Nous utilisons un serveur de partage de fichiers sous MacOS 10.15 qui est lié (pour des raisons indépendantes de ma volonté) à un serveur openldap (slapd) nu fonctionnant sur Ubuntu Server 18.04. Le serveur LDAP utilise un certificat "auto-signé" sur son interface SSL, car l'organisation dans laquelle je travaille possède sa propre autorité de certification.
Après avoir fait un peu de magie pour charger le schéma apple.schema et remplir les guides apple pour chaque utilisateur/groupe, tous les services que nous offrons pour nos clients mac liés à LDAP (AFP, partage d'écran, ssh, etc.) authentifieront avec succès les utilisateurs/groupes autorisés du réseau, sauf pour le SMB . Pour l'instant, j'essaie simplement d'obtenir le partage smb d'un client mac vers le partage de fichiers.
Quelques notes :
-
Au départ, le SMB ne fonctionnait pas pour les comptes locaux non administrateurs. J'ai ajouté manuellement le groupe SACL SMB,
com.apple.access_smbcar il n'était pas présent par défaut. Il résout les problèmes d'accès pour les comptes locaux, mais pas pour les comptes réseau. Je ne sais pas pourquoi il n'est pas livré avec ce groupe puisque le module PAM y fait spécifiquement référence :% cat /etc/pam.d/smbd
smbd: service ACL account management support
account required pam_sacl.so sacl_service=smb allow_trustacct session required pam_permit.so
Je peux confirmer que l'utilisateur de mon réseau est membre,
% dseditgroup -o checkmember -m $USER com.apple.access_smb
yes $USER is a member of com.apple.access_smb-
En suivant les instructions de : https://support.apple.com/en-us/HT204021 J'ai désactivé les demandes de validation de négociation du client et autorisé uniquement SMB v2 sur le serveur. Il n'y a pas d'options pour les "liens authentifiés" ou la réplique Open Directory, comme le mentionne également le lien.
-
La configuration de la liaison LDAP dans l'utilitaire de répertoire utilise des mappages personnalisés et une authentification en tant qu'utilisateur en lecture seule. J'ai ajouté quelques mappings personnalisés pour apple-y et d'autres choses, et j'ai inclus la sortie de odutil en bas au cas où il y aurait des mappings évidents que j'aurais manqués.
-
La fin des journaux de débogage lorsque l'on essaie de monter des lecteurs partagés en utilisant SMB en tant qu'utilisateur du réseau montre quelques erreurs ocspd, donc pour l'instant j'ai ajouté
127.0.0.1 ocsp.apple.comà mon/etc/hosts.
Pour faire court, je toujours ne peut pas faire en sorte que les utilisateurs du réseau montent des disques partagés via SMB. Depuis le client, la boîte de connexion se bloque avec la requête invalide "shake". À partir du serveur de partage de fichiers, j'obtiens ce qui suit en utilisant smbdiagnose - Notez que nous avons toujours l'erreur ocspd, et la smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a ne semble aller nulle part...
smbd: (Security) [com.apple.securityd:security_exception] mach error: 1100
smbd: (Security) [com.apple.securityd:ocspdError] ocspdGlobals: error contacting server
smbd: (Security) [com.apple.securityd:ocspdError] ocspdTrustSettingsRead: OCSPD server error
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings: record not found for domain 1
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings(domain 1) destructor
smbd: (Security) [com.apple.securityd:trustSettings] tsGetGlobalTrustSettings: could not connect to ocspd for domain (1)
smbd: (Security) [com.apple.securityd:trustSettingsEval] evaluateCert: no trust settings
smbd: (Security) [com.apple.securityd:trustSettings] SecTrustSettingsEvaluateCert: found in domain 2
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -2
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/Info.plist,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeTopDirectory error=-10
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] 7 fcntl(48,0x1) = 0
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:staticCode] 0x7fb40041c908 loaded InfoDict 0x7fb401a14790
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeEntitlements error=-10
smbd: (Security) [com.apple.securityd:handleobj] create 0x7fb401a0fd1d for 0x7fb401a0fd00
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 attached module 0x7fb40052ee50(AppleX509CL) (ssid 0 type 8)
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 detach module 0x7fb40052ee50(AppleX509CL)
smbd: (Security) [com.apple.securityd:unixio] close(8) err: 0
smbd: logoff_dequeue_session: Processing session id: 0xc86e29a600000001
smbd: handle_logoff_event: Session not in active state, sessid: 0xc86e29a600000001, state: 1
smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74aEst-ce que quelqu'un a des suggestions sur d'autres voies à essayer concernant l'authentification de samba par rapport à un serveur openldap ? Est-ce même possible ? Sinon, existe-t-il un autre protocole de partage de fichiers qui permettrait de monter des disques partagés pour les clients MacOS et Windows ?
Merci pour toute aide que vous pourrez apporter !
La configuration OD pour le serveur LDAP, comme mentionné :
% sudo odutil show configuration /LDAPv3/$LDAP_SERVER
{
description = "$LDAP_SERVER";
mappings = {
attributes = (
objectClass
);
function = "ldap:translate_recordtype";
recordtypes = {
"dsRecTypeStandard:Groups" = {
attributetypes = {
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:GeneratedUID" = {
native = "apple-generateduid";
};
"dsAttrTypeStandard:GroupMembers" = {
native = "apple-group-memberguid";
};
"dsAttrTypeStandard:GroupMembership" = {
native = memberUid;
};
"dsAttrTypeStandard:Member" = {
native = memberUid;
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:PrimaryGroupID" = {
native = gidNumber;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = cn;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
posixGroup,
"apple-group"
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:Mounts" = {
attributetypes = {
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:RecordName" = {
native = cn;
};
"dsAttrTypeStandard:VFSDumpFreq" = {
native = mountDumpFrequency;
};
"dsAttrTypeStandard:VFSLinkDir" = {
native = mountDirectory;
};
"dsAttrTypeStandard:VFSOpts" = {
native = mountOption;
};
"dsAttrTypeStandard:VFSPassNo" = {
native = mountPassNo;
};
"dsAttrTypeStandard:VFSType" = {
native = mountType;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
mount
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:OrganizationalUnit" = {
attributetypes = {
"dsAttrTypeStandard:AddressLine1" = {
native = street;
};
"dsAttrTypeStandard:City" = {
native = l;
};
"dsAttrTypeStandard:Comment" = {
native = description;
};
"dsAttrTypeStandard:Country" = {
native = c;
};
"dsAttrTypeStandard:FAXNumber" = {
native = facsimileTelephoneNumber;
};
"dsAttrTypeStandard:Password" = {
native = userPassword;
};
"dsAttrTypeStandard:PhoneNumber" = {
native = telephoneNumber;
};
"dsAttrTypeStandard:PostalAddress" = {
native = postalAddress;
};
"dsAttrTypeStandard:PostalCode" = {
native = postalCode;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = ou;
};
"dsAttrTypeStandard:State" = {
native = st;
};
"dsAttrTypeStandard:Street" = {
native = street;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
organizationalUnit
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:People" = {
attributetypes = {
"dsAttrTypeStandard:AddressLine1" = {
native = street;
};
"dsAttrTypeStandard:Building" = {
native = buildingName;
};
"dsAttrTypeStandard:City" = {
native = l;
};
"dsAttrTypeStandard:Country" = {
native = c;
};
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:Department" = {
native = departmentNumber;
};
"dsAttrTypeStandard:EMailAddress" = {
native = mail;
};
"dsAttrTypeStandard:FAXNumber" = {
native = facsimileTelephoneNumber;
};
"dsAttrTypeStandard:FirstName" = {
native = givenName;
};
"dsAttrTypeStandard:HomePhoneNumber" = {
native = homePhone;
};
"dsAttrTypeStandard:JobTitle" = {
native = title;
};
"dsAttrTypeStandard:LastName" = {
native = sn;
};
"dsAttrTypeStandard:MobileNumber" = {
native = mobile;
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:OrganizationName" = {
native = o;
};
"dsAttrTypeStandard:PagerNumber" = {
native = pager;
};
"dsAttrTypeStandard:PhoneNumber" = {
native = telephoneNumber;
};
"dsAttrTypeStandard:PostalAddress" = {
native = postalAddress;
};
"dsAttrTypeStandard:PostalCode" = {
native = postalCode;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = cn;
};
"dsAttrTypeStandard:State" = {
native = st;
};
"dsAttrTypeStandard:Street" = {
native = street;
};
"dsAttrTypeStandard:UserCertificate" = {
native = "userCertificate;binary";
};
"dsAttrTypeStandard:UserPKCS12Data" = {
native = userPKCS12;
};
"dsAttrTypeStandard:UserSMIMECertificate" = {
native = userSMIMECertificate;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
inetOrgPerson
);
"Search Base" = "...";
};
};
"dsRecTypeStandard:Users" = {
attributetypes = {
"dsAttrTypeStandard:Change" = {
native = shadowLastChange;
};
"dsAttrTypeStandard:Comment" = {
native = description;
};
"dsAttrTypeStandard:CreationTimestamp" = {
native = createTimestamp;
};
"dsAttrTypeStandard:Expire" = {
native = shadowExpire;
};
"dsAttrTypeStandard:GeneratedUID" = {
native = "apple-generateduid";
};
"dsAttrTypeStandard:ModificationTimestamp" = {
native = modifyTimestamp;
};
"dsAttrTypeStandard:NFSHomeDirectory" = {
native = "#/System/Volumes/Data/Users/$uid$";
};
"dsAttrTypeStandard:Password" = {
native = userPassword;
};
"dsAttrTypeStandard:PrimaryGroupID" = {
native = gidNumber;
};
"dsAttrTypeStandard:RealName" = {
native = cn;
};
"dsAttrTypeStandard:RecordName" = {
native = uid;
};
"dsAttrTypeStandard:UniqueID" = {
native = uidNumber;
};
"dsAttrTypeStandard:UserShell" = {
native = loginShell;
};
};
info = {
"Group Object Classes" = OR;
"Object Classes" = (
posixAccount,
inetOrgPerson,
shadowAccount,
"apple-user"
);
"Search Base" = "...";
};
};
};
};
"module options" = {
AppleODClient = {
"Server Mappings" = 0;
};
ldap = {
"Denied SASL Methods" = (
"DIGEST-MD5",
"CRAM-MD5",
NTLM,
GSSAPI
);
"LDAP Referrals" = 0;
"Template Search Base Suffix" = "...";
"Use DNS replicas" = 0;
};
};
"node name" = "$LDAP_SERVER";
options = {
"connection idle disconnect" = 60;
"connection setup timeout" = 30;
destination = {
host = "LDAP_HOST";
other = ldaps;
port = 636;
};
"man-in-the-middle" = 0;
"no cleartext authentication" = 0;
"packet encryption" = 3;
"packet signing" = 1;
"query timeout" = 60;
};
template = LDAPv3;
trustaccount = "$TRUSTED_ACCOUNT";
trustoptions = (
"system keychain"
);
trusttype = authenticated;
uuid = "...";
}
