffic with Samba

  • August 26, 2017

We are using Samba on Ubuntu 14.04 LTS as a PDC (primary domain controller) with roaming profiles. Everything works fine unless we try to force encryption by setting:

   server signing = mandatory
   smb encrypt = mandatory

in the [global] section of /etc/samba/smb.conf. After doing so, Win 8.0 and Win 8.1 clients (we haven't tried any others) complain: Die Vertrauensstellung zwischen dieser Arbeitsstation und der primären Domäne konnte nicht hergestellt werden. English translation: The trust relationship between this workstation and the primary domain could not be established.

If we add these two options (server signing and smb encrypt) only to the [profiles] section of smb.conf, tcpdump shows that the actual traffic is not encrypted!

Full smb.conf:

[global]
   workgroup = DOMAIN
   server string = %h PDC
   netbios name = HOSTNAME
   wins support = true
   dns proxy = no
   allow dns updates = False
   dns forwarder = IP

   deadtime = 15

   log level = 2
   log file = /var/log/samba/log.%m
   max log size = 5000
   debug pid = yes
   debug uid = yes
   syslog = yes
   utmp = yes

   security = user
   domain logons = yes
   domain master = yes
   os level = 64
   logon path = \\%N\profiles\%U
   logon home = \\%N\%U
   logon drive = H:
   logon script =

   passdb backend = ldapsam:ldap://localhost
   ldap ssl = start tls
   ldap admin dn = cn=admin,dc=DOMAIN,dc=de
   ldap delete dn = no

   encrypt passwords = yes
   server signing = mandatory
   smb encrypt = mandatory

   ## Sync UNIX password with Samba password
   ldap password sync = yes

   ldap suffix = dc=intra,dc=DOMAIN,dc=de
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap

   add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
   rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
   delete user script = /usr/sbin/smbldap-userdel '%u'
   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
   add group script = /usr/sbin/smbldap-groupadd -p '%g'
   delete group script = /usr/sbin/smbldap-groupdel '%g'
   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
   delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
   add machine script = /usr/sbin/smbldap-useradd -W '%m' -t 1

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   admin users = root
   guest ok = Yes
   browseable = No

[profiles]
   comment = Roaming Profile Share
   path = /var/lib/samba/profiles
   read only = No
   profile acls = Yes
   browsable = No
   valid users = %U
   create mode = 0600
   directory mode = 0700

Any help?

The smb.conf man page needs updating! It refers to the old, Samba-specific encryption mechanism, which only works with SMB1 and is done via the unix extensions. This can be used by smbclient.

Nowadays the "smb encrypt" option also controls the SMB-level encryption that is part of SMB version 3.0 and newer. Windows 8 (and later) clients should encrypt traffic with these settings.

Have you tried the same setting (smb encrypt = mandatory in the [global] section) on a Samba domain member or a standalone server?

Make sure smb encrypt = auto is set in the [global] section (not in the [profiles] section). That still announces the general availability of encryption.
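As an added check (example code, not from the question or the answers): a small Python script that parses an smb.conf, reports in which sections smb encrypt and server signing are set, and flags the layout the asker described, where the options sit only under a share such as [profiles] and not under [global]. Both sample configurations are constructed for the example.

```python
# Samba parameters this thread is about. 'server signing' is a global-only
# parameter in Samba; 'smb encrypt' may also be set per share.
ENCRYPTION_KEYS = ("smb encrypt", "server signing")

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} (names lower-cased, '#'/';' lines are comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def encryption_scope(sections):
    """Per key: its [global] value (None if unset) and any per-share values."""
    return {
        key: {
            "global": sections.get("global", {}).get(key),
            "shares": {name: params[key] for name, params in sections.items()
                       if name != "global" and key in params},
        }
        for key in ENCRYPTION_KEYS
    }

def share_only(report):
    """Keys set under a share but never in [global] (the asker's tcpdump case)."""
    return sorted(k for k, v in report.items()
                  if v["global"] is None and v["shares"])

# Constructed sample: options in [global], as in the full smb.conf above.
GLOBAL_CONF = """[global]
   server signing = mandatory
   smb encrypt = mandatory
[profiles]
"""

# Constructed sample: the variant the asker tried, options under [profiles] only.
SHARE_ONLY_CONF = """[global]
   workgroup = DOMAIN
[profiles]
   server signing = mandatory
   smb encrypt = mandatory
"""
```

Run share_only(encryption_scope(parse_smb_conf(open("/etc/samba/smb.conf").read()))) on a real file; an empty list means every encryption parameter that is set has a [global] default.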


This is most likely a bug in Samba. So it should probably be discussed on Samba's samba-technical mailing list or in Samba's bugzilla. If you are using Ubuntu's version of Samba, you may also want to look at the package page. I suspect this is a genuine upstream Samba issue.

Quoted from: https://serverfault.com/questions/657942