I have a Debian/Jessie Samba 4.2.14 running as an AD member. The AD DC is a Windows 2008 R2 server. The join has no problems:

# net ads testjoin
Join is OK
wbinfo -u and wbinfo -g work perfectly and give the list of users and groups from AD as expected. wbinfo -i <user> works:

# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false
Edit: something is wrong here, because wbinfo -i maps all users and groups to ID 4294967295, which is, as @TheSkunk pointed out, 2^32 - 1.

Edit 2: wbinfo --sid-to-uid TESTAD\\testuser fails. Of course I must explicitly set some idmap parameters (the defaults obviously don't work), but how?

Edit 3: I have added these two lines to smb.conf:

idmap config * : backend = tdb
idmap config * : range = 10000-30000

Now wbinfo -i TESTDOMAIN\\testuser reports a valid id, and a different one for each and every user. However I still have the same problems (all users mapping to nobody, id and getent don't know the AD users, etc.).
But getent passwd TESTAD\\testuser fails:

# getent passwd TESTAD\\testuser
# echo $?
2

I can connect to the server with smbclient using any AD account:

# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password:
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
  .                                   D        0  Fri Feb 17 16:23:04 2017
  ..                                  D        0  Wed Feb  1 16:47:02 2017
  test.txt                            N        5  Fri Feb 17 14:38:21 2017
  popo                                D        0  Fri Feb 17 16:23:04 2017

                117125466112 blocks of size 1024. 117052392484 blocks available
smb: \>
However, the connection is mapped to nobody/nogroup, and files created also belong to nobody. Windows machines cannot connect using any AD account. But if I create a local account with smbpasswd -a <user>, I can connect with it. Still, its connection parameters, files, etc. are all mapped to nobody, even though the account also exists locally.

Here is the current smb.conf (as close to the defaults as possible):

[global]
        workgroup = TESTAD
        realm = TESTAD.lan
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        inherit permissions = Yes
        inherit acls = Yes

[DATA]
        path = /mnt/raid/
        read only = No
        guest ok = Yes
And here is /etc/nsswitch.conf (I tried adding and removing winbind from shadow, nothing changed):

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

I don't understand why authentication never seems to go through winbind. I'm getting desperate, any ideas?
4294967295 stands for 2^32; this is an overflow of the counter of GIDs or UIDs generated by the winbind daemon, used to translate the xids coming from AD. It has nothing to do with guest mapping... If you use idmap config YOUR_DOMAIN : backend = ad, "ad" means the information is not only stored locally, but is also replicated at runtime to all clients and stored on them (what exactly that is, is currently my task to find out). "ad" means that if a client gets lost, you still have all the uid/gid mapping information stored on the others. If you restore your client, all mappings will be the same again. The problem is that once you have had this overflow, you cannot get rid of it easily, because all clients (running winbind) replicate it, and maybe (I am currently trying to find out) the DC does too.

Here is the part I am using (works fine, but I have another question about idmaps via ad):

winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 1000-2999
idmap config MY_DOMAIN : backend = ad
idmap config MY_DOMAIN : schema_mode = rfc2307
idmap config MY_DOMAIN : range = 3000-30000
idmap_ldb:use rfc2307 = yes
winbind refresh tickets = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60 #higher might make you wait long for updates
I found a core problem: a missing package. Unfortunately it isn't that simple, so here is the final working configuration (thanks to Rowland Penny from samba.org):

Make sure you have all the necessary packages installed (the missing one was libnss-winbind):

apt-get install samba acl attr quota fam winbind libpam-winbind \
    libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

Stop the services:

service smbd stop
service nmbd stop
service winbind stop

Set up a proper smb.conf (especially the idmap parameters):

[global]
        workgroup = TESTAD
        security = ADS
        realm = TESTAD.LAN
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        server string = Data %h

        winbind use default domain = yes
        winbind expand groups = 4
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = yes
        winbind normalize names = Yes

        ## map ids outside of domain to tdb files.
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        ## map ids from the domain; the ranges may not overlap !
        idmap config TESTAD : backend = rid
        idmap config TESTAD : range = 10000-999999

        template shell = /bin/bash
        template homedir = /home/TESTAD/%U

        domain master = no
        local master = no
        preferred master = no
        os level = 20
        map to guest = bad user
        host msdfs = no

        # user Administrator workaround, without it you are unable to set privileges
        username map = /etc/samba/user.map

        # For ACL support on domain member
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        # Share Setting Globally
        unix extensions = no
        reset on zero vc = yes
        veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
        hide unreadable = yes

        # disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
That configuration requires an additional /etc/samba/user.map file containing the following line:

!root = TESTAD\Administrator TESTAD\administrator Administrator administrator

Don't forget to fill in /etc/krb5.conf correctly:

[libdefaults]
        default_realm = TESTAD.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

Be careful: krb5.conf must be owned by root and readable by everyone (644 permissions).

Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files winbind
group:          compat files winbind
shadow:         compat files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Now join the domain:

# net ads join -U Administrator
Using short domain name -- TESTAD
Joined 'DEBMEMBER' to dns domain 'TESTAD.example.com'

Finally, start the services:

service smbd start
service nmbd start
service winbind start

getent passwd should now work with AD users:

# getent passwd testuser
testuser:*:11107:10513:testuser:/home/TESTAD/testuser:/bin/bash

CAVEAT: as I had joined AD before installing the necessary libraries, I had to reboot the system for it to validate users correctly after the installation!
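As an added check script (example code, not part of the question or either answer), the POSIX shell functions below cover two points from this page: the 4294967295 (2^32-1) value that the first answer explains as an unmapped id in wbinfo -i output, and the requirement in the final smb.conf that the "*" and TESTAD idmap ranges do not overlap. The smb.conf fragment and wbinfo lines are constructed from the values on this page; on a real member server feed it the output of testparm -s and wbinfo -i.

```shell
#!/bin/sh
# Added example, not the question's or answers' own code.
# Constructed smb.conf fragment using the idmap ranges from the final
# working configuration above (in practice use: testparm -s 2>/dev/null).
SAMPLE_SMB_CONF='[global]
   workgroup = TESTAD
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config TESTAD : backend = rid
   idmap config TESTAD : range = 10000-999999
'

# Print "domain low high" for every "idmap config X : range = low-high" line.
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
      's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit 0 when all idmap ranges are disjoint (as Samba requires), 1 when
# any two overlap; overlapping pairs are printed for the administrator.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Exit 0 when a "wbinfo -i" passwd line carries a real uid and gid, 1 when
# either is 4294967295 (2^32-1), the unmapped-id value seen in the question.
wbinfo_line_mapped() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    [ "$uid" != 4294967295 ] && [ "$gid" != 4294967295 ]
}

# Stand-alone usage: report on the constructed configuration.
check_idmap_ranges "$SAMPLE_SMB_CONF" && echo "idmap ranges are disjoint"
```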