LINUX.ORG.RU

Joining Astra Linux to a Windows domain

The problem is this: the domain controller runs Windows Server 2008 R2 with SMB v1. The initial network settings have been made and the controller responds to ping. I am attaching the config files. The error:

Failed to join domain: failed to lookup DC info for domain ‘GZHIRO.local’ over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.

smb.conf:

#astra-winbind
[global]
server string = Astra linux
usershare allow guests = Yes
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd chat = Enter\snew\s\spassword:* %n\n Retype\snew\s\spassword:* %n\n password\supdated\ssuccessfully .
passwd program = /usr/bin/passwd %u
server role = standalone server
unix password sync = Yes

workgroup = GZHIRO
server min protocol = NT1
client min protocol = NT1
min protocol = NT1
realm = GZHIRO.LOCAL
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
kerberos method = secrets and keytab
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
idmap config * : range = 100000-199999
idmap config * : backend = tdb
idmap config GZHIRO.LOCAL : range = 200000-299999
idmap config GZHIRO.LOCAL : backend = rid
winbind nss info = rfc2307
winbind enum groups = no
winbind enum users = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 1440
password server 10
unix charset = UTF8
dos charset = CP866


Last edited by: dad823 (total edits: 1)

In reply to: comment by dad823

Well, besides specifying the DNS servers you also need to configure /etc/krb5.conf, nsswitch and pam.d.

Editing the samba config alone is not enough.

Here is an example from Debian:

apt install samba winbind krb5-user libpam-krb5 libnss-winbind libpam-winbind

In /etc/krb5.conf you describe your DNS suffix and specify the name of the domain controller:

[libdefaults]
        default_realm = GZHIRO.LOCAL

[realms]
        # the block name must be the same realm as default_realm above
        GZHIRO.LOCAL = {
                kdc = dc-01.gzhiro.local
                admin_server = dc-01.gzhiro.local
                default_domain = GZHIRO.LOCAL
        }

[domain_realm]
        .gzhiro.local = GZHIRO.LOCAL

In /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind files systemd
group:          compat winbind files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

You specify that groups (group) and users (passwd) can also be looked up through winbind.

In /etc/samba/smb.conf you do roughly this:

/etc/samba/smb.conf

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
#   workgroup = WORKGROUP

   workgroup = GZHIRO
   realm = GZHIRO.LOCAL
   security = ADS
   netbios name = WS-01

   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   allocation roundup size = 4096

   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = No
   #restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   admin users = @"GZHIRO.LOCAL\Администраторы домена"

   passdb backend = tdbsam
   
   
   idmap uid = 10000-400000
   idmap gid = 10000-400000
   template shell = /bin/bash
#  idmap config * : range = 10000-400000

   # the label before ':' must be the domain's short name (the workgroup), not a leftover from another host
   idmap config GZHIRO : backend = rid
   idmap config GZHIRO : default = yes
   idmap config GZHIRO : range = 10000-89999

   idmap config * : backend = autorid
   idmap config * : range = 100000-400000

You must set the netbios name parameter; without it the machine cannot be joined to the domain.

Configure pam.d:

/etc/pam.d/common-session

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional                        pam_winbind.so
session optional                        pam_sss.so
session optional        pam_systemd.so
# end of pam-auth-update config

This adds winbind support. Pay attention to mkhomedir, so that home directories are created for domain users.

/etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=4 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=3 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=2 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

Then you restart only:

systemctl restart nmbd
systemctl restart smbd

Do the join:

net ads join -U admin@GZHIRO

Look at how the join went; if it succeeded, run:

systemctl restart winbind

If the join did not succeed, figure out why.

After restarting winbind, check that the system sees the domain users and groups:

getent passwd
getent group
kostik87 ★★★★★
Last edited by: kostik87 (total edits: 2)
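A template like the one above is usually adapted from another machine, and the mistakes that then break a join give no clear error: a [realms] block whose name differs from default_realm, an idmap config label that differs from workgroup, a missing netbios name, or the SMB1-only settings from the opening post. The check below is an added example, not code from the thread or from Samba; parse_conf and check_member_config are hypothetical helpers, and the sample configs are constructed.

```python
import re
# Hypothetical helper (not Samba's own parser): smb.conf/krb5.conf text -> {section: {key: value}};
# a krb5.conf realm block 'NAME = {' is kept under [realms] as key NAME with value '{'.
def parse_conf(text):
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}":
            continue
        if (m := re.match(r"\[(\w+)\]", line)):
            section = m.group(1).lower()
            conf.setdefault(section, {})
        elif section and (m := re.match(r"([^=]+?)\s*=\s*(.*)", line)):
            conf[section][m.group(1).lower()] = m.group(2).strip()
    return conf
# Returns a list of findings; an empty list means the two files agree with each other.
def check_member_config(smb_text, krb5_text):
    smb, krb = parse_conf(smb_text).get("global", {}), parse_conf(krb5_text)
    realm, workgroup = smb.get("realm", "").upper(), smb.get("workgroup", "").upper()
    findings = []
    if not smb.get("netbios name"):
        findings.append("netbios name is not set: net ads join will fail")
    if krb.get("libdefaults", {}).get("default_realm", "").upper() != realm:
        findings.append("krb5.conf default_realm differs from smb.conf realm")
    if realm not in {k.upper() for k, v in krb.get("realms", {}).items() if v == "{"}:
        findings.append(f"krb5.conf has no [realms] block for {realm}")
    for key in smb:  # every per-domain idmap label must be the workgroup name (or '*')
        if (m := re.match(r"idmap config (\S+) :", key)) and m.group(1) not in ("*", workgroup.lower()):
            findings.append(f"idmap config for '{m.group(1).upper()}' does not match workgroup {workgroup}")
    for key in ("server min protocol", "client min protocol", "min protocol"):
        if smb.get(key, "").upper() == "NT1":
            findings.append(f"{key} = NT1 keeps legacy SMB1 enabled")
    return findings
# Constructed samples (not the real files) carrying the kind of leftovers that break a join.
SMB_SAMPLE = """[global]
   workgroup = GZHIRO
   realm = GZHIRO.LOCAL
   netbios name = WS-01
   server min protocol = NT1
   idmap config LAN : backend = rid
   idmap config * : backend = autorid
"""
KRB5_SAMPLE = """[libdefaults]
        default_realm = GZHIRO.LOCAL
[realms]
        OMEGA.LOCAL={
                kdc = dc-01.gzhiro.local
        }
"""
```

Running check_member_config on the real /etc/samba/smb.conf and /etc/krb5.conf before net ads join lists the mismatches to fix first.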
In reply to: comment by kostik87

It still gives the error: Failed to join domain: failed to lookup DC info for domain ‘GZHIRO.LOCAL’ over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. On Windows 10 it gave the same error, and I managed to beat it only by disabling SMB v2 and enabling SMB v1.

dad823 (topic author)