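Обязательно отключи на сервере 2003 требование подписи LDAP (LDAP server signing requirements) в политиках безопасности и контроллера, и домена — у меня было то же горе. Имей в виду: без обязательной подписи LDAP-трафик к контроллеру остаётся без защиты от подмены, так что это обходной путь; если твоя версия Samba умеет подписывать LDAP сама (параметр client ldap sasl wrapping = sign в более новых версиях), требование лучше включить обратно.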
Вывел линукс из ADS, в smb.conf оставил только строки с winbind:
# Global parameters
# Member-server settings for joining the Active Directory realm through winbind.
# smb.conf only recognises comments on lines of their own, so each note sits
# above the parameter it describes.
[global]
# Act as an AD domain member; logons are validated by the domain.
security = ads
workgroup = KIT
# Has to match default_realm in krb5.conf.
realm = KIT.ZSU.ZP.UA
# Legacy aid for migrating from plaintext to encrypted passwords in smbpasswd.
# NOTE(review): looks unnecessary on an ADS member - confirm and drop.
update encrypted = Yes
os level = 32
# Stay out of the browse-master roles.
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 10.1.100.25
# Range of Unix uids/gids that winbind hands out to domain users and groups.
# Keep it clear of every id already used in /etc/passwd and /etc/group,
# otherwise a domain account can end up owning a local account's files.
winbind uid = 10000-20000
winbind gid = 10000-20000
# Seconds that winbind caches user and group information.
winbind cache time = 10
winbind enable local accounts = Yes
winbind nested groups = Yes
# Domain users appear without the DOMAIN prefix, so a domain user and a local
# user with the same name can no longer be told apart by name - check for
# collisions (root, service accounts) before relying on this.
winbind use default domain = yes
в krb5.conf
# Kerberos client configuration for the AD realm used by Samba/winbind.
# Kerberos rejects requests when clocks drift too far apart, so keep this
# host's time synchronised with the domain controller before running kinit.
[logging]
default = FILE:/var/log/krb5libs.log
# The next two entries name log files for the KDC and kadmind daemons.
# NOTE(review): presumably unused on a pure client - confirm.
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Has to match "realm" in smb.conf.
default_realm = KIT.ZSU.ZP.UA
[realms]
# Two kdc entries: the controller by name, then an address given by IP.
# NOTE(review): is 10.1.100.39 a second controller or the same host? confirm.
KIT.ZSU.ZP.UA = {
default_domain = kit.zsu.zp.ua
admin_server = kit-server.kit.zsu.zp.ua
kdc = kit-server.kit.zsu.zp.ua
kdc = 10.1.100.39
}
# Map DNS names to the realm: the bare domain and every host beneath it.
[domain_realm]
kit.zsu.zp.ua = KIT.ZSU.ZP.UA
.kit.zsu.zp.ua = KIT.ZSU.ZP.UA
# Points at a KDC configuration file.
# NOTE(review): likely only meaningful on a host that runs a KDC - confirm.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
# Settings for the "pam" application: both lifetimes are 36000 (10 hours if
# read as seconds), and forwardable = true asks for tickets that can be
# forwarded to other hosts.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
# Join sequence, run as root (the leading "#" on each command line below is
# the root prompt, not a comment marker).
# Both daemons are stopped for the duration of the join.
#service smb stop
#service winbind stop
# Obtain a Kerberos ticket as a domain admin, then join the machine to the domain.
#kinit Administrator
#net ads join -U Administrator
# NOTE(review): the Administrator ticket from kinit stays in root's credential
# cache after the join; running kdestroy at this point removes it.
#service smb start
#service winbind start
все остальное по классике причем не рекомендуют:
use spnego = yes ( лучше но)
client use spnego = yes
У себя вообще закомментировал. Когда отработал wbinfo -t,
стал дописывать в конфу самбы по вкусу.
Не хило бы ещё проверить, что доменные группы и пользователи видны:
#getent group
#getent passwd
в /etc/pam.d/login
#%PAM-1.0
# Console login stack with pam_winbind added for domain accounts.
auth required pam_securetty.so
# "sufficient" ends the auth stack on success, so a domain user accepted by
# pam_winbind never reaches system-auth or pam_nologin further down.
# NOTE(review): if /etc/nologin must also block domain users, pam_nologin.so
# has to come before this line - confirm the intended behaviour.
# NOTE(review): pam_winbind is called without a group restriction; its
# require_membership_of option can limit console logins to one domain group.
auth sufficient /lib/security/pam_winbind.so
# use_first_pass: reuse the password already entered instead of prompting again.
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
# Same short-circuit for account checks: a domain user accepted here skips
# the system-auth account rules on the next line.
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
в /etc/pam.d/samba
#%PAM-1.0
# PAM stack for the "samba" service.
# NOTE(review): smbd consults PAM only when built with PAM support and, for
# account/session checks, when "obey pam restrictions" is enabled in smb.conf;
# that setting is not in the smb.conf shown - confirm this file is in use.
auth required pam_nologin.so
# Order differs from /etc/pam.d/login: system-auth is "required" and runs
# before pam_winbind, so a system-auth failure for a domain-only user still
# fails the stack even if pam_winbind succeeds afterwards.
# NOTE(review): depends on what system-auth contains - verify.
auth required pam_stack.so service=system-auth
auth sufficient pam_winbind.so
# A domain user accepted by pam_winbind skips the system-auth account rules.
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
успехов