Не вводится компьютер в домен

[Dark Smoke]

Не как не могу ввести компьютер в домен

При присоеденении к домену "remi" произошла следующая ошибка:
Сетевой пароль указан не верно.

Код: Выделить всё

# tail /var/log/messages
May 24 12:00:00 PDC newsyslog[35121]: logfile turned over due to size>100K
May 24 12:02:32 PDC smbd[35148]: [2012/05/24 12:02:32.877134,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
May 24 12:02:33 PDC smbd[35148]:   _netr_ServerAuthenticate: no challenge sent to client MANAGER5
May 24 12:02:34 PDC smbd[35149]: [2012/05/24 12:02:34.262432,  0] ../libcli/auth/smbencrypt.c:589(decode_pw_buffer)
May 24 12:02:34 PDC smbd[35149]:   decode_pw_buffer: incorrect password length (477368547).
May 24 12:02:34 PDC smbd[35149]: [2012/05/24 12:02:34.262494,  0] ../libcli/auth/smbencrypt.c:590(decode_pw_buffer)
May 24 12:02:34 PDC smbd[35149]:   decode_pw_buffer: check that 'encrypt passwords = yes'
May 24 12:02:34 PDC smbd[35149]: [2012/05/24 12:02:34.687787,  0] passdb/pdb_interface.c:431(smb_delete_user)
May 24 12:02:34 PDC smbd[35149]:   smb_delete_user: Running the command `/usr/local/sbin/ldapdeleteuser 'manager5$'' gave 

FreeBSD 8.3

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[Alvares]

Код: Выделить всё

check that 'encrypt passwords = yes'

не оно?

[Dark Smoke]

что с этим делать?

[skeletor]

Добавить в конфиг samb'ы

[Dark Smoke]

check that 'encrypt passwords = yes'

не помогло

[Dark Smoke]

Конфиг самбы

Код: Выделить всё

[global]
        dos charset = cp866
        unix charset = cp1251
        display charset = cp1251
        workgroup = REMI
        server string = PDC
        passdb backend = ldapsam:ldap://localhost/
        log file = /var/log/samba/log.%m
        max log size = 500
        min receivefile size = 16384
        acl compatibility = win2k
        time server = Yes
        socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
        load printers = No
        add user script = /usr/local/sbin/ldapadduser '%u' users
        rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'
        delete user script = /usr/local/sbin/ldapdeleteuser '%u'
        add group script = /usr/local/sbin/ldapaddgroup '%g'
        delete group script = /usr/local/sbin/ldapdeletegroup '%g'
        add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
        delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
        set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
        add machine script = /usr/local/sbin/ldapaddmachine '%u' computers
        logon script = %G.cmd
        logon path =
        logon drive = Z:
        logon home = \\pdc\home
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = "cn=root,dc=remi,dc=local"
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap suffix = dc=remi,dc=local
        ldap ssl = no
        ldap user suffix = ou=users
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = @
        winbind use default domain = Yes
        admin users = admin
        force user = root
        force group = wheel
        create mask = 0640
        force create mode = 0640
        directory mask = 0750
        force directory mode = 0750
        hosts allow = 192.168.100., 127.
        aio read size = 16384
        aio write size = 16384
        aio write behind = true
        use sendfile = Yes

[home]
        comment = Home Directories
        path = /home/samba/homes/%U
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /usr/local/etc/samba/netlogon
        guest ok = Yes
        browseable = No
        share modes = No

[profiles]
        path = /home/samba/profiles/%u
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No
        locking = No

[IPC$]
        path = /tmp
        hosts allow = 192.168.100.0/24, 127.0.0.1
        hosts deny = 0.0.0.0/0

[public]
        comment = Public share
        path = /share/public
        read only = No

[install]
        comment = install share
        path = /share/install
        read only = No
        create mask = 0664
        directory mask = 0777

[skeletor]

А где вы его добавили в конфиг?

[Dark Smoke]

Всмісле где добавил в домен? Как посмотрть?

[skeletor]

Строку

Код: Выделить всё

encrypt passwords = yes

добавить в любое место в секции [global]

[Dark Smoke]

Что интересно, encrypt passwords = yes есть в конфиге. А выкладывал я результат testparm. Просто в конфиги комментарии, а так все ровно и красиво. Это что разные вещи? И мне надо именно конфиг показать?

[Dark Smoke]

Мне кажется что єто начлось после того как я сделал сопоставления групп юникс с виндовыми

[Dark Smoke]

Дайте еще идеи.. Почему такое может быть?

[ChihPih]

Мне кажется что єто начлось после того как я сделал сопоставления групп юникс с виндовыми

Отменить и снова попробовать ввести машину в домен.

[Dark Smoke]

Как отменить? в том то и проблема что не знаю как отменить

[ChihPih]

А как делали сопоставление?

[Dark Smoke]

[f0s@mail] /home/> net groupmap add ntgroup="Domain Admins" \
? unixgroup=admins rid=512 type=domain
Successfully added group admins to the mapping db as a domain group
[f0s@mail] /home/> net groupmap add ntgroup="Domain Users" \
? unixgroup=users rid=513 type=domain
Successfully added group people to the mapping db as a domain group
[f0s@mail] /home/> net groupmap add ntgroup="Domain Computers" \
? unixgroup=computers rid=515 type=domain
Successfully added group computers to the mapping db as a domain group

Наверное так

Код: Выделить всё

# net groupmap list
Domain Users (S-1-5-21-2647654954-3451990772-171047408-513) -> users
Domain Computers (S-1-5-21-2647654954-3451990772-171047408-515) -> computers
Users (S-1-5-32-545) -> 10003
Administrators (S-1-5-32-544) -> admins2
admins2 (S-1-5-21-2647654954-3451990772-171047408-1006) -> admins2
admins3 (S-1-5-21-2647654954-3451990772-171047408-1007) -> admins3
users1 (S-1-5-21-2647654954-3451990772-171047408-1003) -> users1
users2 (S-1-5-21-2647654954-3451990772-171047408-1009) -> users2
users3 (S-1-5-21-2647654954-3451990772-171047408-1010) -> users3
users4 (S-1-5-21-2647654954-3451990772-171047408-1011) -> users4
admins4 (S-1-5-21-2647654954-3451990772-171047408-1008) -> admins4
Domain Admins (S-1-5-21-2647654954-3451990772-171047408-512) -> megadmins
admins1 (S-1-5-21-2647654954-3451990772-171047408-1034) -> admins1

# id admin
uid=10000(admin) gid=10012(admins) groups=10012(admins),10000(megadmins)

id director
uid=10024(director) gid=10011(admins1) groups=10011(admins1),10000(megadmins)

[ChihPih]

Ну так набрать команду net groupmap, чтоб посмотреть список возможных подкоманд. В этом списке есть подкоманда delete.

Код: Выделить всё

net groupmap delete {ntgroup=<string>|sid=<SID>}

[Dark Smoke]

удалю, а как правильно сопоставить, или вобще без сопоставления жить?

[ChihPih]

Без сопоставления не желательно. Судя по командам вроде правильно. Только у ва групп админов чет дофига...
Пользователю давали права (на включение машин в домен и др.):

Код: Выделить всё

net rpc rights grant "Domain Admins" SeMachineAccountPrivilege -U admin
net rpc rights grant "Domain Admins" SeTakeOwnershipPrivilege -U admin
net rpc rights grant "Domain Admins" SeBackupPrivilege -U admin
net rpc rights grant "Domain Admins" SeRestorePrivilege -U admin
net rpc rights grant "Domain Admins" SeRemoteShutdownPrivilege -U admin
net rpc rights grant "Domain Admins" SePrintOperatorPrivilege -U admin
net rpc rights grant "Domain Admins" SeAddUsersPrivilege -U admin
net rpc rights grant "Domain Admins" SeDiskOperatorPrivilege -U admin

[ChihPih]

Поправка: права не пользователю, а группе админов.

[Dark Smoke]

Не, всеравно при попытке ввести машину в домен пишет, сетевой пароль указан не верно.

Дайте еще векторы куда смотреть. Надо машины вводить в домен, а все стоит ((

[Dark Smoke]

Код: Выделить всё

# cat /usr/local/etc/smb.conf
[global]
    workgroup = remi
    server string = PDC
    netbios name = PDC
    security = user
    hosts allow = 192.168.100. 127.

    load printers = no
    log file = /var/log/samba/log.%m
    max log size = 500
    acl compatibility = win2k

encrypt passwords = yes
    admin users = admin
    passdb backend = ldapsam:ldap://localhost/

socket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
min receivefile size=16384
use sendfile=true
aio read size = 16384
aio write size = 16384
aio write behind = true

ldap suffix = dc=remi,dc=local
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = "cn=root,dc=remi,dc=local"
ldap delete dn = no
ldap ssl = off
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = @
winbind use default domain = yes

local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes

logon script = %G.cmd

logon path =

logon home = \\pdc\home
logon drive = Z:

wins support = yes
dns proxy = no

display charset = cp1251
unix charset = cp1251
dos charset = cp866

time server = yes

add machine script = /usr/local/sbin/ldapaddmachine '%u' computers
add user script = /usr/local/sbin/ldapadduser '%u' users
add group script = /usr/local/sbin/ldapaddgroup '%g'
add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/sbin/ldapdeleteuser '%u'
delete group script = /usr/local/sbin/ldapdeletegroup '%g'
delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'

force create mode  = 0640
   force directory mode = 0750
   create mask = 0640
   directory mask = 0750
   force user = root
   force group = wheel

[home]
   comment = Home Directories
   path = /home/samba/homes/%U
   read only = no
   public = no
   writable = yes
   create mask = 0600
   browseable = no
   directory mask = 0700

[netlogon]
   comment = Network Logon Service
   path = /usr/local/etc/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no
   browseable = no

[profiles]
    create mask = 0600
    directory mask = 0700
    path = /home/samba/profiles/%u
    writeable = yes
    browseable = no
    locking = no

[IPC$]
path = /tmp
hosts allow = 192.168.100.0/24 127.0.0.1
hosts deny = 0.0.0.0/0

[public]
   comment = Public share
   path = /share/public
   browseable = yes
   public = no
   writable = yes
   force create mode  = 0640
   force directory mode = 0750
   create mask = 0640
   directory mask = 0750
   force user = root
   force group = wheel

А вот тест, и в нем нет encrypt passwords = yes

Код: Выделить всё

# testparm
[global]
        dos charset = cp866
        unix charset = cp1251
        display charset = cp1251
        workgroup = REMI
        server string = PDC
        passdb backend = ldapsam:ldap://localhost/
        log file = /var/log/samba/log.%m
        max log size = 500
        min receivefile size = 16384
        acl compatibility = win2k
        time server = Yes
        socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
        load printers = No
        add user script = /usr/local/sbin/ldapadduser '%u' users
        rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'
        delete user script = /usr/local/sbin/ldapdeleteuser '%u'
        add group script = /usr/local/sbin/ldapaddgroup '%g'
        delete group script = /usr/local/sbin/ldapdeletegroup '%g'
        add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
        delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
        set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
        add machine script = /usr/local/sbin/ldapaddmachine '%u' computers
        logon script = %G.cmd
        logon path =
        logon drive = Z:
        logon home = \\pdc\home
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = "cn=root,dc=remi,dc=local"
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap suffix = dc=remi,dc=local
        ldap ssl = no
        ldap user suffix = ou=users
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = @
        winbind use default domain = Yes
        admin users = admin
        force user = root
        force group = wheel
        create mask = 0640
        force create mode = 0640
        directory mask = 0750
        force directory mode = 0750
        hosts allow = 192.168.100., 127.
        aio read size = 16384
        aio write size = 16384
        aio write behind = true
        use sendfile = Yes

[home]
        comment = Home Directories
        path = /home/samba/homes/%U
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /usr/local/etc/samba/netlogon
        guest ok = Yes
        browseable = No
        share modes = No

[profiles]
        path = /home/samba/profiles/%u
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No
        locking = No

[IPC$]
        path = /tmp
        hosts allow = 192.168.100.0/24, 127.0.0.1
        hosts deny = 0.0.0.0/0

[public]
        comment = Public share
        path = /share/public
        read only = No

[Dark Smoke]

еще лог дам

Код: Выделить всё

May 29 12:16:07 PDC smbd[33906]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 12:16:07 PDC smbd[34993]: [2012/05/29 12:16:07.214022,  0] passdb/passdb.c:2242(pdb_increment_bad_password_count)
May 29 12:16:07 PDC smbd[34993]:   pdb_increment_bad_password_count: pdb_get_account_policy failed.
May 29 12:16:07 PDC smbd[34993]: [2012/05/29 12:16:07.880392,  0] lib/util_sock.c:474(read_fd_with_timeout)
May 29 12:16:07 PDC smbd[34993]: [2012/05/29 12:16:07.880711,  0] lib/util_sock.c:1441(get_peer_addr_internal)
May 29 12:16:07 PDC smbd[34993]:   getpeername failed. Error was Socket is not connected
May 29 12:16:07 PDC smbd[34993]:   read_fd_with_timeout: client 0.0.0.0 read error = Socket is not connected.
May 29 12:16:08 PDC smbd[35017]: [2012/05/29 12:16:08.192658,  0] passdb/passdb.c:2242(pdb_increment_bad_password_count)
May 29 12:16:08 PDC smbd[35017]:   pdb_increment_bad_password_count: pdb_get_account_policy failed.
May 29 12:16:18 PDC smbd[35017]: [2012/05/29 12:16:18.241975,  0] ../libcli/auth/smbencrypt.c:589(decode_pw_buffer)
May 29 12:16:18 PDC smbd[35017]:   decode_pw_buffer: incorrect password length (1948359996).
May 29 12:16:18 PDC smbd[35017]: [2012/05/29 12:16:18.242032,  0] ../libcli/auth/smbencrypt.c:590(decode_pw_buffer)
May 29 12:16:18 PDC smbd[35017]:   decode_pw_buffer: check that 'encrypt passwords = yes'
May 29 12:16:18 PDC smbd[35017]: [2012/05/29 12:16:18.308633,  0] passdb/pdb_interface.c:431(smb_delete_user)
May 29 12:16:18 PDC smbd[35017]:   smb_delete_user: Running the command `/usr/local/sbin/ldapdeleteuser 'user$'' gave 1
May 29 12:16:33 PDC smbd[35017]: [2012/05/29 12:16:33.966031,  0] lib/util_sock.c:474(read_fd_with_timeout)
May 29 12:16:33 PDC smbd[35017]: [2012/05/29 12:16:33.966339,  0] lib/util_sock.c:1441(get_peer_addr_internal)
May 29 12:16:33 PDC smbd[35017]:   getpeername failed. Error was Socket is not connected
May 29 12:16:33 PDC smbd[35017]:   read_fd_with_timeout: client 0.0.0.0 read error = Socket is not connected.

[snorlov]

1. покажите nsswitch.conf
2. У вас системная консоль действительно в cp1251, а не в koi-8r?
3. сам то pdc введен в домен
4. дополнительные права добавили "Domain Admins", ну и строчку

Код: Выделить всё

enable privileges=yes

У вас нет взаимодействия между самим ldap'ом и ldapscripts...

[Dark Smoke]

Код: Выделить всё

cat /etc/nsswitch.conf
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shadow: files ldap
shells: files

cat ttys | grep cons25
#      For virtual consoles, the correct type is typically cons25.
ttyv0   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv1   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv2   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv3   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv4   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv5   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv6   "/usr/libexec/getty Pc"         cons25r on  secure
ttyv7   "/usr/libexec/getty Pc"         cons25r on  secure

Сам PDC виден. Машины которые я раньше заводил, работают, логинятся.

дополнительные права ставил

net rpc rights grant "Domain Admins" SeMachineAccountPrivilege -U admin
net rpc rights grant "Domain Admins" SeTakeOwnershipPrivilege -U admin
net rpc rights grant "Domain Admins" SeBackupPrivilege -U admin
net rpc rights grant "Domain Admins" SeRestorePrivilege -U admin
net rpc rights grant "Domain Admins" SeRemoteShutdownPrivilege -U admin
net rpc rights grant "Domain Admins" SePrintOperatorPrivilege -U admin
net rpc rights grant "Domain Admins" SeAddUsersPrivilege -U admin
net rpc rights grant "Domain Admins" SeDiskOperatorPrivilege -U admin

добавил

enable privileges=yes

не помогло

лог после перезапуска лдапа и самбы

Код: Выделить всё

# tail /var/log/messages
May 29 15:04:03 PDC smbd[36772]:   get_md4pw: Workstation MANAGER2$: no account in domain
May 29 15:04:03 PDC smbd[36772]: [2012/05/29 15:04:03.648655,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
May 29 15:04:03 PDC smbd[36772]:   _netr_ServerAuthenticate3: failed to get machine password for account MANAGER2$: NT_STATUS_ACCESS_DENIED
May 29 15:05:29 PDC slapd[36797]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 15:05:29 PDC slapd[36797]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 15:05:33 PDC smbd[36257]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 15:05:34 PDC winbindd[33494]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 15:06:11 PDC smbd[35978]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 15:06:14 PDC smbd[36530]: nss_ldap: could not search LDAP server - Server is unavailable
May 29 15:06:22 PDC smbd[35016]: nss_ldap: could not search LDAP server - Server is unavailable