I have a question about Netatalk and Active Directory. I cannot log in with an Active Directory user. I already have Samba working with the AD join, and with wbinfo -u and wbinfo -g I get all the data from AD. getent passwd shows me all the users, but I do not get the AD groups with getent group.
Well, I don't know whether that will be a problem, since I only want to use users, not groups.
I have tested Samba itself and I can connect to a Samba share with an Active Directory username.
At the moment it seems to work "partially". If I try to connect an AFP volume with a known Active Directory user, I see the following entries in the netatalk log. It is the same whether I enter a correct or a wrong password:
Aug 10 08:48:37.908651 afpd[34123] {afp_dsi.c:624} (debug:AFPDaemon): <== Start AFP command: AFP_LOGINCONT
Aug 10 08:48:37.919318 afpd[34123] {uams_dhx2_pam.c:214} (info:UAMS): PAM DHX2: PAM Success
Aug 10 08:48:40.121785 afpd[34123] {uams_dhx2_pam.c:666} (info:UAMS): DHX2: PAM_Error: Authentication failure
Aug 10 08:48:40.121848 afpd[34123] {dsi_cmdreply.c:24} (debug:DSI): dsi_cmdreply(DSI ID: 4, len: 0): START
Aug 10 08:48:40.121883 afpd[34123] {dsi_stream.c:530} (maxdebug:DSI): dsi_stream_send(0 bytes): START
If I enter an invalid user, I get a different error:
Aug 10 08:55:16.416783 afpd[34205] {afp_dsi.c:624} (debug:AFPDaemon): <== Start AFP command: AFP_LOGIN_EXT
Aug 10 08:55:18.830640 afpd[34205] {uams_dhx2_pam.c:324} (info:UAMS): DHX2: unknown username
Aug 10 08:55:18.830711 afpd[34205] {dsi_cmdreply.c:24} (debug:DSI): dsi_cmdreply(DSI ID: 2, len: 0): START
Aug 10 08:55:18.830732 afpd[34205] {dsi_stream.c:530} (maxdebug:DSI): dsi_stream_send(0 bytes): START
Aug 10 08:55:18.830745 afpd[34205] {dsi_stream.c:538} (maxdebug:DSI): dsi_stream_send(16 bytes): DSI header, no data
Aug 10 08:55:18.830762 afpd[34205] {dsi_stream.c:281} (maxdebug:DSI): dsi_stream_write(send: 16 bytes): START
I also looked at the logs from samba/winbind; there only seem to be queries if the user is unknown. If I enter a valid user, the logs in samba and winbind stay quiet.
Well, I would also like to know why the Kerberos module uam_gss.so does not seem to work either:
Aug 10 09:34:09.480536 afpd[45001] {auth.c:1011} (debug:AFPDaemon): auth_load: /usr/local/lib/netatalk//, uam_gss.so,uams_dhx.so,uams_dhx2.so
Aug 10 09:34:09.480562 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uam_gss.so)
Aug 10 09:34:09.480577 afpd[45001] {auth.c:1037} (info:AFPDaemon): uam: uam not found (status=-1)
Aug 10 09:34:09.480585 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uams_dhx.so)
Aug 10 09:34:09.518932 afpd[45001] {auth.c:1032} (debug:AFPDaemon): uam: uams_dhx.so loaded
Aug 10 09:34:09.518975 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uams_dhx2.so)
Aug 10 09:34:09.519205 afpd[45001] {uams_dhx2_pam.c:934} (debug:UAMS): DHX2: generating mersenne primes
Aug 10 09:34:09.712308 afpd[45001] {auth.c:1032} (debug:AFPDaemon): uam: uams_dhx2.so loaded
I have spent several days searching but cannot find a solution. I have found various approaches, but none of them works for me. For example, from the official netatalk wiki: http://netatalk.sourceforge.net/wiki/index.php/How-To_authenticate_to_an_NT_domain
Maybe it could work with Kerberos, but I could not get the module working...
Here is some background information:
I am running Ubuntu 16.04 on a DELL R420. The Active Directory is based on a Windows Server 2012 R2 environment. I use Samba version 4.3.9-Ubuntu and Winbind 2:4.3.9+dfsg-0ubuntu0.16.04.2.
I compiled the latest Netatalk version 3.1.9 with all features. I used the following lines to compile:
./configure --with-init-style=debian-systemd \
--with-cracklib --enable-pgp-uam --enable-krbV-uam \
--with-pam-confdir=/etc/pam.d \
--with-dbus-sysconf-dir=/etc/dbus-1/system.d \
--with-tracker-pkgconfig-version=1.0
Compile summary:
CPPFLAGS = -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)
CFLAGS = -D_U_="__attribute__((unused))" -g -O2
LIBS = -lcrack
PTHREADS:
LIBS =
CFLAGS = -pthread
TRACKER:
LIBS = -ltracker-sparql-1.0 -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0
CFLAGS = -pthread -I/usr/include/tracker-1.0 -I/usr/include/tracker-1.0/libtracker-sparql -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
SSL:
LIBS = -L/usr/lib64 -lcrypto
CFLAGS = -I/usr/include/openssl
LIBGCRYPT:
LIBS = -lgcrypt
CFLAGS =
PAM:
LIBS = -lpam
CFLAGS =
WRAP:
LIBS = -lwrap
CFLAGS =
BDB:
LIBS = -L/usr/lib64 -ldb-5.3
CFLAGS =
GSSAPI:
LIBS = -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -Wl,-z,relro -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
CFLAGS = -isystem /usr/include/mit-krb5
ZEROCONF:
LIBS = -lavahi-common -lavahi-client
CFLAGS = -D_REENTRANT
LDAP:
LIBS = -lldap
CFLAGS =
LIBEVENT:
bundled
TDB:
bundled
MySQL:
LIBS = -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -ldl
CFLAGS = -I/usr/include/mysql -fabi-version=2 -fno-omit-frame-pointer
Configure summary:
INIT STYLE:
debian-systemd
AFP:
Extended Attributes: ad | sys
ACL support: yes
Spotlight: yes
CNID:
backends: dbd last tdb mysql
UAMS:
DHX (PAM SHADOW)
DHX2 (PAM SHADOW)
RANDNUM (afppasswd)
Kerberos V
PGP
clrtxt (PAM SHADOW)
guest
Options:
Zeroconf support: yes
tcp wrapper support: yes
quota support: yes
valid shell check: yes
cracklib support: yes
ACL support: auto
Kerberos support: yes
LDAP support: yes
AFP stats via dbus: yes
dtrace probes: yes
Paths:
Netatalk lockfile: /var/lock/netatalk
init directory: /lib/systemd/system
dbus system directory: /etc/dbus-1/system.d
dbus daemon path: /bin/dbus-daemon
tracker prefix: /usr
tracker install prefix: /usr
tracker manager: /usr/bin/tracker daemon
pam config directory: /etc/pam.d
Documentation:
Docbook: no
This is my netatalk configuration:
[Global]
k5 keytab = /etc/krb5.keytab
uam list = uam_gss.so,uams_dhx.so,uams_dhx2.so
nt domain = AD.DOMAIN.LOCAL
ad domain = AD.DOMAIN.LOCAL
map acls = rights
ldap server = ad.domain.local
ldap auth method = simple
ldap auth dn = CN=ldapinfo,OU=IT,OU=Services,OU=Intern,DC=ad,DC=domain,DC=local
ldap auth pw = ************
ldap userbase = OU=Staff,OU=company,DC=ad,DC=domain,DC=local
ldap userscope = sub
ldap groupbase = OU=Groups,OU=company,DC=ad,DC=domain,DC=local
ldap groupscope = sub
ldap uuid attr = objectGUID
ldap name attr = sAMAccountName
ldap group attr = cn
; Global server settings
hostname = TimeMachine.domain.local
vol preset = default_for_all
log file = /var/log/netatalk.log
log level = default:maxdebug
save password = no
afpstats = yes
[default_for_all]
file perm = 0664
directory perm = 0774
cnid scheme = dbd
; Uncomment the following line to restrict access to specific users
; valid users = someuser
# [Homes]
# basedir regex = /storage/timemachine
# time machine = yes
# vol size limit = 102400
#
# Config for time machine users
include = /usr/local/etc/afp_users.conf
afp_users.conf
[test1]
name = Timemachine
time machine = yes
vol size limit = 102400
path = /storage/timemachine/test1
valid users = test1
/etc/pam.d/netatalk
#%PAM-1.0
# Following lines don't work
#auth required pam_winbind.so
#account required pam_winbind.so
#session required pam_unix.so
auth include common-auth
account include common-account
password include common-password
session include common-session
Samba configuration:
#======================= Global Settings =======================
[global]
netbios name = CLIENT1
workgroup = DOMAIN
security = ADS
realm = AD.DOMAIN.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-50000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 50001 - 99999
idmap config SAMDOM:schema_mode = rfc2307
winbind nss info = rfc2307
#passdb backend = pam
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = Yes
obey pam restrictions = no
template homedir = /storage/timemachine/%U
template shell = /bin/bash
#encrypt passwords = no
hide dot files = no
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
log level = 10
# ####### Authentication #######
# server role = standalone server
# passdb backend = tdbsam
# obey pam restrictions = yes
# unix password sync = yes
#
# passwd program = /usr/bin/passwd %u
# passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
#
# pam password change = yes
# map to guest = bad user
#
# ########## Domains ###########
[TEST]
path = /storage/test
valid users = testuser
read only = no
create mask = 0666
directory mask = 0777
acl map full control = True
force user = nobody
force group = nogroup
guest ok = yes
If anyone has an idea, I would be glad. Thanks
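The afpd log lines above contain three separate diagnostics (a UAM that fails to load, a username that never resolves, and a PAM step that succeeds before a later PAM failure). As an added triage example, not part of the post above, the following script parses netatalk's `afpd[pid] {file:line} (level:facility): message` log format and classifies those outcomes per afpd PID; the sample log is constructed from the lines quoted in the post, and the finding labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample: afpd log lines copied from the post above (three separate afpd PIDs).
SAMPLE_LOG = """\
Aug 10 08:48:37.908651 afpd[34123] {afp_dsi.c:624} (debug:AFPDaemon): <== Start AFP command: AFP_LOGINCONT
Aug 10 08:48:37.919318 afpd[34123] {uams_dhx2_pam.c:214} (info:UAMS): PAM DHX2: PAM Success
Aug 10 08:48:40.121785 afpd[34123] {uams_dhx2_pam.c:666} (info:UAMS): DHX2: PAM_Error: Authentication failure
Aug 10 08:55:16.416783 afpd[34205] {afp_dsi.c:624} (debug:AFPDaemon): <== Start AFP command: AFP_LOGIN_EXT
Aug 10 08:55:18.830640 afpd[34205] {uams_dhx2_pam.c:324} (info:UAMS): DHX2: unknown username
Aug 10 09:34:09.480562 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uam_gss.so)
Aug 10 09:34:09.480577 afpd[45001] {auth.c:1037} (info:AFPDaemon): uam: uam not found (status=-1)
Aug 10 09:34:09.480585 afpd[45001] {auth.c:1025} (debug:AFPDaemon): uam: loading (/usr/local/lib/netatalk//uams_dhx.so)
Aug 10 09:34:09.518932 afpd[45001] {auth.c:1032} (debug:AFPDaemon): uam: uams_dhx.so loaded
"""

# One afpd log line: "<timestamp> afpd[<pid>] {<file>:<line>} (<level>:<facility>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) afpd\[(?P<pid>\d+)\] \{(?P<src>[^}]+)\} "
    r"\((?P<level>\w+):(?P<facility>\w+)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one afpd log line, or None if the line is not in that format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Classify, per afpd PID, what the log says about UAM loading and the login attempt."""
    findings = defaultdict(list)
    loading = {}       # pid -> path of the UAM afpd is currently trying to load
    pam_ok = set()     # pids that already logged a PAM success step
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pid, msg = rec["pid"], rec["msg"]
        m = re.match(r"uam: loading \((.+)\)$", msg)
        if m:
            loading[pid] = m.group(1)
        elif msg.startswith("uam: uam not found"):
            # the module named in 'uam list' does not exist at the path afpd tried
            findings[pid].append("uam_not_found:" + loading.get(pid, "?"))
        elif msg == "DHX2: unknown username":
            # name lookup failed before any password check: NSS/winbind never resolved the user
            findings[pid].append("unknown_username")
        elif msg.endswith("PAM Success"):
            pam_ok.add(pid)
        elif "PAM_Error" in msg:
            # a PAM step succeeded earlier, so the failure is inside the PAM stack, not name lookup
            stage = "after_pam_success" if pid in pam_ok else "no_prior_pam_success"
            findings[pid].append("pam_auth_failure:" + stage)
    return dict(findings)
```

Run `triage(SAMPLE_LOG)` to get one finding list per PID; a `uam_not_found` finding points at the `uam list` entry to check against the files actually present in the UAM directory, while `pam_auth_failure:after_pam_success` points at the modules included by /etc/pam.d/netatalk rather than at user resolution.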