[samba] Не работает winbind
Дмитрий
ddv на nevod.ru
Чт Окт 11 16:30:26 MSD 2007
Дмитрий пишет:
> Доброе время суток!
>
> Есть связка AltLinuxServer4.0+Samba-3.0.26a+OpenLDAP.
>
> Samba является контроллером домена.
> Контроллер домена работает великолепно. Но хочется сюда прикрутить ещё
> и Squid.
>
> Для этого, как я понимаю, должен корректно работать winbind, но у меня
> это не так.
>
> # wbinfo -p
> Ping to winbindd succeeded on fd 4
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> # wbinfo -g
> BUILTIN на users
>
> # wbinfo -u
> Error looking up domain users
>
> # net user
> Password:
> root
> nobody
> tester1
> tester2
> tester3
> tester4
> tester5
>
> # wbinfo -a tester5
> plaintext password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user tester5 with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user tester5 with challenge/response
>
> # wbinfo -a tester5:123
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user tester5:123 with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user tester5:123 with challenge/response
>
> # getent passwd
> ..........
> root:x:0:0:Netbios Domain Administrator:/root:/bin/false
> nobody:x:999:514:nobody:/dev/null:/bin/false
> tester1:x:1000:513:System User:/home/domain/tester1:/bin/bash
> linuxserver$:*:1001:515:Computer:/dev/null:/bin/false
> tester2:x:1003:513:System User:/home/domain/tester2:/bin/bash
> tester3:x:1004:513:System User:/home/domain/tester3:/bin/bash
> tester4:x:1005:513:System User:/home/domain/tester4:/bin/bash
> tester5:x:1006:513:System User:/home/domain/tester5:/bin/bash
>
> Авторизация через PAM работает как с обычными unix-пользователями, так и с
> пользователями из LDAP. DNS и DHCP тоже работают.
>
> Собственно, конфиги:
>
> /etc/nsswitch.conf
> passwd: files ldap winbind nisplus nis
> shadow: tcb ldap winbind files nisplus nis
> group: files ldap winbind nisplus nis
>
> hosts: files nisplus nis dns
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
> bootparams: nisplus [NOTFOUND=return] files
>
> netgroup: nisplus ldap
>
> publickey: nisplus
>
> automount: files ldap nisplus
> aliases: files nisplus
>
>
> /etc/nss_ldap.conf
> host 192.168.100.1
> base dc=domain,dc=local
> binddn cn=admin,dc=domain,dc=local
> bindpw secret
> rootbinddn cn=admin,dc=domain,dc=local
> timelimit 5
> bind_timelimit 5
> bind_policy soft
>
> /etc/pam_ldap.conf
> host 192.168.100.1
> base dc=domain,dc=local
> binddn cn=admin,dc=domain,dc=local
> bindpw secret
> rootbinddn cn=admin,dc=domain,dc=local
> timelimit 5
> bind_timelimit 5
> bind_policy soft
>
> /etc/pam.d/system-auth
> auth sufficient /lib/security/pam_ldap.so
> auth sufficient /lib/security/pam_winbind.so
> auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
> auth sufficient pam_unix.so
>
> account sufficient /lib/security/pam_ldap.so
> account sufficient /lib/security/pam_winbind.so
> account required pam_tcb.so shadow fork
>
> password sufficient /lib/security/pam_ldap.so use_authtok
> password sufficient /lib/security/pam_winbind.so use_authtok
> password required pam_passwdqc.so min=disabled,24,12,8,7 max=40
> passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
> password required pam_tcb.so use_authtok shadow fork prefix=$2a$
> count=8 nullok write_to=tcb
> password sufficient pam_unix.so nullok use_authtok md5 shadow
>
> session optional /lib/security/pam_ldap.so
> session optional /lib/security/pam_winbind.so
> session required pam_tcb.so
> session required pam_mktemp.so
> session required pam_limits.so
> session required pam_unix.so
>
>
> /etc/samba/smb.conf
> [global]
> #panic action = /usr/share/samba/panic-action %d
> dos charset = CP866
> unix charset = CP1251
> workgroup = DOMAIN
> netbios name = LinuxServer
> server string = Samba server on %h (v. %v)
> passdb backend = ldapsam:ldap://192.168.100.1/
> enable privileges = yes
> encrypt passwords = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = "Changing password for*\nNew password*" %n\n
> "*Retype new password*" %n\n"
> passwd chat debug = Yes
> username map = /etc/samba/smbusers
> unix password sync = no
> obey pam restrictions = No
> log level = 10
> log file = /var/log/samba/log.%m
> max log size = 50000
> acl compatibility = win2k
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> printcap name = cups
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/sbin/smbldap-useradd -m "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x
> "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null
> -c 'Machine Account' -s /bin/false '%u'
> logon path = \\%L\Profiles\%U
> logon drive = H:
> logon home = \\%L\%u
> logon script = logon.bat
> domain logons = Yes
> os level = 255
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> wins support = Yes
> ldap password sync = Yes
> ldap admin dn = cn=admin,dc=domain,dc=local
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> ldap suffix = dc=domain,dc=local
> ldap ssl = no
> ldap user suffix = ou=Users
> idmap backend = ldap:ldap://192.168.100.1/
> idmap uid = 1000-2000
> idmap gid = 1000-2000
> template shell = /bin/bash
> winbind separator = @
> wins server = 192.168.100.1
> admin users = root
> acl group control = Yes
> force unknown acl user = Yes
> inherit permissions = Yes
> inherit acls = Yes
> inherit owner = Yes
> profile acls = Yes
> map acl inherit = Yes
> use sendfile = Yes
> locking = No
> store dos attributes = yes
> guest account = nobody
> map to guest = Bad User
> preserve case = yes
> short preserve case = yes
> case sensitive = no
>
> [homes]
> comment = Home Directory for '%u'
> read only = No
> create mask = 0755
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = Yes
> share modes = No
>
> [Profiles]
> path = /var/lib/samba/profiles/
> guest ok = Yes
> browseable = No
> valid users = %U @"Domain Admins"
> profile acls = yes
> read only = no
> create mask = 0600
> directory mask = 0700
>
> [admin]
> path = /
> valid users = "@Domain Admins"
> admin users = "@Domain Admins"
> read only = No
> browseable = No
>
>
> Что не так?
#wbinfo -a tester5%123
plaintext password authentication succeeded
challenge/response password authentication succeeded
Это тоже работает.
Не работает именно wbinfo -u.
Вот вывод winbindd:
winbindd -i -d3
winbindd version 3.0.26a started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
WARNING: The "acl group control" option is deprecated
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[admin]"
Processing section "[share]"
adding IPC service
added interface ip=192.168.100.1 bcast=192.168.100.255 nmask=255.255.255.0
added interface ip=192.168.100.1 bcast=192.168.100.255 nmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
initialize_winbindd_cache: clearing cache and re-creating with version
number 1
Added domain DOMAIN S-1-5-21-2911723968-3870073998-3710310165
Added domain BUILTIN S-1-5-32
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Ресурс
временно недоступен)
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
[20911]: request interface version
[20911]: request location of privileged pipe
[20911]: sid to gid S-1-1-0
[20911]: ping
[20911]: sid to gid S-1-5-2
[20911]: ping
[20911]: sid to gid S-1-5-32-546
[20909]: lookupsid S-1-5-32-546
[20909]: sid to gid S-1-5-32-546
Initializing idmap domains
Initializing idmap alloc module
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
[20911]: ping
rpc_pipe_bind: Remote machine LINUXSERVER pipe \lsarpc fnum 0x75d6 bind
request returned ok.
rpc_pipe_bind: Remote machine LINUXSERVER pipe \lsarpc fnum 0x75d7 bind
request returned ok.
lsa_io_sec_qos: length c does not match size 8
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
received from remote machine LINUXSERVER pipe \lsarpc fnum 0x75d7!
lsa_io_sec_qos: length c does not match size 8
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Receiving SMB: Server stopped responding
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Ресурс
временно недоступен)
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Receiving SMB: Server stopped responding
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Ресурс
временно недоступен)
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Receiving SMB: Server stopped responding
[20915]: request interface version
[20917]: request interface version
[20918]: request interface version
[20920]: request interface version
[20915]: request interface version
[20909]: list trusted domains
[20915]: request location of privileged pipe
[20920]: request location of privileged pipe
[20918]: request location of privileged pipe
[20915]: ping
[20920]: sid to gid S-1-1-0
[20920]: ping
[20915]: sid to gid S-1-5-2
[20918]: sid to gid S-1-1-0
[20918]: ping
[20920]: sid to gid S-1-5-2
[20915]: ping
[20918]: sid to gid S-1-5-2
[20920]: ping
[20915]: sid to gid S-1-5-32-546
[20918]: ping
[20920]: sid to gid S-1-5-32-546
[20918]: sid to gid S-1-5-32-546
[20917]: request location of privileged pipe
[20917]: list users
[20909]: lookupsid S-1-5-32-546
[20909]: lookupsid S-1-5-32-546
[20909]: lookupsid S-1-5-32-546
[20909]: sid to gid S-1-5-32-546
[20915]: ping
[20909]: sid to gid S-1-5-32-546
[20920]: ping
[20909]: sid to gid S-1-5-32-546
[20918]: ping
wbinfo -a tester5%123
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Ресурс
временно недоступен)