Samba 4 joined to AD: can access shares using the FQDN, but not using the IP or aliases

I installed a new Openmediavault 4 server that I joined to my Active Directory, which is managed by two Samba 4 domain controllers.

Specifications:

  • Active Directory domain MY.AD.DOMAIN managed by two Samba 4 domain controllers (server-z1.my.ad.domain (192.168.70.201) and server-z2.my.ad.domain (192.168.70.202))
  • A file server with Samba version 4.5.12-Debian running Openmediavault 4.1.0-1 (based on Debian 9)
  • The file server's IP address is 192.168.70.171
  • The file server's FQDN is server-f1.my.ad.domain
  • The file server has an alias server-f10.my.ad.domain configured in DNS
  • I want to access the file server from clients using the IP address (\\192.168.70.171), the FQDN (\\server-f1.my.ad.domain) and the DNS alias (\\server-f10.my.ad.domain).

I joined Openmediavault to the domain using SSSD, following the guide at https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-OpenMediaVault-3-x-in-an-Active-Directory-domain/ , and I can list the domain users with getent passwd, even after a reboot.

The problem I have is that I can access the Samba shares on Openmediavault when I connect to it using the FQDN (\\server-f1 or \\server-f1.my.ad.domain), but not using the IP address (\\192.168.70.171) or the DNS alias (\\server-f10 or \\server-f10.my.ad.domain).

When I connect using the IP address or the DNS alias, I get these errors on the Openmediavault system:

Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.956409,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.957928,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961733,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:54 server-f1 smbd[21103]:   WARNING: The "syslog" option is deprecated
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961772,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:54 server-f1 smbd[21103]:   WARNING: The "syslog only" option is deprecated
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961984,  2] ../source3/param/loadparm.c:2685(lp_do_section)
Mar 15 20:14:54 server-f1 smbd[21103]:   Processing section "[homes]"
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.049955,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.050031,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081918,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081968,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110632,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110683,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112016,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
Mar 15 20:14:57 server-f1 smbd[21103]:   domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112060,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
Mar 15 20:14:57 server-f1 smbd[21103]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112088,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
Mar 15 20:14:57 server-f1 smbd[21103]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.121674,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:57 server-f1 smbd[21104]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125426,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:57 server-f1 smbd[21104]:   WARNING: The "syslog" option is deprecated
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125460,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:57 server-f1 smbd[21104]:   WARNING: The "syslog only" option is deprecated
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125698,  2] ../source3/param/loadparm.c:2685(lp_do_section)
Mar 15 20:14:57 server-f1 smbd[21104]:   Processing section "[homes]"
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197432,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197476,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227212,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227250,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257018,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257051,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466888,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
Mar 15 20:14:57 server-f1 smbd[21104]:   domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466920,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
Mar 15 20:14:57 server-f1 smbd[21104]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466943,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
Mar 15 20:14:57 server-f1 smbd[21104]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:15:01 server-f1 CRON[21106]: (root) CMD (/usr/sbin/omv-mkrrdgraph >/dev/null 2>&1)

This is my global Samba configuration:

[global]
workgroup = DOMAIN
server string = %h server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
dedicated keytab file = FILE:/etc/krb5.keytab
password server = server-z1.my.ad.domain, server-z2.my.ad.domain
realm = MY.AD.DOMAIN
security = ads
template homedir = /home/my.ad.domain/users/%U
netbios name = server-f1
netbios aliases = server-f10

Could you help me, please?

Thanks!
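Added example, not code from the original post: a shell function that triages the smbd log excerpt above. The log shows an NTLM logon attempt (check_ntlm_password) that fails because smbd finds no machine account password in secrets.tdb and therefore cannot open the session to the DC that NTLM pass-through needs. A common cause of that combination is a join done with adcli/realm (as SSSD setups do), which writes /etc/krb5.keytab but not Samba's own secrets.tdb; `net ads testjoin` is the check to run next. An IP address, and a DNS alias that has no SPN, both make a Windows client fall back from Kerberos to NTLM, which is why the FQDN works and the other names do not. The `sample_log` value is a constructed, trimmed copy of the lines in the question so the function runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba: triage an smbd
# log for the two questions to ask before touching SPNs. Did the client
# use NTLM instead of Kerberos, and can this member verify NTLM at all?

# Constructed excerpt of the question's log (same messages, trimmed).
sample_log='Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (No such object) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]:   domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21103]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21103]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS'

# Print one finding per line for an smbd log read from stdin.
smbd_auth_triage() {
    log=$(cat)
    # A check_ntlm_password line means SPNEGO negotiated NTLMSSP, not
    # Kerberos: expected for an IP address, and for a DNS name that has
    # no matching SPN. Report the user and the final status.
    printf '%s\n' "$log" | grep -q 'check_ntlm_password' &&
        printf '%s\n' "$log" |
        sed -n 's/.*Authentication for user \[\([^]]*\)\].*FAILED with error \([A-Z_]*\).*/ntlm-failed user=\1 status=\2/p'
    # No machine account password in secrets.tdb: smbd cannot open the
    # schannel session to a DC, so NTLM pass-through can never succeed.
    # A join done by adcli/realm leaves a keytab but no secrets.tdb entry;
    # `net ads join` is what fills it and `net ads testjoin` verifies it.
    printf '%s\n' "$log" | grep -q 'Could not find machine account in secrets database' &&
        printf 'no-machine-account-in-secrets\n'
    # Which DC was tried, and with what status (reachability vs. credentials).
    printf '%s\n' "$log" |
        sed -n 's/.*unable to open the domain client session to machine \([^ ]*\)\. Error was : \([A-Z_]*\).*/dc-session-failed dc=\1 status=\2/p' |
        sort -u
    return 0
}

# Run it over the constructed excerpt. A clean Kerberos logon prints nothing.
printf '%s\n' "$sample_log" | smbd_auth_triage
```

Feed it the real file (`smbd_auth_triage < /var/log/samba/log.<client>` at log level 2 or higher) and look at the three findings together: an `ntlm-failed` line alone points at the client-side name (IP or alias without SPN); `no-machine-account-in-secrets` on top of it means the member itself must be (re)joined with `net ads join` before NTLM fallback can work for anyone.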

Answer 1

Although this is an old(ish) post, I ran into this problem just today, so I'm sharing my solution to it.

When joining a machine to Active Directory, two sets of SPNs are created for the generated computer account, one with the FQDN and the second with the NetBIOS name (also known as the server name).

NetBIOS names are limited to 15 characters. So in my case the server name was longer than 15 characters; when I joined it to the domain, the SPN generated for the computer account was cut off at 15 characters. The SPN with the FQDN, however, was complete, so access to the shares with the server name failed while access with the FQDN worked.

Fixing the SPN in Active Directory worked for me and will probably work for you too (although not for IP addresses; for that you need NTLM).

You may also need to reboot the server after adding SPNs to the computer account.

Answer 2

You can't use the IP, because Kerberos is bound only to the FQDN.
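Worked example added here for answers 1 and 2 (it is not code from either poster and not a Samba tool). It works out the SPNs a Samba member needs so that Kerberos covers every name clients use, diffs them against what the computer account holds, and prints the `samba-tool spn add` commands a DC admin would run; it also shows the 15-character NetBIOS truncation from answer 1 and why an IP address can never be covered (answer 2): an SPN is service/hostname, and \\192.168.70.171 has no hostname, so those logons are NTLM by construction. The names are the question's (server-f1.my.ad.domain with alias server-f10.my.ad.domain, account server-f1$); `sample_existing_spns` is a constructed stand-in for the output of `samba-tool spn list 'server-f1$'` on one of the Samba DCs, and the long hostname in the demo is hypothetical. Note that Samba's `netbios aliases` setting in the question's smb.conf only registers an extra NetBIOS name; it adds no SPN.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: compute the SPNs a
# CIFS server needs for its FQDN, short name and DNS aliases, and show
# what is missing from the computer account.

# Constructed stand-in for `samba-tool spn list 'server-f1$'`: a typical
# adcli-style join holds HOST/ and RestrictedKrbHost/ for the FQDN and
# short name only, so nothing covers the alias server-f10.
sample_existing_spns='HOST/server-f1.my.ad.domain
HOST/SERVER-F1
RestrictedKrbHost/server-f1.my.ad.domain
RestrictedKrbHost/SERVER-F1'

# NetBIOS names are at most 15 characters; a longer hostname is cut here,
# which is how answer 1 ended up with a short-name SPN that matched nothing.
# usage: netbios_name hostname
netbios_name() {
    printf '%s' "$1" | cut -c1-15 | tr '[:lower:]' '[:upper:]'
}

# SPNs a CIFS server should hold for each name: HOST/ (the KDC's default
# SPN mappings map cifs to host) plus an explicit CIFS/, for both the
# FQDN and its short form.
# usage: required_spns fqdn [alias_fqdn ...]
required_spns() {
    for name in "$@"; do
        short=${name%%.*}
        for svc in HOST CIFS; do
            printf '%s/%s\n%s/%s\n' "$svc" "$name" "$svc" "$short"
        done
    done | LC_ALL=C sort -u
}

# Case-insensitive set difference: required SPNs (stdin) not present in $1
# (one SPN per line). AD compares SPNs case-insensitively.
# usage: required_spns ... | missing_spns "$existing_list"
missing_spns() {
    existing=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u | while read -r spn; do
        printf '%s\n' "$existing" | grep -qxF "$spn" || printf '%s\n' "$spn"
    done
}

# Render the DC-side commands that add each missing SPN (stdin) to the
# computer account named in $1. They are printed, never executed here.
spn_add_commands() {
    while read -r spn; do
        printf "samba-tool spn add %s '%s'\n" "$spn" "$1"
    done
}

# An IP address is not a host name, so no SPN can name it and no CIFS
# ticket can be issued for it: the client has to use NTLM.
# usage: kerberos_possible name   (prints yes or no)
kerberos_possible() {
    case $1 in
        *[!0-9.]*) echo yes ;;   # anything beyond digits and dots is a name
        *)         echo no ;;
    esac
}

echo "NetBIOS form of a long hostname: $(netbios_name averyveryverylonghostname)"
echo "Kerberos possible for 192.168.70.171: $(kerberos_possible 192.168.70.171)"
echo "Commands to run on a DC for server-f1 and its alias:"
required_spns server-f1.my.ad.domain server-f10.my.ad.domain |
    missing_spns "$sample_existing_spns" |
    spn_add_commands 'server-f1$'
```

Adding the SPN in AD is half of the fix: the member must also hold a key for the new principal, or the Kerberos acceptor in smbd cannot decrypt the ticket. On a member joined with `net ads join` that is `net ads keytab add cifs/server-f10.my.ad.domain`; on an adcli join it is `adcli update --add-service-principal=cifs/server-f10.my.ad.domain`. Check the result with `klist -k /etc/krb5.keytab`, and on a Windows client confirm after connecting to \\server-f10.my.ad.domain that `klist` lists a cifs/server-f10.my.ad.domain ticket rather than falling back to NTLM.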
