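Kerberos problem when trying to log in from Windows to a Samba 4 Active Directory domain controller

I'm trying to set up an Ubuntu server with Samba 4 as an Active Directory domain controller, and I get an error when I try to connect from a Windows machine.

Here is Samba's error log (I have replaced my domain name for privacy):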

    [2014/07/04 15:09:48.437798, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: AS-REQ [email protected] from ipv4:10.8.0.14:36394 for krbtgt/[email protected]
    [2014/07/04 15:09:48.442161, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Client sent patypes: 128
    [2014/07/04 15:09:48.442329, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for PK-INIT(ietf) pa-data -- [email protected]
    [2014/07/04 15:09:48.442438, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for PK-INIT(win2k) pa-data -- [email protected]
    [2014/07/04 15:09:48.442539, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for ENC-TS pa-data -- [email protected]
    [2014/07/04 15:09:48.442658, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    [2014/07/04 15:09:48.535053, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
      Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2014/07/04 15:09:48.535219, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

However, if I try to log in locally, there is no problem:

    # smbclient //localhost/netlogon -U Administrator
    Enter Administrator's password:
    Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
    smb: \> ls
      .                                   D        0  Mon May 26 12:54:45 2014
      ..                                  D        0  Mon May 26 12:56:28 2014

                    36484 blocks of size 8388608. 27650 blocks available
    smb: \>

    # kinit
    Password for [email protected]:
    Warning: Your password will expire in 5 days on jue 10 jul 2014 14:47:07 ART

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    04/07/14 16:38:31  05/07/14 02:38:31  krbtgt/[email protected]
            renew until 05/07/14 16:38:24

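What could be the problem? What does the "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ" error mean?

Here is some important additional information.

  • I installed Samba 4 following this guide: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
  • I followed this other guide to try to configure the Windows client, and took date/time synchronization between the client and the server into account.

Information about the server:

  • Operating system: Ubuntu Server 14.04
  • Samba version: 4.1.6-Ubuntu
  • Kerberos version: Kerberos 5 release 1.12

Contents of smb.conf: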

    # Global parameters
    [global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        netbios name = COLLIE
        server role = active directory domain controller
        dns forwarder = 10.1.1.1
        idmap_ldb:use rfc2307 = yes
        log level = 3

    [netlogon]
        path = /var/lib/samba/sysvol/huntmob.com/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    # Sharing general
    [files]
        path = /var/lib/samba/usershares/files
        read only = no

    [todos]
        path = /var/lib/samba/usershares/todos
        read only = no

    [dbox]
        path = /var/lib/samba/usershares/dbox
        read only = no

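Information about the Windows client

During the setup phase, I'm using a virtual machine running Windows 7 Professional, hosted on a Kubuntu box that is connected through a VPN to the office where the Samba server is located.

I know this is a bit messed up, but it's only for this stage; the Samba server will only serve local Windows machines. However, I don't think this is what is causing the problem, since the Windows box seems to reach the Samba server just fine.

According to the MS-KILE document:

"When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP pre-authentication type when they construct the initial AS request."

Your Windows client is apparently not doing this.

I don't care to know the Windows side of things very well, but perhaps there is a "compatibility mode" option for authentication, and Samba 4 cannot enable it.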
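
An added example, not part of the original question or answer: a Python script that reads a Samba log like the one in the question and reports clients that were asked for pre-authentication but never sent a follow-up AS-REQ carrying an encrypted timestamp. The sample lines are constructed after the question's log format with placeholder principals, and the `encrypted-timestamp` / `ENC-TS` labels for padata type 2 are assumptions about how the KDC names that type in the log.

```python
import re

# Constructed sample (timestamps and source-file prefixes dropped, placeholder
# principals). 10.8.0.14 mirrors the question; 10.8.0.20 is a constructed
# client that retries with an encrypted timestamp.
SAMPLE_LOG = """\
Kerberos: AS-REQ user@EXAMPLE from ipv4:10.8.0.14:36394 for krbtgt/EXAMPLE@EXAMPLE
Kerberos: Client sent patypes: 128
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ user2@EXAMPLE from ipv4:10.8.0.20:40100 for krbtgt/EXAMPLE@EXAMPLE
Kerberos: Client sent patypes: 128
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ user2@EXAMPLE from ipv4:10.8.0.20:40101 for krbtgt/EXAMPLE@EXAMPLE
Kerberos: Client sent patypes: encrypted-timestamp, 128
"""

AS_REQ = re.compile(r"Kerberos: AS-REQ (.+?) from ipv4:([\d.]+):\d+")
PATYPES = re.compile(r"Kerberos: Client sent patypes: (.*)")
PREAUTH_NEEDED = "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"
# PA-ENC-TIMESTAMP is padata type 2 (RFC 4120); the textual names are assumed.
ENC_TS = {"2", "encrypted-timestamp", "ENC-TS"}

def parse_as_requests(log_text):
    """Return one record per AS-REQ; later KDC lines attach to the latest one."""
    requests = []
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            requests.append({"principal": m.group(1), "client": m.group(2),
                             "patypes": set(), "preauth_demanded": False})
        elif requests and (m := PATYPES.search(line)):
            requests[-1]["patypes"] = {t.strip() for t in m.group(1).split(",")}
        elif requests and PREAUTH_NEEDED in line:
            requests[-1]["preauth_demanded"] = True
    return requests

def clients_without_retry(requests):
    """(client, principal) pairs told to pre-authenticate that never did."""
    stalled = []
    for i, req in enumerate(requests):
        if not req["preauth_demanded"]:
            continue
        retried = any(later["client"] == req["client"]
                      and later["principal"] == req["principal"]
                      and later["patypes"] & ENC_TS
                      for later in requests[i + 1:])
        if not retried:
            stalled.append((req["client"], req["principal"]))
    return stalled

if __name__ == "__main__":
    for client, principal in clients_without_retry(parse_as_requests(SAMPLE_LOG)):
        print(f"{client} ({principal}): pre-auth requested, no ENC-TS AS-REQ followed")
```

The script attaches each KDC message to the most recent AS-REQ line, so it assumes the log is not interleaving requests from several clients at once.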