I have a very frustrating problem that I have been trying to solve for several days now; maybe one of you can help me.
I have two (independent) Samba servers that should use an LDAP server to authenticate users. Both Samba servers use LDAP for nss and Unix user authentication (i.e. ssh works for all LDAP users, and getent passwd / getent group show all users/groups). However, Samba only works on server 1, not on server 2, where I get:
[2013/06/06 19:03:06.972236, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [XXX]\[xxx]@[XXX] with the new password interface
[2013/06/06 19:03:06.972266, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [YYY]\[xxx]@[XXX]
[2013/06/06 19:03:06.972311, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/06/06 19:03:06.972334, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/06/06 19:03:06.972351, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/06/06 19:03:06.972395, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/06/06 19:03:06.972414, 3] auth/auth_sam.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'xxx' in passdb.
[2013/06/06 19:03:06.972432, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [xxx] -> [xxx] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/06/06 19:03:06.972463, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
The [global] section of smb.conf is exactly identical on both servers. Server 1, however, uses LDAP correctly:
[2013/06/06 19:15:38.458920, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [YYY]\[xxx]@[XXX] with the new password interface
[2013/06/06 19:15:38.458941, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [XXX]\[xxx]@[XXX]
[2013/06/06 19:15:38.458961, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/06/06 19:15:38.458974, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/06/06 19:15:38.458987, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/06/06 19:15:38.465392, 3] lib/smbldap.c:735(smb_ldap_start_tls)
  StartTLS issued: using a TLS connection
[2013/06/06 19:15:38.479800, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/06/06 19:15:38.481107, 3] lib/smbldap.c:1166(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2013/06/06 19:15:38.481136, 4] lib/smbldap.c:1242(smbldap_open)
  The LDAP server is successfully connected
[2013/06/06 19:15:38.481922, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: ldaplookup
The only differences are that server 1 is Debian 6.0.3 with Samba 3.5.6, while server 2 is CentOS 6.3 with Samba 3.5.10. The ldap and pam configuration files live in different places, but the Samba configuration looks exactly the same to me. Here is smb.conf without the shares:
[global]
workgroup = XXX
server string = %h server
dns proxy = no
name resolve order = lmhosts host wins bcast
hosts allow = 127.0.0.0/8 192.168.99.0/24 172.24.0.0/16 172.25.0.0/16 172.30.0.0/16
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap ssl = start tls
ldap debug level = 4
log level = 4
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
Over the past few days I have been going through guides and tutorials, but most of them use winbind and idmap, and since my setup works on one server I don't think an additional service is needed. There must be a mistake somewhere that I can't see. Because I have only ever used Debian and Ubuntu as server operating systems, I don't know whether I am missing something simple that I have to enable/disable/change in CentOS.
After changing the configuration I reloaded (but did not restart) the Samba service on both servers. With users working around the clock, a restart is not an option, as it would cause their connections to fail. According to log.smbd, however, the configuration was updated:
[2013/06/06 19:44:15.896620, 3] param/loadparm.c:7873(do_section)
  Processing section "[global]"
  ...
  doing parameter passdb backend = ldapsam:ldap://myldapserver
  doing parameter ldap suffix = dc=mydomain,dc=com
  ...
Changing things like the debug level works. Could the problem be that a reload only picks up some parts of the configuration, but not all of them?
I'd appreciate every hint!
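Added example, not code from the question or from Samba: a small Python check that reads the [global] section of an smb.conf and a level-3 smbd log and reports whether the smbd that answered the logon actually opened an LDAP connection, which is exactly what separates the two log fragments above (server 2 reaches check_sam_security with no smbldap entries, server 1 logs smbldap_open_connection before finding the user). The sample config and log lines are constructed from the question; the function names are my own.

```python
import re

# Constructed sample input, taken from the question: the ldapsam lines of smb.conf and
# the smbd log entries the check relies on (server 2 fails, server 1 works).
SMB_CONF = """[global]
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
"""
LOG_SERVER2 = """[2013/06/06 19:03:06.972414, 3] auth/auth_sam.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'xxx' in passdb.
"""
LOG_SERVER1 = """[2013/06/06 19:15:38.479800, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
"""
# smbd header: [date time, level] file:line(function); the message may follow on the
# same line (as pasted in the question) or on the indented lines below the header.
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+, *\d+\] +\S+\s*(.*)$")

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict with lowercased keys."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def log_messages(log_text):
    """Fold an smbd debug log into one message string per timestamped entry."""
    msgs = []
    for raw in log_text.splitlines():
        m = HEADER.match(raw)
        if m:
            msgs.append(m.group(1).strip())
        elif msgs and raw.strip():
            msgs[-1] = (msgs[-1] + " " + raw.strip()).strip()
    return msgs

def diagnose(conf_text, log_text):
    """Cross-check the passdb backend on disk against what the running smbd did."""
    backend = parse_global(conf_text).get("passdb backend", "tdbsam")  # Samba 3 default
    msgs = log_messages(log_text)
    used_ldap = any("smbldap_open_connection" in m or "init_sam_from_ldap" in m for m in msgs)
    not_in_passdb = any("Couldn't find user" in m and "in passdb" in m for m in msgs)
    if not (backend.startswith("ldapsam") and not_in_passdb):
        return []
    if not used_ldap:
        return ["ldapsam on disk, but this smbd never opened an LDAP connection: the running daemon is not using the on-disk passdb backend"]
    return ["LDAP was reached but the account is absent from passdb: check the user's sambaSamAccount entry under the ldap user suffix"]
```

Run against the real log.smbd of the CentOS box at log level 3 or higher; an empty result with a working logon means on-disk and running configuration agree.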