[samba] Не работает winbind

Дмитрий ddv на nevod.ru
Чт Окт 11 08:12:27 MSD 2007


Доброе время суток!

Есть связка AltLinuxServer4.0+Samba-3.0.26a+OpenLDAP.

Samba является контроллером домена.
Контроллер домена работает великолепно. Но хочется прикрутить сюда ещё
и Squid.

Для этого, как я понимаю, должен корректно работать winbind, но у меня
это не так.

# wbinfo -p
Ping to winbindd succeeded on fd 4

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -g
BUILTIN на users

# wbinfo -u
Error looking up domain users

# net user
Password:
root
nobody
tester1
tester2
tester3
tester4
tester5

# wbinfo -a tester5
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user tester5 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user tester5 with challenge/response

# wbinfo -a tester5:123
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user tester5:123 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user tester5:123 with challenge/response

# getent passwd
..........
root:x:0:0:Netbios Domain Administrator:/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
tester1:x:1000:513:System User:/home/domain/tester1:/bin/bash
linuxserver$:*:1001:515:Computer:/dev/null:/bin/false
tester2:x:1003:513:System User:/home/domain/tester2:/bin/bash
tester3:x:1004:513:System User:/home/domain/tester3:/bin/bash
tester4:x:1005:513:System User:/home/domain/tester4:/bin/bash
tester5:x:1006:513:System User:/home/domain/tester5:/bin/bash

Авторизация PAM работает как с обычными unix-пользователями, так и с
пользователями из LDAP. DNS и DHCP тоже работают.

Собственно, конфиги:

/etc/nsswitch.conf
passwd:     files ldap winbind nisplus nis
shadow:     tcb ldap winbind files nisplus nis
group:      files ldap winbind nisplus nis

hosts:      files nisplus nis dns

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
bootparams: nisplus [NOTFOUND=return] files

netgroup:   nisplus ldap

publickey:  nisplus

automount:  files ldap nisplus
aliases:    files nisplus


/etc/nss_ldap.conf
host 192.168.100.1
base dc=domain,dc=local
binddn cn=admin,dc=domain,dc=local
bindpw secret
rootbinddn cn=admin,dc=domain,dc=local
timelimit 5
bind_timelimit 5
bind_policy soft

/etc/pam_ldap.conf
host 192.168.100.1
base dc=domain,dc=local
binddn cn=admin,dc=domain,dc=local
bindpw secret
rootbinddn cn=admin,dc=domain,dc=local
timelimit 5
bind_timelimit 5
bind_policy soft

/etc/pam.d/system-auth
auth     sufficient /lib/security/pam_ldap.so
auth     sufficient /lib/security/pam_winbind.so
auth     required       pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth     sufficient     pam_unix.so

account  sufficient /lib/security/pam_ldap.so
account  sufficient /lib/security/pam_winbind.so
account  required       pam_tcb.so shadow fork

password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_winbind.so use_authtok
password required       pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required       pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
password sufficient     pam_unix.so nullok use_authtok md5 shadow

session  optional   /lib/security/pam_ldap.so
session  optional   /lib/security/pam_winbind.so
session  required       pam_tcb.so
session  required       pam_mktemp.so
session  required       pam_limits.so
session  required       pam_unix.so


/etc/samba/smb.conf
[global]
        #panic action = /usr/share/samba/panic-action %d
        dos charset = CP866
        unix charset = CP1251
        workgroup = DOMAIN
        netbios name = LinuxServer
        server string = Samba server on %h (v. %v)
        passdb backend = ldapsam:ldap://192.168.100.1/
        enable privileges = yes
        encrypt passwords = yes
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        passwd chat debug = Yes
        username map = /etc/samba/smbusers
        unix password sync = no
        obey pam restrictions = No
        log level = 10
        log file = /var/log/samba/log.%m
        max log size = 50000
        acl compatibility = win2k
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-useradd -m "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%u'
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%u
        logon script = logon.bat
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap password sync = Yes
	ldap admin dn = cn=admin,dc=domain,dc=local
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=domain,dc=local
        ldap ssl = no
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://192.168.100.1/
        idmap uid = 1000-2000
        idmap gid = 1000-2000
        template shell = /bin/bash
        winbind separator = @
        wins server = 192.168.100.1
        admin users = root
        acl group control = Yes
        force unknown acl user = Yes
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        profile acls = Yes
        map acl inherit = Yes
        use sendfile = Yes
        locking = No
        store dos attributes = yes
        guest account = nobody
        map to guest = Bad User
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = Home Directory for '%u'
        read only = No
        create mask = 0755
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        share modes = No

[Profiles]
        path = /var/lib/samba/profiles/
        guest ok = Yes
        browseable = No
        valid users = %U @"Domain Admins"
        profile acls = yes
        read only = no
        create mask = 0600
        directory mask = 0700

[admin]
        path = /
        valid users = "@Domain Admins"
        admin users = "@Domain Admins"
        read only = No
        browseable = No


Что не так?

