Samba and domain shares

Posted: 2013-10-24 19:17:51
gumeniuc
Good day,

System: FreeBSD 8.3-RELEASE, samba34-3.4.17.

smb.conf

Code:

[global]
        dos charset = cp866
        unix charset = koi8-r
        display charset = koi8-r
        workgroup = INTERNAL
        realm = INTERNAL.LOCAL
        server string = FreeBSD server
        interfaces = 192.168.25.1
        security = ADS
        password server = rainbow.internal.local
        log file = /var/log/samba34/log.%m
        max log size = 50
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes

[Logs]
        path = /usr/logs
        guest ok = Yes
        browseable = No

nsswitch.conf

Code:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I joined the machine to the domain; there are no problems with Kerberos.

When I try to connect to Samba, the following is dumped:

Code:

[2013/10/24 19:02:13.863302,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.865300,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.866094,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.871303,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.872578,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.873376,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.878460,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.879643,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.880564,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.881749,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2013/10/24 19:02:13.898893,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.900155,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.900835,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.906342,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.907666,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.908360,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.913888,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.915189,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.915899,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.917273,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2013/10/24 19:02:13.963862,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.965150,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.965835,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.971335,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.972637,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.973363,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.978601,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.979709,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.980627,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:13.981856,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2013/10/24 19:02:14.000066,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:14.001708,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:14.002577,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:14.008347,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:14.010697,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:14.011753,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:14.017152,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:14.018472,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:14.019358,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:14.021022,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2013/10/24 19:02:14.046864,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:14.048240,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:14.049128,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:14.055107,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:14.056693,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:14.057575,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:14.063554,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:14.064771,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:14.065749,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/24 19:02:14.067238,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
Meanwhile, wbinfo correctly shows users and groups.

Please tell me where the snag is.

Thanks
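An added example, not part of the original post: a small Python parser for the Samba 3.x log records quoted above (a header line followed by indented message lines). It pulls out the NT_STATUS code and the reporting function, so a log that repeats the same three lines dozens of times collapses into a short failure summary. The sample records are constructed from the logs in this thread.

```python
import re
from collections import Counter

# Samba 3.x log records, as quoted in the thread: a header line
#   [YYYY/MM/DD HH:MM:SS[.usec],  LEVEL] file.c:LINE(function)
# followed by one or more indented message lines.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")

def parse_samba_log(text):
    """Return one dict per record: ts, level, file, line, func, message, status."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["message"] = ""
            records.append(rec)
        elif line.startswith(" ") and records:  # continuation of the last header
            records[-1]["message"] += line.strip() + " "
    for rec in records:
        rec["message"] = rec["message"].strip()
        found = STATUS_RE.search(rec["message"])
        rec["status"] = found.group(0) if found else None
    return records

def failure_summary(records):
    """Count NT_STATUS codes overall and per reporting function, so the real
    failure stands out in a log that repeats the same lines many times."""
    by_status = Counter(r["status"] for r in records if r["status"])
    by_func = Counter((r["func"], r["status"]) for r in records if r["status"])
    return by_status, by_func

def first_failure(records):
    """Earliest record that carries an NT_STATUS code, or None."""
    return next((r for r in records if r["status"]), None)

# Constructed sample: five records taken from the three logs in the thread.
SAMPLE = """\
[2013/10/24 19:02:13.863302,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'INTERNAL'
[2013/10/24 19:02:13.865300,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/24 19:02:13.866094,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2013/10/25 15:02:17,  3] rpc_client/cli_pipe.c:3873(get_schannel_session_key_common)
  get_schannel_session_key_common: rpccli_netlogon_setup_creds failed with result NT_STATUS_ACCESS_DENIED to server RAINBOW.INTERNAL.LOCAL, domain INTERNAL, machine account GW.
[2013/10/26 12:41:06.681940,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [mmsa] -> [mmsa] FAILED with error NT_STATUS_LOGON_FAILURE
"""
```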

Re: Samba and domain shares

Posted: 2013-10-25 15:06:23
gumeniuc
In short, I got to the following:

Code:

[2013/10/25 15:02:17,  3] libsmb/namequery.c:1974(get_dc_list)
  get_dc_list: preferred server list: ", 192.168.25.5"
[2013/10/25 15:02:17,  3] libads/ldap.c:621(ads_connect)
  Successfully contacted LDAP server 192.168.25.5
[2013/10/25 15:02:17,  3] libsmb/namequery.c:1974(get_dc_list)
  get_dc_list: preferred server list: ", 192.168.25.5"
[2013/10/25 15:02:17,  3] libsmb/namequery.c:1974(get_dc_list)
  get_dc_list: preferred server list: ", 192.168.25.5"
[2013/10/25 15:02:17,  3] libsmb/cliconnect.c:2032(cli_start_connection)
  Connecting to host=RAINBOW.INTERNAL.LOCAL
[2013/10/25 15:02:17,  3] lib/util_sock.c:1038(open_socket_out_send)
  Connecting to 192.168.25.5 at port 445
[2013/10/25 15:02:17,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [INTERNAL]\[mmsa]@[RAINBOW] with the new password interface
[2013/10/25 15:02:17,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [INTERNAL]\[mmsa]@[RAINBOW]
[2013/10/25 15:02:17,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/10/25 15:02:17,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/10/25 15:02:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/10/25 15:02:17,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/10/25 15:02:17,  3] libsmb/namequery.c:1974(get_dc_list)
  get_dc_list: preferred server list: ", 192.168.25.5"
[2013/10/25 15:02:17,  3] libads/ldap.c:621(ads_connect)
  Successfully contacted LDAP server 192.168.25.5
[2013/10/25 15:02:17,  3] libsmb/namequery.c:1974(get_dc_list)
  get_dc_list: preferred server list: ", 192.168.25.5"
[2013/10/25 15:02:17,  3] libsmb/namequery.c:1974(get_dc_list)
  get_dc_list: preferred server list: ", 192.168.25.5"
[2013/10/25 15:02:17,  3] libsmb/cliconnect.c:2032(cli_start_connection)
  Connecting to host=RAINBOW.INTERNAL.LOCAL
[2013/10/25 15:02:17,  3] lib/util_sock.c:1038(open_socket_out_send)
  Connecting to 192.168.25.5 at port 445
[2013/10/25 15:02:17,  3] rpc_client/cli_pipe.c:3873(get_schannel_session_key_common)
  get_schannel_session_key_common: rpccli_netlogon_setup_creds failed with result NT_STATUS_ACCESS_DENIED to server RAINBOW.INTERNAL.LOCAL, domain INTERNAL, machine account GW.
[2013/10/25 15:02:17,  0] rpc_client/cli_pipe.c:4079(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server RAINBOW.INTERNAL.LOCAL for domain INTERNAL.
[2013/10/25 15:02:17,  0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine RAINBOW.INTERNAL.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.

I don't understand why access is denied.

Code:

gw# wbinfo -t
checking the trust secret for domain INTERNAL via RPC calls succeeded
I've already gone through 5-6 articles. I updated Samba to 3.5; it works everywhere else, but here it just won't.

Has nobody really run into this problem?

Re: Samba and domain shares

Posted: 2013-10-25 16:26:32
snorlov
Do you have any restrictions on connecting from workstations? It looks like the user has a restriction on logging on from specific stations...

Re: Samba and domain shares

Posted: 2013-10-25 16:34:02
gumeniuc
Apparently not. But a question came up: which user is all this happening under?

Re: Samba and domain shares

Posted: 2013-10-25 17:27:02
snorlov
gumeniuc wrote: Apparently not. But a question came up: which user is all this happening under?
It's right there in the log:

Code:

2013/10/25 15:02:17,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [INTERNAL]\[mmsa]@[RAINBOW] with the new password interface
[2013/10/25 15:02:17,  3] rpc_client/cli_pipe.c:3873(get_schannel_session_key_common)
  get_schannel_session_key_common: rpccli_netlogon_setup_creds failed with result NT_STATUS_ACCESS_DENIED to server RAINBOW.INTERNAL.LOCAL, domain INTERNAL, machine account GW.
Besides just the network interface, I usually also allow binding to localhost...

Re: Samba and domain shares

Posted: 2013-10-25 17:38:22
gumeniuc
OK. Well, mmsa is a domain admin, i.e. he is definitely not restricted in any way.

Actually, I somehow forgot to give the details:
rainbow - the domain controller
internal.local - the domain
mmsa - a domain admin

The log fragment provided is a failed attempt to connect to Samba from the DC itself (rainbow), in a session as user mmsa.
But which user Samba/winbind uses to verify the credentials in AD, I don't understand yet.

Re: Samba and domain shares

Posted: 2013-10-25 17:51:50
snorlov
Check kinit once more; you did join it to the domain, though. You can add

Code:

netbios name = ...
Don't forget to check the time...

Re: Samba and domain shares

Posted: 2013-10-25 17:56:16
gumeniuc
I obtained a ticket again:

Code:

gw# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: mmsa@INTERNAL.LOCAL

  Issued           Expires          Principal
Oct 25 17:52:46  Oct 26 03:52:46  krbtgt/INTERNAL.LOCAL@INTERNAL.LOCAL
I added

Code:

netbios name = GW
The time:

Code:

gw# ntpdate rainbow
25 Oct 17:59:14 ntpdate[84989]: adjust time server 192.168.25.5 offset 0.037775 sec
It doesn't help.

Re: Samba and domain shares

Posted: 2013-10-25 18:05:01
snorlov
And did you restart the daemons...

Re: Samba and domain shares

Posted: 2013-10-25 18:16:40
gumeniuc
You insult me. Of course I restarted them.

Here is the tweaked config:

Code:

log file = /var/log/samba/log.%m
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
name resolve order = hosts wins bcast lmhosts
case sensitive = no
dns proxy = no
netbios name = GW
server string = GW
password server = 192.168.25.5
realm = INTERNAL.LOCAL
workgroup = INTERNAL
security = ads
dos charset = cp866
unix charset = UTF-8
max log size = 50
admin users = "DOMAIN\DomainAdmin"
printcap name = /etc/printcap
[Logs]
        path = /usr/ats_logs
        browseable = yes
        valid users = "DOMAIN\Domain Users"

Re: Samba and domain shares

Posted: 2013-10-25 19:24:51
snorlov
Why

Code:

"DOMAIN\Domain Users"
when yours is Internal?

Re: Samba and domain shares

Posted: 2013-10-25 19:33:26
snorlov
It can be just "Domain Users" or with the prefix "Internal\Domain Users"; I actually have @"DomainName\Domain Users".

Re: Samba and domain shares

Posted: 2013-10-25 20:33:41
gumeniuc
Yes, copy-paste never leads to anything good...

Fixed it:

Code:

[global]
log file = /var/log/samba/log.%m
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
name resolve order = hosts wins bcast lmhosts
case sensitive = no
dns proxy = no
netbios name = GW
server string = GW
password server = 192.168.25.5
realm = INTERNAL.LOCAL
workgroup = INTERNAL
security = ads
dos charset = cp866
unix charset = UTF-8
max log size = 50
admin users = @"INTERNAL\mmsa"
[Logs]
        path = /usr/ats_logs
        browseable = yes
        valid users = @"INTERNAL\Domain Users"
Restarted; the result is the same.
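An added example, not the poster's or Samba's own code: a small Python linter for the kind of smb.conf posted in this thread. It flags a copy-pasted DOMAIN\ prefix that does not match the workgroup (the mistake found above), guest ok = yes on a share, the presence of admin users (those users act as root on the share), and interfaces set without bind interfaces only (Samba's default is off, so smbd still listens on every address). The reader is simplified (it does not apply Samba's key-name normalization) and the sample config is constructed from the one posted before the fix.

```python
import re
def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def split_list(value):
    """Split a Samba user list into (prefix, name); entries may be quoted and carry @/+/&."""
    out = []
    for tok in re.findall(r'[@+&]*"[^"]*"|[^,\s]+', value):
        name = tok.lstrip("@+&")
        out.append((tok[: len(tok) - len(name)], name.strip('"')))
    return out

truthy = lambda v: v.strip().lower() in ("yes", "true", "1")

def lint_smb_conf(text):
    """Return (section, message) findings for the pitfalls seen in this thread."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    workgroup = g.get("workgroup", "").upper()
    findings = []
    if "interfaces" in g and not truthy(g.get("bind interfaces only", "no")):
        findings.append(("global", "interfaces is set but 'bind interfaces only' is off; smbd still listens on every address"))
    for sec, opts in conf.items():
        if truthy(opts.get("guest ok", "no")):
            findings.append((sec, "guest ok = yes permits anonymous access"))
        for key in ("admin users", "valid users"):
            if key not in opts:
                continue
            if key == "admin users":
                findings.append((sec, "admin users operate as root on this share; keep the list minimal"))
            for _prefix, name in split_list(opts[key]):
                # A DOMAIN\ prefix that is not this workgroup names an account that does not exist.
                if "\\" in name and name.split("\\", 1)[0].upper() != workgroup:
                    findings.append((sec, f"{key}: '{name}' does not match workgroup {workgroup or '(unset)'}"))
    return findings

# Constructed sample, modelled on the config posted earlier in the thread (before the fix).
BAD_CONF = r"""
[global]
workgroup = INTERNAL
interfaces = 192.168.25.1
admin users = "DOMAIN\DomainAdmin"
[Logs]
path = /usr/ats_logs
guest ok = yes
valid users = "DOMAIN\Domain Users"
"""
```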

Re: Samba and domain shares

Posted: 2013-10-26 12:46:18
gumeniuc
I reworked the config a bit. Now there is a new surprise:

Code:

[2013/10/26 12:41:06.681431,  0] auth/auth_winbind.c:101(check_winbind_security)
  check_winbind_security: ERROR!  my_private_data == NULL!
[2013/10/26 12:41:06.681940,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [mmsa] -> [mmsa] FAILED with error NT_STATUS_LOGON_FAILURE
Those for whom it works, please tell me which Samba version works.

Re: Samba and domain shares

Posted: 2013-10-27 16:46:43
snorlov
I'll come in to work tomorrow and take a look, though the domain there is on w2k3...

Re: Samba and domain shares

Posted: 2013-10-28 17:06:29
gumeniuc
I suppose it's a matter of the Samba version plus the configs; the Windows version shouldn't matter much.

Re: Samba and domain shares

Posted: 2013-10-30 15:15:01
gumeniuc
In the end, everything was solved by the classic method: Reboot.
After the restart everything worked with the config given above.
Thanks everyone for the help.