AD authentication using SAMBA, Winbind and SSS

I am running into problems using AD accounts against a SAMBA share on a Linux server.

Authentication seems to be working, but only halfway…

```
[root@myserver ~]# wbinfo -a my_ad_user%password123
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@myserver ~]# wbinfo -i my_ad_user
Could not get info for user my_ad_user           << weird
[root@myserver ~]# getent passwd my_ad_user
my_ad_user:*:1256023472:1256023469:my name:/:
[root@myserver ~]#
```

This is odd, because everything appears to work except the output of `wbinfo -i <any_ad_user_name>`. The other wbinfo queries seem to work fine.

Checking the trust works as well:

```
[root@myserver ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
```

Samba authentication fails (and why is cifs listed this way, cifs / cifs/[email protected]?):

```
[root@myserver ~]# smbclient //localhost/MySharedFolder -d 3 -U my_ad_user%password123
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.2.3.7 bcast=10.2.3.255 netmask=255.255.255.0
Client started (version 3.5.22).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/[email protected]
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[CLIENTSERVER] OS=[Unix] Server=[Samba 3.5.22]
tree connect failed: NT_STATUS_ACCESS_DENIED
```

The keytab stuff looks fine:

```
[root@myserver ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected] (des-cbc-crc)
   2 host/[email protected] (des-cbc-md5)
   2 host/[email protected] (arcfour-hmac)
   2 host/[email protected] (des-cbc-crc)
   2 host/[email protected] (des-cbc-md5)
   2 host/[email protected] (arcfour-hmac)
   2 [email protected] (des-cbc-crc)
   2 [email protected] (des-cbc-md5)
   2 [email protected] (arcfour-hmac)
   3 host/[email protected] (des-cbc-crc)
   3 host/[email protected] (des-cbc-md5)
   3 host/[email protected] (arcfour-hmac)
   3 host/[email protected] (des-cbc-crc)
   3 host/[email protected] (des-cbc-md5)
   3 host/[email protected] (arcfour-hmac)
   3 [email protected] (des-cbc-crc)
   3 [email protected] (des-cbc-md5)
   3 [email protected] (arcfour-hmac)
```

Samba configuration in smb.conf:

```
[root@myserver ~]# cat /etc/samba/smb.conf
[global]
workgroup = MYDOMAIN
password server = WCR-LUCDC01.MYDOMAIN.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = MYDOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
encrypt passwords = yes
#idmap domains = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config MYDOMAIN : cache time = 1800
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 16777216-33554431
idmap confg MYDOMAIN : schema_mode = rfc2307
idmap backend = tbd
log level = 3
max log size = 50

[MySharedFolder]
comment = My Share
path = /opt/MySharedFolder
browsable = yes
writable = yes
valid users = @GROUP1, @"GROUP2"
```
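As an added example (not part of the original post), a small Python checker for an smb.conf of the shape shown above: it parses the file the way Samba reads parameter names, then flags parameters repeated within one section, `idmap` keywords it does not recognize, and `idmap` backend names outside a list of those shipped with Samba 3.x. The sample config is a constructed abbreviation of the one posted; the keyword and backend lists are my assumption and are not exhaustive, and `testparm -s` on the real server remains the authoritative check of what Samba actually loads.

```python
from collections import Counter, defaultdict
# Constructed sample: an abbreviated copy of the smb.conf posted above.
SAMPLE_SMB_CONF = """\
[global]
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config MYDOMAIN : backend = ad
idmap confg MYDOMAIN : schema_mode = rfc2307
idmap backend = tbd
[MySharedFolder]
valid users = @GROUP1, @"GROUP2"
"""

# Assumed, non-exhaustive lists; check smb.conf(5) for the Samba version actually installed.
KNOWN_IDMAP_PREFIXES = ("idmap uid", "idmap gid", "idmap backend", "idmap config",
                        "idmap cache time", "idmap negative cache time")
KNOWN_IDMAP_BACKENDS = {"tdb", "tdb2", "ad", "rid", "ldap", "nss", "hash", "autorid"}

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} keeping order and duplicates; keys lower-cased with whitespace collapsed, as Samba matches them."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue                                  # not a 'key = value' inside a section
        key, value = line.split("=", 1)
        sections[current].append((" ".join(key.lower().split()), value.strip()))
    return dict(sections)

def lint_smb_conf(sections):
    """Flag repeated parameters, idmap keywords we do not know, and unknown idmap backends."""
    findings = []
    for name, items in sections.items():
        findings += [f"[{name}] '{k}' set {n} times; only one value can take effect"
                     for k, n in Counter(k for k, _ in items).items() if n > 1]
        for key, value in items:
            if key.startswith("idmap") and not key.startswith(KNOWN_IDMAP_PREFIXES):
                findings.append(f"[{name}] unrecognized idmap parameter '{key}' (typo?)")
            if key.startswith("idmap") and key.endswith("backend") \
                    and value.lower() not in KNOWN_IDMAP_BACKENDS:
                findings.append(f"[{name}] unrecognized idmap backend '{value}'")
    return findings
```

Run `lint_smb_conf(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against the live file to get the same findings for the full configuration.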