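Unable to access Samba share from Windows
I am new to SLES and Samba, so I need some help. I successfully set up Samba on SUSE 11. I was able to create a share without user restrictions, which I managed to access from Windows. But I want to allow only a specific group of users to access the share. So I use "valid users", "read list" and "write list". However, as soon as I add valid users to my configuration file, I can no longer access the share. Even if I enter the correct credentials, I get an access denied error. I tried with root, with a local user account, and with an AD domain user. None of these work. Can you give me a suggestion on how to solve this? Here is my smb.conf file: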

    # smb.conf is the main Samba configuration file. You find a full commented
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
    # samba-doc package is installed.
    # Date: 2012-02-03
    [global]
        workgroup = *******
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = ********
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        winbind refresh tickets = yes
        wins support = No
    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
    [groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
    [Share]
        inherit acls = Yes
        path = /share/Share
        read only = No
        browseable = Yes
        valid users = @****+Group1, *****+user1

Here is the output of the log file when I try to access the share:

    [2013/05/17 15:39:18.753943, 3] lib/access.c:338(allow_access)
      Allowed connection from IP Address(IP Address)
    [2013/05/17 15:39:18.754178, 3] smbd/oplock.c:922(init_oplocks)
      init_oplocks: initializing messages.
    [2013/05/17 15:39:18.754281, 3] smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
      Linux kernel oplocks enabled
    [2013/05/17 15:39:18.754396, 3] smbd/process.c:1662(process_smb)
      Transaction 0 of length 137 (0 toread)
    [2013/05/17 15:39:18.754447, 3] smbd/process.c:1467(switch_message)
      switch message SMBnegprot (pid 11575) conn 0x0
    [2013/05/17 15:39:18.754827, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [PC NETWORK PROGRAM 1.0]
    [2013/05/17 15:39:18.754882, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [LANMAN1.0]
    [2013/05/17 15:39:18.754922, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [Windows for Workgroups 3.1a]
    [2013/05/17 15:39:18.754959, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [LM1.2X002]
    [2013/05/17 15:39:18.754996, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [LANMAN2.1]
    [2013/05/17 15:39:18.755035, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [NT LM 0.12]
    [2013/05/17 15:39:18.755163, 3] smbd/negprot.c:419(reply_nt1)
      using SPNEGO
    [2013/05/17 15:39:18.755204, 3] smbd/negprot.c:704(reply_negprot)
      Selected protocol NT LM 0.12
    [2013/05/17 15:39:18.757824, 3] smbd/process.c:1662(process_smb)
      Transaction 1 of length 142 (0 toread)
    [2013/05/17 15:39:18.757917, 3] smbd/process.c:1467(switch_message)
      switch message SMBsesssetupX (pid 11575) conn 0x0
    [2013/05/17 15:39:18.757970, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
      wct=12 flg2=0xc807
    [2013/05/17 15:39:18.758013, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2013/05/17 15:39:18.758051, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
      Doing spnego session setup
    [2013/05/17 15:39:18.758091, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
      NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2013/05/17 15:39:18.758159, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
      reply_spnego_negotiate: Got secblob of size 40
    [2013/05/17 15:39:18.758344, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0xe2088297
    [2013/05/17 15:39:18.762052, 3] smbd/process.c:1662(process_smb)
      Transaction 2 of length 486 (0 toread)
    [2013/05/17 15:39:18.762108, 3] smbd/process.c:1467(switch_message)
      switch message SMBsesssetupX (pid 11575) conn 0x0
    [2013/05/17 15:39:18.762152, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
      wct=12 flg2=0xc807
    [2013/05/17 15:39:18.762190, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2013/05/17 15:39:18.762225, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
      Doing spnego session setup
    [2013/05/17 15:39:18.762262, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
      NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2013/05/17 15:39:18.762313, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
      Got user=[user1] domain=[DOMAINNAME] workstation=[WORKSTATIONNAME] len1=24 len2=246

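Sorry for not writing this as a comment, but my rep isn't high enough.
What I see is that you are using + as the separator between domain and group, but you have not set + as the winbind separator in your config.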
winbind separator = +
Also, you have the passdb backend set to the local database tdbsam. This may be why your AD authentication fails.
Try setting the following:

    workgroup = [SHORTDOMAINNAME]
    realm = [KERBEROS REALM / LONG DOMAIN NAME]
    password server = [fqdn of your pdc]
    winbind use default domain = yes
    encrypt passwords = yes
    security = ads

The realm and workgroup should be all uppercase and match your "krb5.conf" file
krb5.conf:

    [libdefaults]
        default_realm = [KERBEROS REALM / LONG DOMAIN NAME]
        dns_lookup_realm = true
        dns_lookup_kdc = true
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
        clockskew = 300
        forwardable = true
        proxiable = true

    [realms]
        [KERBEROS REALM / LONG DOMAIN NAME] = {
            kdc = [fqdn of your pdc]
            default_domain = [long domain name lowercase]
        }

    [domain_realm]
        .[long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]
        [long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]

You can also check whether everything is working with
wbinfo -u
You should see the list of users
wbinfo -g
to see the list of groups.
If you have groups with spaces in their names, don't forget to put them in "valid users"
Hope that helps