Estou tentando configurar um servidor de arquivos com autenticação do Active Directory usando Samba e Winbind.
O controlador de domínio é o Windows 2000 SP4 (não julgue).
O servidor de arquivos é o Debian 7.7 (mais recente estável). Esta é uma instalação nova, com apenas algumas recomendadas por várias bibliotecas de guias e dependências instaladas. O Samba foi construído a partir da fonte com os seguintes parâmetros:
./configure --with-acl-support --with-ads --with-shared-modules=idmap_ad --disable-cups --disable-iprint
root@this-server:~# samba --version
Version 4.1.13
root@this-server:~# winbindd --version
Version 3.6.6
root@this-server:~# klist -V
Kerberos 5 version 1.10.1
kinit Administrator, ad net ads join -k, net ads testjoin, getent passwd, getent group, wbinfo -u, wbinfo -g, id DomainUser, chown DomainUser: DomainGroup, chgrp DomainUser: DomainGroup - todo o trabalho, sem erros.
Posso fazer login via ssh com credenciais de domínio.
smbclient -k -L any-other-host - também funciona.
Contudo...
root@this-server:~# smbclient -k -L this-server -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.104 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.1.13).
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name this-server<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name this-server<0x20>
Connecting to 192.168.1.104 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/this-server@MY-DOMAIN
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0.1] expiration Sat, 29 Nov 2014 02:29:49 MSK
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
(/usr/local/samba/etc/smb.conf é um link simbólico para /usr/share/samba/smb.conf)
Trecho dos logs:
[2014/11/28 16:46:58.430797, 1, pid=6006, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username MY-DOMAIN\Administrator is invalid on this system
[2014/11/28 16:46:58.430856, 1, pid=6006, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2014/11/28 16:46:58.430965, 1, pid=6006, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
Aqui estão algumas informações de configuração, principalmente se não completamente irrelevantes:
/etc/samba/smb.conf (que também é um link simbólico para /usr/share/samba/smb.conf)
[global]
netbios name = this-server
realm = MY-DOMAIN
workgroup = MY-DOMAIN
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
winbind enum groups = yes
winbind enum users = yes
idmap config * : backend = tdb
idmap config * : range = 20000-29999
idmap config MY-DOMAIN : backend = rid
idmap config MY-DOMAIN : range = 10000 - 19999
winbind trusted domains only = no
winbind use default domain = yes
client use spnego = yes
kerberos method = secrets and keytab
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template homedir = /home/%D/%U
template shell = /bin/bash
load printers = no
printcap name = /dev/null
log level = 10
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
[demoshare]
path = /srv/samba/test
read only = no
/ etc / hosts
127.0.0.1 localhost localhost.localdomain
192.168.1.104 this-server.MY-DOMAIN this-server
192.168.1.100 domain-controller.MY-DOMAIN domain-controller
/etc/resolv.conf
nameserver 192.168.1.100
search MY-DOMAIN
/etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Todos os arquivos /etc/pam.d/* são gerados com pam-auth-update, aqui está o conteúdo de qualquer maneira:
/etc/pam.d/samba
@include common-auth
@include common-account
@include common-session-noninteractive
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
/etc/pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
/etc/krb5.conf
[libdefaults]
default_realm = MY-DOMAIN
krb4_config = /etc/krb.
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
preferred_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
MY-DOMAIN = {
kdc = domain-controller.my-domain
admin_server = domain-controller.my-domain
default_domain = MY-DOMAIN
}
[domain_realm]
.my-domain = MY-DOMAIN
my-domain = MY-DOMAIN
Qual pode ser o problema aqui e como resolvê-lo?