2 votes

How do you connect to a Samba share from macOS when using a Microsoft account?

I have configured Samba to use the same username and password as my Microsoft account, so on Windows authentication is automatic when opening the shares. However, with the same configuration I cannot connect from macOS 10.14; I get an authentication error.

I am serving from Ubuntu 19.04 with samba 4.10.0+dfsg-0ubuntu2.4.

  • There is a normal Linux account for each user, with the username set as user@example.com.
  • The Linux accounts have their shell set to /usr/sbin/nologin.
  • The password is the same as the Microsoft account's.
  • Samba accounts have also been added, with the same username and password.

When I connect from Windows 10, I see that it sends a domain of MicrosoftAccount and it works fine. It also works fine from Samba's smbclient.

From macOS, it doesn't matter whether I send MicrosoftAccount\user@example.com or user@example.com as the username; it always sends the domain as example.com and authentication fails. I see the same behavior in Finder and with smbview.

I was able to work around this by adding username map = /etc/samba/username_map to [global] in smb.conf, with a line user@example.com = user.

Is there any setting on the macOS side to make it respect the domain as specified? Or is this a standard configuration that most NAS devices and other drives will use so that they work with macOS?

Edit: Here is a log entry from a failed authentication, trying as microsoftaccount\user@example.com. Notably, the first authentication line shows example.com, and not microsoftaccount, as the domain:

[2019/10/06 00:22:54.879743,  3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth) Got user=[microsoftaccount\user] domain=[example.com] workstation=[MAC] len1=24 len2=184

[2019/10/06 00:22:54.740866,  3] ../../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.20.104 (192.168.20.104)
[2019/10/06 00:22:54.741239,  3] ../../source3/smbd/oplock.c:1422(init_oplocks)
  init_oplocks: initializing messages.
[2019/10/06 00:22:54.741382,  3] ../../source3/smbd/process.c:1948(process_smb)
  Transaction 0 of length 73 (0 toread)
[2019/10/06 00:22:54.741464,  3] ../../source3/smbd/process.c:1541(switch_message)
  switch message SMBnegprot (pid 2332) conn 0x0
[2019/10/06 00:22:54.774931,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [NT LM 0.12]
[2019/10/06 00:22:54.775036,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.002]
[2019/10/06 00:22:54.775114,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.???]
[2019/10/06 00:22:54.775380,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2019/10/06 00:22:54.836522,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2019/10/06 00:22:54.836625,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2019/10/06 00:22:54.836700,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2019/10/06 00:22:54.836786,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2019/10/06 00:22:54.836845,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2019/10/06 00:22:54.837231,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2019/10/06 00:22:54.837334,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2019/10/06 00:22:54.837408,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2019/10/06 00:22:54.837486,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/10/06 00:22:54.837566,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2019/10/06 00:22:54.837639,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2019/10/06 00:22:54.837751,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2019/10/06 00:22:54.837827,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'krb5' registered
[2019/10/06 00:22:54.841888,  3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2019/10/06 00:22:54.842332,  3] ../../source3/smbd/negprot.c:771(reply_negprot)
  Selected protocol SMB 2.???
[2019/10/06 00:22:54.844972,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_02
[2019/10/06 00:22:54.874939,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2019/10/06 00:22:54.879743,  3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[microsoftaccount\user] domain=[example.com] workstation=[MAC] len1=24 len2=184
[2019/10/06 00:22:54.879870,  3] ../../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/10/06 00:22:54.880055,  3] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2019/10/06 00:22:54.880219,  3] ../../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2019/10/06 00:22:54.880649,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[printers]"
[2019/10/06 00:22:54.880859,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[print$]"
[2019/10/06 00:22:54.881558,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[photos]"
[2019/10/06 00:22:54.881761,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  adding IPC service
[2019/10/06 00:22:54.882109,  3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [example.com]\[microsoftaccount\user]@[MAC] with the new password interface
[2019/10/06 00:22:54.882189,  3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [example.com]\[microsoftaccount\user]@[MAC]
[2019/10/06 00:22:54.882352,  3] ../../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'microsoftaccount\user' in passdb.
[2019/10/06 00:22:54.889113,  2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [microsoftaccount\user] -> [microsoftaccount\user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/10/06 00:22:54.889240,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [example.com]\[microsoftaccount\\user] at [Sun, 06 Oct 2019 00:22:54.889207 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MAC] remote host [ipv4:192.168.20.104:51103] mapped to [example.com]\[microsoftaccount\\user]. local host [ipv4:192.168.20.177:445]
  {"timestamp": "2019-10-06T00:22:54.889398+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "example.com", "clientAccount": "microsoftaccount\\user", "workstation": "MAC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "microsoftaccount\\user", "mappedDomain": "example.com", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 14644}}
[2019/10/06 00:22:54.889565,  3] ../../source3/auth/auth_util.c:2192(do_map_to_guest_server_info)
  No such user microsoftaccount\user [example.com] - using guest account
[2019/10/06 00:22:54.903462,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2019/10/06 00:22:54.907333,  3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[microsoftaccount\user] domain=[SAMBA] workstation=[MAC] len1=24 len2=184
[2019/10/06 00:22:54.907430,  3] ../../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/10/06 00:22:54.907519,  3] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2019/10/06 00:22:54.907650,  3] ../../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2019/10/06 00:22:54.907903,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[printers]"
[2019/10/06 00:22:54.907995,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[print$]"
[2019/10/06 00:22:54.917347,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[photos]"
[2019/10/06 00:22:54.917663,  3] ../../source3/param/loadparm.c:1621(lp_add_ipc)
  adding IPC service
[2019/10/06 00:22:54.917730,  3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [SAMBA]\[microsoftaccount\user]@[MAC] with the new password interface
[2019/10/06 00:22:54.917852,  3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SAMBA]\[microsoftaccount\user]@[MAC]
[2019/10/06 00:22:54.918003,  3] ../../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'microsoftaccount\user' in passdb.
[2019/10/06 00:22:54.918070,  2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [microsoftaccount\user] -> [microsoftaccount\user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/10/06 00:22:54.918190,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [SAMBA]\[microsoftaccount\\user] at [Sun, 06 Oct 2019 00:22:54.918167 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MAC] remote host [ipv4:192.168.20.104:51103] mapped to [SAMBA]\[microsoftaccount\\user]. local host [ipv4:192.168.20.177:445]
  {"timestamp": "2019-10-06T00:22:54.918332+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "SAMBA", "clientAccount": "microsoftaccount\\user", "workstation": "MAC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "microsoftaccount\\user", "mappedDomain": "SAMBA", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 15008}}
[2019/10/06 00:22:54.918523,  3] ../../source3/auth/auth_util.c:2192(do_map_to_guest_server_info)
  No such user microsoftaccount\user [SAMBA] - using guest account
[2019/10/06 00:22:54.931366,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2019/10/06 00:22:54.935125,  3] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[user] domain=[example.com@\samba.lan] workstation=[MAC] len1=24 len2=184
[2019/10/06 00:22:54.935213,  3] ../../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/10/06 00:22:54.935573,  3] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2019/10/06 00:22:54.935798,  3] ../../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2019/10/06 00:22:54.936127,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[printers]"
[2019/10/06 00:22:54.936260,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[print$]"
[2019/10/06 00:22:54.936359,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[photos]"
[2019/10/06 00:22:54.937227,  2] ../../source3/param/loadparm.c:2803(lp_do_section)
[2019/10/06 00:22:54.937520,  3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [example.com@\samba.lan]\[user]@[MAC] with the new password interface
[2019/10/06 00:22:54.937590,  3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [example.com@\samba.lan]\[user]@[MAC]
[2019/10/06 00:22:54.937705,  3] ../../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'user' in passdb.
[2019/10/06 00:22:54.937775,  2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/10/06 00:22:54.937878,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [example.com@\\samba.lan]\[user] at [Sun, 06 Oct 2019 00:22:54.937855 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MAC] remote host [ipv4:192.168.20.104:51103] mapped to [example.com@\\samba.lan]\[user]. local host [ipv4:192.168.20.177:445]
  {"timestamp": "2019-10-06T00:22:54.937988+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.20.177:445", "remoteAddress": "ipv4:192.168.20.104:51103", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "example.com@\\samba.lan", "clientAccount": "user", "workstation": "MAC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "user", "mappedDomain": "example.com@\\samba.lan", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 6752}}
[2019/10/06 00:22:54.938073,  3] ../../source3/auth/auth_util.c:2192(do_map_to_guest_server_info)
  No such user user [example.com@\samba.lan] - using guest account

And here is my smb.conf:

[global]
   log level = 3
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

   # Mapping users for macOS clients
   # username map = /etc/samba/username_map

   # Netatalk support
   vfs objects = catia fruit streams_xattr
   fruit:encoding = native
   fruit:resource = file
   fruit:metadata = netatalk
   fruit:locking = netatalk
   fruit:copyfile = yes
   ea support = Yes
   hide files = /.DS_Store/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/Temporary Items/.TemporaryItems/.VolumeIcon.icns/Icon?/.FBCIndex/.FBCLockFolder/

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[photos]
  comment = photos
  browseable = yes
  valid users = user@example.com
  force user = media
  writeable = yes
  path = /main/photos
  create mask = 0774
  directory mask = 0775
  inherit permissions = yes
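
Added example, not part of the original question: a Python triage over the JSON Authentication records that the log above contains, showing which domain/account pair each attempt actually sent and whether a username map line like the one quoted in the question would resolve the account. The sample records are cut down from the log above, and the map parser is a simplification (no quoting, "!" or "@group" handling); with map to guest = bad user set as in the smb.conf above, each of these failures falls back to the guest account, as the log's "using guest account" lines show.

```python
import json

# Constructed sample: JSON auth records cut down from the log in the question
SAMPLE_LOG = r'''
[2019/10/06 00:22:54.889240,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "clientDomain": "example.com", "clientAccount": "microsoftaccount\\user"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "clientDomain": "SAMBA", "clientAccount": "microsoftaccount\\user"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "clientDomain": "example.com@\\samba.lan", "clientAccount": "user"}}
'''

# The mapping line from the question (format: unix_name = client_name ...)
SAMPLE_MAP = "# Mapping users for macOS clients\nuser@example.com = user\n"


def parse_auth_events(log_text):
    """Return the inner dict of every JSON "Authentication" record in a log."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable debug line, not JSON
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        if isinstance(record, dict) and record.get("type") == "Authentication":
            events.append(record.get("Authentication", {}))
    return events


def parse_username_map(map_text):
    """Map client-sent name -> Unix name (simplified; lower-cased by this sketch)."""
    mapping = {}
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix_name, clients = line.split("=", 1)
        for client in clients.split():
            mapping[client.lower()] = unix_name.strip()
    return mapping


def triage(events, mapping):
    """Per NO_SUCH_USER failure: (sent domain, sent account, mapped Unix name or None)."""
    return [(e.get("clientDomain"), e.get("clientAccount"),
             mapping.get((e.get("clientAccount") or "").lower()))
            for e in events if e.get("status") == "NT_STATUS_NO_SUCH_USER"]


if __name__ == "__main__":
    for row in triage(parse_auth_events(SAMPLE_LOG), parse_username_map(SAMPLE_MAP)):
        print(row)
```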

1 vote

Oskar Points 1242

You don't have to do anything on macOS other than open Finder and connect using Command-K (Connect to Server).

When the dialog appears, enter your UPN or domain\user.name@this.that, enter the correct password and, optionally, save it to the keychain.

Anything you do to edit the /etc files will complicate things, so I would revert them. If you want to lightly bind the user account to a directory, you can look at things like Apple Enterprise Connect, NoMAD or Jamf Connect. Binding the Mac to AD causes a lot of pain, so most professionals avoid that now and use a different tool if the out-of-the-box setup with Keychain can't be used.
