Ubuntu
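No credential prompt for an Ubuntu Samba share on Win Server 2012
I set up a share with read/write permissions in Ubuntu using system-config-samba. I configured my user to also be an smbuser.
On all of my other systems (2 Win10, 1 Win8, 1 Ubuntu) I am prompted for a username and password (as I should be, since I have guest ok = no in smb.conf and only one valid user). The problem is that Win Server 2012 does not get this prompt and, even worse, it can somehow bypass authentication and read all shares on the target computer.
At first I thought this might be a glitch caused by the username on Server 2012 being the same as on the Ubuntu machine and the smbuser, but even after changing the Win server username the problem persists.
No matter how I look at it, this seems like some kind of massive security hole. I have confirmed that there are no stored credentials that could be in use.
smb.conf includes: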
    usershare allow guests = no
    username map = /etc/samba/smbusers
    security = user
    encrypt passwords = yes
    guest ok = no
    guest account = nobody

    [ShareName]
    path = /media/[user]/[ext4_drive]/[share folder]
    writeable = yes
    browseable = yes
    guest ok = no
    valid users = [user]
Update:
/var/log/samba/log:
    [2015/10/29 14:49:30.544283, 2] ../source3/param/loadparm.c:3581(do_section) Processing section "[public]"
    [2015/10/29 14:49:30.544373, 0] ../source3/param/loadparm.c:3188(lp_do_parameter) Global parameter usershare allow guests found in service section!
    [2015/10/29 14:49:30.544402, 0] ../source3/param/loadparm.c:3188(lp_do_parameter) Global parameter username map found in service section!
    [2015/10/29 14:49:30.544428, 0] ../source3/param/loadparm.c:3188(lp_do_parameter) Global parameter security found in service section!
    [2015/10/29 14:49:30.544452, 0] ../source3/param/loadparm.c:3188(lp_do_parameter) Global parameter encrypt passwords found in service section!
    [2015/10/29 14:49:30.544489, 0] ../source3/param/loadparm.c:2376(service_ok) WARNING: No path in service public - making it unavailable!
    [2015/10/29 14:49:30.544513, 1] ../source3/param/loadparm.c:2383(service_ok) NOTE: Service public is flagged unavailable.
    [2015/10/29 14:49:30.544537, 2] ../source3/param/loadparm.c:3581(do_section) Processing section "[printers]"
    [2015/10/29 14:49:30.544577, 0] ../source3/param/loadparm.c:2363(service_ok) WARNING: [printers] service MUST be printable!
    [2015/10/29 14:49:30.544603, 0] ../source3/param/loadparm.c:2376(service_ok) WARNING: No path in service printers - making it unavailable!
    [2015/10/29 14:49:30.544626, 1] ../source3/param/loadparm.c:2383(service_ok) NOTE: Service printers is flagged unavailable.
    [2015/10/29 14:49:30.544650, 2] ../source3/param/loadparm.c:3581(do_section) Processing section "[ShareName]"
    [2015/10/29 14:49:30.544677, 0] ../source3/param/loadparm.c:3188(lp_do_parameter) Global parameter security found in service section!

    [2015/10/29 14:49:30.544860, 2] ../source3/lib/interface.c:341(add_interface) added interface eth1 ip=[IP] bcast=[BCAST] netmask=[MASK]
    [2015/10/29 14:51:50.380113, 2] ../source3/smbd/open.c:972(open_file) [USER] opened file test.txt read=No write=No (numopen=3)
    [2015/10/29 14:51:50.381445, 2] ../source3/smbd/close.c:780(close_normal_file) [USER] closed file test.txt (numopen=2) NT_STATUS_OK
    [2015/10/29 14:51:51.428034, 2] ../source3/smbd/open.c:972(open_file) [USER] opened file test.txt read=Yes write=No (numopen=2)
    [2015/10/29 14:51:51.433698, 2] ../source3/smbd/open.c:972(open_file) [USER] opened file test - Copy.txt read=Yes write=Yes (numopen=3)
    [2015/10/29 14:52:06.492354, 2] ../source3/smbd/close.c:780(close_normal_file) [USER] closed file test.txt (numopen=3) NT_STATUS_OK
    [2015/10/29 14:52:06.492925, 2] ../source3/smbd/close.c:780(close_normal_file) [USER] closed file test - Copy.txt (numopen=2) NT_STATUS_OK
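You have to find out which credentials the Windows machine is using. You can try two different (complementary) approaches:
- Create a file from the Win2012 machine, then, on the Linux machine, find which user owns the newly created file
- Enable Samba logging by adding the log level = 2 directive to /etc/samba/smb.conf. Then look under /var/log/samba/
Once you have found the user whose credentials the Win2012 machine is using, it should be easy to understand what is happening.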
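A sketch of the log check this answer describes, added here as an example and not part of the original answer: it groups smbd's "Global parameter ... found in service section!" warnings by share section and lists the user name smbd logged for each opened file. The sample log is constructed in the layout of the excerpt in the question, and the user name alice is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt in the question; "alice" is a placeholder.
SAMPLE_LOG = """\
[2015/10/29 14:49:30.544283,  2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[public]"
[2015/10/29 14:49:30.544402,  0] ../source3/param/loadparm.c:3188(lp_do_parameter)
  Global parameter username map found in service section!
[2015/10/29 14:49:30.544650,  2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[ShareName]"
[2015/10/29 14:49:30.544677,  0] ../source3/param/loadparm.c:3188(lp_do_parameter)
  Global parameter security found in service section!
[2015/10/29 14:51:51.428034,  2] ../source3/smbd/open.c:972(open_file)
  alice opened file test - Copy.txt read=Yes write=Yes (numopen=3)
"""

# One entry = "[timestamp, level] file:line(function)" plus the message that
# follows, whether it is on the same line or on the next one.
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+),\s*\d+\]\s+\S+\(\w+\)\s+"
    r"(?P<msg>.*?)(?=\[\d{4}/\d\d/\d\d |\Z)", re.S)
SECTION = re.compile(r'Processing section "\[(.+?)\]"')
MISPLACED = re.compile(r"Global parameter (.+?) found in service section!")
OPENED = re.compile(r"(\S+) opened file (.+?) read=(Yes|No) write=(Yes|No)")

def summarize(log_text):
    """Return (misplaced, access): global parameters smbd reported inside each
    share section, and the files opened under each logged user name."""
    misplaced, access = defaultdict(list), defaultdict(list)
    section = None
    for entry in ENTRY.finditer(log_text):
        msg = " ".join(entry["msg"].split())  # collapse wrapped whitespace
        if (m := SECTION.search(msg)):
            section = m[1]
        elif (m := MISPLACED.search(msg)):
            misplaced[section].append(m[1])
        elif (m := OPENED.search(msg)):
            mode = ("r" if m[3] == "Yes" else "") + ("w" if m[4] == "Yes" else "")
            access[m[1]].append((entry["ts"], m[2], mode or "-"))
    return dict(misplaced), dict(access)

if __name__ == "__main__":
    misplaced, access = summarize(SAMPLE_LOG)
    for name, params in misplaced.items():
        print(f"[{name}] global-only parameters in share section: {params}")
    for user, opens in access.items():
        print(f"{user}: {opens}")
```

A parameter that smbd reports this way sits under a share header in smb.conf rather than under [global], so the summary shows which lines to check first.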
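The essence of the problem is that the username and password are the same on both the Ubuntu system and Windows Server.
Not sure whether this is a convenience or a security hole.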