Windows

Cannot access Samba share from Windows

  • May 17, 2013

I'm new to SLES and Samba, so I need some help. I successfully set up Samba on SUSE 11. I was able to create a share without user restrictions, which I managed to access from Windows. But I only want to allow a specific group of users to access the share, so I used "valid users", "read list" and "write list". However, as soon as I add valid users to my config file, I can no longer access the share. Even when I enter the correct credentials, I get an access denied error. I tried using root, a local user account, and an AD domain user. None of these work. Can you give me a suggestion on how to solve this? Here is my smb.conf file:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-02-03
[global]
   workgroup = *******
   passdb backend = tdbsam
   printing = cups
   printcap name = cups
   printcap cache time = 750
   cups options = raw
   map to guest = Bad User
   include = /etc/samba/dhcp.conf
   logon path = \\%L\profiles\.msprofile
   logon home = \\%L\%U\.9xprofile
   logon drive = P:
   usershare allow guests = No
   idmap gid = 10000-20000
   idmap uid = 10000-20000
   realm = ********
   security = ADS
   template homedir = /home/%D/%U
   template shell = /bin/bash
   usershare max shares = 100
   winbind refresh tickets = yes
   wins support = No
[homes]
   comment = Home Directories
   valid users = %S, %D%w%S
   browseable = No
   read only = No
   inherit acls = Yes
[profiles]
   comment = Network Profiles Service
   path = %H
   read only = No
   store dos attributes = Yes
   create mask = 0600
   directory mask = 0700
[users]
   comment = All users
   path = /home
   read only = No
   inherit acls = Yes
   veto files = /aquota.user/groups/shares/
[groups]
   comment = All groups
   path = /home/groups
   read only = No
   inherit acls = Yes
[printers]
   comment = All Printers
   path = /var/tmp
   printable = Yes
   create mask = 0600
   browseable = No

[Share]
   inherit acls = Yes
   path = /share/Share
   read only = No
   browseable = Yes
   valid users = @****+Group1, *****+user1

This is the output of the log file when I try to access the share:

[2013/05/17 15:39:18.753943,  3] lib/access.c:338(allow_access)
 Allowed connection from IP Address(IP Address)
[2013/05/17 15:39:18.754178,  3] smbd/oplock.c:922(init_oplocks)
 init_oplocks: initializing messages.
[2013/05/17 15:39:18.754281,  3] smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
 Linux kernel oplocks enabled
[2013/05/17 15:39:18.754396,  3] smbd/process.c:1662(process_smb)
 Transaction 0 of length 137 (0 toread)
[2013/05/17 15:39:18.754447,  3] smbd/process.c:1467(switch_message)
 switch message SMBnegprot (pid 11575) conn 0x0
[2013/05/17 15:39:18.754827,  3] smbd/negprot.c:598(reply_negprot)
 Requested protocol [PC NETWORK PROGRAM 1.0]
[2013/05/17 15:39:18.754882,  3] smbd/negprot.c:598(reply_negprot)
 Requested protocol [LANMAN1.0]
[2013/05/17 15:39:18.754922,  3] smbd/negprot.c:598(reply_negprot)
 Requested protocol [Windows for Workgroups 3.1a]
[2013/05/17 15:39:18.754959,  3] smbd/negprot.c:598(reply_negprot)
 Requested protocol [LM1.2X002]
[2013/05/17 15:39:18.754996,  3] smbd/negprot.c:598(reply_negprot)
 Requested protocol [LANMAN2.1]
[2013/05/17 15:39:18.755035,  3] smbd/negprot.c:598(reply_negprot)
 Requested protocol [NT LM 0.12]
[2013/05/17 15:39:18.755163,  3] smbd/negprot.c:419(reply_nt1)
 using SPNEGO
[2013/05/17 15:39:18.755204,  3] smbd/negprot.c:704(reply_negprot)
 Selected protocol NT LM 0.12
[2013/05/17 15:39:18.757824,  3] smbd/process.c:1662(process_smb)
 Transaction 1 of length 142 (0 toread)
[2013/05/17 15:39:18.757917,  3] smbd/process.c:1467(switch_message)
 switch message SMBsesssetupX (pid 11575) conn 0x0
[2013/05/17 15:39:18.757970,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
 wct=12 flg2=0xc807
[2013/05/17 15:39:18.758013,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/05/17 15:39:18.758051,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
 Doing spnego session setup
[2013/05/17 15:39:18.758091,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
 NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2013/05/17 15:39:18.758159,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
 reply_spnego_negotiate: Got secblob of size 40
[2013/05/17 15:39:18.758344,  3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
 Got NTLMSSP neg_flags=0xe2088297
[2013/05/17 15:39:18.762052,  3] smbd/process.c:1662(process_smb)
 Transaction 2 of length 486 (0 toread)
[2013/05/17 15:39:18.762108,  3] smbd/process.c:1467(switch_message)
 switch message SMBsesssetupX (pid 11575) conn 0x0
[2013/05/17 15:39:18.762152,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
 wct=12 flg2=0xc807
[2013/05/17 15:39:18.762190,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/05/17 15:39:18.762225,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
 Doing spnego session setup
[2013/05/17 15:39:18.762262,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
 NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2013/05/17 15:39:18.762313,  3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
 Got user=[user1] domain=[DOMAINNAME] workstation=[WORKSTATIONNAME] len1=24 len2=246

Sorry for not writing this as a comment, but my rep is not high enough yet.

What I see is that you use + as the separator between domain and group, but you did not set + as the winbind separator in your config.

winbind separator = +

Also, you have the passdb backend set to the local database tdbsam. This could be the reason your AD authentication fails.

Try setting the following:

workgroup = [SHORTDOMAINNAME]
realm = [KERBEROS REALM / LONG DOMAIN NAME]
password server = [fqdn of your pdc]
winbind use default domain = yes
encrypt passwords = yes
security = ads

Realm and workgroup should be all uppercase and match your "krb5.conf" file

krb5.conf:

[libdefaults]
   default_realm = [KERBEROS REALM / LONG DOMAIN NAME]
   dns_lookup_realm = true
   dns_lookup_kdc = true
   default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
   default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
   clockskew = 300
   forwardable = true
   proxiable = true

[realms]
   [KERBEROS REALM / LONG DOMAIN NAME] = {
           kdc = [fqdn of your pdc]
           default_domain = [long domain name lowercase]
   }
[domain_realm]
   .[long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]
   [long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]

You can also check that everything is working:

wbinfo -u 

You should see the list of users

wbinfo -g 

to see the list of groups.

If you have groups with spaces in their names, don't forget to put them in quotes in "valid users"

Hope this helps
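As an added example (not part of the question or the answer), a small POSIX sh check for the separator mismatch described above: it reads the configured "winbind separator" (Samba's default is "\") and reports every "valid users" entry written with a different DOMAIN/name separator. The smb.conf fragments, domain name EXAMPLE and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed smb.conf modelled on the question's config: "+" is used in
# "valid users" but no "winbind separator" is declared, so Samba expects "\".
BROKEN="${TMPDIR:-/tmp}/smb_broken_$$.conf"
FIXED="${TMPDIR:-/tmp}/smb_fixed_$$.conf"
trap 'rm -f "$BROKEN" "$FIXED"' EXIT
cat > "$BROKEN" <<'EOF'
[global]
   security = ADS
[homes]
   valid users = %S, %D%w%S
[Share]
   path = /share/Share
   valid users = @EXAMPLE+Group1, EXAMPLE+user1
EOF
# Same config with the separator declared in [global], as the answer suggests.
{ printf '[global]\n   winbind separator = +\n'; sed '1d' "$BROKEN"; } > "$FIXED"

# Print the configured winbind separator, or Samba's default "\" when unset.
winbind_sep() {
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$sep" ]; then printf '%s\n' "$sep"; else printf '\\\n'; fi
}

# List every "valid users" token that uses a separator other than the configured one.
# Leading @, + and & are Samba's group/netgroup prefixes, not separators.
mismatches() {
    sep=$(winbind_sep "$1")
    sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^[@+&]//' \
    | while IFS= read -r token; do
        case $token in
            *%w*|*"$sep"*) ;;                        # %w macro or the configured separator: fine
            *+*|*/*|*\\*) printf '%s\n' "$token" ;;  # written with another separator: report
        esac
      done
}

# Return 0 when all entries are consistent, 1 (with a report) otherwise.
check_valid_users() {
    bad=$(mismatches "$1")
    [ -z "$bad" ] && return 0
    printf 'winbind separator is "%s" but these entries use another one:\n%s\n' \
        "$(winbind_sep "$1")" "$bad"
    return 1
}

check_valid_users "$BROKEN" || echo "fix: add 'winbind separator = +' to [global]"
check_valid_users "$FIXED" && echo "fixed config: separators consistent"
```

Run it against a real /etc/smb.conf by pointing check_valid_users at that path instead of the constructed files.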

Quoted from: https://serverfault.com/questions/508535