Samba, winbind and AD authentication: username is invalid on this system



I'm trying to set up a file server with Active Directory authentication using Samba and Winbind.

The domain controller is Windows 2000 SP4 (don't judge).
The file server is Debian 7.7 (latest stable). It is a fresh install, with the various libraries and dependencies recommended by assorted guides, only some of which are installed. Samba was built from source with the following parameters:

./configure --with-acl-support --with-ads --with-shared-modules=idmap_ad --disable-cups --disable-iprint

 

root@this-server:~# samba --version
Version 4.1.13
root@this-server:~# winbindd --version
Version 3.6.6
root@this-server:~# klist -V
Kerberos 5 version 1.10.1

kinit Administrator, net ads join -k, net ads testjoin, getent passwd, getent group, wbinfo -u, wbinfo -g, id DomainUser, chown DomainUser:DomainGroup, chgrp DomainUser:DomainGroup - all of them work, no errors.

I can log in via ssh with domain credentials.

smbclient -k -L any-other-host also works.

But...

root@this-server:~# smbclient -k -L this-server -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.104 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.1.13).
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name this-server<0x20>
Connecting to 192.168.1.104 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/this-server@MY-DOMAIN
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0.1] expiration Sat, 29 Nov 2014 02:29:49 MSK
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

(/usr/local/samba/etc/smb.conf is a symlink to /usr/share/samba/smb.conf)

Excerpt from the logs:

[2014/11/28 16:46:58.430797,  1, pid=6006, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username MY-DOMAIN\Administrator is invalid on this system
[2014/11/28 16:46:58.430856,  1, pid=6006, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2014/11/28 16:46:58.430965,  1, pid=6006, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

Here is a pile of configuration information, most of it probably entirely irrelevant:

/etc/samba/smb.conf (also a symlink to /usr/share/samba/smb.conf)

[global]

   netbios name = this-server
   realm = MY-DOMAIN
   workgroup = MY-DOMAIN
   server string = %h server
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = ads
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

   winbind enum groups = yes
   winbind enum users = yes

   idmap config * : backend        = tdb
   idmap config * : range          = 20000-29999

   idmap config MY-DOMAIN : backend  = rid
   idmap config MY-DOMAIN : range    = 10000 - 19999

   winbind trusted domains only = no
   winbind use default domain = yes
   client use spnego = yes
   kerberos method = secrets and keytab

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   load printers = no
   printcap name = /dev/null
   log level = 10

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[demoshare]
   path = /srv/samba/test
   read only = no

/etc/hosts

127.0.0.1       localhost       localhost.localdomain
192.168.1.104   this-server.MY-DOMAIN        this-server
192.168.1.100   domain-controller.MY-DOMAIN  domain-controller

/etc/resolv.conf

nameserver 192.168.1.100
search MY-DOMAIN

/etc/nsswitch.conf

passwd:         files winbind
group:          files winbind
shadow:         files winbind

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

All the /etc/pam.d/* files were generated with pam-auth-update, but here are their contents anyway:

/etc/pam.d/samba

@include common-auth
@include common-account
@include common-session-noninteractive

/etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

/etc/pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

/etc/pam.d/common-session-noninteractive

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so

/etc/pam.d/common-password

password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

/etc/krb5.conf

[libdefaults]
default_realm = MY-DOMAIN

krb4_config = /etc/krb.
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
preferred_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MY-DOMAIN = {
        kdc = domain-controller.my-domain
        admin_server = domain-controller.my-domain
        default_domain = MY-DOMAIN
}

[domain_realm]
.my-domain = MY-DOMAIN
my-domain = MY-DOMAIN

What could be the problem here, and how can I fix it?
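A self-check for the idmap and winbind side of the configuration above, as an added example that is not part of the original question and not Samba's own code. It works on a constructed excerpt of the posted smb.conf, the smbd log line and the two version banners shown in the question; the domain SID is made up. It predicts the Unix IDs idmap_rid will hand out for MY-DOMAIN (the formula from idmap_rid(8)), checks that the two idmap ranges are disjoint, shows which name winbind presents to NSS under `winbind use default domain = yes`, and flags that the posted smbd (4.1.13) and winbindd (3.6.6) banners come from different Samba releases, which is worth ruling out before digging deeper into the principal-to-user mapping failure.

```python
"""Sanity checks for a winbind/idmap_rid setup (added example, not from
the original post or the Samba project)."""
import re

# Constructed excerpt of the posted smb.conf, idmap-relevant lines only.
SMB_CONF = """\
[global]
   workgroup = MY-DOMAIN
   realm = MY-DOMAIN
   security = ads
   winbind use default domain = yes
   idmap config * : backend        = tdb
   idmap config * : range          = 20000-29999
   idmap config MY-DOMAIN : backend  = rid
   idmap config MY-DOMAIN : range    = 10000 - 19999
"""

# The smbd log line and the two version banners quoted in the question.
LOG_LINE = r"  Username MY-DOMAIN\Administrator is invalid on this system"
SMBD_VERSION = "Version 4.1.13"
WINBINDD_VERSION = "Version 3.6.6"

IDMAP_KEY = re.compile(r"^idmap config (\S+) : (\w+)$")
INVALID_USER = re.compile(
    r"Username (?P<dom>[^\\]+)\\(?P<user>\S+) is invalid on this system")


def parse_smb_conf(text):
    """Flatten [global] into {key: value}; keys lower-cased, spaces collapsed.
    Only the first '=' splits key from value; '#' and ';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        conf[re.sub(r"\s+", " ", key.strip()).lower()] = val.strip()
    return conf


def idmap_domains(conf):
    """Group 'idmap config DOM : opt' lines into {DOM: {opt: value}};
    ranges become (low, high) ints, accepting '10000 - 19999' or '20000-29999'."""
    domains = {}
    for key, val in conf.items():
        m = IDMAP_KEY.match(key)
        if not m:
            continue
        entry = domains.setdefault(m.group(1).upper(), {})
        if m.group(2) == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (low, high)
        else:
            entry[m.group(2)] = val
    return domains


def overlapping_ranges(domains):
    """Pairs of idmap domains whose ID ranges intersect; every range must be
    disjoint or a Unix ID is ambiguous between two backends."""
    names = sorted(d for d in domains if "range" in domains[d])
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = domains[a]["range"], domains[b]["range"]
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad


def rid_to_unix_id(domains, domain, rid):
    """idmap_rid(8): ID = RID - base_rid + range_low (base_rid defaults to 0).
    None when the result leaves the range, i.e. winbind cannot map the SID."""
    entry = domains[domain]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = entry["range"]
    unix_id = rid - int(entry.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None


def expected_unix_name(conf, domain, user):
    """Name winbind hands to NSS: own-domain users lose the prefix under
    'winbind use default domain = yes', else DOMAIN<separator>user."""
    own = conf.get("workgroup", "").upper() == domain.upper()
    if own and conf.get("winbind use default domain", "no").lower() == "yes":
        return user
    return f"{domain}{conf.get('winbind separator', chr(92))}{user}"


def parse_invalid_user(log_line):
    """(domain, user) from smbd's 'Username ... is invalid' message."""
    m = INVALID_USER.search(log_line)
    return (m.group("dom"), m.group("user")) if m else None


def same_samba_release(banner_a, banner_b):
    """True when two 'Version X.Y.Z' banners share major.minor; smbd and
    winbindd are built from one tree and are expected to match."""
    def major_minor(banner):
        return tuple(int(p) for p in banner.split()[-1].split(".")[:2])
    return major_minor(banner_a) == major_minor(banner_b)


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    domains = idmap_domains(conf)
    dom, user = parse_invalid_user(LOG_LINE)
    print("idmap domains:", domains)
    print("overlapping ranges:", overlapping_ranges(domains) or "none")
    print("NSS name looked up:", expected_unix_name(conf, dom, user))
    admin_sid = "S-1-5-21-1111111111-2222222222-3333333333-500"  # constructed
    print("Administrator uid:",
          rid_to_unix_id(domains, dom, int(admin_sid.rsplit("-", 1)[1])))
    print("smbd/winbindd same release:",
          same_samba_release(SMBD_VERSION, WINBINDD_VERSION))
```

Run it with python3; the main block prints the predictions. To compare against the live box, `wbinfo --sid-to-uid` (or `wbinfo -i 'MY-DOMAIN\Administrator'`) should return the same uid that rid_to_unix_id predicts, and `smbd -V` and `winbindd -V` should print the same release.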

Licensed under cc by-sa 3.0 with attribution required.