Доброго времени, коллеги!
Пытаюсь завести линуксовую тачку в домен Windows. Машина с Debian 8, Samba 4. Домен на Win Server 2008R2. В домен подключил успешно, но wbinfo -u | -g и аналогично getnet passwd | groups не видят доменных пользователей и группы.
В доках и мануалах на просторах гугла подобной ситуации не нашел.
Конфиги:
smb.conf:
[global]
workgroup = REGIONS
realm = REGIONS.LAN
dns proxy = no
interfaces = eth0
log file = /var/log/samba/log.%m
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad password
usershare allow guests = no
unix charset = utf8
dos charset = cp1251
security = ADS
auth methods = winbind
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = TCP_NODELAY
# Отключаем любые попытки тачки стать контроллером домена
domain master = no
local master = no
preferred master = no
os level = 0
# Отключаем поддержку принтеров
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
# Включаем интеграцию с Winbind
domain logons = yes
idmap uid = 10000 - 40000
idmap gid = 10000 - 40000
winbind refresh tickets = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind cache time = 40
template shell = /bin/false
winbind refresh tickets = yes
[share]
comment = Shared folder
path = /srv/samba/share
read only = no
browseable = yes
guest ok = no
create mask = 0777
directory mask = 0777
writable = yes
[users]
comment = Users folder
path = /srv/samba/users
read only = no
browseable = yes
guest ok = no
create mask = 0777
directory mask = 0777
writable = yes
krb5.conf:
[libdefaults]
default_realm = REGIONS.LAN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
REGIONS.LAN = {
kdc = dc01
admin_server = dc01
default_REGIONS = REGIONS.LAN
}
[REGIONS_realm]
.regions.tax.nalog.ru = REGIONS.LAN
regions.tax.nalog.ru = REGIONS.LAN
[login]
krb4_convert = false
krb4_get_tickets = false
Результат команды testparm:
# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[share]"
Processing section "[users]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
И собственно
# wbinfo -t
checking the trust secret for domain REGIONS via RPC calls succeeded
Таким образом машина в домен вошла, авторизация через kerberos успешно проходит, samba с доменом установила доверенные отношения.
Подскажите, куда копать?
NB: К домен контроллеру доступа нет. На его стороне логи посмотреть не могу.
Простой
Простой
