From: "Mad-Max-Traveller@yandex.ru" <Mad-Max-Traveller@yandex.ru>
To: ALT Linux Community general discussions <community@lists.altlinux.org>
Subject: [Comm] Joining a workstation running Simply Linux to a Win 2003 domain
Date: Thu, 19 Aug 2010 14:02:29 +0700
Message-ID: <4C6CD705.8090800@yandex.ru>

Greetings everyone.

I set myself this task but stumbled on the last step, so I am asking for your help.

The following packages are installed:

  samba-swat
  samba-client
  krb5-kinit
  libkrb5
  ntpdate
  pam_mount

My domain controller is named DC3.OFFICE.DOMEN.LOCAL and its IP address is 192.168.10.11. It is also the DNS and WINS server on my network.

  ping DC3
  PING DC3.office.domen.local (192.168.10.11) 56(84) bytes of data.
  64 bytes from dc3.office.domen.local (192.168.10.11): icmp_seq=1 ttl=128 time=0.137 ms
  64 bytes from dc3.office.domen.local (192.168.10.11): icmp_seq=2 ttl=128 time=0.147 ms

Contents of /etc/hosts:

  127.0.0.1 localhost.localdomain localhost
  127.0.0.1 wslinux.office.domen.local wslinux

Time is synchronized with the domain.
Contents of /etc/krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = OFFICE.DOMEN.LOCAL
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes

  [realms]
   OFFICE.DOMEN.LOCAL = {
    kdc = 192.168.10.11
    default_domain = office.domen.local
   }

  [domain_realm]
   .office.domen.local = OFFICE.DOMEN.LOCAL
   office.domen.local = OFFICE.DOMEN.LOCAL

  [appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }

I obtained a ticket successfully:

  # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: admin@OFFICE.DOMEN.LOCAL

  Valid starting     Expires            Service principal
  08/17/10 11:11:58  08/17/10 21:12:04  krbtgt/OFFICE.DOMEN.LOCAL@OFFICE.DOMEN.LOCAL
          renew until 08/18/10 11:11:58

Contents of /etc/nsswitch.conf:

  passwd: files winbind
  shadow: tcb files winbind
  group: files winbind
  gshadow: files

I joined the domain:

  # net ads join -U admin
  admin's password:
  Using short domain name -- OFFICE
  Joined 'WSLINUX' to realm 'OFFICE.DOMEN.LOCAL'

I can see the domain users:

  $ wbinfo -u
  OFFICE\гость
  OFFICE\администратор
  OFFICE\user1
  OFFICE\user2
  …

But I do not know how to configure PAM correctly. I do not understand the structure of this file well, and I could not find any decent documentation in Russian. In /etc/pam.d there is a symlink system-auth pointing to system-auth-local. If I recreate the symlink system-auth so that it points to system-auth-winbind, it becomes impossible to log in to the system at all, either as a domain user or as a local user.
Contents of /etc/pam.d/system-auth-winbind:

  #%PAM-1.0
  auth     required   pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
  auth     optional   pam_mount.so
  auth     sufficient pam_winbind.so use_first_pass
  account  required   pam_tcb.so shadow fork
  account  sufficient pam_succeed_if.so uid < 500 quiet
  account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
  password required   pam_passwdqc.so config=/etc/passwdqc.conf
  password required   pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
  session  required   pam_tcb.so
  session  required   pam_mktemp.so
  session  required   pam_limits.so
  session  optional   pam_mount.so
  # We use pam_mkhomedir to create home dirs for incoming domain users
  # Note used umask, it will result in rwxr-x--x access rights
  session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0026
  session  include    system-auth

I would appreciate your help with the configuration. Thanks in advance.
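Since the question is about how the posted PAM stack behaves once system-auth points at system-auth-winbind, here is an added example (my own code, not from the post or from ALT Linux) that parses the poster's rules from a constructed in-memory stand-in for /etc/pam.d and reports two things Linux-PAM semantics make worth checking before switching the symlink: include chains that loop back on themselves, and `sufficient` modules placed after a `required` one of the same type, whose success cannot rescue a failure of the required module.

```python
import re
# Constructed stand-in for /etc/pam.d: the poster's file plus the symlink it ends up including.
PAM_DIR = {"system-auth-winbind": """\
auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth optional pam_mount.so
auth sufficient pam_winbind.so use_first_pass
account required pam_tcb.so shadow fork
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
password required pam_passwdqc.so config=/etc/passwdqc.conf
password required pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session required pam_tcb.so
session required pam_mktemp.so
session required pam_limits.so
session optional pam_mount.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0026
session include system-auth
"""}
PAM_DIR["system-auth"] = PAM_DIR["system-auth-winbind"]  # system-auth -> system-auth-winbind
RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")  # type, control, module, args
def parse(text):
    """Return (type, control, module, args) tuples; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            m = RULE.match(line)
            if not m:
                raise ValueError(f"unparsable PAM line: {raw!r}")
            rules.append(m.groups())
    return rules

def include_cycle(service, pam_dir=PAM_DIR, chain=()):
    """Return the first include/substack chain that revisits a service, else None."""
    if service in chain:
        return chain + (service,)
    for _, control, target, _ in parse(pam_dir[service]):
        if control in ("include", "substack"):
            if (found := include_cycle(target, pam_dir, chain + (service,))):
                return found

def sufficient_after_required(service, typ, pam_dir=PAM_DIR):
    """'sufficient' modules of one type that follow a 'required' one and so cannot rescue its failure."""
    seen_required, hits = False, []
    for t, control, module, _ in parse(pam_dir[service]):
        if t == typ and control == "required":
            seen_required = True
        elif t == typ and control == "sufficient" and seen_required:
            hits.append(module)
    return hits
```

With the poster's file, `include_cycle("system-auth-winbind")` reports the self-include through the symlink, and `sufficient_after_required(..., "auth")` names pam_winbind.so as the module a pam_tcb.so failure would override.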
Thread overview: 3+ messages
  2010-08-19  7:02 Mad-Max-Traveller [this message]
  2010-08-23 10:07 ` Mad-Max-Traveller
  2010-08-23 12:57   ` Michael Shigorin