ALT Linux 4.0 Server PDC + LDAP. Проблема подключения.

[Static]

Стоит Alt linux 4 server c поднятым PDC
smb.conf

Код: Выделить всё

# # Primary Domain Controller smb.conf
# # Global parameters

[global]
        os level = 255
        log level = 2
        netbios name = PDC
        workgroup = NET
        server string = Primary Domain Controller
        security = user
        hosts allow = 127.0.0. 10.50. 172.50. 192.168.
        load printers = no
        log file = /var/log/samba/log.%m
        max log size = 500
        realm = NET.DOMAIN.RU
        passdb backend = ldapsam:ldap://10.50.50.1
        encrypt passwords = yes
        interfaces = int0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        bind interfaces only = yes
        domain master = yes
        local master = yes
        preferred master = yes
        domain logons = yes
        logon path =
        logon script = scripts\%m.cmd
        name resolve order = wins bcast host
        wins support = yes
        password server = *
        dns proxy = yes
        display charset = LOCALE
        unix charset = UTF8
        dos charset = cp866
        template homedir = /volumes/data/.home/%U
        root preexec = /srv/bin/mkhomedir.sh "%H" "%u" "%g"
       
        map to guest = Bad User
        unix extensions = no

        lanman auth = No
        ntlm auth = Yes
        client NTLMv2 auth = No
        client lanman auth = No
        client plaintext auth = No

        time server = yes

        ldapsam:trusted=yes
        ldapsam:editposix=yes

        ldap suffix = dc=net,dc=domain,dc=ru
        ldap user suffix = ou=users
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap admin dn = uid=sys_smb,ou=special,ou=users,dc=net,dc=domain,dc=ru
        ldap delete dn = yes
        ldap ssl = off

        idmap uid = 10000-30000
        idmap gid = 10000-30000

        winbind cache time = 30
        winbind use default domain = no
        winbind enum users = yes
        winbind enum groups = yes

        store dos attributes = yes
        map hidden = no
        map system = no
        map archive = no

        nt acl support = yes
        inherit acls = yes
        map acl inherit = yes
        dos filemode = yes

/etc/nsswitch.conf

Код: Выделить всё

passwd:     files nisplus nis ldap
shadow:     tcb files nisplus nis ldap
group:      files nisplus nis ldap
hosts:      files nisplus nis dns

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

bootparams: nisplus [NOTFOUND=return] files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

/etc/nss-ldap.conf

Код: Выделить всё

base dc=net,dc=domain,dc=ru
uri ldap://10.50.50.1/
binddn uid=sys_nss,ou=special,ou=users,dc=net,dc=domain,dc=ru
bindpw secret
rootbinddn cn=diradmin,dc=net,dc=domain,dc=ru
timelimit 5
bind_timelimit 30
bind_policy soft
pam_password exop
nss_base_passwd         ou=users,dc=net,dc=domain,dc=ru?sub
nss_base_passwd         ou=computers,dc=net,dc=domain,dc=ru?sub
nss_base_shadow         ou=users,dc=dc=net,dc=domain,dc=ru?sub
nss_base_group          ou=groups,dc=dc=net,dc=domain,dc=ru?sub
nss_base_hosts          ou=computers,dc=net,dc=domain,dc=ru?sub
ssl off

LDAP стоит на другой машине
slapd.conf

Код: Выделить всё

# [ GLOBAL SETTINGS ]
# Default schemas
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/trust.schema

# GoSa
include         /etc/openldap/schema/gosa/samba3.schema
include         /etc/openldap/schema/gosa/gosystem.schema
include         /etc/openldap/schema/gosa/gofon.schema
include         /etc/openldap/schema/gosa/goto.schema
include         /etc/openldap/schema/gosa/goto-mime.schema
include         /etc/openldap/schema/gosa/gosa+samba3.schema
include         /etc/openldap/schema/gosa/gofax.schema
include         /etc/openldap/schema/gosa/goserver.schema
include         /etc/openldap/schema/gosa/fai.schema
include         /etc/openldap/schema/gosa/dnszone.schema
include         /etc/openldap/schema/gosa/rfc2739.schema
include         /etc/openldap/schema/gosa/kolab2.schema
include         /etc/openldap/schema/gosa/nagios.schema
include         /etc/openldap/schema/gosa/phpgwaccount.schema
include         /etc/openldap/schema/gosa/pureftpd.schema
include         /etc/openldap/schema/gosa/phpscheduleit.schema
include         /etc/openldap/schema/gosa/pptp.schema
include         /etc/openldap/schema/gosa/dhcp.schema
include         /etc/openldap/schema/kerberos.schema
allow bind_v2
concurrency 20
gentlehup on
sizelimit -1
loglevel none

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
replica-pidfile     /var/run/slurpd.pid
replica-argsfile    /var/run/slurpd.args

rootDSE /etc/openldap/rootdse.ldif

TLSCertificateFile /etc/openldap/ssl/ds.domain.ru.crt
TLSCertificateKeyFile /etc/openldap/ssl/ds.domain.ru.key
TLSVerifyClient never


#
# [ GLOBAL ACCESS CONTROL ]
#
# See slapd.access(5) for details

# The root DIT should be accessible to all clients
access to dn.exact=""
    by * read

# Allow read access to schemas
access to dn.subtree="cn=Subschema"
    by * read

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

#
# [ BACKEND OPTIONS ]
#
# Load dynamic backend modules:
modulepath  /usr/lib/openldap
moduleload  back_bdb.la
moduleload  back_monitor.la
moduleload  back_null.la

#
# [ DATABASE OPTIONS ]
#

# net.domain.ru db definition
include /etc/openldap/slapd-net_domain_ru-db.conf

# domain.ru db definition
include /etc/openldap/slapd-domain_ru-db.conf

#
# [END OF SLAPD.CONF]

slapd-net_domain_ru-db.conf

Код: Выделить всё

database bdb
subordinate advertise
suffix "dc=net,dc=domain,dc=ru"
rootdn "cn=diradmin,dc=domain,dc=ru"
lastmod on
directory /var/lib/ldap/bases/net.domain.ru

# subordinate and superior DB should have same indexes
include /etc/openldap/slapd-db-indexes.conf

# [BACKEND ACCESS CONTROL LIST]

access to *
    by * write

# The root DIT should be accessible to all clients
access to dn.exact=""
    by * read

# Allow read access to schemas
access to dn.subtree="cn=Subschema"
    by * read
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory
    by self write
    by dn.exact,expand="uid=admin,ou=users,$2" write
    by group.expand="cn=Domain Controllers,ou=groups,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by anonymous auth
    by * none

# ACL allowing samba domain controllers to add user accounts
    access to dn.regex="^([^,]+,)?ou=users,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=entry,children,posixAccount,sambaSamAccount
    by dn.exact,expand="uid=admin,ou=users,$2" write
    by group.expand="cn=Domain Controllers,ou=groups,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by users read
    by anonymous read

# allow users to modify their own "address book" entries:
access to dn.regex="([^,]+,)?ou=users,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=inetOrgPerson,mail
    by self write
    by dn.exact,expand="uid=admin,ou=users,$2" write
    by group.expand="cn=Domain Controllers,ou=groups,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by users read
    by anonymous read

# Allow samba domain controllers to create groups and group mappings
access to dn.regex="^([^,]+,)?ou=groups,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=entry,children,posixGroup,sambaGroupMapping
    by dn.exact,expand="uid=admin,ou=users,$2" write
    by group.expand="cn=Domain Controllers,ou=groups,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by users read
    by anonymous read
# Allow samba domain controllers to create machine accounts
access to dn.regex="^([^,]+,)?ou=computers,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
    by dn.exact,expand="uid=admin,ou=users,$2" write
    by group.expand="cn=Domain Controllers,ou=groups,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by users read
    by anonymous read

# Allow samba to create idmap entries
access to dn.regex="^([^,]+,)?ou=idmap,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=entry,children,sambaIdmapEntry
    by dn.exact,expand="uid=admin,ou=users,$2" write
    by group.expand="cn=Domain Controllers,ou=groups,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by users read
    by anonymous read

# Allow users in the domain to add entries to the "global address book":
access to dn.regex="^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=children,entry,inetOrgPerson
    by dn.sub,expand="ou=users,$2" write
    by group.expand="cn=Replicator,ou=groups,$2" write
    by users read
    by anonymous read

slapd-domain_ru-db.conf

Код: Выделить всё

database bdb
suffix "dc=domain,dc=ru"
rootdn "cn=diradmin,dc=domain,dc=ru"
rootpw {SSHA}zPDqKtzJlXBJlvGI1qfzTG25l6PvYc8t
lastmod on
directory /var/lib/ldap/bases/domain.ru

overlay glue

# subordinate and superior DB should have same indexes
include /etc/openldap/slapd-db-indexes.conf

# [BACKEND ACCESS CONTROL LIST]
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

Все это работало нормально, до тех пор пока я не решил сделать связку PDC+BDC. Сражу скажу что до этого сервер настраивал не я и соответсвенно пароли на ldap админа и самбу я не знал. Поменял пароль smbpasswd -w secret на PDC и все перестало работать. В логах пишет:

log.smbd

[2010/04/29 16:09:12, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldap://10.50.50.1 with dn="uid=sys_smb,ou=special,ou=users,dc=net,dc=domain,dc=ru" Error: Invalid credentials

Прочитал кучу доков, сделал одинаковый пароль на LDAP и SAMBA и все равно не могу запустить..... Наведите, может я что-то упустил.....Вернее LDAP запускается и работает, через GoSa могу зайти, а вот при запуске самбы, демон nmbd запускается, а smbd нет.

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[Dimasty]

А в ldap.secret тоже новый пароль?

[snorlov]

log.smbd
[2010/04/29 16:09:12, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldap://10.50.50.1 with dn="uid=sys_smb,ou=special,ou=users,dc=net,dc=domain,dc=ru" Error: Invalid credentials
Прочитал кучу доков, сделал одинаковый пароль на LDAP и SAMBA и все равно не могу запустить..... Наведите, может я что-то упустил.....Вернее LDAP запускается и работает, через GoSa могу зайти, а вот при запуске самбы, демон nmbd запускается, а smbd нет.

Можно выгрузить dn="uid=sys_smb,ou=special,ou=users,dc=net,dc=domain,dc=ru" в *.ldif файл, сгенерировать пароль и вставить его в соответсвующее место полученного файла и снова загрузить в базу Ldap. Но сначало скачайте виндовую утилиту LdapAdmin и попытайтесь коннектиться к вашему Ldap серверу и с учеткой dn="uid=sys_smb,ou=special,ou=users,dc=net,dc=domain,dc=ru" и с учеткой "cn=diradmin,dc=net,dc=domain,dc=ru".
Покажите ldap.conf...