Message-ID: <4C6CD705.8090800@yandex.ru>
Date: Thu, 19 Aug 2010 14:02:29 +0700
From: "Mad-Max-Traveller@yandex.ru"
To: ALT Linux Community general discussions
Subject: [Comm] Joining a workstation running Simply Linux to a Windows 2003-based domain
List-Id: ALT Linux Community general discussions

Greetings, everyone.

I set myself this task but stumbled at the last step, so I am asking for your help.

The following packages are installed: samba-swat, samba-client, krb5-kinit, libkrb5, ntpdate, pam_mount.

My domain controller is named DC3.OFFICE.DOMEN.LOCAL and its IP address is 192.168.10.11. It is also the DNS and WINS server on my network.

ping DC3
PING DC3.office.domen.local (192.168.10.11) 56(84) bytes of data.
64 bytes from dc3.office.domen.local (192.168.10.11): icmp_seq=1 ttl=128 time=0.137 ms
64 bytes from dc3.office.domen.local (192.168.10.11): icmp_seq=2 ttl=128 time=0.147 ms

Contents of /etc/hosts:

127.0.0.1 localhost.localdomain localhost
127.0.0.1 wslinux.office.domen.local wslinux

Time is synchronized with the domain.

Contents of /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OFFICE.DOMEN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 OFFICE.DOMEN.LOCAL = {
  kdc = 192.168.10.11
  default_domain = office.domen.local
 }

[domain_realm]
 .office.domen.local = OFFICE.DOMEN.LOCAL
 office.domen.local = OFFICE.DOMEN.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

I obtained a ticket successfully:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@OFFICE.DOMEN.LOCAL

Valid starting     Expires            Service principal
08/17/10 11:11:58  08/17/10 21:12:04  krbtgt/OFFICE.DOMEN.LOCAL@OFFICE.DOMEN.LOCAL
        renew until 08/18/10 11:11:58

Contents of /etc/nsswitch.conf:

passwd:  files winbind
shadow:  tcb files winbind
group:   files winbind
gshadow: files

Joined the domain:

# net ads join -U admin
admin's password:
Using short domain name -- OFFICE
Joined 'WSLINUX' to realm 'OFFICE.DOMEN.LOCAL'

I can see the domain users:

$ wbinfo -u
OFFICE\гость
OFFICE\администратор
OFFICE\user1
OFFICE\user2
…

But I don't know how to configure PAM correctly. I have a poor understanding of this file's structure, and I haven't found any sensible documentation in Russian. In /etc/pam.d there is a symlink system-auth pointing to system-auth-local. If I recreate the system-auth symlink so that it points to system-auth-winbind, it becomes impossible to log in to the system at all, either as a domain user or as a local one.

Contents of /etc/pam.d/system-auth-winbind:

#%PAM-1.0
auth     required   pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth     optional   pam_mount.so
auth     sufficient pam_winbind.so use_first_pass
account  required   pam_tcb.so shadow fork
account  sufficient pam_succeed_if.so uid < 500 quiet
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
password required   pam_passwdqc.so config=/etc/passwdqc.conf
password required   pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session  required   pam_tcb.so
session  required   pam_mktemp.so
session  required   pam_limits.so
session  optional   pam_mount.so
# We use pam_mkhomedir to create home dirs for incoming domain users
# Note used umask, it will result in rwxr-x--x access rights
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0026
session  include    system-auth

I would appreciate your help with the configuration. Thanks in advance.