Я настроил свой Debian-сервер с помощью Samba и успешно присоединился к своему домену с помощью Winbind. Я пытаюсь предоставить общий доступ к папке и открыть ее с помощью проверки подлинности Windows Active Directory (в домене server 2012 R2). Кажется, все работает, но что бы я ни делал, я получаю сообщение «Доступ запрещен», когда пытаюсь получить доступ к общему ресурсу.
Я использовал это руководство для настройки Samba:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
Я могу видеть общие ресурсы и загружать их на компьютере с Windows с помощью консоли управления компьютером ... Я даже могу изменить разрешения с помощью Windows, но, несмотря ни на что, я не могу получить доступ к общему ресурсу.
Вот шаги, которые я предпринял, чтобы ввести сервер в AD и опубликовать общий ресурс:
# Commands as typed on the box (a transcript, not a script: no `set -e`, each line ran on its own).
# NOTE(review): this overwrites /etc/apt/sources.list with whatever the remote generator returns at
# fetch time, and every package installed below comes from those sources. Fetch to a file first, read
# it, then copy it into place, and keep apt's signature verification enabled — whoever controls that
# URL (or a stale generator) otherwise controls the package set of this server.
curl https://debgen.simplylinux.ch/txt/jessie/sources_02afb983ca66b4136396fe1f3cc5e8052fa5532a.txt | sudo tee /etc/apt/sources.list
# `dist-upgrade` already covers what `upgrade` does, so the second pass is a no-op; the two
# `cat /etc/debian_version` calls just record the release before and after.
cat /etc/debian_version; apt-get update --fix-missing -y; apt-get dist-upgrade -y; apt-get upgrade -y; cat /etc/debian_version
# Samba/Winbind/Kerberos client stack for an AD member; -y answers the install prompts.
apt-get -y install ntp ntpdate winbind samba samba-client libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user
server dc1.my.domain.com prefer iburst
service ntp restart
# Kerberos client settings for the AD realm (presumably /etc/krb5.conf; the path is not shown on the page).
[libdefaults]
# 24000 s is about 6h40m, which matches the expiry shown by klist below.
ticket_lifetime = 24000
default_realm = MY.DOMAIN.COM
# NOTE(review): option name is misspelled — MIT krb5 reads `default_tgs_enctypes`; this line is ignored as written.
default_tgs_entypes = rc4-hmac des-cbc-md5
# NOTE(review): double underscore — the option is `default_tkt_enctypes`; also ignored as written.
default_tkt__enctypes = rc4-hmac des-cbc-md5
# NOTE(review): this line *is* read and pins the library to two deprecated types. RC4 is weak, and single DES
# (des-cbc-md5) is disabled by default on 2008 R2 and later DCs, so against the 2012 R2 domain described above
# this is effectively RC4-only. Those DCs support aes256-cts-hmac-sha1-96 / aes128-cts-hmac-sha1-96; prefer
# them (or drop all three enctype lines and take the library defaults) unless a legacy service here needs RC4.
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes
[realms]
MY.DOMAIN.COM = {
kdc = DC1.MY.DOMAIN.COM
# NOTE(review): `default_domain` is the DNS domain appended to unqualified host names (my.domain.com),
# not a DC host name; harmless with dns_lookup_* enabled, but misleading.
default_domain = DC1.MY.DOMAIN.COM
}
[domain_realm]
# NOTE(review): the right-hand side of a domain_realm mapping is a realm name (MY.DOMAIN.COM), not a host.
# As written, hosts under my.domain.com map to a realm "DC1.MY.DOMAIN.COM" that does not exist. The kinit
# and the join shown on this page appear to succeed because they take the realm from default_realm and
# smb.conf rather than from this section; service-ticket requests for hosts in the domain may still be
# affected — verify with `kvno` against a host in the domain after correcting it.
.my.domain.com = DC1.MY.DOMAIN.COM
my.domain.com = DC1.MY.DOMAIN.COM
[appdefaults]
# PAM-specific defaults; only consulted by pam_krb5, which the page does not install (libpam-winbind is used).
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# krb4 is long gone; this knob is obsolete.
krb4_convert = false
}
# Log locations for a local KDC/kadmind — not used on a plain member server; harmless.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
root@nas02:~# kinit domain_admin
Password for domain_admin@MY.DOMAIN.COM:
root@nas02:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domain_admin@MY.DOMAIN.COM
Valid starting Expires Service principal
10/14/2016 21:56:26 10/15/2016 04:36:20 krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
kdestroy
# Global parameters
# (smb.conf as posted; testparm below also lists [homes] and [print$], which are not shown.)
[global]
workgroup = MY
realm = MY.DOMAIN.COM
server role = member server
security = ADS
# NOTE(review): a user name that does not resolve is silently treated as guest. While chasing an
# "access denied" this hides whether authentication or authorisation failed, and it is broader than a
# domain member needs; `map to guest = Never` yields an explicit logon failure instead.
map to guest = Bad User
obey pam restrictions = Yes
# NOTE(review): the next four lines make smbd run /usr/bin/passwd as root to keep local Unix passwords in
# sync. On an AD member the accounts and their passwords live in AD, so this path should not be exercised
# for domain users; consider removing it rather than leaving a root-executed password chat configured.
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
syslog only = Yes
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
# NOTE(review): lets any local user publish usershares readable by guests; turn off unless wanted.
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
template homedir = /home/%U
# NOTE(review): Debian has bash at /bin/bash; /sbin/bash does not exist, so domain accounts get an invalid
# shell (visible in the wbinfo/getent output below). Irrelevant for SMB, but it blocks interactive logins —
# fine if intended as a lockout, otherwise a typo.
template shell = /sbin/bash
# Lets `getent passwd`/`getent group` list every domain account (as seen below); costly on large domains.
winbind enum users = Yes
winbind enum groups = Yes
# Domain accounts appear unqualified (no MY\ prefix). nsswitch consults local files before winbind, so a
# domain account sharing a name with a local one resolves to the local account — keep that in mind when
# granting rights by bare name.
winbind use default domain = Yes
winbind refresh tickets = Yes
# NOTE(review): a per-domain idmap block is applied only when its name matches the short domain name, which
# the join below reports as MY, not samdom (the wiki's placeholder). Unless the names were anonymised
# differently here, this block is never consulted and domain accounts fall into the `*` tdb range; the
# rid-shaped ids seen later (10513 = 10000 + well-known RID 513) suggest the real config does match —
# worth confirming.
idmap config samdom:range = 10000-99999
idmap config samdom:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
# Windows-ACL support: acl_xattr keeps the NT ACL in the security.NTACL extended attribute, so the
# filesystem must support user xattrs, and once an NT ACL has been set it generally decides access rather
# than the plain mode bits. An ACL edited from Windows that does not grant the connecting user is the
# first thing to check for an "access denied".
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
# NSS lookup order (nsswitch.conf as posted): local sources first, then winbind for users and groups.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
# winbind is not listed here; domain groups have no gshadow data, so this is fine.
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# Appears to be the stock Debian default; with no NIS configured, netgroup lookups simply return nothing.
netgroup: nis
root@nas02:/etc/samba# net ads join -S DC1.MY.DOMAIN.COM -U domain_admin@my.domain.com
Enter domain_admin@my.domain.com's password:
Using short domain name -- MY
Joined 'NAS02' to dns domain 'MY.DOMAIN.COM'
service smbd restart; service nmbd restart; service winbind restart
root@nas02:/etc/samba# wbinfo -u
domain_admin
guest
krbtgt
svc.sql
svc.tfs
nas_admin
root@nas02:/etc/samba# wbinfo -g
winrmremotewmiusers__
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
cloneable domain controllers
protected users
dnsadmins
dnsupdateproxy
domain local admins
wss_admin_wpg
wss_wpg
netmon users
root@nas02:/etc/samba# wbinfo -i domain_admin
domain_admin:*:10500:10513:domain_admin:/home/domain_admin:/sbin/bash
root@nas02:/etc/samba# getent passwd
....
....
domain_admin:*:10500:10513:domain_admin:/home/domain_admin:/sbin/bash
....
....
root@nas02:/etc/samba# getent group
root:x:0:
daemon:x:1:
bin:x:2:
....
sambashare:x:114:
winbindd_priv:x:115:
winrmremotewmiusers__:x:11000:
domain computers:x:10515:
domain controllers:x:10516:
schema admins:x:10518:
enterprise admins:x:10519:
....
domain admins:x:10512:
domain users:x:10513:
domain guests:x:10514:
....
root@nas02:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Demo]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
mkdir -p /srv/samba/Demo/
root@nas02:/etc/samba# chmod g=rwx /srv/samba/Demo/
root@nas02:/etc/samba# chgrp "Domain Admins" /srv/samba/Demo/
# [Demo] as posted. There is no `valid users`/`write list`, so who may read or write is decided purely by
# the directory's mode bits and its NT ACL. After the mkdir/chmod/chgrp above, the group "Domain Admins"
# has rwx and — assuming the usual 022 umask — everyone else can still list and traverse the directory.
# Because permissions were also edited from Windows, inspect the stored NT ACL with
# `samba-tool ntacl get /srv/samba/Demo` when tracking down the "access denied".
[Demo]
path = /srv/samba/Demo/
# Writes are allowed at the share level; the filesystem/NT ACL is the only remaining control.
read only = no
root@nas02:/etc/samba# smbcontrol all reload-config
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED