OpenLDAP 2.4.21服务器,包含~15个组和> 100个用户,所有服务器都具有存储在LDAP中的unix和samba密码,以及分配和存储在LDAP中的用户SID和主要组SID,这些服务器来自SID LDAP服务器.
现在我想使用几个samba服务器来使用LDAP服务器来验证用户.
samba服务器是使用ldap服务器配置NSS / PAM的linux. getent passwd / group返回所有用户,ssh到samba机器适用于所有用户.现在这是smb.conf:
[global] workgroup = XXXXX security = user passdb backend = ldapsam:ldap://myldapserver ldap suffix = dc=mydomain,dc=com ldap admin dn = cn=replicator,dc=mydomain,dc=com ldap user suffix = ou=users ldap group suffix = ou=groups ldap machine suffix = ou=computers ldap ssl = start tls
ldap连接正常工作,如pdbedit -L所示
pm_process() returned Yes smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))] StartTLS issued: using a TLS connection smbldap_open_connection: connection opened ldap_connect_system: successful connection to the LDAP server The LDAP server is successfully connected smbldap_search_paged: base => [dc=mydomain,dc=com],filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2],pagesize => [1024] smbldap_search_paged: search was successful sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
然后最后一条消息重复所有uid.
使用smbclient -L localhost -U someid日志文件说:
check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST] StartTLS issued: using a TLS connection smbldap_open_connection: connection opened ldap_connect_system: successful connection to the LDAP server The LDAP server is successfully connected init_sam_from_ldap: Entry found for user: someid Home server: SAMBAHOST Home server: SAMBAHOST init_group_from_ldap: Entry found for group: 1011 init_group_from_ldap: Entry found for group: 1011 Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group Forcing Primary Group to 'Domain Users' for someid ntlm_password_check: Checking NTLMv2 password with domain [CIN] sam_account_ok: Checking SMB password for user someid The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708) check_sam_security: make_server_info_sam() Failed with 'NT_STATUS_UNSUCCESSFUL' check_ntlm_password: Authentication for user [someid] -> [someid] Failed with error NT_STATUS_UNSUCCESSFUL
我在这里看到的是samba服务器无法识别用户的主要组(LDAP中的现有组),因此将主要组映射到其本地“Domain Users”组,然后显然与domainSID不匹配用户ID.
但是为什么samba服务器不能识别该组?或者是否存在不同的潜在问题?
到目前为止我尝试了什么:
将samba服务器的SID更改为LDAP服务器的SID,但net setlocalsid S -…未更改本地SID.没有错误消息,只是成功执行但getlocalsid返回旧的SID.
将samba服务器的domainsid设置为ldap服务器的SID. net setdomainsid S -…成功但samba服务器仍然拒绝对用户进行身份验证.
尝试使用net join XXX将服务器添加到域,但答案只是“独立服务器无法加入域”.
我试图运行smbpasswd -a将用户添加到本地samba数据库(即使这不是最终解决方案的选项,但这是其他用户推荐的),但错误没有改变.
如何告诉samba忽略域SID不匹配或强制samba与LDAP具有相同的SID?或者这会导致其他问题,如果~10 Samba Server和LDAP最终都具有完全相同的SID?
解决方法
[2015/12/03 14:39:19.753690,1] ../source3/auth/server_info.c:346(samu_to_SamInfo3) The primary group domain sid(S-1-5-21-748580849-194208185-3916830000-513) does not match the domain sid(S-1-5-21-2566626306-4294080665-3504248766) for someuser(S-1-5-21-2566626306-4294080665-3504248766-11678) [2015/12/03 14:39:19.753733,0] ../source3/auth/check_samsec.c:492(check_sam_security) check_sam_security: make_server_info_sam() Failed with 'NT_STATUS_UNSUCCESSFUL' [2015/12/03 14:39:19.753755,2] ../source3/auth/auth.c:288(auth_check_ntlm_password) check_ntlm_password: Authentication for user [someuser] -> [bbogaert] Failed with error NT_STATUS_UNSUCCESSFUL [2015/12/03 14:39:19.753777,2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg) SPNEGO login Failed: NT_STATUS_UNSUCCESSFUL
在您的服务器上运行net getdomainsid.这将返回localsid和domainsid.这些值应该匹配.如果它们不将net setdomainsid运行到本地计算机的SID值.
root@TheWiggle:~# net getdomainsid SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000 SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000
现在在LDAP服务器上获取域的SID值,并确保这是sambaDomainName = THISDOMAIN的sambaSID属性的值.
还要确保用户的sambaSID和sambaPrimaryGroupID,并且该组的sambaSID由域的SID和属性的唯一值组成.
例如,某些用户的sambaSID为S-1-5-21-748580849-194208185-3916830000-99999,他们的sambaPrimaryGroupID为S-1-5-21-748580849-194208185-3916830000-555.该组的sambaSID将是S-1-5-21-748580849-194208185-3916830000-77777
希望这可以帮助!!!
