AD authentication with SAMBA, Winbind and SSS

I am having problems authenticating against AD on a SAMBA share on a Linux server.

Authentication appears to be working, but only halfway...

[root@myserver ~]# wbinfo -a my_ad_user%password123
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@myserver ~]# wbinfo -i my_ad_user
Could not get info for user my_ad_user << weird
[root@myserver ~]# getent passwd my_ad_user
my_ad_user:*:1256023472:1256023469:my name:/:
[root@myserver ~]# 

It's strange because everything seems to be working correctly except the output of wbinfo -i <any_ad_user_name>. Other wbinfo queries seem to work fine.

Checking the trust also works:

[root@myserver ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded

Samba authentication fails (why is cifs listed like this, cifs/[email protected]?):

[root@myserver ~]# smbclient //localhost/MySharedFolder -d 3 -U my_ad_user%password123
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.2.3.7 bcast=10.2.3.255 netmask=255.255.255.0
Client started (version 3.5.22).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/[email protected]
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[CLIENTSERVER] OS=[Unix] Server=[Samba 3.5.22]
tree connect failed: NT_STATUS_ACCESS_DENIED

The keytab material looks OK:

[root@myserver ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected] (des-cbc-crc) 
   2 host/[email protected] (des-cbc-md5) 
   2 host/[email protected] (arcfour-hmac) 
   2 host/[email protected] (des-cbc-crc) 
   2 host/[email protected] (des-cbc-md5) 
   2 host/[email protected] (arcfour-hmac) 
   2 [email protected] (des-cbc-crc) 
   2 [email protected] (des-cbc-md5) 
   2 [email protected] (arcfour-hmac) 
   3 host/[email protected] (des-cbc-crc) 
   3 host/[email protected] (des-cbc-md5) 
   3 host/[email protected] (arcfour-hmac) 
   3 host/[email protected] (des-cbc-crc) 
   3 host/[email protected] (des-cbc-md5) 
   3 host/[email protected] (arcfour-hmac) 
   3 [email protected] (des-cbc-crc) 
   3 [email protected] (des-cbc-md5) 
   3 [email protected] (arcfour-hmac)

Samba configuration from smb.conf:

[root@myserver ~]# cat /etc/samba/smb.conf
[global]
   workgroup = MYDOMAIN
   password server = WCR-LUCDC01.MYDOMAIN.COM
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   realm = MYDOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nss info = rfc2307
   encrypt passwords = yes
   #idmap domains = MYDOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap config MYDOMAIN : cache time = 1800
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 16777216-33554431
   idmap confg MYDOMAIN : schema_mode = rfc2307
   idmap backend = tbd
   log level = 3
   max log size = 50
[MySharedFolder]
    comment = My Share
    path = /opt/MySharedFolder
    browsable = yes
    writable = yes
    valid users = @GROUP1, @"GROUP2"
    
by 에이바 21.10.2014 / 20:01

0 answers
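
An added example, not part of the original post: a consistency check over the idmap settings and the getent line shown in the question. It reports keys set twice, idmap keys or backend names it does not recognise, and whether the UID that NSS returned falls inside any configured idmap range. The helper names and the accepted key and backend lists are assumptions of this example (a subset of smb.conf(5)); Samba's own `testparm` is the authoritative parser.

```python
import re

# Constructed sample: idmap lines and the getent line copied from the post above.
# Line numbers in findings refer to this sample, not to the original file.
SMB_CONF = """[global]
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 16777216-33554431
   idmap confg MYDOMAIN : schema_mode = rfc2307
   idmap backend = tbd
"""
GETENT = "my_ad_user:*:1256023472:1256023469:my name:/:"

# Assumption: subsets of the idmap key shapes and backend names in smb.conf(5).
KNOWN_KEY = re.compile(r"idmap (uid|gid|backend|config \S+ : \S.*)$")
BACKENDS = {"tdb", "tdb2", "ldap", "rid", "ad", "hash", "nss"}

def idmap_settings(text):
    # Yield (lineno, key, value); keys are lower-cased with whitespace collapsed.
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = " ".join(key.lower().split())
        if key.startswith("idmap"):
            yield n, key, value

def lint(conf, getent_line):
    findings, seen = [], {}
    for n, key, value in idmap_settings(conf):
        if not KNOWN_KEY.match(key):
            findings.append(f"line {n}: unrecognised key '{key}'")
            continue
        if key.endswith("backend") and value.split(":")[0] not in BACKENDS:
            findings.append(f"line {n}: unknown backend '{value}'")
        if key in seen and seen[key][1] != value:
            findings.append(f"line {n}: '{key}' replaces line {seen[key][0]}")
        seen[key] = (n, value)
    # Ranges that apply to UIDs: the global "idmap uid" and per-domain ranges.
    spans = [re.fullmatch(r"(\d+)\s*-\s*(\d+)", v) for k, (_, v) in seen.items()
             if k == "idmap uid" or k.endswith(": range")]
    uid = int(getent_line.split(":")[2])
    if not any(m and int(m[1]) <= uid <= int(m[2]) for m in spans):
        findings.append(f"uid {uid} is outside every configured idmap range")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SMB_CONF, GETENT)))
```
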