My main goal is to set up a Samba server that users can connect to with their Active Directory credentials. In addition, local Linux users on the Samba server must be able to authenticate.
First I tried to configure the Samba server to authenticate users against Active Directory, but I couldn't figure out how to do it.
The Samba server is version 4.2.10 running on CentOS 7. My Samba configuration looks like this:
/etc/samba/smb.conf
[global]
    workgroup = AD
    netbios name = clients-hostname
    max log size = 50
    log level = 3
    log file = /var/log/samba3/log.%m
    map untrusted to domain = Yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind refresh tickets = yes
    os level = 20
    winbind enum groups = yes
    realm = AD.COMPANY.CPOM
    security = ads
    auth methods = winbind
    passdb backend = tdbsam
    client use spnego = yes
    client ntlmv2 auth = yes

[aShare]
    available = yes
    path = /aShare
    browseable = yes
    writeable = yes
    #read only = no
    #inherit acls = yes
    #inherit permissions = yes
    create mask = 0777
    directory mask = 0777
    valid users = @"domain users@AD",localUser
The Kerberos configuration looks like this:
/etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = AD.COMPANY.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    AD.COMPANY.COM = {
        kdc = DC.AD.COMPANY.COM
        kpasswd_server = DC.AD.COMPANY.COM
        admin_server = DC.AD.COMPANY.COM
        default_domain = AD.COMPANY.COM
    }

[domain_realm]
    .ad.company.com = AD.COMPANY.COM
    ad.company.com = IN.ITM-CONSULTING.DE
The Samba server exists in Active Directory and I have a Kerberos ticket. wbinfo -u lists all the users in Active Directory. What I noticed is that it used to list the users with the AD\ prefix; now they no longer have that prefix.
The main problem is that I cannot connect to the shares with an Active Directory user:
$ smbclient -L //10.0.0.2 -U aduser -W AD
Enter aduser's password:
session setup failed: NT_STATUS_LOGON_FAILURE
The logs show this: /var/log/samba3/log.10.0.0.2 [<- the IP of the local machine]
[2016/07/26 13:00:28.408563, 3] ../source3/smbd/oplock.c:1307(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/26 13:00:28.408626, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 194 (0 toread)
[2016/07/26 13:00:28.408646, 3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 9538) conn 0x0
[2016/07/26 13:00:28.409162, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2016/07/26 13:00:28.409177, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2016/07/26 13:00:28.409183, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2016/07/26 13:00:28.409188, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LANMAN1.0]
[2016/07/26 13:00:28.409192, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LM1.2X002]
[2016/07/26 13:00:28.409197, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [DOS LANMAN2.1]
[2016/07/26 13:00:28.409202, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LANMAN2.1]
[2016/07/26 13:00:28.409207, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [Samba]
[2016/07/26 13:00:28.409211, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LANMAN 1.0]
[2016/07/26 13:00:28.409216, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/07/26 13:00:28.651581, 3] ../source3/smbd/negprot.c:395(reply_nt1)
  using SPNEGO
[2016/07/26 13:00:28.651628, 3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol NT LANMAN 1.0
[2016/07/26 13:00:28.652715, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 1 of length 160 (0 toread)
[2016/07/26 13:00:28.652741, 3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBsesssetupX (pid 9538) conn 0x0
[2016/07/26 13:00:28.652762, 3] ../source3/smbd/sesssetup.c:614(reply_sesssetup_and_X)
  wct=12 flg2=0xc843
[2016/07/26 13:00:28.652774, 3] ../source3/smbd/sesssetup.c:144(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2016/07/26 13:00:28.652782, 3] ../source3/smbd/sesssetup.c:185(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2016/07/26 13:00:28.653003, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/07/26 13:00:28.653391, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 2 of length 528 (0 toread)
[2016/07/26 13:00:28.653410, 3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBsesssetupX (pid 9538) conn 0x0
[2016/07/26 13:00:28.653432, 3] ../source3/smbd/sesssetup.c:614(reply_sesssetup_and_X)
  wct=12 flg2=0xc843
[2016/07/26 13:00:28.653438, 3] ../source3/smbd/sesssetup.c:144(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2016/07/26 13:00:28.653445, 3] ../source3/smbd/sesssetup.c:185(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2016/07/26 13:00:28.653466, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[aduser] domain=[AD] workstation=[clients-hostname] len1=24 len2=238
[2016/07/26 13:00:28.653518, 3] ../source3/param/loadparm.c:3653(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/26 13:00:28.653570, 3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/26 13:00:28.653637, 3] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[global]"
[2016/07/26 13:00:28.653758, 2] ../source3/param/loadparm.c:2613(lp_do_section)
  Processing section "[aShare]"
[2016/07/26 13:00:28.653826, 3] ../source3/param/loadparm.c:1493(lp_add_ipc)
  adding IPC service
[2016/07/26 13:00:28.654335, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [AD]\[aduser]@[clients-hostname] with the new password interface
[2016/07/26 13:00:28.654350, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [AD]\[aduser]@[clients-hostname]
[2016/07/26 13:00:28.657067, 3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user AD\aduser via getpwnam(), denying access.
[2016/07/26 13:00:28.657091, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [aduser] -> [aduser] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/26 13:00:28.657104, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/26 13:00:28.657139, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(269) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2016/07/26 13:00:28.660840, 3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (failed to receive smb request)
How can I let users log in to Samba with their Active Directory credentials?
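The step that fails in the log above is not the password check but smbd's getpwnam() lookup of AD\aduser, which goes through NSS and winbind rather than through the Kerberos ticket. On a Samba 4.x domain member two things commonly cause exactly that NT_STATUS_NO_SUCH_USER: /etc/nsswitch.conf not listing winbind for passwd and group, and smb.conf carrying no idmap config entries, so winbind has no UID range to map AD users into. The script below is an added example, not part of the original question or of Samba; it checks both conditions against constructed sample nsswitch.conf and smb.conf fragments embedded inline (the idmap ranges and the sss entries are assumptions for illustration) and extracts the failing user from the posted log line. The same two checks, run against the real files, are what an administrator would do before touching anything else.

```shell
#!/bin/sh
# Added example: validate the NSS and idmap prerequisites for a Samba AD
# member. All inputs below are constructed samples, not the poster's files.

NSSWITCH_BROKEN='passwd:     files sss
shadow:     files sss
group:      files sss'

NSSWITCH_OK='passwd:     files winbind
shadow:     files
group:      files winbind'

# smb.conf [global] with no idmap ranges (assumed to mirror the question).
SMB_NO_IDMAP='[global]
workgroup = AD
realm = AD.COMPANY.COM
security = ads
winbind use default domain = yes'

# Same fragment with a default backend plus a per-domain backend and range
# (the ranges are illustrative; pick ones that do not collide with local UIDs).
SMB_WITH_IDMAP='[global]
workgroup = AD
realm = AD.COMPANY.COM
security = ads
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AD : backend = rid
idmap config AD : range = 10000-999999'

# One line lifted from the posted smbd log (level 3) to drive the extractor.
LOG_SAMPLE='[2016/07/26 13:00:28.657067, 3] ../source3/auth/auth_util.c:1229(check_account) Failed to find authenticated user AD\aduser via getpwnam(), denying access.'

# Return 0 if both passwd and group databases list winbind, 1 otherwise.
# Commented-out lines are ignored because the pattern is anchored at the
# database name.
nss_uses_winbind() {
  conf="$1"
  for db in passwd group; do
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|\$)" || return 1
  done
  return 0
}

# Return 0 if smb.conf defines backend and range both for the default domain
# '*' and for the named workgroup, 1 otherwise. Without these winbind cannot
# allocate a UID, and smbd's getpwnam() fails with NT_STATUS_NO_SUCH_USER.
smb_has_idmap() {
  conf="$1"; dom="$2"
  for key in '\*' "$dom"; do
    for param in backend range; do
      printf '%s\n' "$conf" | grep -Eiq "^[[:space:]]*idmap config[[:space:]]*${key}[[:space:]]*:[[:space:]]*${param}[[:space:]]*=" || return 1
    done
  done
  return 0
}

# Print every DOMAIN\user that smbd could not resolve via getpwnam().
getpwnam_failures() {
  printf '%s\n' "$1" | sed -n 's/.*Failed to find authenticated user \(.*\) via getpwnam().*/\1/p'
}

# Combined verdict: reports what is missing, returns 0 only if both pass.
check_ad_member() {
  nss="$1"; smb="$2"; dom="$3"; rc=0
  nss_uses_winbind "$nss" || { echo "nsswitch.conf: passwd/group do not list winbind"; rc=1; }
  smb_has_idmap "$smb" "$dom" || { echo "smb.conf: missing idmap config backend/range for '*' or '$dom'"; rc=1; }
  return $rc
}

echo "user(s) smbd failed to resolve: $(getpwnam_failures "$LOG_SAMPLE")"
check_ad_member "$NSSWITCH_BROKEN" "$SMB_NO_IDMAP" AD || echo "-> broken sample rejected"
check_ad_member "$NSSWITCH_OK" "$SMB_WITH_IDMAP" AD && echo "-> fixed sample accepted"
```

To run the same checks on a live host, feed the real files in with `check_ad_member "$(cat /etc/nsswitch.conf)" "$(cat /etc/samba/smb.conf)" AD`, then confirm with `getent passwd aduser`: that is the same NSS lookup smbd performs, so if getent returns nothing, smbd will keep denying the session. Note that `winbind use default domain = yes` is also why `wbinfo -u` stopped printing the AD\ prefix; it is not a symptom of the failure.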