I get the following error when trying to browse a Samba share:
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
The Samba configuration I use to bind a standalone smbd server to my MIT Kerberos and OpenLDAP setup used to work (it definitely did on Ubuntu 20.04; I don't remember whether it also did on Ubuntu 22.04):
<smb.conf>
[global]
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = EXAMPLE
# The 'auto' setting here configures Samba based on the value of the
# 'security' setting.
server role = auto
# Configure Samba to call out to Kerberos for all authentication. Because we're
# not also configuring a passdb, Samba will look to the system accounts for all
# authorization info (e.g. UIDs, groups, etc.). This setup was taken from
# https://help.ubuntu.com/lts/serverguide/samba-ldap.html.
security = ads
realm = EXAMPLE.COM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/smbd.keytab
idmap config * : backend = tdb
idmap config * : range = 20001-30000
idmap config {{ domain | upper }} : backend = rfc2307
idmap config {{ domain | upper }} : range = 10000-20000
I could then get a Kerberos ticket and browse and/or mount the Samba share, for example:
$ kinit
Password for [email protected]:
$ /usr/bin/smbclient //neatbox.example.com/share --use-kerberos=required --no-pass --directory somepath --command ls
. D 0 Fri May 6 07:10:08 2022
.. D 0 Fri May 6 07:10:08 2022
stuff D 0 Fri May 6 07:10:08 2022
otherstuff D 0 Fri May 6 07:10:13 2022
957134040 blocks of size 1024. 620537476 blocks available
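However, quite a while ago this stopped working (like a year or two ago; I've only now had time to sit down and fuss over it; parenting is, like, a lot, you know?). Now I get: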
$ /usr/bin/smbclient //neatbox.example.com/share --use-kerberos=required --no-pass --directory somepath --command ls
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
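I've now spent a few evenings researching, and I think something broke or was removed around Samba 4.14? Something about the PAC, which is apparently part of the Kerberos ticket... somehow? [1,2,3] I don't know, I'm not a Kerberos expert; like most people, I just bang on the keyboard until everything works.
So here's my main question: does Samba still support authenticating via MIT Kerberos and OpenLDAP the way it used to, or is that now deprecated/unsupported?
Miscellaneous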
After a start/restart, the smbd logs always contain the following:
$ sudo systemctl status smbd
...
Dec 24 20:53:29 eddings systemd[1]: Starting Samba SMB Daemon...
Dec 24 20:53:29 eddings smbd[782101]: [2023/12/24 20:53:29.593145, 0] ../../source3/smbd/server.c:1734(main)
Dec 24 20:53:29 eddings smbd[782101]: smbd version 4.15.13-Ubuntu started.
Dec 24 20:53:29 eddings smbd[782101]: Copyright Andrew Tridgell and the Samba Team 1992-2021
Dec 24 20:53:29 eddings systemd[1]: Started Samba SMB Daemon.
Dec 24 20:53:30 eddings smbd[782101]: [2023/12/24 20:53:30.244701, 0] ../../source3/printing/nt_printing.c:233(nt_printing_init)
Dec 24 20:53:30 eddings smbd[782101]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
Sometimes, not reproducibly, it also produces a bunch of the following errors:
Dec 24 11:06:27 eddings smbd[766136]: [2023/12/24 11:06:27.972690, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
Dec 24 11:06:27 eddings smbd[766136]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
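Not sure whether they're related, but the smbclient failure doesn't seem to trigger them, so... they're probably unrelated.
[1] https://bugzilla.samba.org/show_bug.cgi?id=14901 (I tried the username map script and local nt token from settings there, but it didn't work)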
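
Added example, not part of the original post: a small Python parser for the journal-wrapped smbd debug format quoted above, pairing each "[timestamp, level] source:line(function)" header with the message that follows and extracting the NT_STATUS/WERR code, so auth-path messages can be separated from unrelated ones such as the printing error. The sample lines are constructed from the output in the post; the names parse_smbd_journal and auth_events are hypothetical.

```python
import re

# Constructed sample, shaped like the journal output quoted in the post.
SAMPLE = """\
Dec 24 20:53:29 eddings systemd[1]: Started Samba SMB Daemon.
Dec 24 20:53:30 eddings smbd[782101]: [2023/12/24 20:53:30.244701, 0] ../../source3/printing/nt_printing.c:233(nt_printing_init)
Dec 24 20:53:30 eddings smbd[782101]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
Dec 24 11:06:27 eddings smbd[766136]: [2023/12/24 11:06:27.972690, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
Dec 24 11:06:27 eddings smbd[766136]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
"""

# syslog-style prefix added by journald: "Mon DD HH:MM:SS host unit[pid]: msg"
JOURNAL = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
STATUS = re.compile(r"\b(?:NT_STATUS|WERR)_[A-Z0-9_]+\b")


def parse_smbd_journal(text):
    """Pair each Samba debug header with the message lines that follow it, per PID."""
    events, open_by_pid = [], {}
    for raw in text.splitlines():
        m = JOURNAL.match(raw)
        if not m or m["unit"] != "smbd":
            continue  # skip systemd and other units
        h = HEADER.match(m["msg"])
        if h:
            ev = {"pid": int(m["pid"]), "ts": h["ts"], "level": int(h["level"]),
                  "source": f'{h["src"]}:{h["line"]}', "func": h["func"],
                  "text": [], "status": []}
            open_by_pid[m["pid"]] = ev
            events.append(ev)
        elif m["pid"] in open_by_pid:  # continuation of the last header for this PID
            ev = open_by_pid[m["pid"]]
            ev["text"].append(m["msg"].strip())
            ev["status"] += STATUS.findall(m["msg"])
    return events


def auth_events(events):
    """Keep events raised from Samba's auth code (source path contains /auth/)."""
    return [e for e in events if "/auth/" in e["source"]]


if __name__ == "__main__":
    for e in parse_smbd_journal(SAMPLE):
        print(e["ts"], e["level"], e["source"], e["func"], e["status"])
```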