
Need to manually `kinit` a user ticket before PAM can mount an SMB home directory at login

Ubuntu 14.04 file server
Ubuntu 14 Active Directory (AD) server running Samba 4
Ubuntu 18 client (fresh install)

I have set up the Ubuntu users' home directories to be mounted via PAM and SMB/CIFS.

The test directory mounts via CIFS manually, but not when PAM is invoked at login. Error -13 seems to indicate a permissions error, but adding specific permissions to the file does not help. Besides, the permissions should come from the AD user who logged in (so no password is requested).

APT

libmount1/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
libpam-mount/bionic-updates,now 2.16-3ubuntu0.1 amd64 [installed]
mount/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
cifs-utils/bionic,now 2:6.8-1 amd64 [installed]
libsmbclient/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]
python-samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-common/bionic-updates,bionic-updates,bionic-security,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all [installed,automatic]
samba-common-bin/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-dsdb-modules/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-libs/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />

<!-- Volume definitions -->
<volume fstype="cifs"
        path="//SMB-Server.SAMBA-AD.de/testshare"
        mountpoint="/mnt/AD-User"
        options="user=AD-User,domain=SAMBA-AD,exec,vers=3.0"
        gid="1234"/>

<!-- pam_mount parameters: General tunables -->

<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />

<mkmountpoint enable="1" remove="true" />
</pam_mount>

/etc/pam.d/common-auth

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional        pam_mount.so 
auth    optional                        pam_cap.so 
auth    optional  pam_mount.so
# end of pam-auth-update config

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so 
session optional                        pam_winbind.so 
session optional        pam_mount.so 
session optional        pam_systemd.so 
session  optional  pam_mount.so
# end of pam-auth-update config

Manual mount

root@logToComputerName:/#mount -t cifs -o rw,user=AD-User,domain=SAMBA-AD  \\\\SMB-Server\\testshare /mnt/AD-User
Password for AD-User@\SMB-Server\testshare:  ********

root@logToComputerName:/# df -h 
Filesystem                                       Size  Used Avail Use% Mounted on
udev                                             7,9G     0  7,9G   0% /dev
tmpfs                                            1,6G  2,9M  1,6G   1% /run
/dev/sda1                                        458G   29G  406G   7% /
(...snip...)
\\SMB-Server\testshare                                23T     0   23T   0% /mnt/AD-User

PAM mount

AD-User@localTerm:~$ ssh AD-User@logToComputerName
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-20-generic x86_64)
(...snip...)
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Tue May 28 14:42:45 2019 from xxx.xxx.x8.149
AD-User@logToComputerName:~$ df -h 
Filesystem                                       Size  Used Avail Use% Mounted on
udev                                             7,9G     0  7,9G   0% /dev
tmpfs                                            1,6G  2,9M  1,6G   1% /run
/dev/sda1                                        458G   29G  406G   7% /
(...snip...)
(No mount)

/var/log/syslog (from the failed PAM mount at login)

May 28 14:51:56 logToComputerName kernel: [14958.849509] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:56 logToComputerName kernel: [14958.849518] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:56 logToComputerName kernel: [14958.849527] CIFS VFS: cifs_mount failed w/return code = -13
May 28 14:51:56 logToComputerName systemd[1]: Created slice User Slice of AD-User.
May 28 14:51:56 logToComputerName systemd[1]: Starting User Manager for UID 123456...
May 28 14:51:56 logToComputerName systemd[1]: Started Session 59 of user AD-User.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG network certificate management daemon.
May 28 14:51:57 logToComputerName systemd[16601]: Started Pending report trigger for Ubuntu Report.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Paths.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Timers.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache.
May 28 14:51:57 logToComputerName systemd[16601]: Starting D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Sockets.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Basic System.
May 28 14:51:57 logToComputerName systemd[1]: Started User Manager for UID 123456.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Default.
May 28 14:51:57 logToComputerName systemd[16601]: Startup finished in 504ms.
May 28 14:51:57 logToComputerName kernel: [14959.422369] FS-Cache: Duplicate cookie detected
May 28 14:51:57 logToComputerName kernel: [14959.422376] FS-Cache: O-cookie c=00000000439a062a [p=00000000aec79842 fl=222 nc=1 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422378] FS-Cache: O-cookie d=00000000ddea9b97 n=000000000ee78c37
May 28 14:51:57 logToComputerName kernel: [14959.422381] FS-Cache: O-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.422389] FS-Cache: N-cookie c=000000005644be78 [p=00000000aec79842 fl=2 nc=0 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422392] FS-Cache: N-cookie d=00000000ddea9b97 n=00000000c3c538f7
May 28 14:51:57 logToComputerName kernel: [14959.422393] FS-Cache: N-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.485780] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:57 logToComputerName kernel: [14959.485788] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:57 logToComputerName kernel: [14959.485798] CIFS VFS: cifs_mount failed w/return code = -13

==============
=== UPDATE ===
==============

I changed the volume in pam_mount.conf.xml to ...

<volume
    fstype="cifs"
    user="*"
    path="testshare"
    server="SMB-Server.SAMBA-AD.de"
    mountpoint="/mnt/AD-User"
    options="credentials=/etc/creds,exec"
/>

... with the /etc/creds file containing ...

username=AD-User
domain=SAMBA-AD
password=*********

... and it mounts as required for the AD-User user. However, if I change it to ...

<volume
    fstype="cifs"
    user="*"
    path="testshare"
    server="SMB-Server.SAMBA-AD.de"
    mountpoint="/mnt/AD-User"
    options="sec=krb5,exec"
/>

... to try to mount it using the existing Active Directory credentials, it fails with the following error. I cannot find a solution to this problem.

Jun  3 14:08:07 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun  3 14:08:07 logToComputerName cifs.upcall: get_tgt_time: unable to get principal
Jun  3 14:08:07 logToComputerName cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun  3 14:08:07 logToComputerName cifs.upcall: Exit status 1
Jun  3 14:08:07 logToComputerName kernel: [39762.177414] CIFS VFS: Send error in SessSetup = -126
Jun  3 14:08:07 logToComputerName kernel: [39762.177429] CIFS VFS: cifs_mount failed w/return code = -126

HOWEVER, if I manually run kinit as root on the client machine and then log in to the client as AD-User in another window, it works.

root@logToComputerName:/etc/pam.d# kinit -l 10h -r 5d AD-User
Password for AD-User@SAMBA-AD.de: *********

root@logToComputerName:/etc/pam.d# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AD-User@SAMBA-AD.de

Valid starting       Expires              Service principal
03.06.2019 14:41:45  04.06.2019 00:41:40  krbtgt/SAMBA-AD.de@SAMBA-AD.de
    renew until 08.06.2019 14:41:40

From syslog

Jun  3 15:07:17 logToComputerName cifs.upcall: get_cachename_from_process_env: pid == 0
Jun  3 15:07:17 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun  3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: getting service ticket for SMB-Server.SAMBA-AD.de
Jun  3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: obtained service ticket
Jun  3 15:07:17 logToComputerName cifs.upcall: Exit status 0

Do I need to do something to set up the cache correctly on the client before users can use it?
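Added example (not from the original post): a POSIX shell triage helper that classifies the three cifs.upcall / CIFS VFS syslog patterns seen above (password session setup rejected with -13, sec=krb5 with no TGT in the ccache cifs.upcall consulted, and a service ticket obtained) and reports which credential cache cifs.upcall actually looked at, since the successful trace shows it reading root's FILE:/tmp/krb5cc_0 rather than the logging-in user's cache. The sample log lines are constructed from the output in the post; `has_valid_tgt` assumes `klist` from the MIT Kerberos client tools is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the cifs.upcall /
# CIFS VFS syslog lines from the three situations shown above, so a login
# mount failure can be triaged without re-reading the whole log.
# The sample log lines below are constructed from the post's own output.

SAMPLE_PASSWORD_FAIL='May 28 14:51:56 host kernel: [14958.849509] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:56 host kernel: [14958.849518] CIFS VFS: Send error in SessSetup = -13'

SAMPLE_NO_TGT='Jun  3 14:08:07 host cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun  3 14:08:07 host cifs.upcall: get_tgt_time: unable to get principal
Jun  3 14:08:07 host cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun  3 14:08:07 host kernel: [39762.177414] CIFS VFS: Send error in SessSetup = -126'

SAMPLE_OK='Jun  3 15:07:17 host cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun  3 15:07:17 host cifs.upcall: handle_krb5_mech: obtained service ticket
Jun  3 15:07:17 host cifs.upcall: Exit status 0'

# ccache_from_log LOGTEXT -> the ccache cifs.upcall reported, or "none"
ccache_from_log() {
    c=$(printf '%s\n' "$1" | sed -n 's/.*default ccache is \([^ ]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${c:-none}"
}

# classify_cifs_log LOGTEXT -> one verdict token, most specific match first
classify_cifs_log() {
    case "$1" in
        *"handle_krb5_mech: obtained service ticket"*)
            # Kerberos worked: cifs.upcall found a usable TGT in the reported ccache
            echo "ok:$(ccache_from_log "$1")" ;;
        *"get_tgt_time: unable to get principal"*)
            # sec=krb5, but the ccache cifs.upcall looked in held no TGT;
            # the keytab fallback then failed -> mount rc -126
            echo "no-tgt:$(ccache_from_log "$1")" ;;
        *"STATUS_LOGON_FAILURE"*)
            # password session setup rejected by the server -> mount rc -13
            echo "logon-failure" ;;
        *)  echo "unknown" ;;
    esac
}

# has_valid_tgt CCACHE -> exit 0 if that cache holds an unexpired TGT
# (klist -s is silent and only sets the exit status; assumes MIT klist)
has_valid_tgt() { klist -s -c "$1"; }

for s in "$SAMPLE_PASSWORD_FAIL" "$SAMPLE_NO_TGT" "$SAMPLE_OK"; do
    classify_cifs_log "$s"
done
```

To check the cache a login would actually use, run `has_valid_tgt FILE:/tmp/krb5cc_0` (root's default) and `has_valid_tgt FILE:/tmp/krb5cc_<uid>` (the user's) side by side after a PAM login.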