Здравствуй ALL! Возникли проблемы при авторизации доменных пользователей на samba сервере. Основная цель - настроить самбу для доступа пользователей из определенных доменных групп к ресурсам. Если правильно понимаю, то доменные группы должны мапиться на локальные группы, которые указываются в доступе:
bash-4.2# net groupmap list
TestGRP (S-1-5-21-2964534465-993562162-1457843554-1003) -> dba
Но авторизация пользователя почему-то не проходит. Конфиги samba, krb5 и логи сессии ниже.
# smb.conf [global] - member server joined to the CORP AD domain (security = ADS);
# domain users and groups are resolved through winbind.
[global]
# NOTE(review): with security = ADS the smb.conf documentation advises leaving
# "auth methods" unset; restricting it to winbind alone also bypasses the local
# tdbsam backend configured below - TODO confirm this is intended.
auth methods = winbind
netbios name = ibmblade9_1_tst
workgroup = CORP
# NOTE(review): the session log reports the ticket principal as user@CORP.ICBA.BIZ,
# while the realm configured here is CORP - confirm this matches the AD Kerberos realm.
realm = CORP
# NOTE(review): with security = ADS Samba can locate DCs via DNS; pinning a single DC
# here removes failover - confirm this is deliberate.
password server = adc03.corp
encrypt passwords = yes
server string = File Server
security = ADS
# Logons from trusted domains are accepted; logons naming an unknown domain are
# mapped onto the primary domain (presumably so bare user names still work) - verify.
allow trusted domains = Yes
map untrusted to domain = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Never take part in NetBIOS browser elections.
os level = 0
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
time server = Yes
# NOTE(review): "500 0" is not a single number; depending on the parser it is either
# rejected or silently read as 500 - presumably 500 or 5000 (KiB) was meant, fix it.
max log size = 500 0
log file = /var/log/sambalog
# NOTE(review): level 5 is a debugging setting and writes account names and session
# details to the log (see the session log below); lower it once the problem is resolved.
log level = 5
load printers = No
disable spoolss = Yes
case sensitive = no
default case = lower
preserve case = yes
# Domain-qualified names look like CORP+user (see the Get_Pwnam lookups in the session log).
winbind separator = +
lock directory = /var/locks
strict locking = No
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
# seconds
winbind cache time = 60
# NOTE(review): "winbind uid"/"winbind gid" are the legacy idmap range parameters;
# newer Samba releases expect "idmap config" ranges instead - check which form the
# installed version honours, otherwise no uid/gid is allocated for domain accounts.
winbind uid = 1000-6553400
winbind gid = 1000-6553400
# A bare "user" is treated as a CORP account (the log shows both CORP+user and user tried).
# NOTE(review): the session log ends with Get_Pwnam failing for both spellings and
# NT_STATUS_LOGON_FAILURE; that lookup goes through NSS, so check that winbindd is
# running and that passwd/group in nsswitch.conf include winbind (getent passwd CORP+user)
# - TODO confirm.
winbind use default domain = yes
winbind refresh tickets = yes
# Domain users get no login shell on this host.
template shell = /dev/null
winbind offline logon = no
# Share "public" - restricted to the dba group, which is the local group the domain
# group TestGRP is mapped to (see the net groupmap list output above).
[public]
comment = Shara for Test
path = /home/samba/
# The dba group must be resolvable on this host for the token check to succeed.
valid users = @dba
read list = @dba
write list = @dba
# NOTE(review): every file operation on this share runs as oracle:dba regardless of
# who connected, so per-user ownership and the audit trail are lost - confirm intended.
force user = oracle
force group = dba
# NOTE(review): 0777 masks make each new file and directory world-writable on disk;
# the share is already limited to @dba, so a tighter mask (e.g. 0770) would normally do.
create mask = 0777
directory mask = 0777
browseable = yes
# krb5.conf [logging] - destinations for the Kerberos library, KDC and kadmin logs.
# The kdc/admin_server entries only matter if those daemons run on this host.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
# krb5.conf [libdefaults] - client-side Kerberos defaults used by Samba/winbind.
[libdefaults]
# NOTE(review): allow_weak_crypto re-admits single-DES and other weak enctypes
# library-wide; the enctype lists below contain no weak types, so this flag is not
# needed for them - leave it false unless a DES-only service is known to require it.
allow_weak_crypto = true
# NOTE(review): the session log shows the ticket principal realm as CORP.ICBA.BIZ
# while the default realm here is CORP - confirm which is the real AD realm.
default_realm = CORP
# KDCs are taken from the [realms] section only; DNS SRV lookups are disabled.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
# NOTE(review): retain_after_close and minimum_uid look like pam_krb5 options rather
# than libkrb5 settings; unknown keys here are presumably ignored - verify.
retain_after_close = false
minimum_uid = 0
default_keytab_name = FILE:/etc/krb5/krb5.keytab
# Preference order: RC4 (arcfour-hmac) first, then AES. Listing RC4 first means it is
# requested whenever the KDC offers it; putting the AES types first is the usual hardening.
default_tkt_enctypes = arcfour-hmac aes256-cts aes128-cts
default_tgs_enctypes = arcfour-hmac aes256-cts aes128-cts
# krb5.conf [realms] - KDC addresses for CORP (used because dns_lookup_kdc = false).
# "adc03" is a short host name, so it relies on the resolver search path.
[realms]
CORP = {
kdc = adc03
admin_server = adc03
}
# krb5.conf [domain_realm] - maps host names under .corp (and the bare name corp)
# to the CORP realm.
[domain_realm]
.corp = CORP
corp = CORP
[2015/04/16 18:03:47.585425, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2015/04/16 18:03:47.585498, 5] smbd/uid.c:400(change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2015/04/16 18:03:47.585554, 3] smbd/sesssetup.c:1345(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2015/04/16 18:03:47.585601, 2] smbd/sesssetup.c:1291(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2015/04/16 18:03:47.585643, 3] smbd/sesssetup.c:1072(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2015/04/16 18:03:47.585730, 3] smbd/sesssetup.c:1114(reply_sesssetup_and_X_spnego)
NativeOS=[[]] NativeLanMan=[[]] PrimaryDomain=[[]]
[2015/04/16 18:03:47.585940, 5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
parse_spnego_mechanisms: Got OID 1.2.840.48018.1.2.2
[2015/04/16 18:03:47.585988, 5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
parse_spnego_mechanisms: Got OID 1.2.840.113554.1.2.2
[2015/04/16 18:03:47.586037, 5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.30
[2015/04/16 18:03:47.586082, 5] smbd/sesssetup.c:607(parse_spnego_mechanisms)
parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.10
[2015/04/16 18:03:47.586128, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 3883
[2015/04/16 18:03:47.628626, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: user [Пупкин Василий Иванович]
[2015/04/16 18:03:47.628718, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [user@CORP.ICBA.BIZ]
[2015/04/16 18:03:47.628780, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user CORP+user
[2015/04/16 18:03:47.628827, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is corp+user
[2015/04/16 18:03:47.629422, 5] lib/username.c:124(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is CORP+user
[2015/04/16 18:03:47.629767, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is CORP+USER
[2015/04/16 18:03:47.630109, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in corp+user
[2015/04/16 18:03:47.630160, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [CORP+user]!
[2015/04/16 18:03:47.630206, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user user
[2015/04/16 18:03:47.630249, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is user
[2015/04/16 18:03:47.630585, 5] lib/username.c:124(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is user
[2015/04/16 18:03:47.630921, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is USER
[2015/04/16 18:03:47.631261, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in user
[2015/04/16 18:03:47.631311, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [user]!
[2015/04/16 18:03:47.631610, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
[[10420410]]: request interface version
[2015/04/16 18:03:47.631767, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[[10420410]]: request location of privileged pipe
[2015/04/16 18:03:47.632102, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
Username CORP+user is invalid on this system
[2015/04/16 18:03:47.632180, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE