- Samba-3.0.23c, Kerberos и W2K Srv AD,
 xasm, 00:48 , 16-Ноя-06 (1) - Samba-3.0.23c, Kerberos и W2K Srv AD, Дмитрий, 18:11 , 20-Ноя-06 (2)
- Samba-3.0.23c, Kerberos и W2K Srv AD, Basileo, 14:41 , 22-Ноя-06 (5)
- Samba-3.0.23c, Kerberos и W2K Srv AD, Дмитрий, 16:04 , 22-Ноя-06 (6)
- Samba-3.0.23c, Kerberos и W2K Srv AD, Basileo, 17:37 , 22-Ноя-06 (7)
- Samba-3.0.23c, Kerberos и W2K Srv AD, Дмитрий, 17:58 , 22-Ноя-06 (8)
- Samba-3.0.23c, Kerberos и W2K Srv AD, Basileo, 10:00 , 23-Ноя-06 (9)
- Samba-3.0.23c, Kerberos и W2K Srv AD, VVD, 20:18 , 19-Янв-07 (10)
После апгрейда c 3.0.22 на 3.0.23 самба перестала пускать на шары с сообщениями в логах:
[2006/12/14 17:28:38, 2] lib/access.c:check_access(323)
Allowed connection from (10.0.0.27)
[2006/12/14 17:28:39, 2] smbd/service.c:make_connection_snum(580)
user 'user_name' (from session setup) not permitted to access this share (share_name)
[2006/12/14 17:28:46, 2] lib/access.c:check_access(323)
Allowed connection from (10.0.0.27)
[2006/12/14 17:28:46, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/12/14 17:28:46, 0] libads/authdata.c:decode_pac_data(797)
decode_pac_data: failed to parse PAC
[2006/12/14 17:28:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
Username DOMAIN_NAME+COMPUTER_NAME$ is invalid on this system
[2006/12/14 17:28:46, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/12/14 17:28:46, 0] libads/authdata.c:decode_pac_data(797)
decode_pac_data: failed to parse PACsmb.conf не менялся (security=ads)
net ads join проходит нормально
wbinfo -t, wbinfo -u работает нормально
А вот зайти на как раньше с win машин не могу. $ls /usr/local/lib/nss_winbind.so*
/usr/local/lib/nss_winbind.so -> nss_winbind.so.1
/usr/local/lib/nss_winbind.so.1 $ cat /etc/nsswitch.conf
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files Пытался прописывать winbind в nsswitch.conf - не помогает. Может неправильно вписывал - а как надо? Что ещё показать?
- Samba-3.0.23c, Kerberos и W2K Srv AD, Дмитрий, 20:59 , 19-Янв-07 (11)
- Samba-3.0.23c, Kerberos и W2K Srv AD, VVD, 23:44 , 19-Янв-07 (12)
$ grep -Ev '^#|^;|^[ ]*$' /usr/local/etc/smb.conf
[global]
workgroup = DOMAIN
netbios name = GW
message command = /bin/sh -c '/root/bin/winpopup.sh %s %f %m' &
time server = True
server string = GateWay
security = ads
auth methods = winbind
hosts allow = 10.0.0.0/24 127.0.0.1
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
log level = 2
password server = 10.0.0.3
encrypt passwords = yes
nt acl support = Yes
name resolve order = wins host bcast lmhosts
guest ok = No
realm = DOMAIN.LOCAL
socket options = TCP_NODELAY
interfaces = 10.0.0.1 127.0.0.1
bind interfaces only = yes
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
wins support = no
wins server = 10.0.0.3
dns proxy = no
display charset = koi8-r
unix charset = koi8-r
dos charset = cp866
#делал по разному: и "+" и "\" и вообще убирал параметр
winbind separator = \
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[pub]
path = /pub
browseable = no
writable = yes
guest ok = no
public = no
printable = no
valid users = DOMAIN\user1 DOMAIN\user2 DOMAIN\user3 DOMAIN\COMPUTER$ user1 user2 user3 COMPUTER$
force user = existing_local_user$ cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = server.domain.local
admin_server = server.domain.local
}
#server.domain.local - win2k domain controller Что лучше оставить в winbind separator и в valid users?
- Samba-3.0.23c, Kerberos и W2K Srv AD, awsswa, 14:46 , 23-Янв-07 (13)
- Samba-3.0.23c, Kerberos и W2K Srv AD, VVD, 17:49 , 23-Янв-07 (14)
>>Что лучше оставить в winbind separator и в valid users?
> winbind separator - можно вообще из конфига выбросить, по умолчанию там
>правильный "\" # man smb.conf
/winbind separator winbind separator (G)
This parameter allows an admin to define the character used when
listing a username of the form of DOMAIN \fIuser. This parameter is
only applicable when using the pam_winbind.so and nss_winbind.so
modules for UNIX services. Please note that setting this parameter to + causes problems with
group membership at least on glibc systems, as the character + is
used as a special character for NIS in /etc/group. Default: winbind separator = '' Example: winbind separator = +
- Samba-3.0.23c, Kerberos и W2K Srv AD, VVD, 18:25 , 23-Янв-07 (15)
winbind separator убрал
valid users = @DOMAIN\user1 @DOMAIN\user2 @DOMAIN\user3 @DOMAIN\COMPUTER$ user1 user2 user3 COMPUTER$Ничего не изменилось - тежи ошибки в логах. :-(
- Samba-3.0.23c, Kerberos и W2K Srv AD, glitch, 12:49 , 09-Фев-07 (16)
- Samba-3.0.23c, Kerberos и W2K Srv AD, glitch, 18:58 , 09-Фев-07 (17)
|
Версия для распечатки
Samba-3.0.23c, Kerberos и W2K Srv AD, 
