
Как заходить на samba шару без указания домена в логине?

Добрый день. У меня есть
1. Сервер Debian 10 samba-ad-dc 4.9, как контроллер домена с учетками пользователей (Домен CLOUD.DOMAIN.RU). Имя: s1
2. На сервере s1 поднят strongswan VPN, к которому подключаются пользователи (vpn.domain.ru)
3. Сервер Debian 11, samba 4.13 — файловый сервер. Имя s2.cloud.domain.ru (также доступен по алиасу fs.s2.domain.ru)

При подключении через VPN я пытаюсь зайти на \\fs.s2.domain.ru\Public, и авторизация проходит только с указанием домена (без домена не пускает). Как сделать, чтобы можно было вводить только логин, без домена?

Конфиг smb.conf сервера s1 (DC)
# Global parameters
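[global]
        netbios name = DC1
        realm = CLOUD.DOMAIN.RU
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CLOUD
        idmap_ldb:use rfc2307 = yes
        # Listen only on loopback and the 10.18.18.10 LAN address.
        bind interfaces only = yes
        interfaces = 127.0.0.1 10.18.18.10
        # Samba's default is "yes": simple (cleartext) binds and unsigned SASL
        # binds over plain LDAP/389 are refused, so domain passwords cannot be
        # captured or relayed on the wire. The question had this set to "no".
        # If one legacy LDAP client really cannot sign, prefer
        # "allow_sasl_over_tls" over "no".
        ldap server require strong auth = yes
        # NetBIOS browser-election knobs; harmless but not meaningful on an AD DC.
        domain master = yes
        local master = yes
        preferred master = yes
        # Strip the "CLOUD\" prefix from names winbind returns on this host.
        winbind use default domain = yes

        # Windows-style ACLs in xattrs plus full_audit.
        # NOTE(review): no full_audit:success/failure list is set in this
        # section — check what the module logs by default on this version.
        vfs objects = acl_xattr full_audit
        map acl inherit = yes
        inherit permissions = yes
        inherit owner = yes
        store dos attributes = yes

        # TLS for LDAPS/StartTLS; relative paths resolve under "private dir".
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem

        # NTLM. The question had "ntlm auth = yes", which also accepts NTLMv1;
        # NTLMv1 responses can be cracked offline to the NT hash, so keep the
        # Samba default and relax it only for a specific, identified client.
        # This is not the cause of the NT_STATUS_NO_SUCH_USER in the question:
        # that is a user-lookup failure, not a rejected password.
        ntlm auth = ntlmv2-only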

[netlogon]
        # Domain logon scripts, served out of SYSVOL; hidden from browsing.
        # NOTE(review): the directory name is case-sensitive on Linux and
        # provision normally creates it in lower case — verify that
        # "cloud.DOMAIN.RU" is the real directory name.
        path = /var/lib/samba/sysvol/cloud.DOMAIN.RU/scripts
        browsable = no
        writeable = yes

[sysvol]
        # Writable SYSVOL share (group policy, scripts), hidden from browsing.
        path = /var/lib/samba/sysvol
        browsable = no
        writeable = yes


Конфиг smb.conf сервера s2 (FS)
# Global parameters
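[global]
        netbios name = S2
        # Domain member authenticating against AD through winbind.
        security = ADS
        workgroup = CLOUD
        realm = CLOUD.DOMAIN.RU
        # "encrypt passwords = yes" dropped: deprecated and always effectively on.
        # Default idmap config for local BUILTIN accounts and groups; the range
        # must not overlap the CLOUD range below (3000-7999 vs 10000-999999).
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # idmap config for the CLOUD domain: deterministic RID-based mapping.
        idmap config CLOUD : backend = rid
        idmap config CLOUD : range = 10000-999999
        # Lets getent list every domain user/group on this host; expensive on
        # large domains and not needed for share access — consider disabling.
        winbind enum users = yes
        winbind enum groups = yes
        # Only affects how winbind presents names (no "CLOUD\" prefix). As the
        # question's log shows, it does not make smbd accept a bare user name
        # over NTLM.
        winbind use default domain = yes

        vfs objects = acl_xattr full_audit
        map acl inherit = yes
        inherit permissions = yes
        inherit owner = yes
        store dos attributes = yes

        # Disable printers
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes

        # TLS (relative paths resolve under "private dir")
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem

        # NTLM. The question had "ntlm auth = yes", which also permits NTLMv1,
        # whose responses can be cracked offline to the NT hash. Keep the Samba
        # default; the NT_STATUS_NO_SUCH_USER in the question's log is a
        # user-lookup failure and is not changed by this setting.
        ntlm auth = ntlmv2-only

        # LOG: one file per client IP (%I), which the troubleshooting in the
        # question relies on; auth:2 prints each NTLM attempt and its mapping.
        log level = 1 auth:2 vfs:1
        log file = /var/log/samba/log.%I
        max log size = 1024
        # audit: successful opens and failed stat() calls, to syslog local5.notice.
        # NOTE(review): failed open/unlink/rename are not covered by this
        # failure list — confirm that is intended.
        full_audit:failure = stat
        full_audit:success = open
        full_audit:facility = local5
        full_audit:priority = notice

        # RECYCLE: inert in the question's config because "recycle" is not in
        # "vfs objects". Re-enable both together (and decide on module order)
        # if a per-user recycle bin is wanted.
        #recycle:repository = .recycle/%U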

# FS

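[public]
        path = /data/fs4-doc
        # Writable. The question listed both "read only = No" and
        # "write ok = Yes"; they are the same setting, so one form is kept.
        read only = no
        # Not shown in share browsing, but reachable by name.
        browseable = no
        # Domain credentials required; "public" is a synonym of "guest ok".
        guest ok = no
        # Per-share audit prefix: user | client IP | share name.
        full_audit:prefix = [public] %u|%I|%S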


Логи:
1. Подключение из локальной сети (лог клиента 10.18.18.101), домен не вписываю
root@s2:/data# tailf /var/log/samba/log.10.18.18.101 
[2021/10/27 15:54:11.542724,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [u3557@CLOUD.DOMAIN.RU] -> [u3557@CLOUD.DOMAIN.RU] -> [CLOUD\u3557] succeeded
[2021/10/27 15:54:15.184074,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [u3557@CLOUD.DOMAIN.RU] -> [u3557@CLOUD.DOMAIN.RU] -> [CLOUD\u3557] succeeded
[2021/10/27 15:54:17.117996,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [u3557@CLOUD.DOMAIN.RU] -> [u3557@CLOUD.DOMAIN.RU] -> [CLOUD\u3557] succeeded
[2021/10/27 15:54:19.476640,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [u3557@CLOUD.DOMAIN.RU] -> [u3557@CLOUD.DOMAIN.RU] -> [CLOUD\u3557] succeeded
[2021/10/27 15:54:19.492014,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [u3557@CLOUD.DOMAIN.RU] -> [u3557@CLOUD.DOMAIN.RU] -> [CLOUD\u3557] succeeded


2. Подключение через VPN (лог клиента 10.18.20.1), домен не вписываю
root@s2:/data# tailf /var/log/samba/log.10.18.20.1
[2021/10/27 15:52:39.009845,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [u3599] -> [u3599] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/10/27 15:52:40.588938,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [u3599] -> [u3599] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/10/27 15:52:42.158677,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [u3599] -> [u3599] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/10/27 15:52:43.736559,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [u3599] -> [u3599] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/10/27 15:52:45.314993,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [u3599] -> [u3599] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1


Похоже, проблема в том, что в samba 4.13 больше нет параметра map untrusted to domain = yes, но как это обойти?

Примечание (по логам выше): «успешные» подключения из локальной сети приходят с UPN u3557@CLOUD.DOMAIN.RU, который Samba сама сопоставляет с CLOUD\u3557, а через VPN клиент передаёт голый логин u3599 без домена — судя по логу, такой запрос не уходит в winbind, и member-сервер отвечает NT_STATUS_NO_SUCH_USER (authoritative=1). В обоих случаях это NTLM (check_ntlm_password), а не Kerberos. Параметр map untrusted to domain заставлял сервер молча подставлять свой домен вместо любого присланного клиентом имени, что небезопасно, поэтому надёжное решение — передавать домен с клиента (CLOUD\логин или логин@cloud.domain.ru; в Windows их можно сохранить в Диспетчере учётных данных), либо добиться Kerberos: подключаться по имени внутри realm (s2.cloud.domain.ru) при доступном через VPN KDC. Для алиаса fs.s2.domain.ru дополнительно понадобится SPN cifs/fs.s2.domain.ru у учётной записи компьютера S2 (samba-tool spn add).