私のシステム:
# cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# smbd -V
Version 4.13.13-Debian
OpenLDAP 2.4.57+dfsg-3+deb11u1
私の問題:あるサーバーのopenldap()に多くのユーザーが定義されており、vogon
別のシステムのSambaサーバーが定義されていますknox
。既存のユーザーを使用してSambaに接続すると、jan
正常に動作します。
# smbclient //knox/homes -U jan -W ZOMBIE
Enter ZOMBIE\jan's password:
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\knox\homes\
smb: \>
ただし、LDAPで新しいユーザーを作成すると、次の結果zzuser
が表示されます。
# smbclient //knox/homes -U zzuser -W ZOMBIE
Enter ZOMBIE\zzuser's password:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
そして/var/log/samba/log.192.168.50.109
:
...
[2023/04/11 10:06:56.594913, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2023/04/11 10:06:56.594949, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope => [2]
[2023/04/11 10:06:56.595600, 4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
[2023/04/11 10:06:56.595645, 4, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/04/11 10:06:56.595656, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:398(check_sam_security)
check_sam_security: Couldn't find user 'zzuser' in passdb.
[2023/04/11 10:06:56.595665, 5, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
auth_check_ntlm_password: sam_ignoredomain authentication for user [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595676, 2, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [zzuser] -> [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595704, 2, pid=1089697, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [ZOMBIE]\[zzuser] at [Tue, 11 Apr 2023 10:06:56.595692 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [JAN] remote host [ipv4:192.168.50.106:60046] mapped to [ZOMBIE]\[zzuser]. local host [ipv4:192.168.50.7:445]
{"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595822, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
auth3_check_password_send: Checking NTLMSSP password for ZOMBIE\zzuser failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595832, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
No such user zzuser [ZOMBIE] - using guest account
...
zzuser
これは、システムがよく知られているという事実とは対照的である。
# id zzuser
uid=1104(zzuser) gid=100(users) groups=100(users)
# echo ~zzuser
/knox/home/zzuser
# su - zzuser
zzuser@knox:~$ passwd
Current Password:
New password:
Retype new password:
passwd: password updated successfully
一方:
zzuser@knox:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 58 95 CD A8 66 08 74 38 19 A3 59 52 1E BE 15 28 X...f.t8 ..YR...(
Could not connect to machine 127.0.0.1: NT_STATUS_ACCESS_DENIED
ルートとして:
# smbpasswd zzuser
New SMB password:
Retype new SMB password:
Failed to find entry for user zzuser.
だからどうしたの?jan
過去にSambaにユーザーを追加したことを覚えているようです。違いがあるかもしれませんが、Sambaを実行するためにSambaが必要な場合は、LDAPを使用しているすべてのポイントが消えます。