Добрый день, Уважаемые Коллеги.
Прошу помощи.
Пытаюсь завести компьютер с ALt Linux в домен windows, компьютер заводится успешно, пользователи и группы домена видятся в системе командами getent passwd и wbinfo пример:
[root@host-62 ~]# getent passwd "DOMEN\testuser"
DOMEN\testuser:*:10000:10000::/home/VTC/testuser:/bin/bash
Однако зайти в компьютер под доменной учетной записью невозможно,ответ команды
su -l "DOMEN\testuser"
такой:
su: Insufficient credentials to access authentication data.
Прикладываю конфиг файлы которые я правил для работы компьютера в домене:
/etc/krb5.conf.d/
#includedir /etc/krb5.conf.d/
[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = CONTROLLER1.DOMEN.LOCAL
[realms]
# EXAMPLE.COM = {
# default_domain = example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
/etc/nsswitch.conf
#
# Please refer to nsswitch.conf(5) for more information on this file.
#
# This is the Name Service Switch configuration file. This file should
# be sorted with the most-used databases at the beginning.
#
# Specifying '[NOTFOUND=return]' means that the search for an entry
# should stop if the search with the previous service turned up nothing.
# Note that if the search failed due to some other reason (like no NIS
# server responding) then the search continues with the next service.
#
# Legal name services are:
#
# files Use local files
# tcb Use local tcb shadow files, see tcb(5)
# db Use local database files under /var/db
# nis or yp Use NIS (NIS version 2), also called YP
# nisplus or nis+ Use NIS+ (NIS version 3)
# dns Use DNS (Domain Name Service)
# compat Use NIS in compatibility mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
passwd: files winbind
shadow: tcb files winbind
group: files role winbind
gshadow: files winbind
hosts: files wins dns nisplus nis mdns4_minimal [NOTFOUND=return] mdns4 fallback myhostname mymachines winbind
# To use db, put the "db" in front of "files" for things you want to be
# looked up first in the db files.
#
#passwd: db files nisplus nis
#shadow: db tcb files nisplus nis
#group: db files nisplus nis
#
#hosts: db files nisplus nis dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
netgroup: nisplus
publickey: nisplus
automount: files
aliases: files
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
domains = CONTROLLER1.DOMEN.LOCAL
[nss]
[pam]
# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM
[domain/DOMEN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 0
[domain/CONTROLLER1.DOMEN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 0
[domain/CONTROLLER2.DOMEN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 0
/etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================
[global]
security = ads
realm = DOMEN.LOCAL
workgroup = DOMEN
netbios name = COMPUTERNAME
template shell = /bin/bash
kerberos method = system keytab
wins support = no
wins server 192.168.7.23
idmap config * : range = 10000-20000000
idmap config * : backend = tdb
encrypt passwords = true
; dns proxy = no
; socket options = TCP_NODELAY
; domain master = no
; local master = no
; preferred master = no
; os level = 0
; domain logons = no
; load printers = no
; show add printer wizard = no
; printcap name = /dev/null
; disable spoolss = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
Подскажите чего не хватает для полноценной работы компьютера в домене?