Почему wbinfo и getent не видят доменных пользователей?
Доброго времени, коллеги!
Пытаюсь завести линуксовую тачку в домен Windows. Машина с Debian 8, Samba 4. Домен на Win Server 2008R2. В домен подключил успешно, но wbinfo -u | -g и аналогично getnet passwd | groups не видят доменных пользователей и группы.
В доках и мануалах на просторах гугла подобной ситуации не нашел.
Конфиги:
smb.conf:
[global] workgroup = REGIONS realm = REGIONS.LAN dns proxy = no interfaces = eth0 log file = /var/log/samba/log.%m max log size = 10000 syslog = 0 panic action = /usr/share/samba/panic-action %d server role = standalone server passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*. pam password change = yes map to guest = bad password usershare allow guests = no unix charset = utf8 dos charset = cp1251 security = ADS auth methods = winbind encrypt passwords = yes client use spnego = yes client ntlmv2 auth = yes restrict anonymous = 2 socket options = TCP_NODELAY # Отключаем любые попытки тачки стать контроллером домена domain master = no local master = no preferred master = no os level = 0 # Отключаем поддержку принтеров load printers = no show add printer wizard = no printcap name = /dev/null disable spoolss = yes # Включаем интеграцию с Winbind domain logons = yes idmap uid = 10000 — 40000 idmap gid = 10000 — 40000 winbind refresh tickets = yes winbind enum groups = yes winbind enum users = yes winbind use default domain = yes winbind cache time = 40 template shell = /bin/false winbind refresh tickets = yes [share] comment = Shared folder path = /srv/samba/share read only = no browseable = yes guest ok = no create mask = 0777 directory mask = 0777 writable = yes [users] comment = Users folder path = /srv/samba/users read only = no browseable = yes guest ok = no create mask = 0777 directory mask = 0777 writable = yes
krb5.conf:
[libdefaults] default_realm = REGIONS.LAN krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] REGIONS.LAN = { kdc = dc01 admin_server = dc01 default_REGIONS = REGIONS.LAN } [REGIONS_realm] .regions.tax.nalog.ru = REGIONS.LAN regions.tax.nalog.ru = REGIONS.LAN [login] krb4_convert = false krb4_get_tickets = false
Результат команды testparm:
# testparm Load smb config files from /etc/samba/smb.conf WARNING: The «idmap uid» option is deprecated WARNING: The «idmap gid» option is deprecated Processing section "[share]" Processing section "[users]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER
И собственно
# wbinfo -t checking the trust secret for domain REGIONS via RPC calls succeeded
Таким образом машина в домен вошла, авторизация через kerberos успешно проходит, samba с доменом установила доверенные отношения.
Подскажите, куда копать?
NB: К домен контроллеру доступа нет. На его стороне логи посмотреть не могу.
Пытаюсь завести линуксовую тачку в домен Windows. Машина с Debian 8, Samba 4. Домен на Win Server 2008R2. В домен подключил успешно, но wbinfo -u | -g и аналогично getnet passwd | groups не видят доменных пользователей и группы.
В доках и мануалах на просторах гугла подобной ситуации не нашел.
Конфиги:
smb.conf:
[global] workgroup = REGIONS realm = REGIONS.LAN dns proxy = no interfaces = eth0 log file = /var/log/samba/log.%m max log size = 10000 syslog = 0 panic action = /usr/share/samba/panic-action %d server role = standalone server passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*. pam password change = yes map to guest = bad password usershare allow guests = no unix charset = utf8 dos charset = cp1251 security = ADS auth methods = winbind encrypt passwords = yes client use spnego = yes client ntlmv2 auth = yes restrict anonymous = 2 socket options = TCP_NODELAY # Отключаем любые попытки тачки стать контроллером домена domain master = no local master = no preferred master = no os level = 0 # Отключаем поддержку принтеров load printers = no show add printer wizard = no printcap name = /dev/null disable spoolss = yes # Включаем интеграцию с Winbind domain logons = yes idmap uid = 10000 — 40000 idmap gid = 10000 — 40000 winbind refresh tickets = yes winbind enum groups = yes winbind enum users = yes winbind use default domain = yes winbind cache time = 40 template shell = /bin/false winbind refresh tickets = yes [share] comment = Shared folder path = /srv/samba/share read only = no browseable = yes guest ok = no create mask = 0777 directory mask = 0777 writable = yes [users] comment = Users folder path = /srv/samba/users read only = no browseable = yes guest ok = no create mask = 0777 directory mask = 0777 writable = yes
krb5.conf:
[libdefaults] default_realm = REGIONS.LAN krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] REGIONS.LAN = { kdc = dc01 admin_server = dc01 default_REGIONS = REGIONS.LAN } [REGIONS_realm] .regions.tax.nalog.ru = REGIONS.LAN regions.tax.nalog.ru = REGIONS.LAN [login] krb4_convert = false krb4_get_tickets = false
Результат команды testparm:
# testparm Load smb config files from /etc/samba/smb.conf WARNING: The «idmap uid» option is deprecated WARNING: The «idmap gid» option is deprecated Processing section "[share]" Processing section "[users]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER
И собственно
# wbinfo -t checking the trust secret for domain REGIONS via RPC calls succeeded
Таким образом машина в домен вошла, авторизация через kerberos успешно проходит, samba с доменом установила доверенные отношения.
Подскажите, куда копать?
NB: К домен контроллеру доступа нет. На его стороне логи посмотреть не могу.
Похожие публикации
Нет комментариев