I am having trouble with AD authentication on a SAMBA share on a Linux server.
Authentication seems to work, but only halfway...
[root@myserver ~]# wbinfo -a my_ad_user%password123
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@myserver ~]# wbinfo -i my_ad_user
Could not get info for user my_ad_user << weird
[root@myserver ~]# getent passwd my_ad_user
my_ad_user:*:1256023472:1256023469:my name:/:
[root@myserver ~]#
Strange, because everything seems to work fine except the output of wbinfo -i <any_ad_user_name>. Other wbinfo queries work fine.
The trust check also works:
[root@myserver ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
Samba authentication fails (why is cifs shown like this, cifs/myserver.mydomain.com@MYDOMAIN.COM ?):
[root@myserver ~]# smbclient //localhost/MySharedFolder -d 3 -U my_ad_user%password123
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.2.3.7 bcast=10.2.3.255 netmask=255.255.255.0
Client started (version 3.5.22).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/myserver.mydomain.com@MYDOMAIN.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[CLIENTSERVER] OS=[Unix] Server=[Samba 3.5.22]
tree connect failed: NT_STATUS_ACCESS_DENIED
The keytab looks fine:
[root@myserver ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
2 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-md5)
2 host/myserver.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
2 host/myserver@MYDOMAIN.COM (des-cbc-crc)
2 host/myserver@MYDOMAIN.COM (des-cbc-md5)
2 host/myserver@MYDOMAIN.COM (arcfour-hmac)
2 myserver$@MYDOMAIN.COM (des-cbc-crc)
2 myserver$@MYDOMAIN.COM (des-cbc-md5)
2 myserver$@MYDOMAIN.COM (arcfour-hmac)
3 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
3 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-md5)
3 host/myserver.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
3 host/myserver@MYDOMAIN.COM (des-cbc-crc)
3 host/myserver@MYDOMAIN.COM (des-cbc-md5)
3 host/myserver@MYDOMAIN.COM (arcfour-hmac)
3 myserver$@MYDOMAIN.COM (des-cbc-crc)
3 myserver$@MYDOMAIN.COM (des-cbc-md5)
3 myserver$@MYDOMAIN.COM (arcfour-hmac)
Samba configuration from smb.conf:
[root@myserver ~]# cat /etc/samba/smb.conf
[global]
workgroup = MYDOMAIN
password server = WCR-LUCDC01.MYDOMAIN.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = MYDOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
encrypt passwords = yes
#idmap domains = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config MYDOMAIN : cache time = 1800
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 16777216-33554431
idmap confg MYDOMAIN : schema_mode = rfc2307
idmap backend = tbd
log level = 3
max log size = 50
[MySharedFolder]
comment = My Share
path = /opt/MySharedFolder
browsable = yes
writable = yes
valid users = @GROUP1, @"GROUP2"
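A small linter, added here as an example and not part of the original post or of Samba, that parses an smb.conf the way Samba reads parameter names (case and whitespace ignored) and reports the kinds of problems visible in the [global] section above: a parameter set twice with different values (the later one silently wins), an "idmap" parameter that is not spelt as a known one, and an idmap backend name Samba does not ship. The sample input is constructed from the post's own idmap lines; KNOWN_IDMAP and KNOWN_BACKENDS are assumed lists for Samba 3.x.

```python
import re

# Constructed sample: the idmap-related [global] lines quoted in the post above.
SAMPLE_SMB_CONF = """\
[global]
idmap uid = 16777216-33554431
idmap uid = 10000-20000
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 16777216-33554431
idmap confg MYDOMAIN : schema_mode = rfc2307
idmap backend = tbd
"""
# Assumed lists: the global idmap parameters spelt as in the post, and the idmap
# backends shipped with Samba 3.x; extend both for your own Samba version.
KNOWN_IDMAP = {"idmapuid", "idmapgid", "idmapbackend", "idmapdomains"}
KNOWN_BACKENDS = {"tdb", "tdb2", "ad", "rid", "ldap", "nss", "hash"}

def norm(key):
    """Samba ignores case and whitespace in parameter names ('idmap uid' == 'idmapuid')."""
    return re.sub(r"\s+", "", key).lower()

def parse(text):
    """Return {section: [(normalized_key, raw_key, value), ...]}, keeping duplicates."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections.setdefault(current, []).append((norm(key), key.strip(), value.strip()))
    return sections

def lint(text):
    """Flag silent overrides, misspelt idmap parameters and unknown backends in [global]."""
    findings, seen = [], {}
    for nkey, raw, value in parse(text).get("global", []):
        if nkey in seen and seen[nkey] != value:
            findings.append(f"'{raw}' set twice: {seen[nkey]!r} is overridden by {value!r}")
        seen[nkey] = value
        if nkey.startswith("idmap") and not nkey.startswith("idmapconfig") and nkey not in KNOWN_IDMAP:
            findings.append(f"unrecognised parameter '{raw}' (typo for 'idmap config'?)")
    backend = seen.get("idmapbackend", "")
    if backend and backend.lower() not in KNOWN_BACKENDS:
        findings.append(f"unknown idmap backend {backend!r}")
    return findings
```

Run it against the real file with lint(open("/etc/samba/smb.conf").read()); an empty list means none of these three problems is present, which is worth confirming before hunting for Kerberos or idmap range issues.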