Доброе время суток ! (сильно не злитесь на меня за тупые и глупые вопросы я тока начал изучать фри)
настроил фря в точности по статье
http://www.lissyara.su/articles/freebsd ... +ad+nt_acl
только установлена samba34
В домен машина вошла
AdminBsd# net ads join -U disel
Enter disel's password:
Using short domain name -- YCM3970
Joined 'ADMINBSD' to realm 'ycm3970.local'
wbinfo -u
wbinfo -g
отображаються и пользователи и группы
но под учеткой АД не хочет логиниться нив какую
ввожу учетную записьи жму интер выводит
AdminBsd: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
просит пароль ввожу
но сразу просит опять логин ввести
и еще он не хочет синхранизировать время
AdminBsd# net time set -S 192.168.1.33
Wed Mar 28 10:45:15 MSK 2012
/bin/date 201203281045.15 failed. Error was (No error: 0)
Вот конфиги :
/etc/ntp.conf
Код: Выделить всё
server ycm3970.local
driftfile /var/db/ntp.drift
logfile /var/log/ntp.log
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
/etc/rc.conf
Код: Выделить всё
hostname="AdminBsd.ycm3970.local"
keymap="ru.koi8-r.kbd"
scrnmap=koi8-r2cp866
font8x16=cp866b-8x16
font8x14=cp866-8x14
font8x8=cp866-8x8
ifconfig_ale0=" inet 192.168.1.3 netmask 255.255.255.0"
defaultrouter="192.168.1.2"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
hald_enable="YES"
linux_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="192.168.1.33"
#ntpdate_flags="-b europe.pool.ntp.org europe.pool.ntp.org europe.pool.ntp.org"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf -l /var/log/ntpd.log -p /var/run/ntpd.pid"
AdminBsd#
/etc/krb5.conf
Код: Выделить всё
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = YCM3970.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true
[realms]
YCM3970.LOCAL = {
kdc = 192.168.1.33:88
admin_server = 192.168.1.33:749
default_domain = ycm3970.local
}
[domain_realm]
.ycm3970.local = YCM3970.LOCAL
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[login]
krb4_convert = false
krb4_get_tickets = false
/etc/pam.d/sshd
Код: Выделить всё
# auth
#auth required pam_nologin.so no_warm
auth sufficient /usr/local/lib/pam_winbind.so
auth sufficient pam_opie.so no_warm no_fake_prompts
auth requisite pam_opieaccess.so no_warm allow_local
auth required pam_unix.so no_warm try_first_pass
# account
account sufficient /usr/local/lib/pam_winbind.so
account required pam_unix.so
account required pam_nologin.so
# session
session required pam_permit.so
/usr/local/etc/smb.conf
Код: Выделить всё
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = YCM3970
# server string is the equivalent of the NT Description field
server string = Samba Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ADS
auth methods = winbind
map to guest = Bad User
client NTLMv2 auth = Yes
client signing = Yes
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = no
# you may wish to override the location of the printcap file
printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
# printing = cups
# printer admin = root
disable spoolss = YES
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
guest account = nobody
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba34/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
password server = 192.168.1.33
password server = control.ycm3970.local
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = ycm3970.local
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
; socket options = TCP_NODELAY
#SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 10
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
# Charset settings
; display charset = koi8-r
; unix charset = koi8-r
; dos charset = cp866
# Use extended attributes to store file modes
; store dos attributes = yes
; map hidden = no
; map system = no
; map archive = no
# Use inherited ACLs for directories
; nt acl support = yes
; inherit acls = yes
# map acl inherit = yes
case sensitive = No
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# debug level = 3
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba34
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
use client driver = yes
public = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
# create mask = 0666
# create mode = 666
# directory mode = 666
# directory mask = 0777
guest ok = Yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[films]
comment = Films, films, films
path = /var/shares/films
read list = "@KK\Domain Users"
write list = "@KK\Domain Admins"
read only = No
create mode = 666
directory mode = 666
create mask = 0666
directory mask = 0777
