I'm having a problem with Netatalk and Active Directory. I can't log in with an Active Directory user. I already have Samba working with the AD join, and I get all the data from AD with wbinfo -u and wbinfo -g. getent passwd shows me all the users, but I don't get the AD groups with getent group.
Well, I don't know whether that is a problem, since I only want to use users, not groups.
I have tested Samba itself, and I can connect to a Samba share with an Active Directory username.
At the moment it seems to work "partially". If I try to connect to an AFP volume with a known Active Directory user, I see the following entries in the Netatalk log. It is the same whether I enter the correct or the wrong password:
Aug 10 08:48:37.908651 afpd[34123] {afp_dsi.c:624} (debug:AFPDaemon): <== Start AFP command: AFP_LOGINCONT
Aug 10 08:48:37.919318 afpd[34123] {uams_dhx2_pam.c:214} (info:UAMS): PAM DHX2: PAM Success
Aug 10 08:48:40.121785 afpd[34123] {uams_dhx2_pam.c:666} (info:UAMS): DHX2: PAM_Error: Authentication failure
Aug 10 08:48:40.121848 afpd[34123] {dsi_cmdreply.c:24} (debug:DSI): dsi_cmdreply(DSI ID: 4, len: 0): START
Aug 10 08:48:40.121883 afpd[34123] {dsi_stream.c:530} (maxdebug:DSI): dsi_stream_send(0 bytes): START
If I enter an invalid user, I get a different error:
Aug 10 08:55:16.416783 afpd[34205] {afp_dsi.c:624} (debug:AFPDaemon): <== Start AFP command: AFP_LOGIN_EXT
Aug 10 08:55:18.830640 afpd[34205] {uams_dhx2_pam.c:324} (info:UAMS): DHX2: unknown username
Aug 10 08:55:18.830711 afpd[34205] {dsi_cmdreply.c:24} (debug:DSI): dsi_cmdreply(DSI ID: 2, len: 0): START
Aug 10 08:55:18.830732 afpd[34205] {dsi_stream.c:530} (maxdebug:DSI): dsi_stream_send(0 bytes): START
Aug 10 08:55:18.830745 afpd[34205] {dsi_stream.c:538} (maxdebug:DSI): dsi_stream_send(16 bytes): DSI header, no data
Aug 10 08:55:18.830762 afpd[34205] {dsi_stream.c:281} (maxdebug:DSI): dsi_stream_write(send: 16 bytes): START
I also looked at the logs from Samba/winbind, and it seems there is only a query when the user is unknown. If I am a valid user, the logs in Samba and winbind remain quiet.
I'm also wondering why the Kerberos module uam_gss.so doesn't seem to work either:
Aug 10 09:34:09.480536 afpd[45001] {auth.c:1011} (debug:AFPDaemon): auth_load: /usr/local/lib/netatalk//, uam_gss.so,uams_dhx.so,uams_dhx2.so
Aug 10 09:34:09.480562 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uam_gss.so)
Aug 10 09:34:09.480577 afpd[45001] {auth.c:1037} (info:AFPDaemon): uam: uam not found (status=-1)
Aug 10 09:34:09.480585 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uams_dhx.so)
Aug 10 09:34:09.518932 afpd[45001] {auth.c:1032} (debug:AFPDaemon): uam: uams_dhx.so loaded
Aug 10 09:34:09.518975 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uams_dhx2.so)
Aug 10 09:34:09.519205 afpd[45001] {uams_dhx2_pam.c:934} (debug:UAMS): DHX2: generating mersenne primes
Aug 10 09:34:09.712308 afpd[45001] {auth.c:1032} (debug:AFPDaemon): uam: uams_dhx2.so loaded
I have spent several days searching but can't find any solution. I have found various approaches, but none of them worked for me. For example, from Netatalk officially: http://netatalk.sourceforge.net/wiki/index.php/How-To_authenticate_to_an_NT_domain
Maybe it would work with Kerberos, but I couldn't get the module to work...
Here is some background information:
I'm using Ubuntu 16.04 on a DELL R420. The Active Directory is based on a Windows Server 2012 R2 environment. I'm using Samba version 4.3.9-Ubuntu and winbind 2:4.3.9+dfsg-0ubuntu0.16.04.2.
I compiled the latest Netatalk version 3.1.9 with all features. I compiled with the following line:
./configure --with-init-style=debian-systemd \
--with-cracklib --enable-pgp-uam --enable-krbV-uam \
--with-pam-confdir=/etc/pam.d \
--with-dbus-sysconf-dir=/etc/dbus-1/system.d \
--with-tracker-pkgconfig-version=1.0
Compilation summary:
CPPFLAGS = -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)
CFLAGS = -D_U_="__attribute__((unused))" -g -O2
LIBS = -lcrack
PTHREADS:
LIBS =
CFLAGS = -pthread
TRACKER:
LIBS = -ltracker-sparql-1.0 -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0
CFLAGS = -pthread -I/usr/include/tracker-1.0 -I/usr/include/tracker-1.0/libtracker-sparql -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
SSL:
LIBS = -L/usr/lib64 -lcrypto
CFLAGS = -I/usr/include/openssl
LIBGCRYPT:
LIBS = -lgcrypt
CFLAGS =
PAM:
LIBS = -lpam
CFLAGS =
WRAP:
LIBS = -lwrap
CFLAGS =
BDB:
LIBS = -L/usr/lib64 -ldb-5.3
CFLAGS =
GSSAPI:
LIBS = -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -Wl,-z,relro -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
CFLAGS = -isystem /usr/include/mit-krb5
ZEROCONF:
LIBS = -lavahi-common -lavahi-client
CFLAGS = -D_REENTRANT
LDAP:
LIBS = -lldap
CFLAGS =
LIBEVENT:
bundled
TDB:
bundled
MySQL:
LIBS = -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -ldl
CFLAGS = -I/usr/include/mysql -fabi-version=2 -fno-omit-frame-pointer
Configure summary:
INIT STYLE:
debian-systemd
AFP:
Extended Attributes: ad | sys
ACL support: yes
Spotlight: yes
CNID:
backends: dbd last tdb mysql
UAMS:
DHX (PAM SHADOW)
DHX2 (PAM SHADOW)
RANDNUM (afppasswd)
Kerberos V
PGP
clrtxt (PAM SHADOW)
guest
Options:
Zeroconf support: yes
tcp wrapper support: yes
quota support: yes
valid shell check: yes
cracklib support: yes
ACL support: auto
Kerberos support: yes
LDAP support: yes
AFP stats via dbus: yes
dtrace probes: yes
Paths:
Netatalk lockfile: /var/lock/netatalk
init directory: /lib/systemd/system
dbus system directory: /etc/dbus-1/system.d
dbus daemon path: /bin/dbus-daemon
tracker prefix: /usr
tracker install prefix: /usr
tracker manager: /usr/bin/tracker daemon
pam config directory: /etc/pam.d
Documentation:
Docbook: no
This is my Netatalk configuration:
[Global]
k5 keytab = /etc/krb5.keytab
uam list = uam_gss.so,uams_dhx.so,uams_dhx2.so
nt domain = AD.DOMAIN.LOCAL
ad domain = AD.DOMAIN.LOCAL
map acls = rights
ldap server = ad.domain.local
ldap auth method = simple
ldap auth dn = CN=ldapinfo,OU=IT,OU=Services,OU=Intern,DC=ad,DC=domain,DC=local
ldap auth pw = ************
ldap userbase = OU=Staff,OU=company,DC=ad,DC=domain,DC=local
ldap userscope = sub
ldap groupbase = OU=Groups,OU=company,DC=ad,DC=domain,DC=local
ldap groupscope = sub
ldap uuid attr = objectGUID
ldap name attr = sAMAccountName
ldap group attr = cn
; Global server settings
hostname = TimeMachine.domain.local
vol preset = default_for_all
log file = /var/log/netatalk.log
log level = default:maxdebug
save password = no
afpstats = yes
[default_for_all]
file perm = 0664
directory perm = 0774
cnid scheme = dbd
; Uncomment the following line to restrict access to specific users
; valid users = someuser
# [Homes]
# basedir regex = /storage/timemachine
# time machine = yes
# vol size limit = 102400
#
# Config for time machine users
include = /usr/local/etc/afp_users.conf
afp_users.conf
[test1]
name = Timemachine
time machine = yes
vol size limit = 102400
path = /storage/timemachine/test1
valid users = test1
/etc/pam.d/netatalk
#%PAM-1.0
# Following lines don't work
#auth required pam_winbind.so
#account required pam_winbind.so
#session required pam_unix.so
auth include common-auth
account include common-account
password include common-password
session include common-session
Samba configuration:
#======================= Global Settings =======================
[global]
netbios name = CLIENT1
workgroup = DOMAIN
security = ADS
realm = AD.DOMAIN.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-50000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 50001 - 99999
idmap config SAMDOM:schema_mode = rfc2307
winbind nss info = rfc2307
#passdb backend = pam
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = Yes
obey pam restrictions = no
template homedir = /storage/timemachine/%U
template shell = /bin/bash
#encrypt passwords = no
hide dot files = no
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
log level = 10
# ####### Authentication #######
# server role = standalone server
# passdb backend = tdbsam
# obey pam restrictions = yes
# unix password sync = yes
#
# passwd program = /usr/bin/passwd %u
# passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
#
# pam password change = yes
# map to guest = bad user
#
# ########## Domains ###########
[TEST]
path = /storage/test
valid users = testuser
read only = no
create mask = 0666
directory mask = 0777
acl map full control = True
force user = nobody
force group = nogroup
guest ok = yes
If anyone has an idea, I would be glad. Thanks
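An added check, written for this page and not part of the original post, for the two things the auth_load log lines above point at. First, afpd reports "uam not found" for uam_gss.so while the uams_dhx.so and uams_dhx2.so entries load; the Kerberos V UAM that Netatalk's build installs is named uams_gss.so, so the helper below lists every "uam list" entry that has no file in the UAM directory. Second, the Kerberos UAM reads the keytab named by "k5 keytab" and looks for a service principal of the form <k5 service>/<host>@REALM, where "k5 service" defaults to afpserver; the second helper filters a klist -k listing for such principals. The UAM directory, the hostname timemachine.domain.local and both klist listings below are constructed sample data, not output from the poster's server.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks for the Netatalk
# Kerberos UAM: module names in "uam list" and the service principal in the keytab.
# The UAM directory, service name and the sample data below are assumptions.

# Print each entry of a Netatalk "uam list" value (space- or comma-separated)
# that has no matching file in the given UAM directory. Nothing printed = all ok.
missing_uams() {
    dir=$1
    list=$2
    printf '%s\n' "$list" | tr ', ' '\n\n' | while read -r uam; do
        [ -n "$uam" ] || continue
        [ -e "$dir/$uam" ] || printf '%s\n' "$uam"
    done
}

# Read the output of `klist -k <keytab>` on stdin and print the principals that
# start with <service>/, i.e. the ones the Kerberos UAM ("k5 service", default
# afpserver) can use. Nothing printed = no usable service principal in the keytab.
service_principals() {
    service=$1
    # klist -k lines look like:  "   3 afpserver/host.domain.local@AD.DOMAIN.LOCAL"
    awk -v svc="$service" '$2 ~ ("^" svc "/") { print $2 }' | sort -u
}

# --- Demonstration on constructed data mirroring the posted afp.conf and log ---
demo_dir=$(mktemp -d)
touch "$demo_dir/uams_dhx.so" "$demo_dir/uams_dhx2.so" "$demo_dir/uams_gss.so"
echo "missing from the uam list as posted:"
missing_uams "$demo_dir" "uam_gss.so,uams_dhx.so,uams_dhx2.so"    # uam_gss.so
echo "missing from a uam list that uses the uams_ prefix throughout:"
missing_uams "$demo_dir" "uams_gss.so uams_dhx.so uams_dhx2.so"    # (nothing)
rm -r "$demo_dir"

# Constructed `klist -k /etc/krb5.keytab` output for a host joined with Samba
# (host/ and machine-account entries only, no afpserver/ entry).
SAMPLE_KLIST_NO_AFP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/timemachine.domain.local@AD.DOMAIN.LOCAL
   3 host/TIMEMACHINE@AD.DOMAIN.LOCAL
   3 TIMEMACHINE$@AD.DOMAIN.LOCAL'

# Constructed listing that also carries the principal the Kerberos UAM needs.
SAMPLE_KLIST_WITH_AFP="$SAMPLE_KLIST_NO_AFP
   3 afpserver/timemachine.domain.local@AD.DOMAIN.LOCAL"

echo "afpserver principals in the first listing:"
printf '%s\n' "$SAMPLE_KLIST_NO_AFP" | service_principals afpserver      # (nothing)
echo "afpserver principals in the second listing:"
printf '%s\n' "$SAMPLE_KLIST_WITH_AFP" | service_principals afpserver    # afpserver/timemachine.domain.local@AD.DOMAIN.LOCAL
```

On the server itself the same two helpers would be run as `missing_uams /usr/local/lib/netatalk "uam_gss.so,uams_dhx.so,uams_dhx2.so"` (the "uam list" value from the posted afp.conf) and `klist -k /etc/krb5.keytab | service_principals afpserver`; the path and keytab location are taken from the posted configure output and afp.conf, and what the real keytab contains is not shown on this page.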