Hosting roaming profiles on a realm-trusted Samba server?

Raison D'être

I am trying, so far without success, to host roaming profiles for an Active Directory domain on a realm-trusted Ubuntu 12.04 LTS ZFS-on-Linux file server. The end goal is one interoperable file server that holds both autofs NFS home directories for Linux and roaming profiles for Windows. A pure Windows server, or joining the Linux server to Active Directory, is politically difficult for me. So I am looking either for a technical solution or for proof that such a technical solution is worse than fighting the political battle.

I suspect my current difficulty has to do with the Windows client's interaction with Samba rather than with ZFS, but I am somewhat out of my depth, so I have not ruled ZFS out entirely. Dear reader, could you point out why what I am doing is wrong and explain the correct procedure?


What I think I know

  1. Users can successfully log on to the client machine from the Kerberos realm. However, they log on with a temporary profile.
  2. A profile folder is created on the file server (presumably by the logon process), but no other files are created inside that newly created profile folder.
  3. The profile folder is created automatically with the correct owner/group.
  4. Given this, it seems unlikely that the profile is being loaded before the credential cache is instantiated or the krbtgt is granted.
  5. When logged on with the temporary profile, the user can create files on the file server without supplying any (additional) credentials to the file server, i.e. there is no prompt. Those files are also created with the correct owner/group.

Additional information

Here is all the configuration I think you will want to see, but I may be wrong.
I apologise that I could not find a way to make it collapsible.

Brief overview of the systems and machines involved

 AD domain:          ad.example.com (Functional Level 2012)
 domain controllers: dc1.ad.example.com, dc2.ad.example.com (OS: Windows Server 2012 Std)
 mit-krb5 realm:     EXAMPLE.COM
 mit-krb5 kdcs:      kdc1.example.com, kdc2.example.com (mit-krb5: 1.9.4)
 smb/cifs server:    zfs.example.com (OS: Ubuntu 12.04LTS)
 client:             client.ad.example.com (OS: Windows 8 Enterprise)

Samba log

 root@zfs:~# cat /var/log/samba/client.log
 [2013/06/14 14:37:26.194496,  0] param/loadparm.c:9114(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
 [2013/06/14 14:37:26.460344,  0] param/loadparm.c:9114(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
 [2013/06/14 14:44:04.352344,  0] param/loadparm.c:9114(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied

Not sure what it is complaining about…

 root@zfs:~# ls -l /var/lib/samba/usershares/tank_test
 -rw-r--r-- 1 root root 110 Jun 14 12:57 /var/lib/samba/usershares/tank_test

File server share before logon

 root@zfs:~# ls -la /tank/test/
 total 38
 drwxrwxrwt 2 root root 2 Jun 14 09:12 .
 drwxr-xr-x 5 root root 5 Jun 13 15:52 ..

File server share after logon:

 root@zfs:~# ls -la /tank/test/
 total 57
 drwxrwxrwt 3 root root 3 Jun 14 09:16 .
 drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
 drwxr-xr-x 2 user user 2 Jun 14 09:16 user.V2
 root@zfs:~# find /tank/test
 /tank/test
 /tank/test/user.V2/

User credential cache at logon

 Current LogonId is 0:0x6c79e3

 Cached Tickets: (7)

 #0>     Client: user @ EXAMPLE.COM
         Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x60a90000 -> forwardable forwarded renewable pre_authent name_canonicalize 0x80000
         Start Time: 6/14/2013 14:44:24 (local)
         End Time:   6/15/2013 2:44:24 (local)
         Renew Time: 6/21/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0x2 -> DELEGATION
         Kdc Called: kdc2.example.com

 #1>     Client: user @ EXAMPLE.COM
         Server: krbtgt/AD.EXAMPLE.COM @ EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
         Start Time: 6/14/2013 14:44:24 (local)
         End Time:   6/15/2013 2:44:24 (local)
         Renew Time: 6/14/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0
         Kdc Called: kdc2.example.com

 #2>     Client: user @ EXAMPLE.COM
         Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
         Start Time: 6/14/2013 14:44:24 (local)
         End Time:   6/15/2013 2:44:24 (local)
         Renew Time: 6/21/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0x1 -> PRIMARY
         Kdc Called: kdc2.example.com

 #3>     Client: user @ EXAMPLE.COM
         Server: ldap/dc1.ad.example.com @ AD.EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
         Start Time: 6/14/2013 14:44:31 (local)
         End Time:   6/15/2013 0:44:31 (local)
         Renew Time: 6/14/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0
         Kdc Called: dc1.ad.example.com

 #4>     Client: user @ EXAMPLE.COM
         Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
         Start Time: 6/14/2013 14:44:25 (local)
         End Time:   6/15/2013 0:44:25 (local)
         Renew Time: 6/14/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0
         Kdc Called: dc1.ad.example.com

 #5>     Client: user @ EXAMPLE.COM
         Server: cifs/dc1.ad.example.com @ AD.EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
         Start Time: 6/14/2013 14:44:24 (local)
         End Time:   6/15/2013 0:44:24 (local)
         Renew Time: 6/14/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0
         Kdc Called: dc1.ad.example.com

 #6>     Client: user @ EXAMPLE.COM
         Server: cifs/zfs.example.com @ EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
         Start Time: 6/14/2013 14:44:24 (local)
         End Time:   6/15/2013 2:44:24 (local)
         Renew Time: 6/14/2013 14:44:24 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96
         Cache Flags: 0
         Kdc Called: kdc2.example.com

Realm trust

 ldapsearch -h ad.example.com -LLL cn=EXAMPLE.COM objectClass trustPartner instancetype trustDirection trustAttributes
 SASL/GSSAPI authentication started
 SASL username: [email protected]
 SASL SSF: 56
 SASL data security layer installed.
 dn: CN=EXAMPLE.COM,CN=System,DC=ad,DC=example,DC=com
 objectClass: top
 objectClass: leaf
 objectClass: trustedDomain
 instanceType: 4
 trustDirection: 3
 trustPartner: EXAMPLE.COM
 trustAttributes: 1

Active Directory user

 ldapsearch -h ad.example.com -LLL samaccountname=user profilePath altSecurityIdentities
 SASL/GSSAPI authentication started
 SASL username: [email protected]
 SASL SSF: 56
 SASL data security layer installed.
 dn: CN=Test User,OU=managed users,DC=ad,DC=example,DC=com
 profilePath: \\zfs.example.com\tank_test\user
 altSecurityIdentities: Kerberos:[email protected]

Basic ZFS information

 root@zfs:~# zfs get mountpoint,casesensitivity,sharesmb,available tank/test
 NAME       PROPERTY         VALUE       SOURCE
 tank/test  mountpoint       /tank/test  default
 tank/test  casesensitivity  mixed       -
 tank/test  sharesmb         on          local
 tank/test  available        26.1T       -

ZFS-created smb share

 root@zfs:~# cat /var/lib/samba/usershares/tank_test
 #VERSION 2
 path=/tank/test
 comment=Comment: /tank/test
 usershare_acl=S-1-1-0:F
 guest_ok=n
 sharename=tank_test

Samba configuration

 root@zfs:~# grep -v -e ^$ -e ^\; -e ^# /etc/samba/smb.conf
 [global]
    workgroup = EXAMPLE.COM
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/%M.log
    max log size = 1000
    syslog = 3
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    realm = EXAMPLE.COM
    kerberos method = system keytab
    map to guest = bad user

File server keytab

 root@zfs:~# ktutil
 ktutil:  rkt /etc/krb5.keytab
 ktutil:  list -e
 slot KVNO Principal
 ---- ---- ---------------------------------------------------------------------
    1    2 host/[email protected] (aes256-cts-hmac-sha1-96)
    2    2 host/[email protected] (aes128-cts-hmac-sha1-96)
    3    2 host/[email protected] (arcfour-hmac)
    4    2 nfs/[email protected] (aes256-cts-hmac-sha1-96)
    5    2 nfs/[email protected] (aes128-cts-hmac-sha1-96)
    6    2 nfs/[email protected] (arcfour-hmac)
    7    2 cifs/[email protected] (aes256-cts-hmac-sha1-96)
    8    2 cifs/[email protected] (aes128-cts-hmac-sha1-96)
    9    2 cifs/[email protected] (arcfour-hmac)

Server identity mapping (via sssd)

 root@zfs:~# cat /etc/sssd/sssd.conf
 # SSSD configuration generated using /usr/lib/sssd/generate-config
 [sssd]
 config_file_version = 2
 reconnection_retries = 3
 sbus_timeout = 30
 services = nss, pam
 domains = example.com

 [nss]
 filter_groups = root
 filter_users = root
 reconnection_retries = 3

 [pam]
 reconnection_retries = 3

 [domain/example.com]
 enumerate = false
 cache_credentials = true
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 ldap_uri = ldap://ldap.example.com
 ldap_search_base = dc=example,dc=com
 ldap_tls_reqcert = demand
 ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
 krb5_kdcip = kerberos.example.com
 krb5_realm = EXAMPLE.COM
 krb5_changepw_principle = kadmin/changepw
 krb5_auth_timeout = 15

Server (relevant) packages

 root@zfs:~# uname -a
 Linux zfs 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
 root@zfs:~# dpkg --get-selections | grep -e samba -e zfs -e krb -e sssd
 krb5-config                                     install
 krb5-locales                                    install
 krb5-user                                       install
 libgssapi-krb5-2                                install
 libkrb5-26-heimdal                              install
 libkrb5-3                                       install
 libkrb5support0                                 install
 libpam-krb5                                     install
 libzfs1                                         install
 samba                                           install
 samba-common                                    install
 samba-common-bin                                install
 samba-tools                                     install
 sssd                                            install
 ubuntu-zfs                                      install
 zfs-dkms                                        install
 zfsutils                                        install

By default, the Windows client must validate the roaming profile folder ACLs using SIDs when it loads a roaming profile. Even an Active Directory user with the same uid, uidNumber and gidNumber and the appropriate altSecurityIdentities attribute is not sufficient.

The SID requirement cannot be disabled. The ACL check itself can. The folder can still be read by the user or the Administrators group.
Under Server 2012 this policy is called
Do not check for user ownership of Roaming Profile Folders
and is found under
Computer Configuration \ Administrative Templates \ System \ User Profiles


I should have looked at the Windows client log sooner. I have no excuse for that.

Windows log:

 Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

 Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.
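The Windows log above states the rule the client enforces: the server-side profile folder must be owned by the logged-on user (or Administrators), compared by SID. Before reaching for the policy the answer names, it helps to confirm the Samba side of that comparison, that is, that each <user>.V2 folder's POSIX owner resolves to the right account on the file server. The script below is an added example written for this page, not code from the original question or answer. It assumes GNU stat(1) as shipped on Ubuntu, uses the share path /tank/test from the question only in the usage comment, and adds one check the post does not mention: it flags profile folders that grant any access to "others".

```shell
#!/bin/sh
# Added example (not from the original post): audit the <user>.V2 folders in a
# roaming-profile share from the Samba host. Windows only accepts a folder whose
# owner maps to the logged-on user's SID (or Administrators), so the POSIX owner
# must at least resolve to that user on this host (via sssd/NSS here).
# Assumes GNU stat(1) (-c formats). The "others" mode check is an extra
# hardening check not taken from the original post.

# Print one diagnostic per problem found under DIR and return the problem
# count as the exit status (0 = clean). Only <user>.V<n> directories are examined.
audit_profile_dir() {
    dir=$1
    problems=0
    for p in "$dir"/*.V[0-9]; do
        [ -d "$p" ] || continue
        name=$(basename "$p")
        expected=${name%.V*}              # "user.V2" -> "user"
        owner_uid=$(stat -c %u "$p")
        mode=$(stat -c %a "$p")

        # The owner name must resolve on this host: if NSS/sssd cannot map it,
        # Samba cannot present Windows with a SID that matches the logon user.
        if ! expected_uid=$(id -u "$expected" 2>/dev/null); then
            echo "UNRESOLVED $p: no account '$expected' on this host (check sssd/nss)"
            problems=$((problems + 1))
        elif [ "$owner_uid" != "$expected_uid" ]; then
            echo "OWNER      $p: owned by uid $owner_uid, expected uid $expected_uid ($expected)"
            problems=$((problems + 1))
        fi

        # Profile contents should not be readable by unrelated users of the share.
        case $mode in
            *0) ;;                        # last octal digit 0: no access for others
            *) echo "MODE       $p: mode $mode grants access to others (expected 700)"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Usage on the host from the question (path assumed from the post):
#   audit_profile_dir /tank/test
```

Run it against the share root after a failed logon. An UNRESOLVED or OWNER line points at the identity-mapping side (sssd, NSS, or the uid Samba chose when it created the folder). A clean report while the Windows error persists points at the SID comparison the answer describes, which is the case the "Do not check for user ownership of Roaming Profile Folders" policy is meant for; relaxing that check is a trade-off, so the MODE lines matter more once it is relaxed.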