Samba, winbind e autenticação AD: o nome de usuário é inválido neste sistema

2

Estou tentando configurar um servidor de arquivos com autenticação do Active Directory usando Samba e Winbind.

O controlador de domínio é o Windows 2000 SP4 (não julgue).
O servidor de arquivos é o Debian 7.7 (mais recente estável). Esta é uma instalação nova, com apenas algumas recomendadas por várias bibliotecas de guias e dependências instaladas. O Samba foi construído a partir da fonte com os seguintes parâmetros:

./configure --with-acl-support --with-ads --with-shared-modules=idmap_ad --disable-cups --disable-iprint

 

root@this-server:~# samba --version
Version 4.1.13
root@this-server:~# winbindd --version
Version 3.6.6
root@this-server:~# klist -V
Kerberos 5 version 1.10.1

kinit Administrator, ad net ads join -k, net ads testjoin, getent passwd, getent group, wbinfo -u, wbinfo -g, id DomainUser, chown DomainUser: DomainGroup, chgrp DomainUser: DomainGroup - todo o trabalho, sem erros.

Posso fazer login via ssh com credenciais de domínio.

smbclient -k -L any-other-host - também funciona.

Contudo...

root@this-server:~# smbclient -k -L this-server -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.104 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.1.13).
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name this-server<0x20>
Connecting to 192.168.1.104 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/this-server@MY-DOMAIN
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0.1] expiration Sat, 29 Nov 2014 02:29:49 MSK
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

(/usr/local/samba/etc/smb.conf é um link simbólico para /usr/share/samba/smb.conf)

Trecho dos logs:

[2014/11/28 16:46:58.430797,  1, pid=6006, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username MY-DOMAIN\Administrator is invalid on this system
[2014/11/28 16:46:58.430856,  1, pid=6006, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2014/11/28 16:46:58.430965,  1, pid=6006, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

Aqui estão algumas informações de configuração, principalmente se não completamente irrelevantes:

/etc/samba/smb.conf (que também é um link simbólico para /usr/share/samba/smb.conf)

[global]

   netbios name = this-server
   realm = MY-DOMAIN
   workgroup = MY-DOMAIN
   server string = %h server
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = ads
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

   winbind enum groups = yes
   winbind enum users = yes

   idmap config * : backend        = tdb
   idmap config * : range          = 20000-29999

   idmap config MY-DOMAIN : backend  = rid
   idmap config MY-DOMAIN : range    = 10000 - 19999

   winbind trusted domains only = no
   winbind use default domain = yes
   client use spnego = yes
   kerberos method = secrets and keytab

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   load printers = no
   printcap name = /dev/null
   log level = 10

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[demoshare]
   path = /srv/samba/test
   read only = no

/ etc / hosts

127.0.0.1       localhost       localhost.localdomain
192.168.1.104   this-server.MY-DOMAIN        this-server
192.168.1.100   domain-controller.MY-DOMAIN  domain-controller

/etc/resolv.conf

nameserver 192.168.1.100
search MY-DOMAIN

/etc/nsswitch.conf

passwd:         files winbind
group:          files winbind
shadow:         files winbind

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Todos os arquivos /etc/pam.d/* são gerados com pam-auth-update, aqui está o conteúdo de qualquer maneira:

/etc/pam.d/samba

@include common-auth
@include common-account
@include common-session-noninteractive

/etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

/etc/pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

/etc/pam.d/session-noninteractive

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so

/etc/pam.d/common-password

password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

/etc/krb5.conf

[libdefaults]
default_realm = MY-DOMAIN

krb4_config = /etc/krb.
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
preferred_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MY-DOMAIN = {
        kdc = domain-controller.my-domain
        admin_server = domain-controller.my-domain
        default_domain = MY-DOMAIN
}

[domain_realm]
.my-domain = MY-DOMAIN
my-domain = MY-DOMAIN

Qual pode ser o problema aqui e como resolvê-lo?

linux  samba  active-directory  authentication  pam 
Isso é frustrante
fonte
Ao utilizar nosso site, você reconhece que leu e compreendeu nossa Política de Cookies e nossa Política de Privacidade.
Licensed under cc by-sa 3.0 with attribution required.