So, at work we have a Windows Server 2003 with Active Directory and a Linux box running openSUSE 13.1.
The task: log in to the Linux machine with a user account from the domain.
Solution and problems.
In brief: first of all I start with the computer names and YaST. I set the name of the name server and its address, ran the Kerberos setup and ran the "Windows Domain Membership" setup; it let me into the domain, all good. Just in case, I checked the LDAP client, and it also reported well on my service, and the LDAP browser saw all the users in the tree.
I reboot; a domain selector (local or Windows) appeared on the login screen. I choose the domain I need, type the password: login error. I type the name as user@domain: same thing. domain\ (\\)user: still an error.
I logged in again as a local user, open a terminal, try net join -U admin@domain: it says everything is fine. However, wbinfo -u and -g simply output nothing (i.e. I hit Enter and immediately get a new command prompt). kinit goes through fine, without errors.
Now in detail:
System log
This log starts from my attempts to log in with the user account.
2014-09-05T11:32:25.039856+04:00 701-001 winbindd[6771]: [2014/09/05 11:32:25.039718, 0] ../lib/util/debug.c:595(reopen_logs_internal)
2014-09-05T11:32:25.040134+04:00 701-001 kernel: [ 380.342327] audit_printk_skb: 36 callbacks suppressed
2014-09-05T11:32:25.040150+04:00 701-001 kernel: [ 380.342332] type=1400 audit(1409902345.038:324): apparmor="DENIED" operation="mknod" parent=5757 profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=6771 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.040271+04:00 701-001 winbindd[6771]: Unable to open new log file '/var/log/samba/log.winbindd-dc-connect': Permission denied
2014-09-05T11:32:25.041869+04:00 701-001 winbindd[6771]: [2014/09/05 11:32:25.041777, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.042131+04:00 701-001 kernel: [ 380.344398] type=1400 audit(1409902345.040:325): apparmor="DENIED" operation="mknod" parent=5757 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.yI1j7C" pid=6771 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.042261+04:00 701-001 winbindd[6771]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.yI1j7C. Errno Permission denied
2014-09-05T11:32:25.043852+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.043750, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.044101+04:00 701-001 kernel: [ 380.346372] type=1400 audit(1409902345.042:326): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.yfmL7C" pid=5757 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.044179+04:00 701-001 winbindd[5757]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.yfmL7C. Errno Permission denied
2014-09-05T11:32:25.045640+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.045561, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.045984+04:00 701-001 winbindd[5757]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.X5Ecxd. Errno Permission denied
2014-09-05T11:32:25.046133+04:00 701-001 kernel: [ 380.348183] type=1400 audit(1409902345.044:327): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.X5Ecxd" pid=5757 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.046143+04:00 701-001 kernel: [ 380.348350] type=1400 audit(1409902345.044:328): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/mutex.tdb" pid=5757 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
2014-09-05T11:32:25.046261+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.045741, 0] ../source3/winbindd/winbindd_cm.c:825(cm_prepare_connection)
2014-09-05T11:32:25.046510+04:00 701-001 winbindd[5757]: cm_prepare_connection: mutex grab failed for server.domain.local
2014-09-05T11:32:25.047215+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.047137, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.047528+04:00 701-001 winbindd[5757]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.0NLZWN. Errno Permission denied
2014-09-05T11:32:25.048111+04:00 701-001 kernel: [ 380.349758] type=1400 audit(1409902345.046:329): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.0NLZWN" pid=5757 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.049011+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.048933, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.049114+04:00 701-001 kernel: [ 380.351555] type=1400 audit(1409902345.047:330): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.09Hbno" pid=5757 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.049141+04:00 701-001 kernel: [ 380.351763] type=1400 audit(1409902345.048:331): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/mutex.tdb" pid=5757 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
2014-09-05T11:32:25.049347+04:00 701-001 winbindd[5757]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.09Hbno. Errno Permission denied
2014-09-05T11:32:25.049612+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.049155, 0] ../source3/winbindd/winbindd_cm.c:825(cm_prepare_connection)
2014-09-05T11:32:25.049871+04:00 701-001 winbindd[5757]: cm_prepare_connection: mutex grab failed for server.domain.local
2014-09-05T11:32:25.050817+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.050742, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.051147+04:00 701-001 kernel: [ 380.353364] type=1400 audit(1409902345.049:332): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.uHCMNY" pid=5757 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.051134+04:00 701-001 winbindd[5757]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.uHCMNY. Errno Permission denied
2014-09-05T11:32:25.052824+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.052749, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.053107+04:00 701-001 kernel: [ 380.355362] type=1400 audit(1409902345.051:333): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.Oa8Oez" pid=5757 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.053131+04:00 701-001 winbindd[5757]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.Oa8Oez. Errno Permission denied
2014-09-05T11:32:25.053396+04:00 701-001 winbindd[5757]: [2014/09/05 11:32:25.052934, 0] ../source3/winbindd/winbindd_cm.c:825(cm_prepare_connection)
2014-09-05T11:32:25.053643+04:00 701-001 winbindd[5757]: cm_prepare_connection: mutex grab failed for server.domain.local
2014-09-05T11:32:25.079569+04:00 701-001 winbindd[6772]: [2014/09/05 11:32:25.079441, 0] ../lib/util/debug.c:595(reopen_logs_internal)
2014-09-05T11:32:25.079908+04:00 701-001 winbindd[6772]: Unable to open new log file '/var/log/samba/log.winbindd-dc-connect': Permission denied
2014-09-05T11:32:25.081637+04:00 701-001 winbindd[6772]: [2014/09/05 11:32:25.081549, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.082016+04:00 701-001 winbindd[6772]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.fNR68D. Errno Permission denied
2014-09-05T11:32:25.083619+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.083538, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.083929+04:00 701-001 winbindd[5794]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.vPly9D. Errno Permission denied
2014-09-05T11:32:25.085607+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.085534, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.085913+04:00 701-001 winbindd[5794]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.4TXTHe. Errno Permission denied
2014-09-05T11:32:25.086173+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.085699, 0] ../source3/winbindd/winbindd_cm.c:825(cm_prepare_connection)
2014-09-05T11:32:25.086429+04:00 701-001 winbindd[5794]: cm_prepare_connection: mutex grab failed for server.domain.local
2014-09-05T11:32:25.087251+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.087161, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.087554+04:00 701-001 winbindd[5794]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.xd4BgP. Errno Permission denied
2014-09-05T11:32:25.089037+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.088958, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.089346+04:00 701-001 winbindd[5794]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.0QXIPp. Errno Permission denied
2014-09-05T11:32:25.089584+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.089148, 0] ../source3/winbindd/winbindd_cm.c:825(cm_prepare_connection)
2014-09-05T11:32:25.089838+04:00 701-001 winbindd[5794]: cm_prepare_connection: mutex grab failed for server.domain.local
2014-09-05T11:32:25.090585+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.090515, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.090883+04:00 701-001 winbindd[5794]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.vvhbp0. Errno Permission denied
2014-09-05T11:32:25.092407+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.092327, 0] ../source3/libads/kerberos.c:926(create_local_private_krb5_conf_for_domain)
2014-09-05T11:32:25.092704+04:00 701-001 winbindd[5794]: create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/lib/samba/smb_tmp_krb5.UrC2YA. Errno Permission denied
2014-09-05T11:32:25.092944+04:00 701-001 winbindd[5794]: [2014/09/05 11:32:25.092488, 0] ../source3/winbindd/winbindd_cm.c:825(cm_prepare_connection)
2014-09-05T11:32:25.093213+04:00 701-001 winbindd[5794]: cm_prepare_connection: mutex grab failed for server.domain.local
Configs
/etc/nsswitch.conf
passwd: compat winbind sss
group: compat winbind sss
hosts: files mdns_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
clockskew = 300
# default_realm = EXAMPLE.COM
[realms]
DOMAIN.LOCAL = {
kdc = 192.168.3.1
default_domain = domain.local
admin_server = 192.168.3.1
}
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
.domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
validate = false
}
/etc/samba/smb.conf
Note: I set up LDAP as a last resort. It didn't work without the ldap lines either.
[global]
workgroup = DOMAIN
passdb backend = ldapsam:ldap://server.domain.local
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
idmap gid = 10000-20000
idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = DOMAIN.LOCAL
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
winbind offline logon = yes
winbind refresh tickets = yes
domain logons = No
domain master = No
idmap backend = ldap:ldap://server.domain.local
ldap admin dn = spooky@domain.local
ldap delete dn = No
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap replication sleep = 1000
ldap ssl = No
ldap suffix = DC=domain,DC=local
ldap timeout = 5
ldap user suffix = ou=Users
password server = *
wins support = No
NTP is synchronised.
Also, if I go to Network -> Samba in Dolphin, the domain's workgroup is visible and, accordingly, all the computers in the domain are visible too. When I try to enter one it asks for a login and password, which is logical; I enter a domain user and get into the shares on other workstations without any trouble. So the whole problem is that I can't log in to the system with a domain account. Any of them.
(The Linux computer is also visible on the network.)
In the Samba config I left out the shared directories, for brevity; they are visible in the network neighbourhood and there have been no problems with them.
Thanks for reading through the problem on a Friday, at lunchtime :-)
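The kernel lines in the log above with type=1400 and apparmor="DENIED" show the /usr/sbin/winbindd profile refusing winbindd the creation of its temporary krb5 config under /var/lib/samba, the creation of log.winbindd-dc-connect under /var/log/samba, and the opening of /var/lib/samba/mutex.tdb, which is logged right before each "mutex grab failed" line. The following is an added example, not code from the original post: it parses such audit records out of a syslog excerpt, groups the denials by profile, operation and path, and drafts candidate profile file rules for an administrator to review. The sample log inside is constructed to mirror the excerpt; the mapping of the audit mask letter c (create) to the rule permission w follows AppArmor's file rule semantics.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same syslog/audit format as the post's excerpt; line two
# is a plain winbindd message and must be skipped by the parser.
SAMPLE_LOG = """\
2014-09-05T11:32:25.040150+04:00 701-001 kernel: [ 380.342332] type=1400 audit(1409902345.038:324): apparmor="DENIED" operation="mknod" parent=5757 profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=6771 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.040271+04:00 701-001 winbindd[6771]: Unable to open new log file '/var/log/samba/log.winbindd-dc-connect': Permission denied
2014-09-05T11:32:25.042131+04:00 701-001 kernel: [ 380.344398] type=1400 audit(1409902345.040:325): apparmor="DENIED" operation="mknod" parent=5757 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_tmp_krb5.yI1j7C" pid=6771 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2014-09-05T11:32:25.046143+04:00 701-001 kernel: [ 380.348350] type=1400 audit(1409902345.044:328): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/mutex.tdb" pid=5757 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
2014-09-05T11:32:25.049141+04:00 701-001 kernel: [ 380.351763] type=1400 audit(1409902345.048:331): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/mutex.tdb" pid=5757 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
"""

AUDIT_RE = re.compile(r'type=1400 audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_apparmor_events(text):
    """One dict per type=1400 AppArmor audit record; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
        fields['serial'] = int(m.group('serial'))
        events.append(fields)
    return events

def summarize_denials(events):
    """Collapse DENIED records into {(profile, operation, path): (count, union of denied_mask)}."""
    counts, masks = Counter(), defaultdict(set)
    for e in events:
        if e.get('apparmor') != 'DENIED':
            continue
        key = (e['profile'], e['operation'], e['name'])
        counts[key] += 1
        masks[key].update(e.get('denied_mask', ''))
    return {k: (counts[k], ''.join(sorted(masks[k]))) for k in counts}

# Audit mask letters vs. profile rule letters: a denied 'c' (create) is granted by 'w' in a rule.
_RULE_PERM = {'c': 'w', 'r': 'r', 'w': 'w', 'k': 'k'}

def suggest_rules(summary):
    """Draft one file rule per denied path, grouped by profile, for an admin to review by hand
    (random temp names such as smb_tmp_krb5.XXXXXX should be turned into a glob, not listed)."""
    rules = defaultdict(list)
    for (profile, _op, path), (_n, mask) in sorted(summary.items()):
        perms = ''.join(sorted({_RULE_PERM.get(ch, ch) for ch in mask}))
        rules[profile].append(f'{path} {perms},')
    return dict(rules)
```

To run it over the real log, feed the contents of the syslog file the excerpt came from to parse_apparmor_events and pass the result through summarize_denials and suggest_rules.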