Настроил сабж через YAST, в итоге:
Добавить могу группу (ldapsmb -a -s -g %g) и юзера (ldapsmb -a -s -u %u); кое-как дал полные привилегии одному из юзеров из LDAP (net rpc rights list accounts).
При запуске
net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'SUSHIVESLA.MN'
net_rpc_join_ok: failed to get schannel session key from server PDC for domain SUSHIVESLA.MN. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'SUSHIVESLA.MN' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
net rpc join -S pdc -U Admin
Creation of workstation account failed
Unable to join domain SUSHIVESLA.MN.
ldapsmb -a -s -wks 'test-wks' --debug 3
ldapsmb:parse_smbconf(2067) parsing [testparm]
ldapsmb:main(2067) adding machine-account: [test-wks]
error: what do you want to add?
choose between: user, machine or group. exiting.
_samr_create_user: Running the command `/usr/sbin/ldapsmb -a -s -wks ' gave 1
Failed to add entry for user test-wks$.
ldapsmb:ldap_smbwks_add(2067) Creating samba account of machine [test-wks] failed.
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2011-01-30
# Global settings: this host acts as an NT4-style domain controller
# (domain logons / domain master below) with accounts kept in an LDAP
# directory reached over the loopback interface.
[global]
# NOTE(review): the workgroup doubles as the NetBIOS domain name; a dot in it
# can be mistaken for a DNS domain by clients - confirm this is intended.
workgroup = SUSHIVESLA.MN
# Accounts live in LDAP. The bind password for "ldap admin dn" is not in this
# file; Samba reads it from secrets.tdb (stored with "smbpasswd -w").
passdb backend = ldapsam:ldap://127.0.0.1
# printing = cups
# printcap name = cups
# printcap cache time = 750
# cups options = raw
# Logins with an unknown user name are silently mapped to the guest account
# instead of being rejected.
map to guest = Bad User
logon path = \\%L\profiles\%U
logon home = \\%L\%U\
logon drive = P:
# Lets user-defined shares (usershares) be opened to guests.
usershare allow guests = Yes
# smbd runs this script as root when a workstation joins the domain.
# NOTE(review): the log quoted with this config shows the command being run
# with nothing after "-wks", which suggests %m expanded to an empty string.
# The smb.conf(5) example for this parameter passes the account name as %u;
# also check the option spelling against the ldapsmb usage text.
add machine script = /usr/sbin/ldapsmb -a -s -wks %m
domain logons = Yes
domain master = Yes
idmap backend = ldap:ldap://127.0.0.1
# NOTE(review): Samba binds as the directory Administrator entry; a dedicated
# DN limited by LDAP ACLs to the Samba subtrees would reduce the impact of a
# leaked secrets.tdb - confirm what this DN is allowed to do.
ldap admin dn = cn=Administrator,dc=sushivesla,dc=mn
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
# On a password change Samba also updates the LDAP password attribute.
ldap passwd sync = Yes
# No TLS on the LDAP connection. Both LDAP URIs in this file point at
# 127.0.0.1, so the traffic stays on this host; if the directory is ever moved
# to another machine, bind credentials and password hashes would cross the
# network in clear text unless this is changed.
ldap ssl = Off
ldap suffix = dc=sushivesla,dc=mn
ldap timeout = 50
ldap user suffix = ou=Users
local master = Yes
os level = 65
preferred master = Yes
security = user
wins support = Yes
# The account-management scripts below are executed by smbd as root, with the
# %u / %g values substituted from the request; the script must treat those
# arguments as untrusted input.
add user script = /usr/sbin/ldapsmb -a -s -u %u
add group script = /usr/sbin/ldapsmb -a -s -g %g
add user to group script = /usr/sbin/ldapsmb -j -u %u -g %g
delete group script = /usr/sbin/ldapsmb -d -s -g %g
delete user from group script = /usr/sbin/ldapsmb -r -u %u -g %g
delete user script = /usr/sbin/ldapsmb -d -s -u %u
wins proxy = No
netbios name = pdc
server string = Samba PDC
time server = Yes
# One log file per client machine name (%m).
log file = /var/log/samba/samba.log.%m
# Full debug verbosity: useful while chasing the join failure, but the logs
# grow quickly and expose protocol-level detail. Lower it once the problem is
# solved and keep /var/log/samba readable by root only.
log level = 10
usershare max shares = 100
encrypt passwords = Yes
load printers = No
# Accepts LANMAN authentication. LM hashes are trivially crackable; enable
# only if clients that cannot do NTLM are really present.
lanman auth = Yes
# Broadcast is tried first; broadcast name answers are unauthenticated and can
# come from any host on the segment.
# NOTE(review): with "wins support = Yes" consider consulting wins/host first.
name resolve order = bcast host lmhosts wins
# Accepts NTLMv1 challenge/response in addition to NTLMv2.
ntlm auth = Yes
# Per-user home share, created on the fly under the connecting user's name.
[homes]
comment = Home Directories
# Only the user the share is named after (%S), plain or domain-qualified,
# may connect.
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
# NOTE(review): "path" must be a directory on the server's file system. This
# value is written like a UNC path (and "\\L" lacks the "%" of "%L"), so it
# looks like a mangled copy of "logon path" - verify; without a path line
# [homes] uses the user's home directory.
path = \\L\profiles\%U
# Share that holds roaming profiles; "logon path" in [global] points clients
# at \\%L\profiles\%U.
[profiles]
comment = Network Profiles Service
# %H expands to the home directory of the connecting user, so each profile
# ends up in a %U subdirectory of that user's home.
# NOTE(review): confirm this is intended and not swapped with [homes].
path = %H
read only = No
store dos attributes = Yes
# New files are created owner read/write only and new directories owner-only,
# so profiles are not readable by other accounts.
create mask = 0600
directory mask = 0700
# Writable share over the whole /home tree.
# No "valid users" line is set here, so what a connected user can read or
# change is decided by file-system permissions and ACLs alone - check that
# the home directories are not group- or world-accessible.
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
# Hides these names (quota file, groups and shares directories) from clients.
veto files = /aquota.user/groups/shares/
# Writable share for group directories under /home/groups.
# As with [users], there is no "valid users" restriction; access control
# relies on directory ownership and ACLs.
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
# [printers]
# comment = All Printers
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No
# [print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @ntadmin root
# force group = ntadmin
# create mask = 0664
# directory mask = 0775
# Logon-script share used by domain clients.
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
# "read only" is not set, so the share is read-only by default and only root
# may write. Keep it that way: scripts placed here are run by clients at logon.
write list = root