[samba] Не работает winbind
Дмитрий
ddv на nevod.ru
Чт Окт 11 08:12:27 MSD 2007
Доброе время суток!
Есть связка AltLinuxServer4.0+Samba-3.0.26a+OpenLDAP.
Samba является контроллером домена.
Контроллер домена работает великолепно. Но хочется сюда прикрутить ещё
и Squid.
Для этого, как я понимаю, должен корректно работать winbind, но у меня
это не так.
# wbinfo -p
Ping to winbindd succeeded on fd 4
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -g
BUILTIN на users
# wbinfo -u
Error looking up domain users
# net user
Password:
root
nobody
tester1
tester2
tester3
tester4
tester5
# wbinfo -a tester5
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user tester5 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user tester5 with challenge/response
# wbinfo -a tester5:123
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user tester5:123 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user tester5:123 with challenge/response
# getent passwd
..........
root:x:0:0:Netbios Domain Administrator:/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
tester1:x:1000:513:System User:/home/domain/tester1:/bin/bash
linuxserver$:*:1001:515:Computer:/dev/null:/bin/false
tester2:x:1003:513:System User:/home/domain/tester2:/bin/bash
tester3:x:1004:513:System User:/home/domain/tester3:/bin/bash
tester4:x:1005:513:System User:/home/domain/tester4:/bin/bash
tester5:x:1006:513:System User:/home/domain/tester5:/bin/bash
Авторизация через PAM работает как с обычными unix-пользователями, так и с
пользователями из LDAP. DNS и DHCP тоже работают.
Собственно, конфиги:
/etc/nsswitch.conf
# /etc/nsswitch.conf as posted: NSS source order per database.
# passwd/group consult ldap before winbind, so the testerN entries in the
# "getent passwd" output above are most likely served by nss_ldap, not by
# winbind; winbind only gets asked for names ldap cannot resolve.
passwd: files ldap winbind nisplus nis
# NOTE(review): as far as I know nss_winbind serves passwd/group only, so
# the winbind entry on shadow is inert (harmless).
shadow: tcb ldap winbind files nisplus nis
group: files ldap winbind nisplus nis
# NOTE(review): nisplus/nis are listed on most databases but the post
# mentions no NIS; each unreachable source can add lookup latency —
# confirm they are intended.
hosts: files nisplus nis dns
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
# NOTE(review): the next line looks like two entries fused in the paste
# ("services: files ldap" and "bootparams: nisplus [NOTFOUND=return] files");
# confirm the file on disk has them on separate lines, otherwise neither
# database is configured as intended.
services: files ldapbootparams: nisplus [NOTFOUND=return] files
netgroup: nisplus ldap
publickey: nisplus
automount: files ldap nisplus
aliases: files nisplus
/etc/nss_ldap.conf
# /etc/nss_ldap.conf as posted (read by nss_ldap for every NSS lookup).
# No ssl/tls directive: traffic to the directory is cleartext, which is
# only acceptable if 192.168.100.1 is this host — confirm.
host 192.168.100.1
base dc=domain,dc=local
# NOTE(review): NSS lookups bind as the LDAP admin DN, and this file has to
# be readable by every process that resolves names, so the admin credential
# sits in a world-readable file. An unprivileged read-only bind DN (or
# anonymous read for NSS) keeps the admin DN out of it. The same DN is
# repeated in /etc/pam_ldap.conf and as "ldap admin dn" in smb.conf.
binddn cn=admin,dc=domain,dc=local
# "secret" is presumably a placeholder for the post; if it is the real
# value it should be rotated now that it has been published.
bindpw secret
# rootbinddn's password is conventionally kept in a separate root-only
# secret file, not here — verify that file exists and is not world-readable.
rootbinddn cn=admin,dc=domain,dc=local
# seconds
timelimit 5
bind_timelimit 5
# soft: fail the lookup after the bind timeout rather than retrying
# (as I read nss_ldap's docs — confirm).
bind_policy soft
/etc/pam_ldap.conf
# /etc/pam_ldap.conf as posted: identical to /etc/nss_ldap.conf above,
# including the admin bind DN and password; see the notes there. For PAM
# an unprivileged bind DN is also sufficient, since pam_ldap authenticates
# by binding as the user being checked.
host 192.168.100.1
base dc=domain,dc=local
binddn cn=admin,dc=domain,dc=local
bindpw secret
rootbinddn cn=admin,dc=domain,dc=local
# seconds
timelimit 5
bind_timelimit 5
bind_policy soft
/etc/pam.d/sytem-auth
# /etc/pam.d/system-auth as posted.
# NOTE(review): the heading in the post spells it "sytem-auth"; if the file
# on disk really has that name, PAM never reads this stack — confirm.
# auth: pam_ldap, then pam_winbind, both "sufficient" and neither with
# use_first_pass/try_first_pass, so a user rejected by pam_ldap is most
# likely prompted a second time by pam_winbind before pam_tcb runs.
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_winbind.so
# nullok: accounts with an empty password field are accepted (pam_unix
# semantics) — confirm that is wanted on a domain controller.
auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
# Placed after the "required" pam_tcb line, so it only runs once pam_tcb
# has already decided; probably redundant — confirm it is intended.
auth sufficient pam_unix.so
account sufficient /lib/security/pam_ldap.so
account sufficient /lib/security/pam_winbind.so
account required pam_tcb.so shadow fork
# NOTE(review): use_authtok on the first module of the password stack means
# pam_ldap expects a new token set by an earlier module, but pam_passwdqc
# (which collects it) runs later; LDAP password changes through this stack
# may therefore fail — verify with an LDAP user.
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_winbind.so use_authtok
# The next two module lines appear wrapped by the mail client: the
# "passphrase=3 ..." and "count=8 nullok ..." lines are continuations of
# the lines directly above them.
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40
passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required pam_tcb.so use_authtok shadow fork prefix=$2a$
count=8 nullok write_to=tcb
password sufficient pam_unix.so nullok use_authtok md5 shadow
session optional /lib/security/pam_ldap.so
session optional /lib/security/pam_winbind.so
session required pam_tcb.so
session required pam_mktemp.so
session required pam_limits.so
session required pam_unix.so
/etc/samba.smb.conf
[global]
# smb.conf as posted: this host is the Samba 3 PDC with an ldapsam
# backend on 192.168.100.1 (the same address used as "wins server" below,
# so presumably this machine).
#panic action = /usr/share/samba/panic-action %d
# Codepages for DOS clients and for the unix/LDAP side (CP1251, not UTF-8).
dos charset = CP866
unix charset = CP1251
workgroup = DOMAIN
netbios name = LinuxServer
server string = Samba server on %h (v. %v)
# Account database over plain ldap:// (see "ldap ssl = no" below).
passdb backend = ldapsam:ldap://192.168.100.1/
enable privileges = yes
encrypt passwords = yes
# NOTE(review): with "unix password sync = no" (below) smbd never runs the
# passwd program / passwd chat, so the next four lines are inert. The
# "passwd chat" value also appears wrapped by the mail client and ends
# with an unbalanced quote — compare with the file on disk.
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype new password*" %n\n"
passwd chat debug = Yes
username map = /etc/samba/smbusers
unix password sync = no
obey pam restrictions = No
# Full debug logging: very large per-client logs (max log size is in KB)
# that record request details; drop to 1-3 once winbind is diagnosed.
log level = 10
log file = /var/log/samba/log.%m
max log size = 50000
acl compatibility = win2k
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m "%u"
# BUG(review): "delete user script" runs smbldap-useradd -m, the same
# command as "add user script"; a deletion requested from a Windows admin
# tool would run useradd instead of smbldap-userdel.
delete user script = /usr/sbin/smbldap-useradd -m "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
# The next two script settings are wrapped by the mail client: the bare
# '"%u" "%g"' and "-c 'Machine Account' ..." lines are continuations of
# the settings directly above them.
delete user from group script = /usr/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null
-c 'Machine Account' -s /bin/false '%u'
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%u
logon script = logon.bat
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap password sync = Yes
# The DN smbd writes to the directory with (its password is set separately
# with "smbpasswd -w", not in this file). The same admin DN is used as the
# read bind DN in nss_ldap.conf / pam_ldap.conf above.
ldap admin dn = cn=admin,dc=domain,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=domain,dc=local
# No TLS on the passdb or idmap connection; acceptable only if the
# directory is on this host (loopback traffic) — confirm.
ldap ssl = no
ldap user suffix = ou=Users
idmap backend = ldap:ldap://192.168.100.1/
# NOTE(review): this range overlaps the uids already assigned to the LDAP
# users in the "getent passwd" output above (1000-1006). The smb.conf
# documentation asks for an idmap range disjoint from existing unix ids;
# ids winbind allocates for foreign SIDs can otherwise collide with real
# accounts.
idmap uid = 1000-2000
idmap gid = 1000-2000
template shell = /bin/bash
# NOTE(review): neither "winbind enum users" nor "winbind enum groups" is
# set. Recent 3.0.x releases default both to No, in which case "wbinfo -u"
# failing with "Error looking up domain users" is expected behaviour and
# not a fault — check the effective values with "testparm -v".
winbind separator = @
wins server = 192.168.100.1
# Every connection authenticated as root gets root file-system rights on
# all shares.
admin users = root
acl group control = Yes
force unknown acl user = Yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
# Set globally here and again on [Profiles]; the man page intends it for
# profile shares only — the global setting affects every share.
profile acls = Yes
map acl inherit = Yes
use sendfile = Yes
# NOTE(review): disables locking for every share, including the writable
# home and profile shares; the man page warns this can corrupt files under
# concurrent access. Re-enable unless this is deliberate.
locking = No
store dos attributes = yes
guest account = nobody
# Unknown usernames are mapped to the guest account (nobody) instead of
# being rejected; combined with "guest ok = Yes" on netlogon and Profiles
# below, a mistyped name still gets a session.
map to guest = Bad User
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
# Per-user home share, writable.
comment = Home Directory for '%u'
read only = No
# 0755: files created over SMB are world-readable; tighten (e.g. 0644 or
# 0600) if home directories hold private data.
create mask = 0755
browseable = No
[netlogon]
# Serves the logon script named in [global] (logon.bat). "read only" is
# not overridden, so the share stays read-only by default; guests may read.
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
share modes = No
[Profiles]
# Roaming profile store referenced by "logon path" in [global].
path = /var/lib/samba/profiles/
# NOTE(review): guest ok on a writable profile share; "valid users" below
# should still gate access, but allowing guest-mapped logins here is not
# obviously useful — confirm it is intended.
guest ok = Yes
browseable = No
# %U = the connecting user. The group token is spelled @"Domain Admins"
# here but "@Domain Admins" in [admin]; use one spelling throughout so the
# two shares are demonstrably checking the same group.
valid users = %U @"Domain Admins"
profile acls = yes
read only = no
# Profiles are private: owner-only files and directories.
create mask = 0600
directory mask = 0700
[admin]
# NOTE(review): exports the entire root file system, writable, and
# "admin users" makes every member of Domain Admins act as root on it over
# SMB. This is the most sensitive share on the page; if it is needed at
# all, narrow the path and consider restricting it with "hosts allow".
path = /
valid users = "@Domain Admins"
admin users = "@Domain Admins"
read only = No
browseable = No
Что не так?