Good afternoon!
I am trying to set up a test file server for roaming profiles on top of Alt Domain (Samba) in ALT Linux Server 11. I have two virtual domain controllers configured and joined together, and they work correctly, but I have run into problems starting SSSD. I configured SSSD following this guide: https://docs.altlinux.org/ru-RU/alt-domain/11.0/html/alt-domain/sssd-winbind.html. I am sure I made a mistake at least in the PAM configuration (/etc/pam.d/system-auth), because I did not understand what exactly needs to be done in it.
× sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Wed 2026-01-14 17:34:04 +10; 10min ago
Invocation: ecb4f8fd688f4018a1f80035ade6a208
Process: 10236 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
Main PID: 10236 (code=exited, status=4)
Mem peak: 4.9M
CPU: 105ms
янв 14 17:34:03 dc1.doomin11.alt systemd[1]: Starting sssd.service - System Security Services Daemon...
янв 14 17:34:04 dc1.doomin11.alt sssd[10236]: SSSD couldn't load the configuration database [1432158246]: No domain is enabled
янв 14 17:34:04 dc1.doomin11.alt systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
янв 14 17:34:04 dc1.doomin11.alt systemd[1]: sssd.service: Failed with result 'exit-code'.
янв 14 17:34:04 dc1.doomin11.alt systemd[1]: Failed to start sssd.service - System Security Services Daemon.
Configs related to SSSD:
/etc/pam.d/system-auth
#%PAM-1.0
auth [success=4 perm_denied=ignore default=die] pam_localuser.so
auth [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
auth [default=1] pam_permit.so
auth substack system-auth-sss-only
auth [default=1] pam_permit.so
auth substack system-auth-local-only
auth substack system-auth-common
account [success=4 perm_denied=ignore default=die] pam_localuser.so
account [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
account [default=1] pam_permit.so
account substack system-auth-sss-only
account [default=1] pam_permit.so
account substack system-auth-local-only
account substack system-auth-common
password [success=4 perm_denied=ignore default=die] pam_localuser.so
password [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
password [default=1] pam_permit.so
password substack system-auth-sss-only
password [default=1] pam_permit.so
password substack system-auth-local-only
password substack system-auth-common
session [success=4 perm_denied=ignore default=die] pam_localuser.so
session [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
session [default=1] pam_permit.so
session substack system-auth-sss-only
session [default=1] pam_permit.so
session substack system-auth-local-only
session substack system-auth-common
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
enumerate = true
# Managed by system facility command:
## control sssd-drop-privileges unprivileged|privileged|default
user = root
# SSSD will not start if you do not configure any domains.
[nss]
debug_level = 1
[pam]
debug_level = 1
[domain/DOOMIN11.ALT]
use_fully_qualified_names = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 0
cache_credentials = true
ad_gpo_ignore_unreadable = true
ad_gpo_access_control = permissive
ad_update_samba_machine_account_password = true
/etc/nsswitch.conf
#
# Please refer to nsswitch.conf(5) for more information on this file.
#
# This is the Name Service Switch configuration file. This file should
# be sorted with the most-used databases at the beginning.
#
# Specifying '[NOTFOUND=return]' means that the search for an entry
# should stop if the search with the previous service turned up nothing.
# Note that if the search failed due to some other reason (like no NIS
# server responding) then the search continues with the next service.
#
# Legal name services are:
#
# files Use local files
# tcb Use local tcb shadow files, see tcb(5)
# db Use local database files under /var/db
# nis or yp Use NIS (NIS version 2), also called YP
# nisplus or nis+ Use NIS+ (NIS version 3)
# dns Use DNS (Domain Name Service)
# compat Use NIS in compatibility mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
passwd: files sss
shadow: tcb files sss
group: files [SUCCESS=merge] sss
gshadow: files
hosts: files myhostname dns
# To use db, put the "db" in front of "files" for things you want to be
# looked up first in the db files.
#
#passwd: db files nisplus nis
#shadow: db tcb files nisplus nis
#group: db files nisplus nis
#
#hosts: db files nisplus nis dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
#bootparams: nisplus [NOTFOUND=return] files
#netgroup: nisplus
#publickey: nisplus
automount: files
aliases: files
P.S. Do these configs really need to be edited on the workstations rather than on the DCs?
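
Added example (not part of the original post and not ALT or SSSD project code): a check of the journal message `No domain is enabled` against the posted sssd.conf, which defines [domain/DOOMIN11.ALT] but has no `domains` line in [sssd]. It assumes only the main file is read (no conf.d snippets) and that domain names compare case-insensitively; `enabled_domains` and `diagnose` are hypothetical helper names.

```python
import configparser

# Constructed sample: trimmed from the sssd.conf shown in the post.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
user = root

[domain/DOOMIN11.ALT]
id_provider = ad
auth_provider = ad
fallback_homedir = /home/%d/%u
"""

def enabled_domains(conf_text):
    """Return (defined, enabled) domain-name lists for an sssd.conf text."""
    # interpolation=None: values such as /home/%d/%u must be read literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    defined = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    listed = []
    if cp.has_section("sssd"):
        raw = cp.get("sssd", "domains", fallback="")
        listed = [d.strip().lower() for d in raw.split(",") if d.strip()]
    enabled = []
    for name in defined:
        # Per sssd.conf(5), a per-domain "enabled" option overrides the list;
        # otherwise the domain must appear in "domains" under [sssd].
        flag = cp.get("domain/" + name, "enabled", fallback=None)
        if flag is not None:
            on = flag.strip().lower() == "true"
        else:
            on = name.lower() in listed
        if on:
            enabled.append(name)
    return defined, enabled

def diagnose(conf_text):
    defined, enabled = enabled_domains(conf_text)
    if enabled:
        return "ok: enabled domains: " + ", ".join(enabled)
    if defined:
        return ("no domain is enabled: [domain/%s] is defined but not listed in "
                "'domains' under [sssd]" % defined[0])
    return "no domain is enabled: no [domain/...] section found"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF))
    fixed = SAMPLE_CONF.replace("[sssd]\n", "[sssd]\ndomains = DOOMIN11.ALT\n", 1)
    print(diagnose(fixed))
```

To run it against a real file, pass the contents of /etc/sssd/sssd.conf to `diagnose()` as root, since the file is normally readable only by its owner.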
