主页 / server / 问题 / 833258
Accepted
wazoox
Asked: 2017-02-18 10:32:34 +0800 CST

Samba 4:已加入域,但所有用户都映射到没人,Windows 客户端无法访问共享

  • 772

我有一个 Debian/Jessie Samba 4.2.14 作为 AD 成员运行。ADC 是一个 Windows2008R2 服务器。加入工作没有问题。

# net ads testjoin
Join is OK

wbinfo -u并且wbinfo -g工作完美,并按预期提供来自 AD 的用户和组列表。wbinfo -i <user>也可以:

# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false

编辑:这里出了点问题,因为wbinfo -i将所有用户和组映射到 id 4294967295,正如@TheSkunk 所说,2^32 -1。

编辑2: wbinfo --sid-to-uid TESTAD\\testuser失败。当然,我必须明确设置一些idmap参数(默认值显然根本不起作用)但是如何?

编辑 3:我已将这两行添加到 smb.conf:

idmap config * : backend = tdb
idmap config * : range = 10000-30000

现在 ẁbinfo -i TESTDOMAIN\testuser reports a valid id, and a different one for each and every user. However I still have the same problems (all users mapping to nobody,id andgetent` 不知道 AD 用户等)。

然而getent passwd TESTAD\\testuser失败了:

# getent passwd TESTAD\\testuser
# echo $? 
2

我可以使用任何 AD 帐户连接smbclient到服务器:

# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password: 
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
  .                                   D        0  Fri Feb 17 16:23:04 2017
  ..                                  D        0  Wed Feb  1 16:47:02 2017
  test.txt                            N        5  Fri Feb 17 14:38:21 2017
  popo                                D        0  Fri Feb 17 16:23:04 2017

                117125466112 blocks of size 1024. 117052392484 blocks available
smb: \>

但是,连接被映射到nobody/nogroup,并且创建的文件也归其所有nobody。Windows 机器无法使用任何 AD 帐户进行连接。但是,如果我创建一个本地帐户smbpasswd -a <user>,他们可以使用它进行连接。但是,它们的连接参数、文件等都是映射到的,nobody尽管该帐户也存在于本地。

这是当前的smb.conf(尽可能接近默认值):

[global]
        workgroup = TESTAD
        realm = TESTAD.lan
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        inherit permissions = Yes
        inherit acls = Yes


[DATA]
        path = /mnt/raid/
        read only = No
        guest ok = Yes

这是/etc/nsswitch.conf(我尝试从阴影中添加和删除'winbindd,根本没有改变):

# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

我不明白为什么身份验证似乎永远不会通过 winbind。我越来越绝望了,有什么想法吗?

authentication linux-networking samba4 winbind

4 个回答

  1. Best Answer

    我找到了核心问题:缺少包。不幸的是,要做到正确并不容易:这是最终的工作配置(感谢 samba.org 的 Rowland Penny):

    确保您安装了所有必要的软件包(缺少的是 libnss-winbind):

    apt-get install samba acl attr quota fam winbind libpam-winbind \
libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

    停止服务

    service smbd stop
service nmbd stop
service winbind stop

    设置一个合适的 smb.conf(特别是 idmap 参数):

    [global]
    workgroup = TESTAD
    security = ADS
    realm = TESTAD.LAN

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/TESTAD/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    在该配置中,需要一个额外的 /etc/samba/user.map 文件,其中包含以下行:

    !root = TESTAD\Administrator TESTAD\administrator Administrator administrator

    不要忘记正确填写/etc/krb5.conf:

    [libdefaults]
    default_realm = TESTAD.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

    注意,krb5.conf 必须由 root 拥有并且每个人都可以读取(644 权限)。

    编辑 /etc/nsswitch.conf 并将 winbind 添加到 passwd 和 group 行:

    # /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files 

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

    现在加入域:

    # net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'

    最后启动服务:

    service smbd start
service nmbd start
service winbind start

    getent passwd现在应该与 AD 用户一起使用:

    # getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash

    CAVEAT因为我之前加入了 AD 而没有安装必要的库,所以我必须在此设置后重新启动系统才能让系统正确验证用户身份!

    • 7

  2. 4294967295 表示 2^32 - 这是由 winbind 守护程序生成的用于从 AD 转换 xid 的 GID 或 UID 的计数器溢出。这与访客映射无关...如果您使用 idmap config YOUR_DOMAIN : backend = ad ,则广告意味着信息不仅存储在本地,而且在运行时将其复制到所有客户端并存储在它们上(但这是我目前的任务)。广告意味着,如果一个客户迷路了,您已经将所有 uid/gid 映射信息存储在其他客户上。如果您恢复客户端,所有映射将再次相同。问题是,如果你有这个溢出一次,你不能轻易摆脱它,因为所有客户端都在复制它(运行windbind),也许(我目前正在尝试找出它)还有 DC。

    这是我正在使用的部分(工作正常,但我通过广告在 idmaps 上遇到了其他问题):

    winbind nss info = rfc2307
idmap config * : backend = tbd
idmap config * : range = 1000-2999

idmap config MY_DOMAIN : backend =  ad
idmap config MY_DOMAIN : schema_mode = rfc2307
idmap config MY_DOMAIN : range = 3000-30000
idmap_ldb:use rfc2307 = yes

winbind refresh tickets = yes
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

winbind cache time = 60  #higher might make you wait long for updates
    • 2

  3. 我自己来到这里,在寻找一些好的指导时,我想我应该在这篇文章中添加一个更新......

    展望未来,我们的目标是在 Linux 上使用sssd而不是winbind用于 Active Directory 集成。虽然sssd不提供 的所有功能winbind,但它使用 Kerberos 身份验证而不是 NT Lan Manager (NTLM) 身份验证。参考:红帽 Windows 集成指南,第 4.2 章

    我们正在尝试减少 NTLM 身份验证的使用以支持 Kerberos,因为后者被认为是更安全的协议。

    话虽如此,我们已将 SAMBA 文件共享配置如下:-

    1. 安装realmdsambasssd所有依赖项。也许更多?

    2. 加入领域:realm join <domain name>

      此命令将使用域凭据将机器加入域。然后这将自动配置nsswitch.conf,/etc/sssd/sssd.conf/etc/krb5.conf, 并获得一个机器密钥表, 在/etc/krb5.keytab.

    3. acl确保使用 中的选项安装文件系统/etc/fstab,例如

      UUID=foo-bar-baz /mnt/share ext4 defaults,acl 0 0

    4. 正确配置 samba。有这么多的选择,这是一个有点黑暗的艺术。YMMV,但对我有用的如下。任何需要<>需要为您自己的网络配置的东西。

    #/etc/samba/smb.conf
[global]
    # SMB settings
    security = ads
    workgroup = <workgroup>
    netbios name = <server name>
    server string = Samba %v on %L (%h)

    # NMB settings
    local master = no
    dns proxy = no

    # Authentication / Kerberos settings
    realm = <realm / domain name>
    password server = *
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    encrypt passwords = yes
    client use spnego = yes
    client signing = yes

    # ID mapping
    idmap config * : backend = autorid
    idmap config * : range = 1000000-1999999

    # Windows Extended ACLs
    vfs objects = acl_xattr
    map acl inherit = yes
    nt acl support = yes
    # This next one apparently incurs a significant performance hit without
    # additional functionality, but can help compatibility.
    # It adds the DOS Read-only, Archive and Hidden bits to file attributes.
    # store dos attributes = yes

[share]
    comment = <My Share>
    path = </mnt/share>
    valid users = @"<Domain Group>", <domain_user>
    # ... Other share-specific options
    1. 将域用户或组设置为 Unix 文件对象上的组。删除所有人的访问权限。
    > chown root:"Domain Users" /mnt/share
> chmod 770 /mnt/share
    1. 现在,希望您能够从已加入域的 Windows PC 访问文件共享,并使用 Windows 文件夹属性设置其权限。

    如果您以某种方式将自己锁定在共享之外(就像我自己所做的那样),可以使用以下 Linux 命令查看和更改 Windows 权限:-

    # get ACL permissions
> getfacl /mnt/share
# Set This Folder Only access on a share.
> setfacl -m group:"<domain>\<group>":rwx /mnt/share
# Set This Folder, Subdirectories and Files permissions on a folder
> set facl -m default:group:"<domain>\<group>":rwx /mnt/share
    • 1

  4. 我在新的 server02 上出现错误“client_input_channel_req:channel 0 rtype exit-status reply 0”,在 server01 上没有。在我的情况下,解决方案是添加两行我没有添加到 /etc/samba/smb.conf 中的错误:

    模板外壳 = /bin/bash

    模板主目录 = /home/%D/%u

    现在域用户已登录 server02。

    此致。

    • -1

相关问题