
Configure Samba with Active Directory and local user authentication

My main goal is to set up a Samba server that users can connect to using their Active Directory credentials. In addition, local Linux users on the Samba server must be able to authenticate as well.

First I tried to configure the Samba server to authenticate users against Active Directory, but I could not figure out how to do it.

The Samba server, version 4.2.10, runs on CentOS 7. My Samba configuration looks like this:

/etc/samba/smb.conf

[global]
workgroup = AD
netbios name = clients-hostname

max log size = 50
log level = 3
log file = /var/log/samba3/log.%m

map untrusted to domain = Yes

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

os level = 20
winbind enum groups = yes
realm = AD.COMPANY.CPOM
security = ads
auth methods = winbind
passdb backend = tdbsam

client use spnego = yes

client ntlmv2 auth = yes

[aShare]
available = yes
path = /aShare
browseable = yes
writeable = yes
#read only = no
#inherit acls = yes
#inherit permissions = yes
create mask = 0777
directory mask = 0777
valid users = @"domain users@AD",localUser

The Kerberos configuration looks like this:

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false

ticket_lifetime = 24h
renew_lifetime = 7d

forwardable = true
rdns = false

default_realm = AD.COMPANY.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
AD.COMPANY.COM = {
kdc = DC.AD.COMPANY.COM
kpasswd_server = DC.AD.COMPANY.COM
admin_server = DC.AD.COMPANY.COM
default_domain = AD.COMPANY.COM
}

[domain_realm]
.ad.company.com = AD.COMPANY.COM
ad.company.com  = IN.ITM-CONSULTING.DE

The Samba server exists in Active Directory, and I have obtained a Kerberos ticket. wbinfo -u lists all users in Active Directory. I noticed that it used to display users with the AD\ prefix; now they no longer have that prefix.

The main problem is that I cannot connect to the shares with an Active Directory user:

$ smbclient -L //10.0.0.2 -U aduser -W AD
Enter aduser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

The logs show me this: /var/log/samba3/log.10.0.0.2 [<- the local machine's IP address]

[2016/07/26 13:00:28.408563,  3] ../source3/smbd/oplock.c:1307(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/26 13:00:28.408626,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 194 (0 toread)
[2016/07/26 13:00:28.408646,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 9538) conn 0x0
[2016/07/26 13:00:28.409162,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2016/07/26 13:00:28.409177,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2016/07/26 13:00:28.409183,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2016/07/26 13:00:28.409188,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LANMAN1.0]
[2016/07/26 13:00:28.409192,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LM1.2X002]
[2016/07/26 13:00:28.409197,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [DOS LANMAN2.1]
[2016/07/26 13:00:28.409202,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LANMAN2.1]
[2016/07/26 13:00:28.409207,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [Samba]
[2016/07/26 13:00:28.409211,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LANMAN 1.0]
[2016/07/26 13:00:28.409216,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/07/26 13:00:28.651581,  3] ../source3/smbd/negprot.c:395(reply_nt1)
  using SPNEGO
[2016/07/26 13:00:28.651628,  3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol NT LANMAN 1.0
[2016/07/26 13:00:28.652715,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 1 of length 160 (0 toread)
[2016/07/26 13:00:28.652741,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBsesssetupX (pid 9538) conn 0x0
[2016/07/26 13:00:28.652762,  3] ../source3/smbd/sesssetup.c:614(reply_sesssetup_and_X)
  wct=12 flg2=0xc843
[2016/07/26 13:00:28.652774,  3] ../source3/smbd/sesssetup.c:144(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2016/07/26 13:00:28.652782,  3] ../source3/smbd/sesssetup.c:185(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2016/07/26 13:00:28.653003,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/07/26 13:00:28.653391,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 2 of length 528 (0 toread)
[2016/07/26 13:00:28.653410,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBsesssetupX (pid 9538) conn 0x0
[2016/07/26 13:00:28.653432,  3] ../source3/smbd/sesssetup.c:614(reply_sesssetup_and_X)
  wct=12 flg2=0xc843
[2016/07/26 13:00:28.653438,  3] ../source3/smbd/sesssetup.c:144(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2016/07/26 13:00:28.653445,  3] ../source3/smbd/sesssetup.c:185(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2016/07/26 13:00:28.653466,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[aduser] domain=[AD] workstation=[clients-hostname] len1=24 len2=238
[2016/07/26 13:00:28.653518,  3] ../source3/param/loadparm.c:3653(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/26 13:00:28.653570,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/26 13:00:28.653637,  3] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[global]"
[2016/07/26 13:00:28.653758,  2] ../source3/param/loadparm.c:2613(lp_do_section)
  Processing section "[aShare]"
[2016/07/26 13:00:28.653826,  3] ../source3/param/loadparm.c:1493(lp_add_ipc)
  adding IPC service
[2016/07/26 13:00:28.654335,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [AD]\[aduser]@[clients-hostname] with the new password interface
[2016/07/26 13:00:28.654350,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [AD]\[aduser]@[clients-hostname]
[2016/07/26 13:00:28.657067,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user AD\aduser via getpwnam(), denying access.
[2016/07/26 13:00:28.657091,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [aduser] -> [aduser] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/26 13:00:28.657104,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/26 13:00:28.657139,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(269) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2016/07/26 13:00:28.660840,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (failed to receive smb request)

How can I let users log in to Samba with their Active Directory credentials?
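As an added consistency check (not code from the question or from Samba), the script below parses trimmed excerpts of the smb.conf and krb5.conf posted above, constructed inline as sample input, and reports duplicated [global] keys and realm values that disagree between the two files, which is what an ADS domain member needs to be in sync before winbind lookups can succeed.

```python
import re

# Constructed sample input: trimmed excerpts of the smb.conf and krb5.conf posted in the question.
SMB_CONF = """
[global]
realm = AD.COMPANY.CPOM
security = ads
winbind enum groups = yes
winbind use default domain = yes
winbind enum groups = yes
"""
KRB5_CONF = """
[libdefaults]
default_realm = AD.COMPANY.COM
[domain_realm]
.ad.company.com = AD.COMPANY.COM
ad.company.com  = IN.ITM-CONSULTING.DE
"""

def parse_ini(text):
    """Parse INI-style text into {section: [(key, value), ...]}, keeping duplicates."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;}':  # skip blanks, comments and krb5 '}' closers
            continue
        m = re.fullmatch(r'\[(.+)\]', line)
        if m:
            cur = m.group(1)
            sections.setdefault(cur, [])
        elif '=' in line and cur is not None:
            key, val = line.split('=', 1)
            sections[cur].append((key.strip().lower(), val.strip()))
    return sections

def check_realms(smb_text, krb5_text):
    """Return findings: duplicated [global] keys and realm mismatches between the two files."""
    smb, krb = parse_ini(smb_text), parse_ini(krb5_text)
    pairs = smb.get('global', [])
    glob, keys = dict(pairs), [k for k, _ in pairs]
    findings = [f'duplicate key in [global]: {k}' for k in sorted(set(keys)) if keys.count(k) > 1]
    default_realm = dict(krb.get('libdefaults', [])).get('default_realm', '')
    if glob.get('security', '').lower() == 'ads' and not glob.get('realm'):
        findings.append('security = ads but no realm set')
    if glob.get('realm') and glob['realm'].upper() != default_realm.upper():
        findings.append(f"realm mismatch: smb.conf {glob['realm']} vs krb5.conf {default_realm}")
    for dom, realm in krb.get('domain_realm', []):  # every domain should map to the realm we join
        if realm.upper() != default_realm.upper():
            findings.append(f'domain_realm {dom} maps to foreign realm {realm}')
    return findings
```

Run against the posted files it flags the duplicated `winbind enum groups`, the `AD.COMPANY.CPOM` / `AD.COMPANY.COM` realm typo and the stray `IN.ITM-CONSULTING.DE` domain_realm mapping.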