Eu tive meu membro do domínio samba trabalhando há alguns dias, mas agora ele parou de atender aos usuários do domínio. Algumas das etapas que eu já tentei: limpar caches, reingressar ao domínio, reinicializar, pam-auth-update, com e sem "winbind use default domain = yes" e mais alguns.
Editar: é um domínio do Active Directory com DCs do servidor 2008
Algo mudou embora. Quando estava funcionando, "wbinfo -u" e "wbinfo -g" exibiam as contas como LONGNAME \ accoutname. Agora eles mostram apenas o nome da conta.
--- Edit2: isso parece não estar relacionado ao problema. Eu coloquei "workgroup = LONGNAME" acima de "realm = SHORTNAME.TLD" e agora wbinfo -u ou -g mostra as contas como antes: LONGNAME \ accountname.
O somelocaluser pode acessar os compartilhamentos. Quando um usuário de domínio tenta acessar o compartilhamento, obtenho:
[2018/04/24 13:34:49.422394, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [[email protected]]
[2018/04/24 13:34:49.423991, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username LONGNAME\user is invalid on this system
Alguém tem uma pista? Estou sem ideias.
Abaixo está minha configuração e alguma saída de solução de problemas.
Software: Ubuntu 16.04.4 LTS, Samba 4, krb5-config, krb5-usuário, winbind, libpam-winbind, libnss-winbind
Config: hostname é e. g. 'samba'
/etc/network/interfaces
auto ens18
iface ens18 inet static
address 10.10.*****
netmask 255.255.0.0
gateway 10.10.*****
dns-nameservers 172.17.*** 172.17.***
dns-search shortname.tld
A resolução de DNS funciona, mas eu coloco os servidores de nomes (e AD-DCs ao mesmo tempo) em hosts também / etc / hosts
127.0.0.1 localhost
172.17.*** DC1.shortname.tld
172.17.*** DC2.shortname.tld
O tempo de sincronização é externo, mas a mesma fonte dos DCs e a diferença é zero. Eu uso o timesyncd.
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = SHORTNAME.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
[realms]
SHORTNAME.TLD = {
kdc = dc1:88
admin_server = dc1:464
default_domain = SHORTNAME.TLD
}
[domain_realm]
.shortname.tld = SHORTNAME.TLD
shortname.tld = SHORTNAME.TLD
ping e kinit [email protected] estão trabalhando
klist-output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
24.04.2018 18:48:19 25.04.2018 01:28:09 krbtgt/[email protected]
net ads join -U [email protected]
Using short domain name -- LONGNAME
Joined 'SAMBA' to dns domain 'shortname.tld'
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Eu tenho um usuário local que precisa autenticar sem uma senha e, portanto, alterei o parâmetro nullok_secure para pam_unix.so para nullok nos arquivos pam-common. Além disso, mudei o parâmetro minimum_uid de 1000 para 10000 para pam_krb5.so nos arquivos pam-common.
net ads info
LDAP server: 172.17.***
LDAP server name: dc1.shortname.tld
Realm: SHORTNAME.TLD
Bind Path: dc=SHORTNAME,dc=TLD
LDAP port: 389
Server time: Di, 24 Apr 2018 19:11:11 CEST
KDC server: 172.17.***
Server time offset: 0
systemctl status winbind
● winbind.service - LSB: start Winbind daemon
Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
Active: active (running) since Di 2018-04-24 18:08:59 CEST; 1h 3min ago
Docs: man:systemd-sysv-generator(8)
Process: 1920 ExecStop=/etc/init.d/winbind stop (code=exited, status=0/SUCCESS)
Process: 2132 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)
Tasks: 8
Memory: 25.5M
CPU: 3.663s
CGroup: /system.slice/winbind.service
├─2147 /usr/sbin/winbindd
├─2148 /usr/sbin/winbindd
├─2154 /usr/sbin/winbindd
├─2159 /usr/sbin/winbindd
├─2161 /usr/sbin/winbindd
├─2167 /usr/sbin/winbindd
├─2502 /usr/sbin/winbindd
└─2503 /usr/sbin/winbindd
Apr 24 18:08:59 samba systemd[1]: Starting LSB: start Winbind daemon...
Apr 24 18:08:59 samba winbind[2132]: * Starting the Winbind daemon winbind
Apr 24 18:08:59 samba winbind[2132]: ...done.
Apr 24 18:08:59 samba winbindd[2147]: [2018/04/24 18:08:59.795374, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
Apr 24 18:08:59 samba winbindd[2147]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Apr 24 18:08:59 samba systemd[1]: Started LSB: start Winbind daemon.
Apr 24 18:08:59 samba winbindd[2147]: [2018/04/24 18:08:59.798362, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Apr 24 18:08:59 samba winbindd[2147]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
/etc/samba/smb.conf
[global]
realm = SHORTNAME.TLD
workgroup = LONGNAME
idmap config * : backend = tdb
idmap config * : range = 1000-9999
idmap config MICROCONSULT : backend = nss
idmap config MICROCONSULT : range = 10000-19999
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind expand groups = 5
winbind max domain connections = 10
template homedir = /dev/null
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
acl group control = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
vfs objects = acl_xattr
deadtime = 15
admin users = "@LONGNAME\linuxadminsgroup"
store dos attributes = yes
null passwords = yes
domain master = no
local master = no
preferred master = no
os level = 0
server string = %h server (Samba, Ubuntu)
wins server = 172.17.*** 172.17.***
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccess fully* .
pam password change = yes
map to guest = bad user
#======================= Share Definitions =======================
[ShareOne]
path = /smbshare/ShareOne
valid users = somelocaluser, @LONGNAME\linuxwriter
create mask = 570
directory mask = 570
writeable = no
write list = @LONGNAME\linuxwriter
[ShareTwo]
path = /smbshare/ShareTwo
valid users = somelocaluser, @LONGNAME\linuxwriter
create mask = 770
directory mask = 770
writeable = yes