Опытный
Профиль
Группа: Участник
Сообщений: 297
Регистрация: 6.11.2006
Репутация: нет
Всего: нет
|
Добрый день. Проблема в следующем: была настроена Samba, winbind и kerberos для работы в локальной сети. Сеть поставлена на две подсети и один контроллер aol-dcp.domen.ru. В сети есть Wins, IP раздаётся DHCP, всё работает нормально... ах да, ещё ISA Proxy наличествует, но, думаю, не суть важно. Итак, проблема вот в чём, при попытке подключения к серверу net выдаёт: | Код |
user's password:
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Failed to join domain!
|
При подсоединении kinit всё проходит молчаливо: | Код |
user@aol-st5:/var/log/samba$ kinit -p user
Password for [email protected]:
domen@aol-st5:/var/log/samba$
|
Логи Samba вроде ничего не говорят: log.nmbd | Код |
[2008/09/11 19:42:54, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN<1d>.
This response was from IP 192.168.0.9, reporting an IP address of 192.168.1.9.
[2008/09/11 19:48:06, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN<1d>.
This response was from IP 192.168.0.9, reporting an IP address of 192.168.1.9.
[2008/09/11 19:53:06, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN<1d>.
This response was from IP 192.168.0.9, reporting an IP address of 192.168.1.9.
[2008/09/11 19:58:05, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN<1d>.
This response was from IP 192.168.0.19, reporting an IP address of 192.168.0.19.
[2008/09/11 20:03:14, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN<1d>.
This response was from IP 192.168.0.9, reporting an IP address of 192.168.1.9.
[2008/09/11 20:08:13, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN<1d>.
This response was from IP 192.168.0.9, reporting an IP address of 192.168.1.9.
[2008/09/11 20:10:06, 0] nmbd/nmbd.c:terminate(58)
Got SIGTERM: going down...
[2008/09/11 20:10:09, 0] nmbd/nmbd.c:main(699)
Netbios nameserver version 3.0.24 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
[2008/09/11 20:30:23, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.156 for name DOMEN
This response was from IP 192.168.0.19, reporting an IP address of 192.168.0.19.
|
log.smbd | Код |
account_policy_get: tdb_fetch_uint32 failed for field 3 (user must logon to change password), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 4 (maximum password age), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 5 (minimum password age), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 6 (lockout duration), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 7 (reset count minutes), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 8 (bad lockout attempt), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 9 (disconnect time), returning 0
[2008/09/11 16:43:15, 1] lib/account_pol.c:account_policy_get(332)
account_policy_get: tdb_fetch_uint32 failed for field 10 (refuse machine password change), returning 0
[2008/09/11 16:43:15, 0] printing/nt_printing.c:nt_printing_init(649)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
|
log.wb-DOMAIN | Код |
[2008/09/11 17:07:26, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:10:34, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:17:01, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:27:41, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:31:05, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:35:29, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:41:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
[2008/09/11 17:46:05, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(552)
spnego_gen_negTokenTarg failed: No credentials cache found
|
Вопрос: где бы мне ещё порыться?  Конфигурация Samba: | Код |
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = DOMEN
# server string is the equivalent of the NT Description field
server string = %h server
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.0.19
# If we receive WINS server info from DHCP, override the options above.
include = /etc/samba/dhcp.conf
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
# What naming service and in what order should we use to resolve host names
# to IP addresses
name resolve order = lmhosts host wins bcast
netbios name = aol-st5
server string = AOL-DCP.DOMEN.RU
password server = 192.168.0.19
realm = domen.ru
winbind use default domain = yes
# кодовая страница
dos charset = 866
unix charset = CP1251
display charset = LOCALE
local master = no
browse list = yes
remote browse sync = 192.168.0.36
auth methods = winbind
case sensitive = no
use sendfile = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
passdb backend = smbpasswd
client use spnego = yes
client ntlmv2 auth = yes
os level = 0
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = true
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = ads
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = yes
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
# obey pam restrictions = yes
; guest account = nobody
# invalid users = root
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<[email protected]> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
########## Domains ###########
# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
domain logons = no
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
hosts allow = 192.168.0. 192.168.1. 127.
# The following required a [profiles] share to be setup on the
# samba server (see below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
; logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
; logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
# Some defaults for winbind (make sure you're not using the ranges
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
;
; The following was the default behaviour in sarge
; but samba upstream reverted the default because it might induce
; performance issues in large organizations
; See #368251 for some of the consequences of *not* having
; this setting and smb.conf(5) for all details
;
winbind enum groups = yes
winbind enum users = yes
#======================= Share Definitions =======================
|
|
Проблема с входом в AD из Samba, Failed to join domain! 
Загрузка ...
