I am trying to set up a file server with Active Directory authentication using Samba and Winbind.
The domain controller is Windows 2000 SP4 (don't judge).
The file server is Debian 7.7 (latest stable). It is a fresh install with the various libraries and dependencies recommended by assorted guides, only some of which are installed. Samba was built from source with the following parameters:
./configure --with-acl-support --with-ads --with-shared-modules=idmap_ad --disable-cups --disable-iprint
root@this-server:~# samba --version
Version 4.1.13
root@this-server:~# winbindd --version
Version 3.6.6
root@this-server:~# klist -V
Kerberos 5 version 1.10.1
kinit Administrator, net ads join -k, net ads testjoin, getent passwd, getent group, wbinfo -u, wbinfo -g, id DomainUser, chown DomainUser:DomainGroup, chgrp DomainUser:DomainGroup - all work, no errors.
I can log in via ssh with domain credentials.
smbclient -k -L against any other host also works.
However...
root@this-server:~# smbclient -k -L this-server -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.104 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.1.13).
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name this-server<0x20>
Connecting to 192.168.1.104 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/this-server@MY-DOMAIN
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0.1] expiration Sat, 29 Nov 2014 02:29:49 MSK
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
(/usr/local/samba/etc/smb.conf is a link to /usr/share/samba/smb.conf)
Excerpt from the logs:
[2014/11/28 16:46:58.430797, 1, pid=6006, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username MY-DOMAIN\Administrator is invalid on this system
[2014/11/28 16:46:58.430856, 1, pid=6006, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2014/11/28 16:46:58.430965, 1, pid=6006, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
Here is a bunch of configuration info, most of it probably completely irrelevant:
/etc/samba/smb.conf (also a link to /usr/share/samba/smb.conf)
[global]
netbios name = this-server
realm = MY-DOMAIN
workgroup = MY-DOMAIN
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
winbind enum groups = yes
winbind enum users = yes
idmap config * : backend = tdb
idmap config * : range = 20000-29999
idmap config MY-DOMAIN : backend = rid
idmap config MY-DOMAIN : range = 10000 - 19999
winbind trusted domains only = no
winbind use default domain = yes
client use spnego = yes
kerberos method = secrets and keytab
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template homedir = /home/%D/%U
template shell = /bin/bash
load printers = no
printcap name = /dev/null
log level = 10
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
[demoshare]
path = /srv/samba/test
read only = no
/etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.1.104 this-server.MY-DOMAIN this-server
192.168.1.100 domain-controller.MY-DOMAIN domain-controller
/etc/resolv.conf
nameserver 192.168.1.100
search MY-DOMAIN
/etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
All the /etc/pam.d/* files are generated by pam-auth-update, but here is their content anyway:
/etc/pam.d/samba
@include common-auth
@include common-account
@include common-session-noninteractive
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
/etc/pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
/etc/krb5.conf
[libdefaults]
default_realm = MY-DOMAIN
krb4_config = /etc/krb.
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
preferred_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
MY-DOMAIN = {
kdc = domain-controller.my-domain
admin_server = domain-controller.my-domain
default_domain = MY-DOMAIN
}
[domain_realm]
.my-domain = MY-DOMAIN
my-domain = MY-DOMAIN
What could be the problem here, and how can I fix it?
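As an added check that is not part of the question above: the log line "Username MY-DOMAIN\Administrator is invalid on this system" means smbd could not resolve the Kerberos principal to a Unix account, so it is worth knowing which UID winbind's rid backend is expected to hand out and whether the idmap ranges are sane. The script below (example code, not from the poster or the Samba project) parses the idmap lines of an smb.conf, flags missing or overlapping ranges, and predicts the UID for a given RID (Administrator is always RID 500) so it can be compared with the output of getent passwd on the file server. The embedded configuration is constructed from the idmap lines shown in the question.

```python
"""Sanity-check idmap settings from smb.conf and predict rid-backend UIDs."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the smb.conf in the question.
SAMPLE_SMB_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 20000-29999
idmap config MY-DOMAIN : backend = rid
idmap config MY-DOMAIN : range = 10000 - 19999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <key> = <value>' lines, keyed by domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Samba accepts 'low-high' with optional spaces around the dash."""
    low, high = (int(p.strip()) for p in text.split("-", 1))
    if low >= high:
        raise ValueError(f"bad idmap range {text!r}")
    return low, high


def check_ranges(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Report a missing '*' default domain, missing ranges and overlapping ranges."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    problems += [f"{d}: no range" for d in domains if d not in ranges]
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:  # the two intervals intersect
                problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    return problems


def rid_to_uid(domains: Dict[str, Dict[str, str]], domain: str, rid: int) -> int:
    """For backend = rid, Samba computes id = range_low + RID; it must stay inside the range."""
    cfg = domains[domain.upper()]
    if cfg.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = parse_range(cfg["range"])
    uid = low + rid
    if uid > high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {low}-{high}")
    return uid
```

With the ranges above, Administrator (RID 500) should appear as UID 10500; if getent passwd shows nothing or a different UID, the mapping winbind provides to smbd is not the one this configuration describes.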