Всем день добрый =)
Знаю, что тема избитая и есть много разных мануалов по настройке аутентификации AD-пользователей win2k в самбе... но у меня ничего не получается

Что имеем: домен на Win2000
Файловый сервер: Ubuntu 9.04 Server, Samba 3.32
Сервер в домене, с включением в домен проблем не было.
Проблема возникла при подключении доменных юзеров к шаре на самбе - выдаётся сообщение, что либо пароль, либо имя юзера неверны.
Команды wbinfo -u и wbinfo -g успешно выдают доменных пользователей и группы в AD.
@venus:~$ sudo testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[TEST]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Конфиг smb.conf:
[global]
# Samba [global] settings as posted: an AD domain member (security = ads)
# that resolves domain accounts through winbind.
display charset = UTF-8
# Local GID range winbind may assign to domain groups.
# NOTE(review): the winbindd-idmap log in this post reports "idmap uid or
# idmap gid missing"; that entry is older than the other log lines, so it may
# predate these two settings -- confirm after restarting winbindd.
idmap gid = 10000-20000
# The next line, "passwd program", "unix password sync" and "pam password
# change" all concern changing local Unix passwords from Samba.
# NOTE(review): with security = ads the passwords live on the DC, so these
# are presumably leftovers from a standalone setup -- confirm they are needed.
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# smbd applies PAM account/session rules to every connection.
# NOTE(review): the post says PAM edits broke SSH and local logins; a broken
# PAM stack can also deny share access, so verify PAM is in a known-good state.
obey pam restrictions = yes
# Only clients from this subnet are allowed to connect.
hosts allow = 192.168.1.0/24
passwd program = /usr/bin/passwd %u
cups options = raw
netbios name = VENUS
# Local UID range winbind may assign to domain users.
idmap uid = 10000-20000
dos charset = cp866
workgroup = KM
os level = 20
winbind refresh tickets = yes
security = ads
# Lets user-defined shares (usershares) be opened to guests.
# NOTE(review): confirm unauthenticated access is really intended here.
usershare allow guests = yes
max log size = 10000
log file = /var/log/samba/log.%m
wins server = 192.168.1.1
client ntlmv2 auth = Yes
# NOTE(review): this overrides the authentication chain Samba would pick on
# its own for security = ads. The smbd log in this post shows
# "check_winbind_security: ERROR! my_private_data == NULL!", which points at
# this module; try removing the line so the default chain is used, then retest.
auth methods = winbind
# NOTE(review): "guest ok" in [global] becomes the default for every share,
# and "map to guest = bad user" turns any unknown user name into a guest
# session instead of a logon failure. Together they can hide authentication
# problems and grant anonymous access; prefer enabling guest access per share
# and only where it is required.
guest ok = yes
map to guest = bad user
encrypt passwords = true
realm = INTRANET.CM.RU
# Domain accounts must be written with the domain prefix and the winbind
# separator (see "valid users" in [TEST]).
winbind use default domain = no
# NOTE(review): the optional argument of tdbsam is a path to a .tdb file,
# not a host address -- "192.168.1.1" here looks like a mistake.
passdb backend = tdbsam:192.168.1.1
server string = Venus File Server
password server = 192.168.1.1
winbind nested groups = no
unix password sync = yes
winbind enum groups = no
unix charset = UTF-8
pam password change = yes
#guest account = nobody
#username map = /etc/samba/smbusers
#Here shared folders
# Test share exported from /home/lin/TEST.
[TEST]
comment = TEST
# NOTE(review): as posted there is no separator between the domain (KM) and
# the account or group name; it may have been lost when the post was rendered.
# With "winbind use default domain = no" the names must match exactly what
# wbinfo -u / wbinfo -g print, including the separator character.
valid users = KMandrew,@KMdomain^users,@KMdomain^admins,@KMadministrators
writeable = yes
# NOTE(review): mode 777 makes every new file and directory writable (and
# files executable) by all local accounts on the server. Consider a tighter
# mask combined with a forced group once authentication works.
create mode = 777
path = /home/lin/TEST
directory mode = 777
browseable = yes
# NOTE(review): "guest ok" conflicts in intent with the "valid users"
# restriction above -- decide whether this share is anonymous or
# domain-only and keep only the matching setting.
guest ok = yes
available = yes
#valid users = YOUR_DOMAIN\username,YOUR_DOMAIN
Конфиг krb5.conf:
[logging]
# Log destinations for the Kerberos library, the KDC and kadmind.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
# Library-wide defaults for Kerberos clients on this host.
[libdefaults]
default_realm = INTRANET.CM.RU
# Kerberos 4 compatibility settings (these two keys and the v4_* keys below).
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
# NOTE(review): DES-CBC-MD5 and DES-CBC-CRC are single-DES types and are
# considered weak. Keep them only if the Windows 2000 DC cannot issue
# RC4-HMAC tickets for this host, and plan for AES once the domain supports it.
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# KDC and realm are taken from [realms] / [domain_realm], not from DNS.
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
# Maximum tolerated clock difference in seconds; Kerberos authentication
# fails beyond it, so check that this server's clock is synchronised with the DC.
clockskew = 300
# KDC and admin server for the AD realm; both point at the DC by IP address.
# The auth_to_local RULE rewrites the INTRANET.CM.RU prefix to the short
# domain name KM; any principal it does not match falls through to DEFAULT.
# NOTE(review): backslashes in the rule may have been altered when the post
# was rendered -- compare with the file on disk.
[realms]
INTRANET.CM.RU = {
kdc = 192.168.1.1
admin_server = 192.168.1.1
default_domain = INTRANET.CM.RU
auth_to_local = RULE:[1:$0\$1](^INTRANET\.CM\.RU\\.*)s/^INTRANET\.CM\.RU/KM/
auth_to_local = DEFAULT
}
# Maps DNS names under intranet.cm.ru to the Kerberos realm.
[domain_realm]
.intranet.cm.ru = INTRANET.CM.RU
intranet.cm.ru = INTRANET.CM.RU
# Kerberos 4 options for the login program.
[login]
krb4_convert = true
krb4_get_tickets = false
# Per-application settings; the "pam" block is read by the Kerberos PAM module.
# NOTE(review): "minimum_uid = 0" makes the module handle every account,
# root and system users included. The post reports being locked out of SSH
# and local logins after PAM changes; a higher threshold (the first regular
# UID) would presumably keep local accounts independent of Kerberos -- confirm
# against the installed module's documentation.
# NOTE(review): "validate = true" asks the module to verify the ticket it
# obtained, which presumably needs a working host keytab -- confirm one exists.
[appdefaults]
pam = {
mappings = KM\\(.*) $1@INTRANET.CM.RU
forwardable = true
validate = true
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
krb4_convert = false
proxiable = false
minimum_uid = 0
external = sshd
use_shmem = sshd
retain_after_close = false
try_first_pass = true
}
httpd = {
mappings = KM\\(.*) $1@INTRANET.CM.RU
reverse_mappings = (.*)@INTRANET\.CM\.RU KM\$1
}
Конфиг nsswitch.conf:
#passwd: compat lsass
# Name-service lookup order: local sources first, then the listed extra modules.
#group: compat lsass
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
# Users and groups come from local files, then winbind, then "lsass".
# NOTE(review): "lsass" is not a stock glibc NSS service; it presumably
# belongs to another AD integration package. Confirm it is installed and
# intended: two providers answering for the same domain accounts can return
# different UIDs/GIDs and confuse access checks.
passwd: compat winbind lsass
group: compat winbind lsass
shadow: compat
networks: files
# NOTE(review): the database name is spelled "protokols"; the standard name
# is "protocols", so this line is likely ignored as written.
protokols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
И вот что я имею в логах:
[2009/11/26 15:00:27, 0] smbd/service.c:make_connection_snum(744)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2009/11/26 15:00:47, 0] smbd/service.c:make_connection_snum(1000)
Can't become connected user!
[2009/11/26 15:00:49, 0] smbd/service.c:make_connection_snum(1000)
Can't become connected user!
[2009/11/26 15:16:22, 0] smbd/service.c:make_connection_snum(1000)
Can't become connected user!
[2009/11/26 14:39:30, 0] auth/auth_winbind.c:check_winbind_security(101)
check_winbind_security: ERROR! my_private_data == NULL!
[2009/11/26 14:39:30, 0] auth/auth_winbind.c:check_winbind_security(101)
check_winbind_security: ERROR! my_private_data == NULL!
Лог smbd:
[2009/11/26 15:14:36, 0] lib/util_sock.c:get_peer_addr_internal(1676)
getpeername failed. Error was Transport endpoint is not connected
Лог winbindd:
[2009/11/26 14:57:04, 1] libads/cldap.c:recv_cldap_netlogon(157)
no reply received to cldap netlogon
[2009/11/26 14:58:00, 1] libads/cldap.c:recv_cldap_netlogon(157)
no reply received to cldap netlogon
[2009/11/26 14:59:49, 1] libads/cldap.c:recv_cldap_netlogon(157)
no reply received to cldap netlogon
Лог winbindd-dc-connect:
[2009/11/26 15:17:04, 1] rpc_client/cli_pipe.c:rpc_pipe_destructor(2362)
rpc_pipe_destructor: cli_close failed on pipe host km-main.intranet.cm.ru, pipe \NETLOGON, fnum 0xc005. Error was SUCCESS - 0
[2009/11/26 15:17:09, 1] libads/cldap.c:recv_cldap_netlogon(157)
no reply received to cldap netlogon
[2009/11/26 15:17:09, 1] libads/cldap.c:recv_cldap_netlogon(157)
no reply received to cldap netlogon
Лог winbindd-idmap:
[2009/11/26 13:30:49, 1] winbindd/idmap_tdb.c:idmap_tdb_alloc_init(341)
idmap uid or idmap gid missing
[2009/11/26 13:30:49, 0] winbindd/idmap.c:idmap_alloc_init(587)
ERROR: Initialization failed for alloc backend, deferred!
Естественно, что по много раз гуглил по теме указанных ошибок, но их решения приводят только к худшему
Изменения параметров в PAM по тем "рабочим" примерам, что я нашёл тут на сайте и в инете, постоянно приводят к тому, что я либо не могу залогиниться удалённо по SSH, либо даже локально, ну а про пользователей и говорить нечего

Заранее благодарю всех, кто откликнется !! Ибо у самого уже идей нет
