
84104's questions

84104
Asked: 2018-05-05 15:20:27 +0800 CST

如何使用 /etc/exports.d/?

  • 2

如何使用 /etc/exports.d/ 导出文件系统?

我正在尝试通过 nfs 导出一个 sge cell 的配置。但是,导出似乎没有生效。

# cat /etc/exports.d/sge-example.com
/opt/sge/example.com 192.0.2.0/24(ro)
# exportfs -rv
exportfs: No file systems exported!
# strace exportfs -rv 2>&1
execve("/usr/sbin/exportfs", ["exportfs", "-rv"], [/* 27 vars */]) = 0
brk(NULL)                               = 0x55d9bfde2000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb67e9e0000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=28419, ...}) = 0
mmap(NULL, 28419, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb67e9d9000
close(3)                                = 0
open("/lib64/libwrap.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3403\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=42520, ...}) = 0
mmap(NULL, 2138208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb67e5b5000
mprotect(0x7fb67e5be000, 2093056, PROT_NONE) = 0
mmap(0x7fb67e7bd000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0x7fb67e7bd000
mmap(0x7fb67e7bf000, 96, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb67e7bf000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\35\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2127336, ...}) = 0
mmap(NULL, 3940800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb67e1f2000
mprotect(0x7fb67e3aa000, 2097152, PROT_NONE) = 0
mmap(0x7fb67e5aa000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b8000) = 0x7fb67e5aa000
mmap(0x7fb67e5b0000, 16832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb67e5b0000
close(3)                                = 0
open("/lib64/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240@\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=113584, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb67e9d8000
mmap(NULL, 2198200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb67dfd9000
mprotect(0x7fb67dfef000, 2093056, PROT_NONE) = 0
mmap(0x7fb67e1ee000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7fb67e1ee000
mmap(0x7fb67e1f0000, 6840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb67e1f0000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb67e9d6000
arch_prctl(ARCH_SET_FS, 0x7fb67e9d6740) = 0
mprotect(0x7fb67e5aa000, 16384, PROT_READ) = 0
mprotect(0x7fb67e1ee000, 4096, PROT_READ) = 0
mprotect(0x7fb67e7bd000, 4096, PROT_READ) = 0
stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", 0x7ffffa926630) = -1 ENOENT (No such file or directory)
mprotect(0x55d9be0a5000, 4096, PROT_READ) = 0
mprotect(0x7fb67e9e1000, 4096, PROT_READ) = 0
munmap(0x7fb67e9d9000, 28419)           = 0
getpid()                                = 12763
rt_sigaction(SIGUSR1, {0x55d9bde9d580, [USR1], SA_RESTORER|SA_RESTART, 0x7fb67e227270}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGUSR2, {0x55d9bde9d580, [USR2], SA_RESTORER|SA_RESTART, 0x7fb67e227270}, {SIG_DFL, [], 0}, 8) = 0
stat("/etc/nfs.conf", {st_mode=S_IFREG|0644, st_size=953, ...}) = 0
open("/etc/nfs.conf", O_RDONLY)         = 3
brk(NULL)                               = 0x55d9bfde2000
brk(0x55d9bfe03000)                     = 0x55d9bfe03000
brk(NULL)                               = 0x55d9bfe03000
read(3, "#\n# This is a general conifgurat"..., 953) = 953
close(3)                                = 0
access("/proc/fs/nfs/filehandle", F_OK) = -1 ENOENT (No such file or directory)
access("/proc/fs/nfsd/filehandle", F_OK) = 0
open("/var/lib/nfs/export-lock", O_RDWR|O_CREAT, 0666) = 3
fcntl(3, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_CUR, l_start=0, l_len=0}) = 0
open("/etc/exports", O_RDONLY)          = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb67e9df000
read(4, "", 4096)                       = 0
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x7fb67e9df000, 4096)            = 0
openat(AT_FDCWD, "/etc/exports.d", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
getdents(4, /* 3 entries */, 32768)     = 72
getdents(4, /* 0 entries */, 32768)     = 0
close(4)                                = 0
write(2, "exportfs: ", 10exportfs: )              = 10
write(2, "No file systems exported!", 25No file systems exported!) = 25
write(2, "\n", 1
)                       = 1
open("/var/lib/nfs/.etab.lock", O_RDWR|O_CREAT, 0600) = 4
fcntl(4, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=0}) = 0
open("/var/lib/nfs/etab.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
close(5)                                = 0
open("/var/lib/nfs/etab.tmp", O_RDONLY) = 5
open("/var/lib/nfs/etab", O_RDONLY)     = 6
read(5, "", 4096)                       = 0
read(6, "", 4096)                       = 0
close(5)                                = 0
close(6)                                = 0
unlink("/var/lib/nfs/etab.tmp")         = 0
close(4)                                = 0
stat("/var/lib/nfs/etab", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
open("/proc/net/rpc/auth.unix.ip/flush", O_RDWR) = 4
write(4, "1525480721\n", 11)            = 11
close(4)                                = 0
open("/proc/net/rpc/auth.unix.gid/flush", O_RDWR) = 4
write(4, "1525480721\n", 11)            = 11
close(4)                                = 0
open("/proc/net/rpc/nfsd.fh/flush", O_RDWR) = 4
write(4, "1525480721\n", 11)            = 11
close(4)                                = 0
open("/proc/net/rpc/nfsd.export/flush", O_RDWR) = 4
write(4, "1525480721\n", 11)            = 11
close(4)                                = 0
fcntl(3, F_SETLK, {l_type=F_UNLCK, l_whence=SEEK_CUR, l_start=0, l_len=0}) = 0
exit_group(0)                           = ?
+++ exited with 0 +++

如果我直接在 /etc/exports 中定义导出,则[原文此处截断]。

centos7
  • 1 个回答
  • 4176 Views
84104
Asked: 2017-08-05 08:43:53 +0800 CST

使用ansible将两行替换为三行

  • 1

我正在更换我们的 DNS 服务器。作为其中的一部分,我们静态配置的服务器接口的 DNS 条目需要更新。但是,我遇到了障碍。接口当前定义了 2 个条目,我想用 3 个条目替换它们。

该 playbook 使用 replace 模块。它能替换 DNS1 和 DNS2,但无法添加 DNS3。lineinfile 也有类似的问题。

---
# Playbook from the question: rewrite the DNSn= entries of the default
# interface's ifcfg file from the `nameservers` list.
- hosts: canary
  vars:
   # The leading '' pads the list so that with_indexed_items appears to yield
   # item.0 = 1 for 192.0.2.1, lining up with the DNS1/DNS2/DNS3 key names.
   nameservers: [ '', 192.0.2.1, 192.0.2.2, 192.0.2.3 ]
  tasks:
  - name: nameservers
    replace:
     path: /etc/sysconfig/network-scripts/ifcfg-{{ansible_default_ipv4.interface}}
     replace: \1="{{ item.1 }}"
     # The regexp only matches a DNSn line that already exists in the file, so a
     # missing DNS3= line is never created -- the gap the question describes.
     regexp: (DNS{{ item.0 }}).+
    with_indexed_items:
    - "{{ nameservers }}" 
    when: ansible_distribution == "CentOS" and "nameservers" not in group_names
    tags:
    - debug
ansible
  • 1 个回答
  • 3520 Views
84104
Asked: 2017-07-15 10:38:47 +0800 CST

在 CentOS7 上的 OpenLDAP 中启用 TLSv1.0

  • 2

尽管设置了 olcTLSProtocolMin: 3.1,我的 CentOS7 OpenLDAP 服务器仍然只提供 TLS1.2。

我目前需要 TLSv1.0 来支持无法替换的遗留应用程序。

如何在 CentOS7 下使 TLSv1.0 在 OpenLDAP 上可用?

$ ldapsearch -b cn=config cn=config  olcTLSCipherSuite olcTLSProtocolMin
dn: cn=config
olcTLSCipherSuite: HIGH:!3DES:!aNull:!MD5:@STRENGTH
olcTLSProtocolMin: 3.1

$ nmap -Pn --script ssl-enum-ciphers -p 636 ldap.example.com
Nmap scan report for ldap.example.com (198.51.100.1).
Host is up (0.00068s latency).
rDNS record for 198.51.100.1: ldap.example.com
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds
centos7
  • 1 个回答
  • 515 Views
84104
Asked: 2017-04-28 14:35:59 +0800 CST

无法将驱动程序添加到 Windows 2016 Server Core - 不支持操作

  • 2

尝试添加默认的“RICOH 类驱动程序”时,我被错误“不支持此操作”阻止。事实上,虽然我想要的是 Ricoh 驱动程序,但无论我尝试添加哪个驱动程序,我都会收到相同的错误。

我应该如何将此驱动程序添加到 Windows Server 2016 Core?我目前正在通过 Windows 10 的打印管理工具进行交互。服务器和客户端都加入了同一个编辑域。

在此处输入图像描述 在此处输入图像描述

windows-server-2016
  • 1 个回答
  • 1663 Views
84104
Asked: 2016-08-17 14:25:24 +0800 CST

sssd可以提供跨域组成员吗?

  • 2

如何让 sssd 在所有已配置的域中搜索组成员身份?

根据下面的配置,alice(@bar) 和 bob(@foo) 都应该是 testgroup(@bar) 的成员。但是,只有 alice 被 sssd 视为 testgroup 的成员。

查看 tcpdump 抓包,似乎针对 alice 的搜索 (&(&(member=uid=alice,ou=users,dc=bar,dc=example,dc=com)(objectClass=posixGroup))(cn=*)) 只在 ou=groups,dc=bar,dc=example,dc=com 范围内进行,而针对 bob 的搜索 (&(&(member=uid=bob,ou=users,dc=foo,dc=example,dc=com)(objectClass=posixGroup))(cn=*)) 只在 ou=groups,dc=foo,dc=example,dc=com 范围内进行。

如何更改 sssd(或我的 OpenLDAP 后端)的行为以允许跨域成员身份?

dn: cn=testgroup,ou=groups,dc=bar,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: testgroup
gidNumber: 54321
member: uid=alice,ou=users,dc=bar,dc=example,dc=com
member: uid=bob,ou=users,dc=foo,dc=example,dc=com


[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = FOO.EXAMPLE.COM, BAR.EXAMPLE.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[autofs]

[domain/FOO.EXAMPLE.COM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = _srv_
ldap_search_base = dc=foo,dc=example,dc=com
ldap_user_search_base = ou=users,dc=foo,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=foo,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
krb5_realm = FOO.EXAMPLE.COM

ldap_autofs_entry_key = automountKey
ldap_autofs_map_name = automountMapName
ldap_autofs_search_base = ou=automount,dc=foo,dc=example,dc=com

[domain/BAR.EXAMPLE.COM]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = _srv_
ldap_search_base = dc=bar,dc=example,dc=com
ldap_user_search_base = ou=users,dc=bar,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=bar,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI

ldap_autofs_entry_key = automountKey
ldap_autofs_map_name = automountMapName
ldap_autofs_search_base = ou=automount,dc=bar,dc=example,dc=com
openldap sssd
  • 2 个回答
  • 1081 Views
84104
Asked: 2014-08-07 10:53:23 +0800 CST

sssd-ldap 可以对非 posix 用户进行身份验证吗?

  • 0

我正在把一台密封的 MSA 从使用 pam_ldap 迁移到 pam_sss(sssd-ldap)。但是,pam_sss 似乎无法对没有 uidNumber 的用户进行身份验证。我原以为把 ldap_user_object_class 从 posixAccount 改为 top 可以解决此问题,但事实并非如此。具有 uidNumber 的用户则一切正常。虽然可以预料 sssd 的 nss 需要 uidNumber,但我不明白为什么 pam 也需要它们。

来自 syslog 的 auth facility:

Aug  6 11:23:03 centos7-msa-test saslauthd[644]: pam_sss(smtp:auth): received for user non-posix-user: 10 (User not known to the underlying authentication module)

# cat /etc/pam.d/smtp
#%PAM-1.0
auth    sufficient  pam_sss.so
account sufficient  pam_sss.so

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = pam
domains = example.com-ldap
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com-ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com, _srv_
ldap_user_object_class = top
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt

$ ldapsearch -ZZ -h ldap.example.com -b ou=users,dc=example,dc=com -s one"(&(uid=non-posix-user)(objectClass=top))"
dn: uid=non-posix-user
objectClass: organizationalRole
objectClass: inetLocalMailRecipient
objectClass: simpleSecurityObject
objectClass: uidObject
cn: non-posix-user
mailLocalAddress: [email protected]
mailRoutingAddress: [email protected]
mailHost: mailstore.example.com
roleOccupant: uid=posixuser1,ou=users,dc=example,dc=com
roleOccupant: uid=posixuser2,ou=users,dc=example,dc=com
userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K
uid: non-posix-user
pam
  • 1 个回答
  • 973 Views
84104
Asked: 2014-08-06 13:04:07 +0800 CST

CentOS 7 上的 Postfix 无法针对 cyrus saslauthd 进行身份验证

  • 9

Postfix 无法通过 cyrus saslauthd 进行身份验证。但 saslauthd 本身可以正常完成认证。我遗漏了什么?

来自 syslog 的 mail facility:

Aug  5 14:47:26 centos7-msa-test postfix/postfix-script[20286]: starting the Postfix mail system
Aug  5 14:47:26 centos7-msa-test postfix/master[20288]: daemon started -- version 2.10.1, configuration /etc/postfix
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: connect from client.example.com[192.0.2.2]
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: Anonymous TLS connection established from client.example.com[192.0.2.2]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: warning: xsasl_cyrus_server_get_mechanism_list: no mechanism available
Aug  5 14:47:34 centos7-msa-test postfix/submission/smtpd[20291]: fatal: no SASL authentication mechanisms
Aug  5 14:47:35 centos7-msa-test postfix/master[20288]: warning: process /usr/libexec/postfix/smtpd pid 20291 exit status 1
Aug  5 14:47:35 centos7-msa-test postfix/master[20288]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

测试saslauthd:

# testsaslauthd -u $user -p $password -s smtp
0: OK "Success."

smtpd.conf:

# cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Postfix 的 sasl 设置:

# postconf | grep -e cyrus_sasl -e smtpd_sasl
cyrus_sasl_config_path =
send_cyrus_sasl_authzid = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
centos
  • 1 个回答
  • 14746 Views
84104
Asked: 2014-06-18 13:57:03 +0800 CST

ldapsearch 和 SRV RR

  • 2

我正在尝试让 ldapsearch(或任何其他 openldap 工具)使用 DNS SRV 资源记录,但没有成功。不过我相信这应该是可行的,而且我使用的语法是正确的。

如何将 ldapsearch 与 DNS SRV RR 一起使用?


$ dig -t srv _ldap._tcp.example.com +short
0 0 389 ldap1.example.com.
0 0 389 ldap2.example.com.
$ ldapsearch -H "dc=example,dc=com" uid=test
Could not parse LDAP URI(s)=dc=example,dc=com
$ ldapsearch -H "ldap:///dc=example,dc=com" uid=test
Could not parse LDAP URI(s)=ldap:///dc=example,dc=com
openldap
  • 1 个回答
  • 2706 Views
84104
Asked: 2014-06-19 10:44:53 +0800 CST

从 zfs-0.6.2-1.el6.x86_64 更新到 zfs-0.6.3-1.el6.x86_64 后 zpool 无法读取

  • 4

运行 # yum update zfs 并重新启动后,我的 CentOS 6 ZFS on Linux 系统无法再看到它的 zpool,也无法与之交互。

# zpool status
no pools available
# zpool import
zpool: ../../lib/libzfs/libzfs_import.c:356: Assertion `nvlist_lookup_uint64(zhp->zpool_config, ZPOOL_CONFIG_POOL_GUID, &theguid) == 0' failed.
Aborted
# dmesg | grep -i spl 
SPL: Loaded module v0.6.2-1 
SPL: using hostid 0x43a4c8a0

这是一台金丝雀(canary)系统,所以我不担心它上面的内容,但我还有其他机器最终也想安全地升级。我做错了什么?更重要的是,对于重要的系统,我应该怎样正确操作?

linux
  • 3 个回答
  • 1467 Views
84104
Asked: 2014-03-15 12:16:06 +0800 CST

Samba 服务器 - CIFS 挂载问题

  • 1

背景:

我有一个 samba cifs 服务器。它没有加入域,但具有 MIT kerberosV 领域的密钥表。

Kerberos 化的挂载(例如 mount -t cifs //cifs.example.com/groups /mnt/cifs -o sec=krb5i)在 Linux 客户端上可以工作。来自已加入 AD 域的 Windows 机器(该域配置了对 Kerberos 领域的信任)的 Kerberos 化挂载同样可以工作。基于密码的挂载在 Linux 客户端上不起作用(这不是什么大问题)。

从未加入 AD 的 Windows 客户端进行的基于密码的挂载勉强能用。用资源管理器访问 \\cifs.example.com\groups 不行,也不会出现密码提示。但是,如果把 \\cifs.example.com\groups 映射为盘符,对话框虽然不会完成,驱动器映射却会建立并可用;此时可以取消对话框,而挂载仍然保留。

问题:

  1. 如何在未加入 AD 的 Windows 机器上使 UNC 路径提示输入密码?

配置:

主机名:cifs.example.com 领域:EXAMPLE.COM 发行版:CentOS release 6.5 (Final)
samba 版本:samba-3.6.9-167.el6_5.x86_64

配置文件

# smb.conf excerpt from the question (global section followed by two shares).
syslog only = yes
syslog = 3

server string = %h server (Samba, CentOS)
workgroup = EXAMPLE.COM
# security = ads with the MIT realm below; per the question the host is not
# domain-joined but holds a keytab for EXAMPLE.COM (see the klist -k output).
security = ads
realm = EXAMPLE.COM
create krb5 conf = no
kerberos method = secrets and keytab
# NOTE(review): signing and encryption are left to negotiation ("auto") --
# confirm whether the clients in question actually negotiate them.
server signing = auto
smb encrypt = auto
smb ports = 445
use sendfile = yes

# NOTE(review): "Bad User" maps logins with unknown usernames to the guest
# account; both shares below set guest ok = no, so such sessions should get
# no share access -- worth confirming while the missing password prompt on
# non-domain Windows clients is being debugged.
map to guest = Bad User
guest account = nobody

wins support = no
dns proxy = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

hide files = /Desktop.ini/$RECYCLE.BIN/Thumbs.db/~$.*/

# Per-user home share: not browseable, owner-only file/dir masks.
[home]
path = /export/home/
writeable = yes
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700

# Group share: browseable, group-writable masks.
[groups]
path = /export/groups
writeable = yes
guest ok = no
browseable = yes
create mask = 0660
directory mask = 0770

*

klist -k

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/[email protected]
   8 host/[email protected]
   8 host/[email protected]
   8 host/[email protected]
   8 cifs/[email protected]
   8 cifs/[email protected]
   8 cifs/[email protected]
   8 cifs/[email protected]

getsebool -a | grep -e cifs -e samba

allow_ftpd_use_cifs --> off
cobbler_use_cifs --> off
git_cgi_use_cifs --> off
git_system_use_cifs --> off
httpd_use_cifs --> off
qemu_use_cifs --> on
rsync_use_cifs --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tftp_use_cifs --> off
use_samba_home_dirs --> off
virt_use_samba --> off

/etc/pam.d/samba

#%PAM-1.0
auth       required pam_nologin.so
auth       include  password-auth
account    include  password-auth
session    include  password-auth
password   include  password-auth

/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
samba
  • 1 个回答
  • 825 Views
84104
Asked: 2013-11-05 14:28:41 +0800 CST

安全地降级域控制器?

  • 6

背景
尝试降级 Windows 2012 域控制器时,我遇到以下警告:

无法联系其他域控制器,但目录中存在其他域控制器对象。如果您确定这是该域的最后一个域控制器并且想要继续,请确认这是该域中的该域控制器。

但是,这不是域的最后一个域控制器。

如果我勾选 Force the removal of this domain controller,则会收到警告:

除非这是域中的最后一个域控制器,否则您必须在删除后手动执行元数据清理。

问题
如何安全地降级此域控制器?为什么它声称它无法联系其他域控制器?使用“手动”元数据清理强制删除有多安全?

更新

追踪 dcdiag 的消息后,我发现当前持有 PDCe 角色的另一台 DC 没有任何 SYSVOL 共享,并且它的 \Windows\SYSVOL\sysvol\domain.example.com 是空的。我相信这就是问题的原因,但不确定该如何处理。

更多细节
DomainMode : Windows2012Domain
ForestMode : Windows2003Forest

此域控制器是该域的第一个域控制器,因此曾拥有 InfrastructureMaster、PDCEmulator 和 RIDMaster 角色。但是,在任何降级尝试之前,这些角色已通过 Move-ADDirectoryServerOperationMasterRole 转移到另一台域控制器,没有明显的问题。

该域控制器是全局编录(GC)和 AD DNS 服务器;现在持有 FSMO 角色的另一台域控制器也是如此,林中的域控制器同样如此。

在其他域控制器上不会触发相同的警告。

repadmin /replsummary显示没有明显的问题。

没有自定义 Windows 防火墙。域控制器位于同一个 VLAN 上,并且没有沿其路径应用特定于接口的 ACL。

active-directory
  • 2 个回答
  • 10216 Views
84104
Asked: 2013-10-05 12:22:26 +0800 CST

在 zfs 上强制更新校验和?

  • 13

我最近把我一个未去重的 zfs 文件系统上的 checksum 属性从 on(fletcher4)改为了 sha256,以便更好地支持发送去重的复制流,例如命令 zfs send -DR -I _starting-snapshot_ _ending-snapshot_。

但是,zfs 手册页对 send -D 是这样说的:

无论数据集的 dedup 属性如何,都可以使用此标志,但如果文件系统使用支持 dedup 的校验和(例如 sha256),性能会更好。

zfs 手册页对 checksum 属性也有说明:

更改此属性仅影响新写入的数据。

我不想信任 fletcher4。权衡在于:与 SHA256 不同,fletcher4 不是伪随机散列函数,因此不能认为它不会发生碰撞。所以它只适合与 'verify' 选项结合用于去重,该选项会检测并解决哈希碰撞。

如何更新文件系统的校验和,最好不要使系统脱机?

zfs
  • 1 个回答
  • 1867 Views
84104
Asked: 2013-09-11 12:30:53 +0800 CST

如何使用组策略禁用文件夹重定向的 SID 安全检查?

  • 5

如何使用组策略禁用文件夹重定向的 SID 安全检查?这不是为了削弱安全性,而是为了让 Active Directory 和 Samba 很好地协同工作。

我有一个 kerberized REALM 信任的 Samba 服务器。用户可以读取和写入他们应该能够读取和写入的内容。用户无法读取和写入他们不应该能够读取和写入的内容。但是,如果我尝试将其用于文件夹重定向,则会收到如下错误。

 EventData 

  FromFolder RoamingAppData 
  ToFolder \\samba.example.com\home\username\.AppData 
  Options 0x9219 
  Error Can't create folder "\\samba.example.com\home\username\.AppData" 
  ErrorDetails This security ID may not be assigned as the owner of this object.

漫游配置文件没有同样的问题,但我必须启用:

Computer Configuration \ Administrative Templates \ System \ User Profiles \ Do not check for user ownership of Roaming Profile Folders

是否有我忽略的文件夹重定向的等效设置?

active-directory
  • 2 个回答
  • 5815 Views
84104
Asked: 2013-07-25 14:48:13 +0800 CST

如何从 kerberos 主体中删除加密类型?

  • 2

我想从下面的主体(principal)中删除所有 des 密钥,但不知道如何在无需用户重新输入密码的情况下做到。

kadmin:  getprinc user
Principal: [email protected]
Expiration date: [never]
Last password change: Thu May 26 08:52:51 PDT 2013
Password expiration date: [none]
Maximum ticket life: 0 days 12:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jul 16 15:17:18 PDT 2013 (administrator/[email protected])
Last successful authentication: Wed Jul 24 14:40:53 PDT 2013
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, arcfour-hmac, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, des-cbc-crc, no salt
Key: vno 3, des-cbc-md5, no salt
Key: vno 3, des-cbc-md5, Version 5 - No Realm
Key: vno 3, des-cbc-md5, Version 5 - Realm Only
Key: vno 3, des-cbc-md5, AFS version 3
MKey: vno 2
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

此外,该 KDC 使用的是 OpenLDAP 后端。

kerberos
  • 1 个回答
  • 756 Views
84104
Asked: 2013-07-10 09:21:46 +0800 CST

用切换帐户屏幕替换锁定屏幕

  • 3

用户成功登录为[email protected]。
然后通过 altSecurityIdentities: Kerberos:[email protected] 将该用户映射到 [email protected]。

当用户锁定屏幕时,锁屏显示的账户是 [email protected],而用户并不知道该账户的(随机)密码。
用户可以退回到主登录屏幕(那里的默认域/领域是 EXAMPLE.COM)并在那里登录,从而回到自己的会话。

有没有办法强制把 [email protected] 作为锁屏用户?如果做不到,能否让锁屏直接进入切换用户屏幕?

我主要对 Windows 7 和 8 感兴趣,但其他版本的知识也会很有用。

windows
  • 1 个回答
  • 413 Views
84104
Asked: 2013-06-15 14:28:53 +0800 CST

在领域受信任的 samba 服务器上存放漫游配置文件?

  • 2

存在的理由

到目前为止,我正在尝试在领域受信任的 Ubuntu 12.04LTS ZFS-on-Linux 文件服务器上容纳 Active Directory 域的漫游配置文件。最终目标是拥有一个可互操作的文件服务器来容纳 Linux 的 autofs nfs 主目录和 Windows 的漫游配置文件。对我来说,纯粹使用 Windows 服务器或将 Linux 服务器加入 Active Directory 来做到这一点在政治上是困难的。因此,我正在寻找技术解决方案或证明此类技术解决方案不如打政治斗争站得住脚的证据。

我怀疑我目前的困难与 windows 客户端与 samba 交互而不是 zfs 有关,但我有点超出我的理解范围,所以我没有完全排除它。亲爱的读者,你能指出为什么我做的不正确并解释正确的程序吗?


我认为我知道的

  1. 用户可以从 kerberos 领域成功登录到客户端机器。但是,用户使用临时配置文件登录。
  2. 在文件服务器上创建了一个配置文件文件夹(大概是通过登录过程),但在新创建的配置文件文件夹中没有创建其他文件。
  3. 配置文件文件夹是使用适当的所有者/组自动创建的。
  4. 鉴于此,在实例化凭证缓存或授予 krbtgt 之前加载配置文件似乎不太可能。
  5. 登录到临时配置文件后,用户可以在文件服务器上创建文件,而无需向文件服务器提供任何(额外)凭证,也就是说没有任何提示。这些文件同样以正确的所有者/组创建。

附加信息

这就是我认为您想要了解的所有配置,但我可能是错的。
我很抱歉没有找到一种方法让它可以折叠。

所涉及的系统和机器的简要概述

AD domain: ad.example.com  (Functional Level 2012)
domain controllers: dc1.ad.example.com, dc2.ad.example.com (OS: Windows Server 2012 Std)
mit-krb5 realm: EXAMPLE.COM  
mit-krb5 kdcs: kdc1.example.com, kdc2.example.com (mit-krb5: 1.9.4)
smb/cifs server: zfs.example.com  (OS: Ubuntu 12.04LTS)
client: client.ad.example.com (OS: Windows 8 Enterprise)

Samba 日志

root@zfs:~# cat /var/log/samba/client.log
[2013/06/14 14:37:26.194496,  0] param/loadparm.c:9114(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:37:26.460344,  0] param/loadparm.c:9114(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:44:04.352344,  0] param/loadparm.c:9114(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied

不知道它在抱怨什么......

root@zfs:~# ls -l /var/lib/samba/usershares/tank_test
-rw-r--r-- 1 root root 110 Jun 14 12:57 /var/lib/samba/usershares/tank_test

登录前的文件服务器共享

root@zfs:~# ls -la /tank/test/
total 38
drwxrwxrwt 2 root root 2 Jun 14 09:12 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..

登录后的文件服务器共享:

root@zfs:~# ls -la /tank/test/
total 57
drwxrwxrwt 3 root root 3 Jun 14 09:16 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
drwxr-xr-x 2 user user 2 Jun 14 09:16 user.V2
root@zfs:~# find /tank/test
/tank/test
/tank/test/user.V2/

登录时用户的凭据缓存

Current LogonId is 0:0x6c79e3

Cached Tickets: (7)

#0> Client: user @ EXAMPLE.COM
    Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x60a90000 -> forwardable forwarded renewable pre_authent name_canonicalize 0x80000
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/21/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0x2 -> DELEGATION 
    Kdc Called: kdc2.example.com

#1> Client: user @ EXAMPLE.COM
    Server: krbtgt/AD.EXAMPLE.COM @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: kdc2.example.com

#2> Client: user @ EXAMPLE.COM
    Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/21/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0x1 -> PRIMARY 
    Kdc Called: kdc2.example.com

#3> Client: user @ EXAMPLE.COM
    Server: ldap/dc1.ad.example.com @ AD.EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
    Start Time: 6/14/2013 14:44:31 (local)
    End Time:   6/15/2013 0:44:31 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: dc1.ad.example.com

#4> Client: user @ EXAMPLE.COM
    Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
    Start Time: 6/14/2013 14:44:25 (local)
    End Time:   6/15/2013 0:44:25 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: dc1.ad.example.com

#5> Client: user @ EXAMPLE.COM
    Server: cifs/dc1.ad.example.com @ AD.EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 0:44:24 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: dc1.ad.example.com

#6> Client: user @ EXAMPLE.COM
    Server: cifs/zfs.example.com @ EXAMPLE.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
    Start Time: 6/14/2013 14:44:24 (local)
    End Time:   6/15/2013 2:44:24 (local)
    Renew Time: 6/14/2013 14:44:24 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0 
    Kdc Called: kdc2.example.com

领域信托

ldapsearch -h ad.example.com -LLL cn=EXAMPLE.COM  objectClass trustPartner instancetype trustDirection trustAttributes
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: CN=EXAMPLE.COM,CN=System,DC=ad,DC=example,DC=com
objectClass: top
objectClass: leaf
objectClass: trustedDomain
instanceType: 4
trustDirection: 3
trustPartner: EXAMPLE.COM
trustAttributes: 1

活动目录用户

ldapsearch -h ad.example.com -LLL samaccountname=user profilePath altSecurityIdentities
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: CN=Test User,OU=managed users,DC=ad,DC=example,DC=com
profilePath: \\zfs.example.com\tank_test\user
altSecurityIdentities: Kerberos:[email protected]

ZFS 基本信息

root@zfs:~#  zfs get mountpoint,casesensitivity,sharesmb,available tank/test
NAME       PROPERTY         VALUE        SOURCE
tank/test  mountpoint       /tank/test   default
tank/test  casesensitivity  mixed        -
tank/test  sharesmb         on           local
tank/test  available        26.1T        -

ZFS 创建的 smb 共享

root@zfs:~# cat /var/lib/samba/usershares/tank_test
#VERSION 2
path=/tank/test
comment=Comment: /tank/test
usershare_acl=S-1-1-0:F
guest_ok=n
sharename=tank_test

Samba 配置

root@zfs:~# grep -v -e ^$ -e ^\; -e ^# /etc/samba/smb.conf
# Effective smb.conf as posted (comment and blank lines were already stripped by the grep above).
[global]
   # NOTE(review): with security = ADS this is normally the short NetBIOS domain name rather than the DNS realm — confirm.
   workgroup = EXAMPLE.COM
   server string = %h server (Samba, Ubuntu)
   # Do not fall back to DNS when resolving NetBIOS names.
   dns proxy = no
   # One log file per connecting client (%M = client NetBIOS name).
   log file = /var/log/samba/%M.log
   max log size = 1000
   # Messages up to this debug level are also sent to syslog.
   syslog = 3
   # Command run if a Samba process hits an internal error.
   panic action = /usr/share/samba/panic-action %d
# Authenticate as a member of a Kerberos/AD domain instead of with local passwords.
security = ADS
# Kerberos realm for ADS mode; the file server's keytab below holds cifs/ keys for this realm.
realm = EXAMPLE.COM
# Use the system keytab (/etc/krb5.keytab) rather than Samba's own secrets store.
kerberos method = system keytab
# Logins with an unknown username are mapped to the guest account; a wrong password for a known user is still rejected.
map to guest = bad user

文件服务器的密钥表

root@zfs:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2  host/[email protected] (aes256-cts-hmac-sha1-96)
   2    2  host/[email protected] (aes128-cts-hmac-sha1-96)
   3    2  host/[email protected] (arcfour-hmac)
   4    2   nfs/[email protected] (aes256-cts-hmac-sha1-96)
   5    2   nfs/[email protected] (aes128-cts-hmac-sha1-96)
   6    2   nfs/[email protected] (arcfour-hmac)
   7    2  cifs/[email protected] (aes256-cts-hmac-sha1-96)
   8    2  cifs/[email protected] (aes128-cts-hmac-sha1-96)
   9    2  cifs/[email protected] (arcfour-hmac)

服务器的身份映射(通过 sssd)

root@zfs:~# cat /etc/sssd/sssd.conf
# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
# Identity (nss) and authentication (pam) responders only; no sudo/ssh/autofs.
services = nss, pam
domains = example.com
[nss]
# root is never resolved through sssd, so a backend outage cannot affect it.
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com]
# No full user/group enumeration; lookups are on demand.
enumerate = false
# Keep a hashed copy of credentials so users can still log in when the KDC is unreachable.
cache_credentials = true
# Identities come from LDAP; passwords are checked and changed via Kerberos.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# NOTE(review): plain ldap:// URI and no ldap_id_use_start_tls here, so identity lookups are likely
# sent unencrypted unless the server forces StartTLS — confirm; the TLS settings below only take
# effect once TLS is negotiated.
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# When TLS is used, the server certificate must validate against the CA bundle below.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_kdcip = kerberos.example.com
krb5_realm = EXAMPLE.COM
# Principal used for password changes (option name left exactly as written in the posted file).
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15

服务器的(相关)包

root@zfs:~# uname -a
Linux zfs 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
root@zfs:~# dpkg --get-selections | grep -e samba -e zfs -e krb -e sssd
krb5-config                                     install
krb5-locales                                    install
krb5-user                                       install
libgssapi-krb5-2                                install
libkrb5-26-heimdal                              install
libkrb5-3                                       install
libkrb5support0                                 install
libpam-krb5                                     install
libzfs1                                         install
samba                                           install
samba-common                                    install
samba-common-bin                                install
samba-tools                                     install
sssd                                            install
ubuntu-zfs                                      install
zfs-dkms                                        install
zfsutils                                        install
active-directory
  • 1 个回答
  • 1636 Views
84104
Asked: 2013-06-14 08:31:52 +0800 CST

Windows (Active Directory) kerberos 是否使用 DNS 进行领域映射?


Windows 客户端会使用 DNS 将主机映射到特定的 kerberos 领域吗?

具体来说，它们是否使用 `_kerberos.host.example.com IN TXT OTHERREALM.COM` 这样的记录？

windows
  • 1 个回答
  • 1780 Views
84104
Asked: 2012-10-12 14:51:29 +0800 CST

CentOS openLDAP 证书信任问题

# LDAPTLS_CACERTDIR=/etc/ssl/certs/ ldapwhoami -x -ZZ -H ldaps://ldap.domain.tld
ldap_start_tls: Can't contact LDAP server (-1)
      additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

# openssl s_client -connect ldap.domain.tld:636 -CApath /etc/ssl/certs
<... successful tls negotiation stuff ...>
    Compression: 1 (zlib compression)
    Start Time: 1349994779
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

openssl 似乎认为证书没有问题，但 openldap 的库（pam_ldap 表现出类似的行为，这正是我遇到此问题的原因）并不同意。
我究竟做错了什么?

centos
  • 5 个回答
  • 50015 Views
84104
Asked: 2012-07-26 14:38:22 +0800 CST

为什么 slapd 记录“connection_read(12):无连接!”?


为什么 slapd 记录“connection_read(12):无连接!” ?

这是全新安装。
没有其他联系。
即使设置了 olcLogLevel: none，该消息也会被记录。

命令

kldap1 ~ # ldapwhoami 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

日志

Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 fd=12 ACCEPT from PATH=/var/run/openldap/slapd.sock (PATH=/var/run/openldap/slapd.sock)
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=0 BIND dn="" method=163
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=0 RESULT tag=97 err=0 text=
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=1 WHOAMI
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=1 RESULT oid= err=0 text=
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 op=2 UNBIND
Jul 25 15:24:37 kldap1 slapd[6137]: conn=1055 fd=12 closed
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!
Jul 25 15:24:37 kldap1 slapd[6137]: connection_read(12): no connection!

配置

kldap1 ~ # ldapsearch -b cn=config "(|(cn=config)(olcDatabase={-1}frontend)(olcDatabase={0}config))"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (|(cn=config)(olcDatabase={-1}frontend)(olcDatabase={0}config))
# requesting: ALL
#

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 15
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSizeLimit: unlimited
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTimeLimit: unlimited
olcTLSCACertificatePath: /etc/ssl/certs/
olcTLSCRLCheck: none
olcTLSVerifyClient: try
olcToolThreads: 1
olcWriteTimeout: 0
olcLogLevel: stats

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSizeLimit: unlimited
olcSyncUseSubentry: FALSE
olcTimeLimit: unlimited
olcMonitoring: FALSE

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
openldap
  • 1 个回答
  • 4506 Views
84104
Asked: 2012-05-09 12:29:14 +0800 CST

nginx 可以作为不接受明文登录的后端服务器的邮件代理吗?


Nginx 可以作为不接受明文登录的后端服务器的邮件代理吗?

最好我想知道应该包含什么指令才能让它使用 STARTTLS/STLS，不过通过 IMAPS 或 POP3S 进行通信也足够了。

nginx.conf的相关(?)部分

# nginx mail proxy block as posted: clients authenticate against auth_http, which also names
# the backend server nginx then relays to. Comments are review notes on this configuration.
mail {
    # Client credentials are forwarded to this URL in clear HTTP headers, so it must stay on loopback as here.
    auth_http           localhost:80/mailproxy/auth.php;
    proxy               on; 
    ssl_prefer_server_ciphers   on;
    # NOTE(review): SSLv3 is obsolete; drop it in any current deployment.
    ssl_protocols           TLSv1 SSLv3;
    ssl_ciphers         HIGH:!ADH:!MD5:@STRENGTH;
    ssl_session_cache       shared:TLSSL:16m;
    ssl_session_timeout     10m;
    ssl_certificate         /etc/ssl/private/hostname.crt;
    ssl_certificate_key     /etc/ssl/private/hostname.key;
    imap_capabilities  "IMAP4rev1" "UIDPLUS"; 
    # IMAP on 143: `starttls on` offers STARTTLS but does not require it, so a client may still
    # log in in clear text; `starttls only` makes TLS mandatory before authentication.
    server {
        protocol    imap;
        listen      143;
        starttls    on;
    }
    # IMAPS: TLS from the first byte.
    server {
        protocol    imap;
        listen      993;
        ssl     on;
    }
    pop3_capabilities  "TOP" "USER";
    # POP3 on 110: `plain` permits USER/PASS, which is only protected if the client negotiates STLS first.
    server {
        protocol    pop3;
        listen      110;
        starttls    on;
        pop3_auth   plain;
    }
    # POP3S: TLS from the first byte.
    server {
        protocol    pop3;
        listen      995;
        ssl     on;
        pop3_auth   plain;
    }
}
nginx reverse-proxy
  • 4 个回答
  • 10382 Views
