새로운 LDAP 사용자는 [homes]에 연결할 수 없지만 기존 사용자는 연결할 수 있습니까?

My system:

# cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

# smbd -V
Version 4.13.13-Debian

OpenLDAP 2.4.57+dfsg-3+deb11u1

My problem: I have a lot of users defined in openldap on one server (vogon), and a Samba server on another machine (knox). When I connect to Samba with an existing user (jan), it works fine.

# smbclient //knox/homes -U jan -W ZOMBIE   
Enter ZOMBIE\jan's password: 
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\knox\homes\
smb: \> 

But when I create a new user in LDAP, zzuser, this is what happens:

# smbclient //knox/homes -U zzuser -W ZOMBIE
Enter ZOMBIE\zzuser's password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

And in /var/log/samba/log.192.168.50.109:

...
[2023/04/11 10:06:56.594913,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2023/04/11 10:06:56.594949,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope => [2]
[2023/04/11 10:06:56.595600,  4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
[2023/04/11 10:06:56.595645,  4, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/04/11 10:06:56.595656,  3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:398(check_sam_security)
  check_sam_security: Couldn't find user 'zzuser' in passdb.
[2023/04/11 10:06:56.595665,  5, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595676,  2, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [zzuser] -> [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595704,  2, pid=1089697, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [ZOMBIE]\[zzuser] at [Tue, 11 Apr 2023 10:06:56.595692 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [JAN] remote host [ipv4:192.168.50.106:60046] mapped to [ZOMBIE]\[zzuser]. local host [ipv4:192.168.50.7:445] 
  {"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595822,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
  auth3_check_password_send: Checking NTLMSSP password for ZOMBIE\zzuser failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595832,  3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
  No such user zzuser [ZOMBIE] - using guest account
...

This contrasts with the fact that zzuser is well known to the system:

# id zzuser
uid=1104(zzuser) gid=100(users) groups=100(users)
# echo ~zzuser
/knox/home/zzuser
# su - zzuser
zzuser@knox:~$ passwd
Current Password: 
New password: 
Retype new password: 
passwd: password updated successfully

On the other hand:

zzuser@knox:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 58 95 CD A8 66 08 74 38   19 A3 59 52 1E BE 15 28   X...f.t8 ..YR...(
Could not connect to machine 127.0.0.1: NT_STATUS_ACCESS_DENIED

As root:

# smbpasswd zzuser
New SMB password:
Retype new SMB password:
Failed to find entry for user zzuser.

So what's going on? I seem to remember adding jan to Samba in the past. That may be the difference, but if I need to add users to Samba for Samba to work, the whole point of using LDAP disappears.
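The smbd log above shows exactly which LDAP query Samba's `ldapsam` backend runs for the user: base `dc=comind,dc=io`, filter `(&(uid=zzuser)(objectclass=sambaSamAccount))`, zero results. `id zzuser` succeeds because NSS only needs a `posixAccount` entry; `ldapsam` needs the same entry to also carry the `sambaSamAccount` object class (whose schema requires `sambaSID`) and, for the NTLMv2 logon the log shows, a `sambaNTPassword`. The script below is an added example, not part of the question: it parses LDIF as `ldapsearch -LLL` would print it and applies both views (NSS and ldapsam) to each user, then lists what the entry lacks. The two LDIF entries, the domain SID and the NT hash are constructed for illustration; `expected_sid()` applies Samba's algorithmic RID mapping (rid = uid * 2 + `algorithmic rid base`, default 1000), which is only the right answer if the directory actually uses that scheme.

```python
"""Reproduce Samba's ldapsam user lookup offline against LDIF.

The smbd log shows the search ldapsam performs:
    base   => [dc=comind,dc=io]
    filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))]
NSS (`id zzuser`) only needs posixAccount; ldapsam additionally needs the
sambaSamAccount object class. This compares the two views for each uid.
"""

# Constructed sample LDIF (not taken from the poster's directory): jan has a
# full sambaSamAccount, zzuser is a plain posixAccount as a fresh LDAP user
# created without Samba attributes would be. SID and hash are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE_LDIF = f"""\
dn: uid=jan,ou=People,dc=comind,dc=io
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jan
uidNumber: 1001
gidNumber: 100
homeDirectory: /knox/home/jan
sambaSID: {DOMAIN_SID}-3002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]

dn: uid=zzuser,ou=People,dc=comind,dc=io
objectClass: inetOrgPerson
objectClass: posixAccount
uid: zzuser
uidNumber: 1104
gidNumber: 100
homeDirectory: /knox/home/zzuser
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr_lowercase: [values]} per entry.
    Handles folded continuation lines and '#' comments; base64 ('::')
    values are not needed for this demonstration."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has(entry, attr, value):
    """Case-insensitive attribute/value test, as an LDAP equality match is."""
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def nss_lookup(entries, uid):
    """What getpwnam() via nss-ldap sees: (&(uid=X)(objectClass=posixAccount))."""
    return [e for e in entries if has(e, "uid", uid) and has(e, "objectClass", "posixAccount")]


def ldapsam_lookup(entries, uid):
    """The filter from the smbd log: (&(uid=X)(objectclass=sambaSamAccount))."""
    return [e for e in entries if has(e, "uid", uid) and has(e, "objectClass", "sambaSamAccount")]


def missing_for_ldapsam(entry):
    """What the entry lacks before ldapsam can find it and check an NTLM password.
    sambaSID is MUST in the sambaSamAccount schema; sambaNTPassword is what
    NTLMv2 verification needs."""
    missing = []
    if not has(entry, "objectClass", "sambaSamAccount"):
        missing.append("objectClass: sambaSamAccount")
    for attr in ("sambaSID", "sambaNTPassword"):
        if attr.lower() not in entry:
            missing.append(attr)
    return missing


def expected_sid(domain_sid, uid_number, rid_base=1000):
    """Samba's algorithmic RID mapping: rid = uid * 2 + 'algorithmic rid base'."""
    return f"{domain_sid}-{uid_number * 2 + rid_base}"


def report(entries, uids):
    """Per uid: visible to NSS?, visible to ldapsam?, and what is missing."""
    out = {}
    for uid in uids:
        nss, sam = nss_lookup(entries, uid), ldapsam_lookup(entries, uid)
        out[uid] = {
            "nss": bool(nss),
            "ldapsam": bool(sam),
            "missing": missing_for_ldapsam(nss[0]) if nss and not sam else [],
        }
    return out


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for uid, r in report(entries, ["jan", "zzuser"]).items():
        print(f"{uid}: nss={r['nss']} ldapsam={r['ldapsam']} missing={r['missing']}")
        if r["missing"]:
            uidn = int(nss_lookup(entries, uid)[0]["uidnumber"][0])
            print(f"  algorithmic sambaSID would be {expected_sid(DOMAIN_SID, uidn)}")
```

Against the real directory, the equivalent check is the query the log already names: `ldapsearch -x -H ldap://vogon -b dc=comind,dc=io '(&(uid=zzuser)(objectclass=sambaSamAccount))'` returning no entry while `ldapsearch ... '(uid=zzuser)'` does is the same zero-count result `ldapsam_getsampwnam` reports.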
