Samba server – CIFS mount problem

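Background:

I have a Samba CIFS server. It is not joined to a domain, but it has a keytab for an MIT Kerberos V realm.

Kerberized mounts (e.g. mount -t cifs //cifs.example.com/groups /mnt/cifs -o sec=krb5i ) work from Linux clients. Kerberized mounts from AD-joined Windows machines (attached to a domain configured with a trust to the Kerberos realm) work. Password-based mounts do not work from Linux clients (not a big deal).

Password-based mounts from non-AD Windows clients work. Using the file browser to go to \\cifs.example.com\groups does not work, and no password prompt is displayed. However, if \\cifs.example.com\groups is mounted as a drive, the dialog never completes, but the drive mapping is established and working, and at that point the dialog can be cancelled while the mount remains.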

Question:

  1. On Windows machines that are not joined to AD, how do I make a UNC path prompt for a password?

CONFIGS:

Hostname: cifs.example.com
Realm: EXAMPLE.COM
Distro: CentOS release 6.5 (Final)
Samba version: samba-3.6.9-167.el6_5.x86_64

smb.conf file

    syslog only = yes
    syslog = 3
    server string = %h server (Samba, CentOS)
    workgroup = EXAMPLE.COM
    security = ads
    realm = EXAMPLE.COM
    create krb5 conf = no
    kerberos method = secrets and keytab
    server signing = auto
    smb encrypt = auto
    smb ports = 445
    use sendfile = yes
    map to guest = Bad User
    guest account = nobody
    wins support = no
    dns proxy = no
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    hide files = /Desktop.ini/$RECYCLE.BIN/Thumbs.db/~$.*/

    [home]
    path = /export/home/
    writeable = yes
    guest ok = no
    browseable = no
    create mask = 0600
    directory mask = 0700

    [groups]
    path = /export/groups
    writeable = yes
    guest ok = no
    browseable = yes
    create mask = 0660
    directory mask = 0770

klist -k

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       8 host/[email protected]
       8 host/[email protected]
       8 host/[email protected]
       8 host/[email protected]
       8 cifs/[email protected]
       8 cifs/[email protected]
       8 cifs/[email protected]
       8 cifs/[email protected]

getsebool -a | grep -e cifs -e samba

    allow_ftpd_use_cifs --> off
    cobbler_use_cifs --> off
    git_cgi_use_cifs --> off
    git_system_use_cifs --> off
    httpd_use_cifs --> off
    qemu_use_cifs --> on
    rsync_use_cifs --> off
    samba_create_home_dirs --> off
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_portmapper --> off
    samba_run_unconfined --> off
    samba_share_fusefs --> off
    samba_share_nfs --> off
    sanlock_use_samba --> off
    tftp_use_cifs --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off

/etc/pam.d/samba

    #%PAM-1.0
    auth       required     pam_nologin.so
    auth       include      password-auth
    account    include      password-auth
    session    include      password-auth
    password   include      password-auth

/etc/pam.d/password-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

You need to change max protocol from the default NT1 to max protocol = SMB2