Synchronising the NT4 SAM with Samba4 - possible?

I have installed and configured Samba4 as a backup domain controller:

james@photon:~$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions

[global]
    workgroup = NT4Domain
    server string = %h NT4 BDC (Samba4, Linux)
    interfaces = lo, eth1
    bind interfaces only = Yes
    server role = classic backup domain controller
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = wins, bcast, hosts
    client signing = if_required
    server signing = if_required
    add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
    logon script = scripts\logon.cmd
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    domain logons = Yes
    domain master = No
    dns proxy = No
    wins server = ip.of.nt4.box
    ldap admin dn = cn=admin,dc=thisdomain
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=People
    ldap passwd sync = yes
    ldap suffix = dc=thisdomain
    ldap ssl = no
    ldap timeout = 20
    ldap user suffix = ou=People
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    winbind cache time = 3600
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind offline logon = Yes
    idmap config * : backend = tdb
    ea support = Yes
    map acl inherit = Yes

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0775
    directory mask = 0775
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    comment = Users profiles
    path = /home/samba/profiles
    create mask = 0600
    directory mask = 0700
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    print ok = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    write list = root, @lpadmin

It has joined my NT4 domain. The shared printers are accessible, the netlogon share is visible, and the user shares are visible and browseable by the correct (locally configured) users on Windows machines in the domain. The machine account is visible on the NT4 domain controller. Useful.

However, I cannot get net rpc vampire to work. There are several hundred user accounts stored on the NT4 domain controller, and I need to synchronise them into the (working) LDAP instance on the Samba machine so that we can decommission the NT4 box.

james@photon:~$ sudo net rpc join -U NT4AdminAccount%secret
Joined domain NT4Domain.

However:

sudo net rpc vampire -U NT4AdminAccount%secret
DC is not running Active Directory
cli_rpc_pipe_open_schannel: failed to get schannel session key from server 127.0.0.1 for domain NT4Domain.
Could not initialise schannel netlogon pipe. Error was NT_STATUS_ACCESS_DENIED

And:

sudo net rpc vampire -S NT4DC -U NT4AdminAccount%secret
DC is not running Active Directory
cli_rpc_pipe_open_schannel: failed to get schannel session key from server data1 for domain ATMOS.
Could not initialise schannel netlogon pipe. Error was NT_STATUS_INVALID_COMPUTER_NAME

The relevant lines I see when I try to run vampire with -d=10 are:

result                   : NT_STATUS_INVALID_COMPUTER_NAME
get_schannel_session_key_common: rpccli_netlogon_setup_creds failed with result NT_STATUS_INVALID_COMPUTER_NAME to server NT4DC, domain NT4Domain, machine account SAMBASERVER.
cli_rpc_pipe_open_schannel: failed to get schannel session key from server data1 for domain ATMOS.
Could not initialise schannel netlogon pipe. Error was NT_STATUS_INVALID_COMPUTER_NAME
return code = -1
Freeing parametrics:

So, what is actually going wrong here? Is vampire simply broken now? I keep reading that it is deprecated, but all the documentation I have seen for doing this with samba-tool domain join is about joining an Active Directory domain. That is not what we want to do. I have also read a great deal about Kerberos in the context of the schannel session key error, but that is an Active Directory thing too, isn't it? I thought NT4 used LANMAN for the functions that Kerberos now covers. It seems the only thing I am stuck on is the vampire operation. Everything else appears to be working fine...

Thanks in advance.
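One check worth automating while a question like this is open, as an added example that is not part of the original post or of Samba itself: a small Python script that parses the -d 10 diagnostics quoted above (the sample lines are reproduced inline, so it runs offline), extracts the NT_STATUS result together with the server, domain and machine account that Samba's get_schannel_session_key_common diagnostic names, and checks whether that account name could even be a valid NT4 trust account. It assumes the wording of that diagnostic line stays as quoted, that the name printed after "machine account" is the NetBIOS host name without its trailing "$" (which is how the line above reads), and relies on the NetBIOS limit of 15 characters for a host name and the characters Windows refuses in computer names. The hint it prints for NT_STATUS_INVALID_COMPUTER_NAME is a suggestion of what to compare next, not a diagnosis.

```python
"""Triage helper for `net rpc vampire -d 10` output against an NT4-style PDC.

Added example; not part of the original post or of Samba. Parses the schannel
setup diagnostic that `net` prints and sanity-checks the machine account name
it presented.
"""
import json
import re

# Constructed sample: the -d=10 lines quoted in the post above (not live output).
SAMPLE_DEBUG = """\
result                   : NT_STATUS_INVALID_COMPUTER_NAME
get_schannel_session_key_common: rpccli_netlogon_setup_creds failed with result NT_STATUS_INVALID_COMPUTER_NAME to server NT4DC, domain NT4Domain, machine account SAMBASERVER.
cli_rpc_pipe_open_schannel: failed to get schannel session key from server data1 for domain ATMOS.
Could not initialise schannel netlogon pipe. Error was NT_STATUS_INVALID_COMPUTER_NAME
return code = -1
"""

# Assumed stable wording of Samba's get_schannel_session_key_common() diagnostic,
# taken from the line quoted in the post; the trailing '.' is sentence punctuation.
SETUP_CREDS_RE = re.compile(
    r"rpccli_netlogon_setup_creds failed with result (?P<status>NT_STATUS_\w+)"
    r" to server (?P<server>[^,]+), domain (?P<domain>[^,]+),"
    r" machine account (?P<account>\S+?)\.?\s*$"
)

NETBIOS_MAX_LEN = 15                 # a NetBIOS name is 16 bytes; the 16th is the type suffix
NETBIOS_ILLEGAL = set('\\/:*?"<>|')  # characters Windows refuses in a computer name


def parse_schannel_failure(debug_output):
    """Return {'status', 'server', 'domain', 'account'} from the first matching line, else None."""
    for line in debug_output.splitlines():
        m = SETUP_CREDS_RE.search(line)
        if m:
            return m.groupdict()
    return None


def check_machine_account(account):
    """List reasons a name could not be an NT4 trust account (NETBIOSNAME$).

    Samba's diagnostic prints the host name without the '$'; both forms are accepted.
    """
    host = account[:-1] if account.endswith("$") else account
    problems = []
    if not host:
        problems.append("empty host name")
    if len(host) > NETBIOS_MAX_LEN:
        problems.append(f"host name longer than {NETBIOS_MAX_LEN} characters")
    bad = sorted({c for c in host if c in NETBIOS_ILLEGAL or c.isspace()})
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    return problems


def triage(debug_output):
    """Summarise a failed vampire run: what the DC answered and which account was presented."""
    info = parse_schannel_failure(debug_output)
    if info is None:
        return {"status": None, "note": "no rpccli_netlogon_setup_creds failure found"}
    info["account_problems"] = check_machine_account(info["account"])
    if info["account_problems"]:
        info["note"] = "machine account name is not a valid NetBIOS name; fix that first"
    elif info["status"] == "NT_STATUS_INVALID_COMPUTER_NAME":
        # Name is syntactically fine, so the next thing to compare is the name Samba
        # presents ('netbios name' in smb.conf, defaulting to the first component of
        # the host name) against the trust account the PDC actually holds.
        info["note"] = ("name is syntactically valid; compare it character for character "
                        "with the computer account on the PDC and with 'netbios name'")
    else:
        info["note"] = "see status"
    return info


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DEBUG), indent=2))
```

Run it with the real -d 10 output on stdin or a file once the sample constant is swapped out; the point of keeping the parser separate from the name check is that the same regex works unchanged when the PDC returns a different NT_STATUS code.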