
AD authentication with SAMBA, Winbind and SSS

I am having problems with AD authentication on a SAMBA share on a Linux server.

Authentication seems to work, but only halfway...

[root@myserver ~]# wbinfo -a my_ad_user%password123
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@myserver ~]# wbinfo -i my_ad_user
Could not get info for user my_ad_user << weird
[root@myserver ~]# getent passwd my_ad_user
my_ad_user:*:1256023472:1256023469:my name:/:
[root@myserver ~]# 

Strange, because everything seems to work fine except the output of wbinfo -i <any_ad_user_name>. Other wbinfo queries work fine.

The trust check works too:

[root@myserver ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded

Samba authentication failure (why is cifs shown like this, cifs/myserver.mydomain.com@MYDOMAIN.COM?):

[root@myserver ~]# smbclient //localhost/MySharedFolder -d 3 -U my_ad_user%password123
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.2.3.7 bcast=10.2.3.255 netmask=255.255.255.0
Client started (version 3.5.22).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/myserver.mydomain.com@MYDOMAIN.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[CLIENTSERVER] OS=[Unix] Server=[Samba 3.5.22]
tree connect failed: NT_STATUS_ACCESS_DENIED

The keytab looks fine:

[root@myserver ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-crc) 
   2 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-md5) 
   2 host/myserver.mydomain.com@MYDOMAIN.COM (arcfour-hmac) 
   2 host/myserver@MYDOMAIN.COM (des-cbc-crc) 
   2 host/myserver@MYDOMAIN.COM (des-cbc-md5) 
   2 host/myserver@MYDOMAIN.COM (arcfour-hmac) 
   2 myserver$@MYDOMAIN.COM (des-cbc-crc) 
   2 myserver$@MYDOMAIN.COM (des-cbc-md5) 
   2 myserver$@MYDOMAIN.COM (arcfour-hmac) 
   3 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-crc) 
   3 host/myserver.mydomain.com@MYDOMAIN.COM (des-cbc-md5) 
   3 host/myserver.mydomain.com@MYDOMAIN.COM (arcfour-hmac) 
   3 host/myserver@MYDOMAIN.COM (des-cbc-crc) 
   3 host/myserver@MYDOMAIN.COM (des-cbc-md5) 
   3 host/myserver@MYDOMAIN.COM (arcfour-hmac) 
   3 myserver$@MYDOMAIN.COM (des-cbc-crc) 
   3 myserver$@MYDOMAIN.COM (des-cbc-md5) 
   3 myserver$@MYDOMAIN.COM (arcfour-hmac)

Samba configuration from smb.conf:

[root@myserver ~]# cat /etc/samba/smb.conf
[global]
   workgroup = MYDOMAIN
   password server = WCR-LUCDC01.MYDOMAIN.COM
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   realm = MYDOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nss info = rfc2307
   encrypt passwords = yes
   #idmap domains = MYDOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap config MYDOMAIN : cache time = 1800
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 16777216-33554431
   idmap confg MYDOMAIN : schema_mode = rfc2307
   idmap backend = tbd
   log level = 3
   max log size = 50
[MySharedFolder]
    comment = My Share
    path = /opt/MySharedFolder
    browsable = yes
    writable = yes
    valid users = @GROUP1, @"GROUP2"
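An added example, not part of the original post: before chasing the NT_STATUS_ACCESS_DENIED through winbind, it is worth checking that the [global] section of smb.conf actually says what you think it says. Samba keeps only the last assignment when a parameter is set twice, and it ignores (with a warning in the log and in testparm output) any parameter name it does not recognise, so a misspelled "idmap config" line or a placeholder backend name silently has no effect. The script below audits a config for exactly those three conditions and checks whether a uid such as the one getent returned falls inside the domain's idmap range. The sample config is constructed to reproduce the relevant lines of the post; all file and function names are mine, and the list of idmap module names is the one this example knows, not a statement about any particular Samba release.

```shell
#!/bin/sh
# Added example (not from the original post): audit the [global] section of an
# smb.conf for settings that look valid but have no effect.

# Print [global] settings as "key=value", one per line, in file order, with
# the key lower-cased and its whitespace normalized. Because the order is kept,
# the LAST line for a key is the value Samba actually applies.
smb_global_kv() {
    awk '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[[Gg]lobal\]/); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) "=" val
        }' "$1"
}

# Effective (last) value of a key, or empty if unset. $1 = conf, $2 = lower-case key.
smb_get() {
    smb_global_kv "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Return 0 if $1 lies inside the range "LOW-HIGH" given as $2.
uid_in_range() {
    low=${2%-*}; high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# Return 0 if uid $2 lies inside the "idmap config DOMAIN : range" of conf $1.
uid_in_domain_range() {
    range=$(smb_global_kv "$1" | sed -n 's/^idmap config [^:]*: range=//p' | tail -n 1)
    [ -n "$range" ] && uid_in_range "$2" "$range"
}

# Print one finding per line; return 1 if there were any, 0 if the config is clean.
audit_smb_conf() {
    kv=$(smb_global_kv "$1")
    findings=$(
        # A key assigned twice: only the last assignment has any effect.
        printf '%s\n' "$kv" | cut -d= -f1 | sort | uniq -d \
            | sed 's/.*/DUPLICATE: "&" is set more than once; only the last value applies/'
        # "idmap confg ..." and the like: Samba reports an unknown parameter and drops it.
        printf '%s\n' "$kv" | cut -d= -f1 | grep '^idmap conf' | grep -v '^idmap config ' \
            | sed 's/.*/TYPO: "&" is not a parameter name; the line is ignored/' || true
        # idmap module names this example knows about; "tbd" is not one of them.
        backend=$(printf '%s\n' "$kv" | sed -n 's/^idmap backend=//p' | tail -n 1)
        case "$backend" in
            ''|tdb|tdb2|ad|rid|ldap|nss|autorid|hash) ;;
            *) echo "BACKEND: \"idmap backend = $backend\" is not a known idmap module" ;;
        esac
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample reproducing the relevant [global] lines of the post.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   #idmap domains = MYDOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 16777216-33554431
   idmap confg MYDOMAIN : schema_mode = rfc2307
   idmap backend = tbd
[MySharedFolder]
   path = /opt/MySharedFolder
   valid users = @GROUP1, @"GROUP2"
EOF

if audit_smb_conf "$SAMPLE_CONF"; then echo "no findings"; fi
echo "effective idmap uid: $(smb_get "$SAMPLE_CONF" 'idmap uid')"
uid_in_domain_range "$SAMPLE_CONF" 1256023472 \
    || echo "uid 1256023472 (from getent above) is outside the MYDOMAIN idmap range"
```

On a real server the same information comes from "testparm -s /etc/samba/smb.conf", which prints "Unknown parameter encountered" for misspelled names and shows the parameter values that survive; the point of the audit is to see those values side by side with the ranges and with the uid that getent actually returned. The script does not say which of the findings explains the access-denied result; it only removes the guesswork about what configuration winbind is running with.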