[samba] winbind samba Active directory.....

Intars Locmelis intars.locmelis на gmail.com
Чт Апр 12 16:57:47 MSD 2007


U menja nepoluchajetsja zapustits sambu s avtorizacijei na Active Directory.
V principe takoe prechustvie shto nesrabativajet naslednosti grupp v Active
directory. Jesli na sharu zapisivaju valid user = domain\username vsjo
rabotajet, a jesli tuda stavlju domennuju gruppu, nechavo
njepaluchajetsa.... v logah pokazijajet wrong password ili no such user!
Pri etom vse komandi vidajut pravilnije znachenija!
kinit rabotajet
getent group vidajot vse domennije grupi
getent passwd vidajot vse domennije usera
id vidajot gid dlja domennih juzerov
pam rabotajet i cherez konsolj domennije juzera mozhet zalogonitsja na
freebsd, tolko home papochki nerabotajut...
getent groupmap list  - pokazivajet shto netu nekokogo mappinga grupp

FreeBSD 6.2, samba 3.0.24

No na sharing nepuskajet, jesli prava dostupa prapisivajetsa na grupi!!!

Faili konfiguracii:

#smb.conf

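# smb.conf — Samba 3.0.24 on FreeBSD 6.2, member server of the CA.VP AD domain
# (security = ADS, winbind supplies domain users/groups). Read by Samba's own
# parser: full-line comments start with '#' or ';', one "name = value" per line.

[global]
    workgroup = CA
    server string = Serveris
    realm = CA.VP
    security = ADS
    # one log per session user (%U is the user name substitution)
    log file = /var/log/samba/log.%U
    # kilobytes
    max log size = 150
    # keep this on ONE line: a wrapped second line is read as an unknown parameter
    socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 0
    dns proxy = no
    case sensitive = no
    nt acl support = Yes
    inherit acls = yes
    map acl inherit = yes
    # uid/gid ranges winbind allocates for domain accounts (older names for idmap uid/gid)
    winbind uid = 100-10000000
    winbind gid = 100-10000000
    winbind enum groups = Yes
    winbind enum users = Yes
    # domain users and groups are exposed without the "CA\" prefix
    winbind use default domain = Yes
    time server = Yes
    # Samba substitutions are %D (domain) and %U (user); the previous "D%/U%"
    # was taken literally, so no real home directory path was ever produced
    template homedir = /home/%D/%U
    # was set twice (/bin/bash, then /bin/sh); Samba keeps the last value, and
    # bash is not part of the FreeBSD base system anyway
    template shell = /bin/sh
    hide files = /*.ini/*RECYCLER*/*.db/*.tmp/*.rdp/

[Dati]
    comment = Dati
    path = /dati/share
    # a group name must be prefixed with '@' (or '+'); without it Samba looks for
    # a USER called "domain users", which is why the group form was rejected.
    # With "winbind use default domain = Yes" the group is also known as plain
    # "domain users", so @"domain users" should resolve as well.
    valid users = @"CA\domain users"
    writable = yes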


#nsswitch.conf

# nsswitch.conf — local files are consulted first, winbind (the AD domain) second
# for users and groups; hosts go to files then DNS.
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
# NOTE(review): FreeBSD's nsswitch.conf(5) does not list a "shadow" database
# (credentials come through the passwd lookup); this line is probably ignored — confirm
shadow: files winbind
passwd_compat: nis
shells: files

#krb5.conf - (Heimdal)

# Heimdal krb5.conf for the CA.VP Active Directory realm.
[libdefaults]
        default_realm = CA.VP
	# largest tolerated clock difference to the KDC, in seconds
	clockskew = 300
	# realm and KDC discovery through DNS (SRV / TXT records)
	dns_lookup_realm = true
	dns_lookup_kdc = true
	# Kerberos 4 compatibility settings; they look copied from the stock example
	# file and play no part in the Kerberos 5 exchange with AD — NOTE(review): confirm, then consider dropping
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	
[realms]
	# the AD domain controllers acting as KDCs, tried in the order listed;
	# admin_server is only used for kadmin traffic
	CA.VP = {
		kdc = MAJOR.CA.VP
		kdc = CAPTAIN.CA.VP
		admin_server = MAJOR.CA.VP
	}
	# example realm from the sample krb5.conf, not referenced by this setup —
	# NOTE(review): confirm nothing uses it, then remove
	OTHER.REALM = {
		v4_instance_convert = {
			kerberos = kerberos
			computer = computer.some.other.domain
		}
	}
# host names under .ca.vp map to the CA.VP realm
# NOTE(review): the bare "ca.vp = CA.VP" entry is usually added alongside — confirm whether it is needed
[domain_realm]
	.ca.vp = CA.VP

# PAM configuration for the "login" service

# PAM stack for "login": winbind (domain) is tried first, local pam_unix is the fallback.
# auth: a password accepted by winbind ends the stack ("sufficient"); otherwise
# pam_unix re-checks the same password (try_first_pass) without extra warnings
auth		sufficient	/usr/local/lib/pam_winbind.so		
auth		required	pam_unix.so		no_warn try_first_pass

# account: domain accounts are validated by winbind, local accounts by pam_unix
account		sufficient	/usr/local/lib/pam_winbind.so
account		required	pam_unix.so

# session: pam_mkhomedir creates a missing home directory at login, using the
# path winbind reports for the user (see template homedir in smb.conf).
# NOTE(review): "umask=0700" is a umask, not a mode — with the usual pam_mkhomedir
# semantics the directory ends up 0077 (no owner access, group/other rwx);
# umask=0077 gives the private 0700 directory most likely intended. Confirm
# against the port's man page.
session		include		system
session		required	/usr/local/lib/pam_mkhomedir.so umask=0700
session		required	pam_permit.so
session		sufficient	/usr/local/lib/pam_winbind.so

# password: password changes go through the system stack first, then winbind
password	include		system
password	sufficient	/usr/local/lib/pam_winbind.so

