Cannot access an SMB share on an AD-joined CentOS 7 server from a workgroup PC

I am trying to connect to an SMB share configured on an AD-integrated CentOS 7 server from a PC that is not joined to the domain, over the network, and the connection fails with the error "The trust relationship between this workstation and the primary domain failed". This error occurs regardless of how I enter the user name in the share login dialog (e.g. username, domain\username, domain.com\username or username@domain.com). It also does not matter which OS is on the non-domain computer. I get the same result on Win XP, 7 and 10 as long as the machine is not joined to the domain.

Connecting to the same share from an AD-joined computer with the same credentials works flawlessly.

The Samba version running on the server is 4.4.4; AD integration is done with SSSD.

Samba configuration:

[global]
workgroup = DOMAIN
server string = Samba srv ver %v
max protocol = SMB3

map untrusted to domain = Yes

# Log...
log file = /var/log/samba/%m.log
max log size = 50
log level = 3

security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = DOMAIN.COM

create mode = 644
directory mode = 755

default case = lower
hide dot files = true

unix extensions = no
allow insecure wide links = yes
follow symlinks = yes

#printers
load printers = yes
cups options = raw
printcap name = /etc/printcap
printing = cups

#Test share:
[share]
   comment = Test Share
   path = /var/test
   public = no
   writable = true
   guest ok = no
   #user1 is domain user (OK from domain join PC, NOK from workgrp PC)
   valid users = @"domain users@domain.com" user1

sssd.conf:

[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam, ifp

[domain/domain.com]
ad_domain = domain.com
auth_provider = ad
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

SMB log for the connection attempt from the non-domain computer:

[2017/05/01 14:24:37.300092,  3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2017/05/01 14:24:37.300280,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 108 (0 toread)
[2017/05/01 14:24:37.300412,  3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/05/01 14:24:37.440766,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/05/01 14:24:37.442468,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[domain] workstation=[3060-W7U-502292] len1=24 len2=302
[2017/05/01 14:24:37.442527,  3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/05/01 14:24:37.442579,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2017/05/01 14:24:37.442659,  3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2017/05/01 14:24:37.442795,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[share]"
[2017/05/01 14:24:37.444445,  3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2017/05/01 14:24:37.444605,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.445186,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 192.168.1.10
[2017/05/01 14:24:37.445226,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.445530,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.547935,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.548715,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.548759,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.548775,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.549680,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.549699,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.549746,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.549783,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.549797,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.549805,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.550315,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.550329,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.550983,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [domain]\[user1]@[3060-W7U-502292] with the new password interface
[2017/05/01 14:24:37.551003,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain]\[user1]@[3060-W7U-502292]
[2017/05/01 14:24:37.551080,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.551481,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 192.168.1.10
[2017/05/01 14:24:37.551523,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.551777,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.653364,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.654407,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.654448,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.654464,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.654937,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.654952,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.654990,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.655000,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.655009,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.655022,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.655515,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.656269,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.658575,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.658613,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.658627,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.659571,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.659589,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.659625,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.659635,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.659643,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.659651,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.660838,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.661344,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.662126,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.662164,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.662178,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.663428,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.663445,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.663473,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.663482,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.663490,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.663497,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.667426,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.667512,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/05/01 14:24:37.667560,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2017/05/01 14:24:37.667584,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2017/05/01 14:24:37.667628,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/05/01 14:24:37.668447,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
asked 3 May 2017 at 15:54

1 answer

The problem is partially solved. On the domain controller we changed the setting "Network security: LAN Manager authentication level" from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated". However, because of the security problems of LM\NTLM I don't really like this solution. So if anyone can point to a better one, I would be very, very grateful!

answered 5 December 2019 at 08:16
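Editor's added example (not part of the question or the answer): a small triage script for the smbd level-3 trace quoted above. It decodes the client's NTLMSSP negotiate flags, reads the user/domain/workstation line, counts how often smbd's own pass-through session setup to the DC was refused, and extracts the NT_STATUS finally returned, so a defender can tell from the log alone whether the client sent an NTLMv2 response and where the chain broke. It assumes the Samba log format shown in the question and that `len2` on the `ntlmssp_server_preauth` line is the NT response length (24 bytes for NTLMv1, longer for NTLMv2); the sample log is a constructed excerpt with the same values as the question.

```python
import re

# Constructed excerpt in the format of the smbd level-3 log above (same user, flags, status).
SAMPLE_LOG = """\
[2017/05/01 14:24:37.440766,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/05/01 14:24:37.442468,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[domain] workstation=[3060-W7U-502292] len1=24 len2=302
[2017/05/01 14:24:37.655515,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.660838,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.667426,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.667512,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/05/01 14:24:37.667560,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

# Subset of the NTLMSSP NEGOTIATE flag bits (MS-NLMP 2.2.2.5) that matter for this trace.
NTLMSSP_FLAGS = {
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}

def decode_flags(value):
    """Names of the known flag bits set in an NTLMSSP neg_flags value, low bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def summarize_session_setup(log_text):
    """Triage one smbd session-setup trace: who tried, NTLMv1 or v2, DC pass-through outcome."""
    s = {"client_flags": None, "user": None, "ntlm_variant": None,
         "dc_passthrough_failures": 0, "dc_unavailable": False, "final_status": None}
    for line in log_text.splitlines():
        m = re.search(r"neg_flags=0x([0-9a-fA-F]+)", line)
        if m and s["client_flags"] is None:   # first neg_flags line is the client's NEGOTIATE
            s["client_flags"] = decode_flags(int(m.group(1), 16))
        m = re.search(r"user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\] len1=(\d+) len2=(\d+)", line)
        if m:
            s["user"] = f"{m.group(2)}\\{m.group(1)}@{m.group(3)}"
            s["ntlm_variant"] = "NTLMv2" if int(m.group(5)) > 24 else "NTLMv1"  # len2 = NT response length
        if "SPNEGO login failed: Access denied" in line:
            s["dc_passthrough_failures"] += 1  # smbd's own session setup toward the DC was refused
        s["dc_unavailable"] |= "Domain password server not available" in line
        m = re.search(r"FAILED with error (NT_STATUS_\w+)", line)
        if m:
            s["final_status"] = m.group(1)
    return s
```

On the question's trace this reports an NTLMv2 client response with LM_KEY and NTLM still offered, three refused pass-through attempts to the DC, and the final NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE, which is the same picture the log shows by hand.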
