Hmmm, it's not working; my latest steps:
FreeBSD 4.10, Samba 3.0.11, DC - W2k3
installed heimdal-0.6.3
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = SIGMA.NET
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SIGMA.NET = {
kdc = gateway.sigma.net:88
default_domain = sigma.net
}
[domain_realm]
.sigma.net = SIGMA.NET
sigma.net = SIGMA.NET
[kdc]
profile = /var/heimdal/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
It's unclear what should go here:
[kdc]
profile = /var/heimdal/kdc.conf - ???
weasel# /usr/heimdal/bin/kinit
georgy@SIGMA.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
weasel#
Next, installed the latest openldap, 2.2.23
./configure --enable-bdb=no
installed samba
./configure --with-winbind --with-winbind-auth-challenge --with-krb5=/usr/heimdal --with-ads --with-ldap
/etc/local/samba/lib/smb.conf:
[global]
dos charset=CP866
unix charset=KOI8-R
workgroup=sigma
server string=Samba Server
security=ADS
realm=SIGMA.NET
password server=*
hosts allow=192.168. 127.
netbios name=weasel
load printers=no
encrypt passwords=yes
obey pam restrictions=yes
winbind uid=10000-20000
winbind gid=10000-20000
template shell=/bin/false
winbind enum users=yes
winbind enum groups=yes
winbind use default domain=yes
nt acl support=yes
wins server=gateway.sigma.net
interfaces=fxp0
log file=/var/log/samba.log
max log size=50
use spnego=yes
client use spnego=yes
local master=no
allow trusted domains=yes
username map=/usr/local/samba/lib/users.map
[Common]
comment=Test share
path=/usr/common
browseable=yes
public=yes
writable=yes
printable=no
create mask=0775
force create mode=0664
force directory mode=0755
From this it's unclear what should be in
/usr/local/samba/lib/users.map
and whether it is needed at all???
winbindd is running
weasel# /usr/local/samba/bin/net ads join
Using short domain name -- SIGMA
Joined 'WEASEL' to realm 'SIGMA.NET'
weasel#
It didn't even ask for any password
weasel# ./wbinfo -t
checking the trust secret via RPC calls succeeded
weasel#
weasel# ./wbinfo -g
weasel# ./wbinfo -u
everything as it should be: a list of domain groups and users from all domains in trust with mine.
/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
copied ../source/nsswitch/libnss_winbind.so to /usr/lib
made the symlinks as per the docs
ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2
/usr/local/samba/sbin/nmbd -D
/usr/local/samba/sbin/smbd -D
and that's it; when I try to open the share it asks for a login/password and doesn't let me in; in the samba logs:
[2005/02/23 08:47:15, 0] smbd/server.c:open_sockets_smbd(388)
open_sockets_smbd: accept: Software caused connection abort
[2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username SIGMA\Georgy is invalid on this system
[2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username SIGMA\Georgy is invalid on this system
[2005/02/23 08:47:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username SIGMA\Georgy is invalid on this system
[2005/02/23 08:47:16, 0] auth/auth_util.c:make_server_info_info3(1163)
make_server_info_info3: pdb_init_sam failed!
Should I have compiled samba with --with-pam???
What needs to be tweaked in /etc/pam.conf???
my /etc/pam.conf:
# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login auth sufficient pam_skey.so
login auth sufficient pam_opie.so no_fake_prompts
#login auth requisite pam_opieaccess.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.s try_first_pass
#login auth sufficient pam_krb5.so try_first_pass
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
login password required pam_permit.so
login session required pam_permit.so
# Same requirement for ftpd as login
ftpd auth sufficient pam_skey.so
ftpd auth sufficient pam_opie.so no_fake_prompts
#ftpd auth requisite pam_opieaccess.so
ftpd auth requisite pam_cleartext_pass_ok.so
#ftpd auth sufficient pam_kerberosIV.so try_first_pass
#ftpd auth sufficient pam_krb5.so try_first_pass
ftpd auth required pam_unix.so try_first_pass
# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd auth sufficient pam_skey.so
sshd auth sufficient pam_opie.so no_fake_prompts
#sshd auth requisite pam_opieaccess.so
#sshd auth sufficient pam_kerberosIV.so try_first_pass
#sshd auth sufficient pam_krb5.so try_first_pass
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so
# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd auth required pam_unix.so try_first_pass
# Don't break startx
xserver auth required pam_permit.so
# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm auth required pam_unix.so
#xdm auth sufficient pam_kerberosIV.so try_first_pass
#xdm auth sufficient pam_krb5.so try_first_pass
xdm account required pam_unix.so try_first_pass
xdm session required pam_deny.so
xdm password required pam_deny.so
# GDM (GNOME Display Manager)
gdm auth required pam_unix.so
#gdm auth sufficient pam_kerberosIV.so try_first_pass
#gdm auth sufficient pam_krb5.so try_first_pass
gdm account required pam_unix.so try_first_pass
gdm session required pam_permit.so
gdm password required pam_deny.so
# Mail services
imap auth required pam_unix.so try_first_pass
pop3 auth required pam_unix.so try_first_pass
# If we don't match anything else, default to using getpwnam().
other auth sufficient pam_skey.so
other auth required pam_unix.so try_first_pass
other account required pam_unix.so try_first_pass
Tell me which direction to dig in??? HELP!!!
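An added diagnostic for the smbd log lines quoted in the post (this is an editor's example, not code from the poster or from the Samba project). `reply_spnego_kerberos` writes "Username X is invalid on this system" only after the Kerberos ticket has already been accepted, at the point where smbd asks the OS (getpwnam) for the mapped account and gets nothing back; `make_server_info_info3: pdb_init_sam failed!` is the same missing-account failure on the NTLM path. The script therefore separates the winbind layer (`wbinfo -p` and `wbinfo -i`, which talk to winbindd directly) from the OS name-service layer (`id`, which goes through libc's nsswitch). Assumptions not taken from the post: `wbinfo` and `id` are in PATH on the member server, and the log sample embedded in the script is constructed from the lines the post shows.

```shell
#!/bin/sh
# Editor's example, not from the original post or Samba.
# Tells apart "winbind cannot see the account" from "the OS cannot see the
# account" for every name smbd rejected in a samba log.
# Usage on the member server:  sh smbd_user_check.sh /var/log/samba.log

# Constructed sample of the log lines quoted in the post (for self-testing).
sample_log() {
    cat <<'EOF'
[2005/02/23 08:47:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username SIGMA\Georgy is invalid on this system
[2005/02/23 08:47:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username SIGMA\Georgy is invalid on this system
[2005/02/23 08:47:16, 0] auth/auth_util.c:make_server_info_info3(1163)
make_server_info_info3: pdb_init_sam failed!
EOF
}

# Print each distinct rejected name, one per line (log is read on stdin).
rejected_users() {
    sed -n 's/^Username \(.*\) is invalid on this system$/\1/p' | sort -u
}

# "DOMAIN\user" -> "DOMAIN"; a bare user name yields an empty line.
name_domain() {
    bs='\'
    case "$1" in
        *"$bs"*) printf '%s\n' "${1%%"$bs"*}" ;;
        *)       printf '\n' ;;
    esac
}

# "DOMAIN\user" -> "user" (the form winbind exports to NSS when
# "winbind use default domain = yes"); a bare name is returned unchanged.
name_user() {
    bs='\'
    printf '%s\n' "${1#*"$bs"}"
}

# 0 if the OS name service (libc nsswitch -> winbind) resolves the account.
user_resolves() {
    id "$1" >/dev/null 2>&1
}

# For each rejected name, report which layer is failing.
diagnose() {
    rejected_users | while read -r full; do
        user=$(name_user "$full")
        if ! wbinfo -p >/dev/null 2>&1; then
            echo "$full: winbindd is not answering (wbinfo -p failed)"
        elif ! wbinfo -i "$full" >/dev/null 2>&1 \
          && ! wbinfo -i "$user" >/dev/null 2>&1; then
            echo "$full: winbind itself cannot look up the account (check wbinfo -u and the domain join)"
        elif user_resolves "$full" || user_resolves "$user"; then
            echo "$full: the OS resolves it; smbd rejected it for another reason (raise log level, check username map)"
        else
            echo "$full: winbind knows the account but libc does not: nsswitch is not consulting nss_winbind"
        fi
    done
}

if [ $# -eq 1 ]; then
    diagnose < "$1"
fi
```

The last branch is the one to look for: if `wbinfo -i` succeeds but `id` fails, Samba and the AD join are fine and the break is in libc. nsswitch.conf(5) and dynamically loaded NSS modules first appeared in FreeBSD 5.0, so on 4.10 the `/usr/lib/nss_winbind.so` symlinks are never read by the base libc no matter what `/etc/nsswitch.conf` says. Separately, the `[kdc]` section of krb5.conf is read only by a Heimdal KDC process running on the same host; a domain member that authenticates against the W2k3 DC does not need it.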