Ситуация следующая: есть pdc на W2K, сервер FreeBSD с шарой. Надо чтоб юзеры домена на эту шару ходили так же как и на шары виндовых серверов.
Изначально pdc pdc.Bdomain.adomain.ru IP=192.168.0.2
Делал все по "многотиражной" доке "Samba + AD"
Ставлю FreeBSD 7.0
hostname core.Bdomain.adomain.ru IP=192.168.0.8
Обновляю порты
Ставлю самбу 3.0.32
пишу в файлы:hosts
::1 localhost localhost.bdomain.adomain.ru
127.0.0.1 localhost localhost.Bdomain.adomain.ru
192.168.0.2 pdc.Bdomain.adomain.ru pdc
192.168.0.8 core.Bdomain.adomain.ru core
resolv.conf
domain BDOMAIN.ADOMAIN.RU
nameserver 192.168.0.2
nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
krb5.conf
[libdefaults]
default_realm = BDOMAIN.ADOMAIN.RU
dns_lookup_realm = false
dns_lookup_kdc = false
krb4_get_tickets = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[appdefaults]
proxiable = true
ticket_lifetime = 24h
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[realms]
BDOMAIN.ADOMAIN.RU = {
kdc = tcp/pdc.BDOMAIN.ADOMAIN:88
admin_server = pdc.BDOMAIN.ADOMAIN.RU
default_domain = BDOMAIN.ADOMAIN.RU
}
[domain_realm]
.BDOMAIN.ADOMAIN.RU = BDOMAIN.ADOMAIN.RU
BDOMAIN.ADOMAIN.RU = BDOMAIN.ADOMAIN.RU
[kdc]
enable-kerberos4 = false
[logging]
default = FILE:/nas-1/logs/samba/krb5libs.log
kdc = FILE:/nas-1/logs/samba/krb5kdc.log
admin_server = FILE:/nas-1/logs/samba/kadmind.log
smb.conf
[global]
log file = /var/log/samba/log.%m
display charset = koi8-r
load printers = no
socket options = TCP_NODELAY
winbind trusted domains only = yes
hosts allow = 192.168.0.0/24 127.0.0.1
realm = BDOMAIN.ADOMAIN.RU
winbind use default domain = yes
dns proxy = no
netbios name = core
server string = CORE
password server = 192.168.0.2
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
workgroup = ADOMAIN
os level = 1
winbind enum groups = yes
create mode = 777
security = ads
unix charset = koi8-r
max log size = 500
directory mode = 777
[qwerty]
writeable = yes
valid users = pupkin@ADOMAIN
path = /nas-1
write list = pupkin@ADOMAIN,@"domain admins"
После загрузки
core# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@BDOMAIN.ADOMAIN.RU
Issued Expires Principal
Sep 22 14:45:10 Sep 22 22:45:10 krbtgt/BDOMAIN.ADOMAIN.RU@BDOMAIN.ADOMAIN.RU
core# kinit admin
admin@BDOMAIN.ADOMAIN.RU's Password:
kinit: NOTICE: ticket renewable lifetime is 8 hours
core# net ads join -U admin
admin's password:
Using short domain name -- ADOMAIN
DNS update failed!
Joined 'CORE' to realm 'BDOMAIN.ADOMAIN.RU'
core# net ads info
LDAP server: 192.168.0.2
LDAP server name: pdc.Bdomain.adomain.ru
Realm: BDOMAIN.ADOMAIN.RU
Bind Path: dc=BDOMAIN,dc=ADOMAIN,dc=RU
LDAP port: 389
Server time: Mon, 22 Sep 2008 15:49:08 MSD
KDC server: 192.168.0.2
Server time offset: 2
core# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
core# wbinfo -u
Error looking up domain users
Рестарт самбы:
core# /etc/rc.d/samba stop
core# /etc/rc.d/samba start
после чего:
core# wbinfo -t
checking the trust secret via RPC calls succeeded
core# wbinfo -D ADOMAIN
Name : ADOMAIN
Alt_Name : Bdomain.adomain.ru
SID : S-1-5-21-789336058-152049171-1801674531
Active Directory : Yes
Native : No
Primary : Yes
Sequence : 1744635
core# wbinfo -u
Много юзеров
core# wbinfo -g
куча групп
core# wbinfo -a pupkin%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
core# testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[qwerty]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
-= НО!!!!! =-
core# id admin
id: admin: no such user
-= =-
Пытаюсь виндами с 192.168.0.38 зайти на шару qwerty в сетевом окружении - бросает запрос авторизации. Ввожу pupkin@ADOMAIN и пароль - не пускает.
Смотрю - появился в /var/log/samba лог с именем log.192.168.0.38 в котором написано:
[2008/09/22 16:42:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username ADOMAIN\pupkin is invalid on this system
При более полной детализации:
[2008/09/22 18:10:17, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.38)
[2008/09/22 18:10:17, 2] smbd/reply.c:reply_special(324)
netbios connect: name1=CORE name2=STANLEY_38
[2008/09/22 18:10:17, 2] smbd/reply.c:reply_special(331)
netbios connect: local=core remote=stanley_38, name type = 0
[2008/09/22 18:10:27, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.38)
[2008/09/22 18:10:27, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/09/22 18:10:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username ADOMAIN\pupkin is invalid on this system
кусочек еще более детального
[2008/09/22 18:12:58, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
Doing spnego session setup
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1280
[2008/09/22 18:12:58, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2008/09/22 18:12:58, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [pupkin@BDOMAIN.ADOMAIN.RU]
[2008/09/22 18:12:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username ADOMAIN\pupkin is invalid on this system
[2008/09/22 18:12:58, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/09/22 18:12:58, 3] smbd/process.c:timeout_processing(1329)
timeout_processing: End of file from client (client has disconnected).
Отсюда и вопросы. Их собственно два.
1.Username ADOMAIN\pupkin is invalid on this system
Как сделать чтоб в шару пускала?
Подозреваю что две траблы пофиксяться одним решением, но каким?
2. core# id admin
id: admin: no such user
как исправить? Подозреваю что дело где-то в /usr/local/etc/samba/secrets.tdp
log.winbindd
[2008/09/23 01:20:00, 0] lib/util_tdb.c:tdb_log(664)
tdb(/var/db/samba/messages.tdb): tdb_reopen: open failed (No such file or directory)
[2008/09/23 01:20:00, 0] nsswitch/winbindd_dual.c:fork_domain_child(935)
tdb_reopen_all failed.
[2008/09/23 01:20:00, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
Could not receive trustdoms
