Cannot access Samba share from Windows

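I'm new to SLES and Samba, so I need some help. I successfully set up Samba on SUSE 11. I was able to create a share without user restrictions, which I managed to access from Windows. But I want to allow only a specific group of users to access the share, so I used "valid users", "read list" and "write list". However, as soon as I add valid users to my configuration file, I can no longer access the share. I get an access denied error even when I enter the correct credentials. I tried it with a local user account as well as with an AD domain user. Neither worked. Can you give me advice on how to solve this problem? Here is my smb.conf file: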

    # smb.conf is the main Samba configuration file. You find a full commented
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
    # samba-doc package is installed.
    # Date: 2012-02-03
    [global]
        workgroup = *******
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = ********
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        winbind refresh tickets = yes
        wins support = No

    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700

    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

    [groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes

    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

    [Share]
        inherit acls = Yes
        path = /share/Share
        read only = No
        browseable = Yes
        valid users = @****+Group1, *****+user1

Here is the log file output when I try to access the share:

    [2013/05/17 15:39:18.753943, 3] lib/access.c:338(allow_access)
      Allowed connection from IP Address(IP Address)
    [2013/05/17 15:39:18.754178, 3] smbd/oplock.c:922(init_oplocks)
      init_oplocks: initializing messages.
    [2013/05/17 15:39:18.754281, 3] smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
      Linux kernel oplocks enabled
    [2013/05/17 15:39:18.754396, 3] smbd/process.c:1662(process_smb)
      Transaction 0 of length 137 (0 toread)
    [2013/05/17 15:39:18.754447, 3] smbd/process.c:1467(switch_message)
      switch message SMBnegprot (pid 11575) conn 0x0
    [2013/05/17 15:39:18.754827, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [PC NETWORK PROGRAM 1.0]
    [2013/05/17 15:39:18.754882, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [LANMAN1.0]
    [2013/05/17 15:39:18.754922, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [Windows for Workgroups 3.1a]
    [2013/05/17 15:39:18.754959, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [LM1.2X002]
    [2013/05/17 15:39:18.754996, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [LANMAN2.1]
    [2013/05/17 15:39:18.755035, 3] smbd/negprot.c:598(reply_negprot)
      Requested protocol [NT LM 0.12]
    [2013/05/17 15:39:18.755163, 3] smbd/negprot.c:419(reply_nt1)
      using SPNEGO
    [2013/05/17 15:39:18.755204, 3] smbd/negprot.c:704(reply_negprot)
      Selected protocol NT LM 0.12
    [2013/05/17 15:39:18.757824, 3] smbd/process.c:1662(process_smb)
      Transaction 1 of length 142 (0 toread)
    [2013/05/17 15:39:18.757917, 3] smbd/process.c:1467(switch_message)
      switch message SMBsesssetupX (pid 11575) conn 0x0
    [2013/05/17 15:39:18.757970, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
      wct=12 flg2=0xc807
    [2013/05/17 15:39:18.758013, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2013/05/17 15:39:18.758051, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
      Doing spnego session setup
    [2013/05/17 15:39:18.758091, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
      NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2013/05/17 15:39:18.758159, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
      reply_spnego_negotiate: Got secblob of size 40
    [2013/05/17 15:39:18.758344, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0xe2088297
    [2013/05/17 15:39:18.762052, 3] smbd/process.c:1662(process_smb)
      Transaction 2 of length 486 (0 toread)
    [2013/05/17 15:39:18.762108, 3] smbd/process.c:1467(switch_message)
      switch message SMBsesssetupX (pid 11575) conn 0x0
    [2013/05/17 15:39:18.762152, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
      wct=12 flg2=0xc807
    [2013/05/17 15:39:18.762190, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2013/05/17 15:39:18.762225, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
      Doing spnego session setup
    [2013/05/17 15:39:18.762262, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
      NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2013/05/17 15:39:18.762313, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
      Got user=[user1] domain=[DOMAINNAME] workstation=[WORKSTATIONNAME] len1=24 len2=246

Sorry for not writing this as a comment, but my rep is not high enough.

What I see is that you use + as the separator for domain and group, but you have not set + as the winbind separator in the configuration.

    winbind separator = +

Also, you have the passdb backend set to the local database tdbsam. This may be the reason your AD authentication fails.

Try setting the following:

    workgroup = [SHORTDOMAINNAME]
    realm = [KERBEROS REALM / LONG DOMAIN NAME]
    password server = [fqdn of your pdc]
    winbind use default domain = yes
    encrypt passwords = yes
    security = ads

Realm and workgroup should be all uppercase and match your 'krb5.conf' file.

krb5.conf:

    [libdefaults]
        default_realm = [KERBEROS REALM / LONG DOMAIN NAME]
        dns_lookup_realm = true
        dns_lookup_kdc = true
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
        clockskew = 300
        forwardable = true
        proxiable = true

    [realms]
        [KERBEROS REALM / LONG DOMAIN NAME] = {
            kdc = [fqdn of your pdc]
            default_domain = [long domain name lowercase]
        }

    [domain_realm]
        .[long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]
        [long domain name lowercase] = [KERBEROS REALM / LONG DOMAIN NAME]

You can also check whether everything is working with

    wbinfo -u

You should see the list of users, and

    wbinfo -g

to see the list of groups.

If you have groups with spaces in their names, don't forget to put them in "valid users".

Hope that helps.
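
The separator mismatch described in the answer can be checked mechanically. The following is an added example, not part of the original question or answer: it parses an smb.conf, takes the `winbind separator` from `[global]` (falling back to Samba's default `\` when the parameter is absent), and reports every name in `valid users`, `invalid users`, `read list` or `write list` that uses a different separator. The function names and the `EXAMPLE` domain in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the question's smb.conf; EXAMPLE stands in
# for the masked domain name.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    security = ADS
[homes]
    valid users = %S, %D%w%S
[Share]
    path = /share/Share
    valid users = @EXAMPLE+Group1, EXAMPLE+user1
"""

ACL_PARAMS = {"valid users", "invalid users", "read list", "write list"}
DEFAULT_SEPARATOR = "\\"  # Samba's default when 'winbind separator' is unset
CANDIDATES = "+\\/"       # characters commonly used between domain and name

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, space-normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def separator_mismatches(text):
    """List (section, param, name, used, configured) for names using the wrong separator."""
    conf = parse_smb_conf(text)
    sep = conf.get("global", {}).get("winbind separator", DEFAULT_SEPARATOR)
    findings = []
    for section, params in conf.items():
        for param in sorted(ACL_PARAMS & params.keys()):
            for token in re.findall(r'"[^"]*"|[^,\s]+', params[param]):
                bare = token.strip('"').lstrip("@+&")  # drop quotes and group prefixes
                if "%" in bare:                        # skip %S-style substitutions
                    continue
                hits = sorted((bare.index(c), c) for c in CANDIDATES if c in bare)
                if hits and hits[0][1] != sep:
                    findings.append((section, param, token, hits[0][1], sep))
    return findings

if __name__ == "__main__":
    for finding in separator_mismatches(SAMPLE):
        print("%s: %s: %r uses %r but winbind separator is %r" % finding)
```

On the sample, both entries of the `[Share]` section are reported; adding `winbind separator = +` to `[global]` clears the findings.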