
Samba 3.6.24 + AIX 7.1 + ADS

Здравствуй ALL! Возникли проблемы при авторизации доменных пользователей на samba-сервере. Основная цель — настроить самбу так, чтобы к ресурсам имели доступ только пользователи из определённых доменных групп. Если правильно понимаю, доменные группы должны мапиться на локальные группы, которые затем указываются в правах доступа к шаре:

bash-4.2# net groupmap list
TestGRP (S-1-5-21-2964534465-993562162-1457843554-1003) -> dba

Но авторизация пользователя не проходит. По логу видно, что Kerberos-часть отрабатывает (билет принят, из PAC извлечено имя учётной записи), а падает уже поиск пользователя в системе: `Get_Pwnam_internals didn't find user [CORP+user]` и затем `[user]`, после чего smbd отвечает NT_STATUS_LOGON_FAILURE. То есть дело не в groupmap, а в том, что winbind/NSS не отдаёт доменных пользователей операционной системе. Конфиги samba, krb5 и лог сессии ниже.

[global]
# NOTE(review): Samba's docs advise leaving "auth methods" unset; "security = ADS"
# already selects the right auth chain, and an explicit list can drop fallbacks.
	auth methods = winbind
	netbios name = ibmblade9_1_tst
	workgroup = CORP
# NOTE(review): "realm" must be the Kerberos realm, not the NetBIOS domain. The
# session log below shows the ticket principal as user@CORP.ICBA.BIZ, so the
# realm is presumably CORP.ICBA.BIZ — verify against the DC before re-joining.
	realm = CORP
	password server = adc03.corp
	encrypt passwords = yes
	server string = File Server
	security = ADS
	allow trusted domains = Yes
	map untrusted to domain = Yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	os level = 0
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
# "ldap ssl" only affects an LDAP passdb backend; with "passdb backend = tdbsam"
# it has no effect here.
	ldap ssl = no
	time server = Yes
# NOTE(review): "500 0" looks like a typo for 500 (or 5000) — check testparm.
	max log size = 500 0
        log file = /var/log/sambalog
# NOTE(review): level 5 writes account details taken from the PAC (see the log
# below) into /var/log/sambalog. Drop back to 1-2 once debugging is done and
# keep the log file readable by root only.
	log level = 5 
	load printers = No
	disable spoolss = Yes
	case sensitive = no
	default case = lower
	preserve case = yes
# "+" is the DOMAIN+user separator; with "winbind use default domain = yes" the
# bare user name is also accepted for the server's own domain. The log below
# shows both CORP+user and user failing in Get_Pwnam, i.e. the OS name service
# is not resolving winbind accounts — that, not the groupmap, is why logon fails.
# On AIX winbind is normally wired in through its LAM module under
# /usr/lib/security plus /etc/methods.cfg and /etc/security/user — confirm.
	winbind separator = +
	lock directory = /var/locks
	strict locking = No 
	passdb backend = tdbsam

# Enumeration is only needed for "getent passwd/group"-style listing and is
# expensive on large domains; it is not required for logon.
	winbind enum users = yes
	winbind enum groups = yes
	winbind cache time = 60
# NOTE(review): "winbind uid/gid" are legacy synonyms for "idmap uid/gid", which
# 3.6 deprecates in favour of "idmap config * : backend = tdb" and
# "idmap config * : range". Check testparm for an "Unknown parameter" warning:
# without a usable idmap range winbind cannot allocate UIDs, which also shows up
# as the Get_Pwnam failures in the log below.
	winbind uid = 1000-6553400
	winbind gid = 1000-6553400
	winbind use default domain = yes
	winbind refresh tickets = yes

# /dev/null as shell blocks interactive login for domain accounts; file access
# through smbd does not need a shell.
	template shell = /dev/null
	winbind offline logon = no	

[public]
	comment = Shara for Test
	path = /home/samba/
# Access is limited to members of "dba", which the groupmap maps from the domain
# group TestGRP. "@dba" is resolved through the OS name service, so this only
# works once winbind group lookups succeed (see the Get_Pwnam failures in the log
# below). "write list" already grants write access, so "read list" is redundant.
	valid users = @dba
	read list = @dba
	write list = @dba
# NOTE(review): every connecting domain user acts as the local "oracle" account on
# disk, so the real user is not visible in file ownership for auditing, and the
# 0777 masks make new files world-writable for every local account. Prefer
# "create mask = 0660" / "directory mask = 0770" — group dba keeps rw access.
	force user = oracle
	force group = dba
	create mask = 0777
	directory mask = 0777
	browseable = yes

[logging]
# kdc/admin_server logging only applies on a KDC; on this member server only
# "default" (krb5libs.log) is used. The logs contain principal names — keep
# them readable by root only.
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# NOTE(review): allow_weak_crypto re-enables DES/export ciphers for all Kerberos
# traffic. Nothing here requires DES (the enctype lists below are RC4/AES only),
# so this should be false unless the DC really only has DES keys.
 allow_weak_crypto = true
# NOTE(review): the session log shows the ticket principal as user@CORP.ICBA.BIZ,
# which suggests the realm is CORP.ICBA.BIZ, not CORP — verify.
 default_realm = CORP 
# DNS lookups are off, so the KDC named in [realms] must resolve via /etc/hosts.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 1d
 renew_lifetime = 1d
# Forwardable TGTs let a service re-use the user's credentials elsewhere; only
# needed if this host must delegate (e.g. to a backend) — otherwise leave off.
 forwardable = true
# NOTE(review): retain_after_close and minimum_uid are pam_krb5 options rather
# than MIT [libdefaults] keys — confirm the AIX Kerberos library honours them;
# if not, they are silently ignored.
 retain_after_close = false
 minimum_uid = 0
 
 default_keytab_name = FILE:/etc/krb5/krb5.keytab
# NOTE(review): arcfour-hmac (RC4) is listed first, so RC4 is preferred over AES.
# Put aes256-cts/aes128-cts first and drop arcfour-hmac once the DCs and the
# machine account have AES keys (2008+ functional level).
 default_tkt_enctypes = arcfour-hmac aes256-cts aes128-cts
 default_tgs_enctypes = arcfour-hmac aes256-cts aes128-cts

[realms]
# NOTE(review): the realm name must match the one the DC issues tickets for —
# the session log shows CORP.ICBA.BIZ. "adc03" is unqualified and DNS lookup is
# off, so it relies on /etc/hosts; consider the FQDN.
 CORP = {
  kdc = adc03
  admin_server = adc03
 }

[domain_realm]
# Maps host DNS suffixes to a realm. If hosts actually live under corp.icba.biz
# (as the ticket realm in the log suggests), an entry such as
# ".corp.icba.biz = CORP.ICBA.BIZ" would be the one that matches — verify.
 .corp = CORP 
 corp = CORP
[2015/04/16 18:03:47.585425,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2015/04/16 18:03:47.585498,  5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2015/04/16 18:03:47.585554,  3] smbd/sesssetup.c:1345(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2015/04/16 18:03:47.585601,  2] smbd/sesssetup.c:1291(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2015/04/16 18:03:47.585643,  3] smbd/sesssetup.c:1072(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2015/04/16 18:03:47.585730,  3] smbd/sesssetup.c:1114(reply_sesssetup_and_X_spnego)
  NativeOS=[[]] NativeLanMan=[[]] PrimaryDomain=[[]]
[2015/04/16 18:03:47.585940,  5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.2.840.48018.1.2.2
[2015/04/16 18:03:47.585988,  5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.2.840.113554.1.2.2
[2015/04/16 18:03:47.586037,  5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.30
[2015/04/16 18:03:47.586082,  5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.10
[2015/04/16 18:03:47.586128,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 3883
[2015/04/16 18:03:47.628626,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: user [Пупкин Василий Иванович]
[2015/04/16 18:03:47.628718,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [user@CORP.ICBA.BIZ]
[2015/04/16 18:03:47.628780,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user CORP+user
[2015/04/16 18:03:47.628827,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is corp+user
[2015/04/16 18:03:47.629422,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is CORP+user
[2015/04/16 18:03:47.629767,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is CORP+USER
[2015/04/16 18:03:47.630109,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in corp+user
[2015/04/16 18:03:47.630160,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [CORP+user]!
[2015/04/16 18:03:47.630206,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user user
[2015/04/16 18:03:47.630249,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is user
[2015/04/16 18:03:47.630585,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is user
[2015/04/16 18:03:47.630921,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is USER
[2015/04/16 18:03:47.631261,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in user
[2015/04/16 18:03:47.631311,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [user]!
[2015/04/16 18:03:47.631610,  3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [[10420410]]: request interface version
[2015/04/16 18:03:47.631767,  3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [[10420410]]: request location of privileged pipe
[2015/04/16 18:03:47.632102,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username CORP+user is invalid on this system
[2015/04/16 18:03:47.632180,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Не стал смотреть конфиги и долго разбираться :) Я прочитал вашу конечную цель. У меня самба настроена и работает как раз в соответствии с вашей конечной целью. Попробуйте сделать по этой статье: http://typical-admin.ru/obshaya/linux-fedora/samba-server-with-backup1

technotrance ()