We are running a file-sharing server on macOS 10.15 that is bound (for reasons outside my control) to a bare openldap (slapd) server running on Ubuntu Server 18.04. The LDAP server uses a "self-signed" certificate on its SSL interface, since the organization I am in has its own CA.
After some magic to load the apple.schema and populate the Apple GUIDs for each user/group, all the services we offer to our LDAP-bound Mac clients (AFP, screen sharing, ssh, etc.) successfully authenticate the authorized network users/groups, except for SMB. Right now I am trying to get SMB sharing working from a Mac client to the file share.
Some notes:
- Initially, SMB did not work for local non-admin accounts either. I manually added the SMB SACL group, com.apple.access_smb, since it was not there by default. That fixes the access problems for local accounts, but not for network accounts. I am not sure why it does not ship with that group, since the PAM module references it specifically:

% cat /etc/pam.d/smbd
# smbd: service ACL account management support
account required pam_sacl.so sacl_service=smb allow_trustacct
session required pam_permit.so

I can confirm that my network user is a member:

% dseditgroup -o checkmember -m $USER com.apple.access_smb
yes $USER is a member of com.apple.access_smb
- Following the instructions at https://support.apple.com/en-us/HT204021, I have disabled the validation negotiation requests from the client and only allowed SMB v2 on the server. There are no "authenticated binds" or Open Directory replica options, as the link also notes.
- The LDAP binding configuration in Directory Utility uses custom mappings and authenticates as a read-only user. I have added a few custom mappings for the apple-* attributes and other things, and included the odutil output at the bottom in case there is an obvious mapping I am missing.
- Tailing the debug logs while trying to mount shares over SMB as a network user shows some ocspd errors, so for the moment I have added

127.0.0.1 ocsp.apple.com

to my /etc/hosts.
In short, I still cannot get network users to mount shares over SMB. From the client, the login dialog fails with an invalid "handshake" request. On the file server, I get the following from smbdiagnose. Note that we still have the ocspd error, and the line

smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a

does not seem to lead anywhere...
smbd: (Security) [com.apple.securityd:security_exception] mach error: 1100
smbd: (Security) [com.apple.securityd:ocspdError] ocspdGlobals: error contacting server
smbd: (Security) [com.apple.securityd:ocspdError] ocspdTrustSettingsRead: OCSPD server error
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings: record not found for domain 1
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings(domain 1) destructor
smbd: (Security) [com.apple.securityd:trustSettings] tsGetGlobalTrustSettings: could not connect to ocspd for domain (1)
smbd: (Security) [com.apple.securityd:trustSettingsEval] evaluateCert: no trust settings
smbd: (Security) [com.apple.securityd:trustSettings] SecTrustSettingsEvaluateCert: found in domain 2
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -2
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/Info.plist,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeTopDirectory error=-10
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] 7 fcntl(48,0x1) = 0
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:staticCode] 0x7fb40041c908 loaded InfoDict 0x7fb401a14790
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeEntitlements error=-10
smbd: (Security) [com.apple.securityd:handleobj] create 0x7fb401a0fd1d for 0x7fb401a0fd00
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 attached module 0x7fb40052ee50(AppleX509CL) (ssid 0 type 8)
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 detach module 0x7fb40052ee50(AppleX509CL)
smbd: (Security) [com.apple.securityd:unixio] close(8) err: 0
smbd: logoff_dequeue_session: Processing session id: 0xc86e29a600000001
smbd: handle_logoff_event: Session not in active state, sessid: 0xc86e29a600000001, state: 1
smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a
Does anyone have any suggestions on other avenues to try regarding Samba authenticating against an openldap server? Is it possible at all? If not, is there an alternative file-sharing protocol that would let both macOS and Windows clients mount the shares?
Thanks for any help you can provide!
The OD configuration for the LDAP server, as mentioned:
% sudo odutil show configuration /LDAPv3/$LDAP_SERVER
{
description = "$LDAP_SERVER";
mappings = {
attributes = (
objectClass
);
function = "ldap:translate_recordtype";
recordtypes = {
"dsRecTypeStandard:Groups" = {
attributetypes = {
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:GeneratedUID" = {
native = "apple-generateduid";
};
"dsAttrTypeStandard:GroupMembers" = {
native = "apple-group-memberguid";
};
"dsAttrTypeStandard:GroupMembership" = {
native = memberUid;
};
"dsAttrTypeStandard:Member" = {
native = memberUid;
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:PrimaryGroupID" = {
native = gidNumber;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = cn;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
posixGroup,
"apple-group"
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:Mounts" = {
attributetypes = {
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:RecordName" = {
native = cn;
};
"dsAttrTypeStandard:VFSDumpFreq" = {
native = mountDumpFrequency;
};
"dsAttrTypeStandard:VFSLinkDir" = {
native = mountDirectory;
};
"dsAttrTypeStandard:VFSOpts" = {
native = mountOption;
};
"dsAttrTypeStandard:VFSPassNo" = {
native = mountPassNo;
};
"dsAttrTypeStandard:VFSType" = {
native = mountType;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
mount
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:OrganizationalUnit" = {
attributetypes = {
"dsAttrTypeStandard:AddressLine1" = {
native = street;
};
"dsAttrTypeStandard:City" = {
native = l;
};
"dsAttrTypeStandard:Comment" = {
native = description;
};
"dsAttrTypeStandard:Country" = {
native = c;
};
"dsAttrTypeStandard:FAXNumber" = {
native = facsimileTelephoneNumber;
};
"dsAttrTypeStandard:Password" = {
native = userPassword;
};
"dsAttrTypeStandard:PhoneNumber" = {
native = telephoneNumber;
};
"dsAttrTypeStandard:PostalAddress" = {
native = postalAddress;
};
"dsAttrTypeStandard:PostalCode" = {
native = postalCode;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = ou;
};
"dsAttrTypeStandard:State" = {
native = st;
};
"dsAttrTypeStandard:Street" = {
native = street;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
organizationalUnit
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:People" = {
attributetypes = {
"dsAttrTypeStandard:AddressLine1" = {
native = street;
};
"dsAttrTypeStandard:Building" = {
native = buildingName;
};
"dsAttrTypeStandard:City" = {
native = l;
};
"dsAttrTypeStandard:Country" = {
native = c;
};
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:Department" = {
native = departmentNumber;
};
"dsAttrTypeStandard:EMailAddress" = {
native = mail;
};
"dsAttrTypeStandard:FAXNumber" = {
native = facsimileTelephoneNumber;
};
"dsAttrTypeStandard:FirstName" = {
native = givenName;
};
"dsAttrTypeStandard:HomePhoneNumber" = {
native = homePhone;
};
"dsAttrTypeStandard:JobTitle" = {
native = title;
};
"dsAttrTypeStandard:LastName" = {
native = sn;
};
"dsAttrTypeStandard:MobileNumber" = {
native = mobile;
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:OrganizationName" = {
native = o;
};
"dsAttrTypeStandard:PagerNumber" = {
native = pager;
};
"dsAttrTypeStandard:PhoneNumber" = {
native = telephoneNumber;
};
"dsAttrTypeStandard:PostalAddress" = {
native = postalAddress;
};
"dsAttrTypeStandard:PostalCode" = {
native = postalCode;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = cn;
};
"dsAttrTypeStandard:State" = {
native = st;
};
"dsAttrTypeStandard:Street" = {
native = street;
};
"dsAttrTypeStandard:UserCertificate" = {
native = "userCertificate;binary";
};
"dsAttrTypeStandard:UserPKCS12Data" = {
native = userPKCS12;
};
"dsAttrTypeStandard:UserSMIMECertificate" = {
native = userSMIMECertificate;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
inetOrgPerson
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:Users" = {
attributetypes = {
"dsAttrTypeStandard:Change" = {
native = shadowLastChange;
};
"dsAttrTypeStandard:Comment" = {
native = description;
};
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:Expire" = {
native = shadowExpire;
};
"dsAttrTypeStandard:GeneratedUID" = {
native = "apple-generateduid";
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:NFSHomeDirectory" = {
native = "#/System/Volumes/Data/Users/$uid$";
};
"dsAttrTypeStandard:Password" = {
native = userPassword;
};
"dsAttrTypeStandard:PrimaryGroupID" = {
native = gidNumber;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = uid;
};
"dsAttrTypeStandard:UniqueID" = {
native = uidNumber;
};
"dsAttrTypeStandard:UserShell" = {
native = loginShell;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
posixAccount,
inetOrgPerson,
shadowAccount,
"apple-user"
);
"Search Base" = "...";
};
};
};
};
"module options" = {
AppleODClient = {
"Server Mappings" = 0;
};
ldap = {
"Denied SASL Methods" = (
"DIGEST-MD5",
"CRAM-MD5",
NTLM,
GSSAPI
);
"LDAP Referrals" = 0;
"Template Search Base Suffix" = "...";
"Use DNS replicas" = 0;
};
};
"node name" = "$LDAP_SERVER";
options = {
"connection idle disconnect" = 60;
"connection setup timeout" = 30;
destination = {
host = "LDAP_HOST";
other = ldaps;
port = 636;
};
"man-in-the-middle" = 0;
"no cleartext authentication" = 0;
"packet encryption" = 3;
"packet signing" = 1;
"query timeout" = 60;
};
template = LDAPv3;
trustaccount = "$TRUSTED_ACCOUNT";
trustoptions = (
"system keychain"
);
trusttype = authenticated;
uuid = "...";
}
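The smbdiagnose line `gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a` is more informative than it looks once the major status is split into its RFC 2744 fields (calling error in bits 24-31, routine error in bits 16-23, supplementary flags in bits 0-15). The following decoder is an added example and not part of the original post; the constant names and values come from RFC 2744 / gssapi.h. The minor status is mechanism-specific (here the Kerberos mechanism) and is only extracted, not decoded. The sample log text is constructed: the first line is the one quoted in the post, the second is a made-up continuation round-trip for contrast.

```python
import re

# GSS-API major status layout (RFC 2744 section 3.9.1 / gssapi.h):
#   bits 24-31 calling error, bits 16-23 routine error, bits 0-15 supplementary info
GSS_C_CALLING_ERROR_OFFSET = 24
GSS_C_ROUTINE_ERROR_OFFSET = 16
GSS_C_CALLING_ERROR_MASK = 0xFF
GSS_C_ROUTINE_ERROR_MASK = 0xFF
GSS_C_SUPPLEMENTARY_MASK = 0xFFFF

CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    1 << 0: "GSS_S_CONTINUE_NEEDED", 1 << 1: "GSS_S_DUPLICATE_TOKEN",
    1 << 2: "GSS_S_OLD_TOKEN", 1 << 3: "GSS_S_UNSEQ_TOKEN", 1 << 4: "GSS_S_GAP_TOKEN",
}


def decode_major_status(major):
    """Split a GSS-API major status into named calling/routine/supplementary parts."""
    calling = (major >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK
    routine = (major >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK
    supp = major & GSS_C_SUPPLEMENTARY_MASK
    return {
        "calling_error": None if calling == 0 else CALLING_ERRORS.get(calling, "unknown(%d)" % calling),
        "routine_error": None if routine == 0 else ROUTINE_ERRORS.get(routine, "unknown(%d)" % routine),
        "supplementary": [name for bit, name in SUPPLEMENTARY_BITS.items() if supp & bit],
        # GSS_S_COMPLETE is 0; a non-zero routine/calling error means the context failed
        "failed": (calling != 0) or (routine != 0),
    }


# Matches the status line that smbd logs from gss_accept_sec_context()
LINE_RE = re.compile(
    r"gss_accept_sec_context: major_status: (0x[0-9a-fA-F]+), minor_status: (0x[0-9a-fA-F]+)"
)


def parse_gss_status_lines(log_text):
    """Pull every gss_accept_sec_context status line out of smbd log text and decode it."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        major = int(m.group(1), 16)
        minor = int(m.group(2), 16)  # mechanism-specific, left as a number
        decoded = decode_major_status(major)
        decoded["major"] = major
        decoded["minor"] = minor
        results.append(decoded)
    return results


# Constructed sample: line 1 is from the post, line 2 is a made-up continuation round-trip
SAMPLE_LOG = """\
smbd: handle_logoff_event: Session not in active state, sessid: 0xc86e29a600000001, state: 1
smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a
smbd: transact: gss_accept_sec_context: major_status: 0x1, minor_status: 0x0
"""

if __name__ == "__main__":
    for entry in parse_gss_status_lines(SAMPLE_LOG):
        print("major=0x%x routine=%s calling=%s supplementary=%s minor=0x%x" % (
            entry["major"], entry["routine_error"], entry["calling_error"],
            entry["supplementary"], entry["minor"]))
```

For the line in the post this yields routine error GSS_S_FAILURE with no calling error and no supplementary flags, i.e. the mechanism rejected the accept-context call outright rather than asking for another round trip. What went wrong inside the mechanism is only in the minor status, so the next step is to read that value through the mechanism's own status text (gss_display_status() with GSS_C_MECH_CODE, or the Kerberos trace logs on the server) rather than guessing from the major status alone.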