Исходное сообщение
"Samba 3 и DC win2003" Отправлено georgyip, 23-Фев-05 11:22
мдяяя, не получается, мои последние действия: FreeBSD 4.10, Samba 3.0.11, DC - W2k3 поставил heimdal-0.6.3 /etc/krb5.conf: [logging] default = FILE:/var/log/krb5/libs.log kdc = FILE:/var/log/krb5/kdc.log admin_server = FILE:/var/log/krb5/admin.log [libdefaults] ticket_lifetime = 24000 default_realm = SIGMA.NET default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 forwardable = true proxiable = true dns_lookup_realm = true dns_lookup_kdc = true [realms] SIGMA.NET = { kdc = gateway.sigma.net:88 default_domain = sigma.net } [domain_realm] .sigma.net = SIGMA.NET sigma.net = SIGMA.NET [kdc] profile = /var/heimdal/kdc.conf [pam] debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false Непонятно что там должно быть: [kdc] profile = /var/heimdal/kdc.conf - ??? weasel# /usr/heimdal/bin/kinit georgy@SIGMA.NET's Password: kinit: NOTICE: ticket renewable lifetime is 1 week weasel# Далее, поставил последний openldap, 2.2.23 ./configure --enable-bdb=no поставил самбу ./configure  --with-winbind --with-winbind-auth-challenge --with-krb5=/usr/heimdal --with-ads --with-ldap /etc/local/samba/lib/smb.conf: [global] dos charset=CP866 unix charset=KOI8-R workgroup=sigma server string=Samba Server security=ADS realm=SIGMA.NET password server=* hosts allow=192.168. 127. netbios name=weasel load printers=no encrypt passwords=yes obey pam restrictions=yes winbind uid=10000-20000 winbind gid=10000-20000 template shell=/bin/false winbind enum users=yes winbind enum groups=yes winbind use default domain=yes nt acl support=yes wins server=gateway.sigma.net interfaces=fxp0 log file=/var/log/samba.log max log size=50 use spnego=yes client use spnego=yes local master=no allow trusted domains=yes username map=/usr/local/samba/lib/users.map [Common] comment=Test share path=/usr/common browseable=yes public=yes writable=yes printable=no create mask=0775 force create mode=0664 force directory mode=0755 Из чего не понятно, что должно быть в /usr/local/samba/lib/users.map и нужен он вообще??? winbindd запущен weasel# /usr/local/samba/bin/net ads join Using short domain name -- SIGMA Joined 'WEASEL' to realm 'SIGMA.NET' weasel# Даже никакого пароля не хотело weasel# ./wbinfo -t checking the trust secret via RPC calls succeeded weasel# weasel# ./wbinfo -g weasel# ./wbinfo -u все как положено, доменных список групп и юзеров со всех доменов в трасте с моим. /etc/nsswitch.conf: passwd:    files winbind shadow:    files winbind group:    files winbind скопировал из ../source/nsswitch/libnss_winbind.so в /usr/lib сделал по доке симлинки ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 /usr/local/samba/sbin/nmbd -D /usr/local/samba/sbin/smbd -D и на этом все, при попытке зайти на шару просит логин/пароль, не пускает, в логах самбы: [2005/02/23 08:47:15, 0] smbd/server.c:open_sockets_smbd(388)   open_sockets_smbd: accept: Software caused connection abort [2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)   Username SIGMA\Georgy is invalid on this system [2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)   Username SIGMA\Georgy is invalid on this system [2005/02/23 08:47:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)   Username SIGMA\Georgy is invalid on this system [2005/02/23 08:47:16, 0] auth/auth_util.c:make_server_info_info3(1163)   make_server_info_info3: pdb_init_sam failed! Надо было компилить самбу с --with-pam??? Что нужно наковырять в /etc/pam.conf??? мой /etc/pam.conf: # If the user can authenticate with S/Key, that's sufficient; allow clear # password. Try kerberos, then try plain unix password. login    auth    sufficient    pam_skey.so login    auth    sufficient    pam_opie.so    no_fake_prompts #login    auth    requisite    pam_opieaccess.so login    auth    requisite    pam_cleartext_pass_ok.so #login    auth    sufficient    pam_kerberosIV.s  try_first_pass #login    auth    sufficient    pam_krb5.so    try_first_pass login    auth    required    pam_unix.so    try_first_pass login    account    required    pam_unix.so login    password required    pam_permit.so login    session    required    pam_permit.so # Same requirement for ftpd as login ftpd    auth    sufficient    pam_skey.so ftpd    auth    sufficient    pam_opie.so    no_fake_prompts #ftpd    auth    requisite    pam_opieaccess.so ftpd    auth    requisite    pam_cleartext_pass_ok.so #ftpd    auth    sufficient    pam_kerberosIV.so    try_first_pass #ftpd    auth    sufficient    pam_krb5.so        try_first_pass ftpd    auth    required    pam_unix.so        try_first_pass # OpenSSH with PAM support requires similar modules.  The session one is # a bit strange, though... sshd    auth    sufficient    pam_skey.so sshd    auth    sufficient    pam_opie.so    no_fake_prompts #sshd    auth    requisite    pam_opieaccess.so #sshd    auth    sufficient    pam_kerberosIV.so    try_first_pass #sshd    auth    sufficient    pam_krb5.so        try_first_pass sshd    auth    required    pam_unix.so        try_first_pass sshd    account    required    pam_unix.so sshd    password required    pam_permit.so sshd    session    required    pam_permit.so # "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login' telnetd    auth    required    pam_unix.so    try_first_pass # Don't break startx xserver    auth    required    pam_permit.so # XDM is difficult; it fails or moans unless there are modules for each # of the four management groups; auth, account, session and password. xdm    auth    required    pam_unix.so #xdm    auth    sufficient    pam_kerberosIV.so    try_first_pass #xdm    auth    sufficient    pam_krb5.so        try_first_pass xdm    account    required    pam_unix.so        try_first_pass xdm    session    required    pam_deny.so xdm    password required    pam_deny.so # GDM (GNOME Display Manager) gdm    auth    required    pam_unix.so #gdm    auth    sufficient    pam_kerberosIV.so    try_first_pass #gdm    auth    sufficient    pam_krb5.so        try_first_pass gdm    account    required    pam_unix.so        try_first_pass gdm    session    required    pam_permit.so gdm    password required    pam_deny.so # Mail services imap    auth    required    pam_unix.so        try_first_pass pop3    auth    required    pam_unix.so        try_first_pass # If we don't match anything else, default to using getpwnam(). other    auth    sufficient    pam_skey.so other    auth    required    pam_unix.so        try_first_pass other    account    required    pam_unix.so        try_first_pass Подскажите в каком направлении копать??? HELP!!!

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> мдяяя, не получается, мои последние действия: > FreeBSD 4.10, Samba 3.0.11, DC - W2k3 > поставил heimdal-0.6.3 > /etc/krb5.conf: > [logging] > default = FILE:/var/log/krb5/libs.log > kdc = FILE:/var/log/krb5/kdc.log > admin_server = FILE:/var/log/krb5/admin.log > [libdefaults] > ticket_lifetime = 24000 > default_realm = SIGMA.NET > default_tgs_enctypes = des-cbc-crc des-cbc-md5 > default_tkt_enctypes = des-cbc-crc des-cbc-md5 > forwardable = true > proxiable = true > dns_lookup_realm = true > dns_lookup_kdc = true > [realms] > SIGMA.NET = { > kdc = gateway.sigma.net:88 > default_domain = sigma.net > } > [domain_realm] > .sigma.net = SIGMA.NET > sigma.net = SIGMA.NET > [kdc] > profile = /var/heimdal/kdc.conf > [pam] > debug = false > ticket_lifetime = 36000 > renew_lifetime = 36000 > forwardable = true > krb4_convert = false > Непонятно что там должно быть: > [kdc] > profile = /var/heimdal/kdc.conf - ??? > weasel# /usr/heimdal/bin/kinit > georgy@SIGMA.NET's Password: > kinit: NOTICE: ticket renewable lifetime is 1 week > weasel# > Далее, поставил последний openldap, 2.2.23 > ./configure --enable-bdb=no > поставил самбу > ./configure --with-winbind --with-winbind-auth-challenge --with-krb5=/usr/heimdal > --with-ads --with-ldap > /etc/local/samba/lib/smb.conf: > [global] > dos charset=CP866 > unix charset=KOI8-R > workgroup=sigma > server string=Samba Server > security=ADS > realm=SIGMA.NET > password server=* > hosts allow=192.168. 127. > netbios name=weasel > load printers=no > encrypt passwords=yes > obey pam restrictions=yes > winbind uid=10000-20000 > winbind gid=10000-20000 > template shell=/bin/false > winbind enum users=yes > winbind enum groups=yes > winbind use default domain=yes > nt acl support=yes > wins server=gateway.sigma.net > interfaces=fxp0 > log file=/var/log/samba.log > max log size=50 > use spnego=yes > client use spnego=yes > local master=no > allow trusted domains=yes > username map=/usr/local/samba/lib/users.map > [Common] > comment=Test share > path=/usr/common > browseable=yes > public=yes > writable=yes > printable=no > create mask=0775 > force create mode=0664 > force directory mode=0755 > Из чего не понятно, что должно быть в > /usr/local/samba/lib/users.map > и нужен он вообще??? > winbindd запущен > weasel# /usr/local/samba/bin/net ads join > Using short domain name -- SIGMA > Joined 'WEASEL' to realm 'SIGMA.NET' > weasel# > Даже никакого пароля не хотело > weasel# ./wbinfo -t > checking the trust secret via RPC calls succeeded > weasel# > weasel# ./wbinfo -g > weasel# ./wbinfo -u > все как положено, доменных список групп и юзеров со всех доменов в > трасте с моим. > /etc/nsswitch.conf: > passwd: files winbind > shadow: files winbind > group: files winbind > скопировал из ../source/nsswitch/libnss_winbind.so в /usr/lib > сделал по доке симлинки > ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 > ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 > ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 > /usr/local/samba/sbin/nmbd -D > /usr/local/samba/sbin/smbd -D > и на этом все, при попытке зайти на шару просит логин/пароль, не > пускает, в логах самбы: > [2005/02/23 08:47:15, 0] smbd/server.c:open_sockets_smbd(388) > open_sockets_smbd: accept: Software caused connection abort > [2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250) > Username SIGMA\Georgy is invalid on this system > [2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250) > Username SIGMA\Georgy is invalid on this system > [2005/02/23 08:47:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(250) > Username SIGMA\Georgy is invalid on this system > [2005/02/23 08:47:16, 0] auth/auth_util.c:make_server_info_info3(1163) > make_server_info_info3: pdb_init_sam failed! > Надо было компилить самбу с --with-pam??? > Что нужно наковырять в /etc/pam.conf??? > мой /etc/pam.conf: > # If the user can authenticate with S/Key, that's sufficient; allow clear > # password. Try kerberos, then try plain unix password. > login auth sufficient pam_skey.so > login auth sufficient pam_opie.so no_fake_prompts > #login auth requisite pam_opieaccess.so > login auth requisite pam_cleartext_pass_ok.so > #login auth sufficient pam_kerberosIV.s try_first_pass > #login auth sufficient pam_krb5.so try_first_pass > login auth required pam_unix.so try_first_pass > login account required pam_unix.so > login password required pam_permit.so > login session required pam_permit.so > # Same requirement for ftpd as login > ftpd auth sufficient pam_skey.so > ftpd auth sufficient pam_opie.so no_fake_prompts > #ftpd auth requisite pam_opieaccess.so > ftpd auth requisite pam_cleartext_pass_ok.so > #ftpd auth sufficient pam_kerberosIV.so try_first_pass > #ftpd auth sufficient pam_krb5.so try_first_pass > ftpd auth required pam_unix.so try_first_pass > # OpenSSH with PAM support requires similar modules. The session one > is > # a bit strange, though... > sshd auth sufficient pam_skey.so > sshd auth sufficient pam_opie.so no_fake_prompts > #sshd auth requisite pam_opieaccess.so > #sshd auth sufficient pam_kerberosIV.so try_first_pass > #sshd auth sufficient pam_krb5.so try_first_pass > sshd auth required pam_unix.so try_first_pass > sshd account required pam_unix.so > sshd password required pam_permit.so > sshd session required pam_permit.so > # "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login' > telnetd auth required pam_unix.so try_first_pass > # Don't break startx > xserver auth required pam_permit.so > # XDM is difficult; it fails or moans unless there are modules > for each > # of the four management groups; auth, account, session and password. > xdm auth required pam_unix.so > #xdm auth sufficient pam_kerberosIV.so try_first_pass > #xdm auth sufficient pam_krb5.so try_first_pass > xdm account required pam_unix.so try_first_pass > xdm session required pam_deny.so > xdm password required pam_deny.so > # GDM (GNOME Display Manager) > gdm auth required pam_unix.so > #gdm auth sufficient pam_kerberosIV.so try_first_pass > #gdm auth sufficient pam_krb5.so try_first_pass > gdm account required pam_unix.so try_first_pass > gdm session required pam_permit.so > gdm password required pam_deny.so > # Mail services > imap auth required pam_unix.so try_first_pass > pop3 auth required pam_unix.so try_first_pass > # If we don't match anything else, default to using getpwnam(). > other auth sufficient pam_skey.so > other auth required pam_unix.so try_first_pass > other account required pam_unix.so try_first_pass > Подскажите в каком направлении копать??? HELP!!!
	Введите код, изображенный на картинке: