背景:
我有一个 samba cifs 服务器。它没有加入域,但具有 MIT kerberosV 领域的密钥表。
Kerberized 挂载(例如mount -t cifs //cifs.example.com/groups /mnt/cifs -o sec=krb5i
)在 Linux 客户端上工作。来自 AD 的 Kerberized 挂载已加入 Windows 机器(加入到配置了对 Kerberos 领域的信任的域)。基于密码的挂载不适用于 Linux 客户端(没什么大不了的)。
非 AD 的基于密码的挂载加入了 Windows 客户端类型的工作。用资源管理器去\\cifs.example.com\groups
不行,也不会出现密码提示。但是,如果\\cifs.example.com\groups
作为盘符挂载,则对话框不会完成,但驱动器映射将建立并工作,此时可以取消对话框,同时保留挂载。
问题:
- 如何在未加入 AD 的 Windows 机器上使 UNC 路径提示输入密码?
配置:
主机名:cifs.example.com 领域:EXAMPLE.COM 发行版:CentOS 发行版 6.5(最终版)
samba 版本:samba-3.6.9-167.el6_5.x86_64
配置文件
syslog only = yes
syslog = 3
server string = %h server (Samba, CentOS)
workgroup = EXAMPLE.COM
security = ads
realm = EXAMPLE.COM
create krb5 conf = no
kerberos method = secrets and keytab
server signing = auto
smb encrypt = auto
smb ports = 445
use sendfile = yes
map to guest = Bad User
guest account = nobody
wins support = no
dns proxy = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
hide files = /Desktop.ini/$RECYCLE.BIN/Thumbs.db/~$.*/
[home]
path = /export/home/
writeable = yes
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700
[groups]
path = /export/groups
writeable = yes
guest ok = no
browseable = yes
create mask = 0660
directory mask = 0770
*
列表-k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 host/[email protected]
8 host/[email protected]
8 host/[email protected]
8 host/[email protected]
8 cifs/[email protected]
8 cifs/[email protected]
8 cifs/[email protected]
8 cifs/[email protected]
getebool -a | grep -e cifs -e 桑巴
allow_ftpd_use_cifs --> off
cobbler_use_cifs --> off
git_cgi_use_cifs --> off
git_system_use_cifs --> off
httpd_use_cifs --> off
qemu_use_cifs --> on
rsync_use_cifs --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tftp_use_cifs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
/etc/pam.d/samba
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
需要
max protocol
从默认更改NT1
为最大协议 =SMB2
。