AbcLinuxu portal, 12 May 2025 09:23

Question: Problem starting winbind

24.7.2007 23:36 OgO
Problem starting winbind
Hi, I'm trying to get winbind working so that squid users can be authenticated against AD.

I'm using samba version 3.0.25b-SerNet-RedHat

The smb.conf configuration file:

[global]
netbios name = fw-office
realm = DOMENA.CZ
workgroup = SKUPINA
security = ADS
password server = 10.0.0.1
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind uid = 10000-20000
winbind enum groups = yes
winbind gid = 10000-20000
winbind cache time = 15
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5

But when I try to start winbind, all I get is this:

[2007/07/24 22:18:14, 1] nsswitch/winbindd.c:main(990)
  winbindd version 3.0.25b-SerNet-RedHat started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/07/24 22:18:14, 3] param/loadparm.c:lp_add_ipc(2701)
  adding IPC service
[2007/07/24 22:18:14, 2] lib/interface.c:add_interface(81)
  added interface ip=ver.ej.na.ip bcast=ver.ej.na.ip nmask=255.255.255.248
[2007/07/24 22:18:14, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.1 bcast=10.0.0.255 nmask=255.255.255.0
[2007/07/24 22:18:14, 2] lib/interface.c:add_interface(81)
  added interface ip=ver.ej.na.ip bcast=ver.ej.na.ip nmask=255.255.255.248
[2007/07/24 22:18:14, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.1 bcast=10.0.0.255 nmask=255.255.255.0
[2007/07/24 22:18:14, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
  Registered MSG_REQ_POOL_USAGE
[2007/07/24 22:18:14, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2007/07/24 22:18:14, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2222)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2007/07/24 22:18:14, 0] nsswitch/winbindd_util.c:init_domain_list(519)
  Could not fetch our SID - did we join?
[2007/07/24 22:18:14, 0] nsswitch/winbindd.c:main(1091)
  unable to initalize domain list

The problem may also be that I can't join the computer to the domain:

[root@fw-office]# net ads join -U Administrator
Administrator's password:
[2007/07/24 23:30:42, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers

The Windows server is nevertheless reachable as normal.

Thanks for any advice.

Replies

25.7.2007 07:57 bitguard
Re: Problem starting winbind
Are the smbd and nmbd daemons running? The error is probably in a badly configured smb.conf. Check whether your krb5.conf (check the realm) and nsswitch.conf are set up correctly. Also, I'm missing idmap uid and idmap gid in smb.conf.

In any case, you first have to join the PC to the domain with the net command. Until that succeeds, there is no point in trying to get authentication through squid working.
25.7.2007 08:23 OgO
Re: Problem starting winbind
Both smbd and nmbd are running.

I took the samba configuration file from a system where authentication already works.

Kerberos should be set up correctly, because authentication with kinit works normally.

Krb5.conf looks like this:

[libdefaults]
        default_realm = DOMENA.CZ
        ticket_lifetime = 36000
        clockskew = 300
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        BAUMATIC.MA = {
        kdc = 10.0.0.1:88
        admin_server = 10.0.0.1
        default_domain = DOMENA.CZ
        }

[domain_realm]
        .domena.cz = 10.0.0.1
        domena.cz = 10.0.0.1

#[kdc]
#        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

I took nsswitch from a computer where authentication already works:

passwd:      compat
shadow:      compat
group:       compat

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

When I try to join the domain, I get this error back:

[root@fw-office]# net join -w DOMENA.CZ -S 10.0.0.1 -U Administrator
Connection failed: NT_STATUS_CONNECTION_REFUSED
Password:
Could not connect to server 10.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

Thanks for the reply.
25.7.2007 08:48 bitguard
Re: Problem starting winbind
Try putting this in nsswitch.conf:

passwd: files winbind shadow: files winbind group: files winbind
25.7.2007 08:51 bitguard
Re: Problem starting winbind
so once more:

passwd: files winbind
shadow: files winbind
group: files winbind
25.7.2007 09:11 OgO
Re: Problem starting winbind
So the problem was something else ... the firewall.

After allowing ports 445 and 139, winbind started working.

Unfortunately, automatic verification of user authentication still doesn't work for me.

When I set the proxy server in the browser and try to go to some website, I see this in the log: /var/log/squid/cache.log

[2007/07/25 09:02:55, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2007/07/25 09:02:55, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[Administrator] domain=[DOMENA_CZ] workstation=[SERVER] len1=24 len2=24
[2007/07/25 09:02:55, 3] utils/ntlm_auth.c:winbind_pw_check(515)
  Login for user [DOMENA_CZ]\[Administrator]@[SERVER] failed due to [No logon servers]

log.winbindd:

[2007/07/25 09:06:03, 5] nsswitch/winbindd_cm.c:msg_failed_to_go_online(95)
  msg_fail_to_go_online: received for domain DOMENA.CZ.
[2007/07/25 09:06:07, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1683)
  [ 6366]: pam auth crap domain: [DOMENA_CZ] user: Administrator

log.wb-DOMENA.CZ:

[2007/07/25 09:08:58, 4] nsswitch/winbindd_dual.c:fork_domain_child(1054)
  child daemon request 13
[2007/07/25 09:08:58, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1749)
  [ 6742]: pam auth crap domain: DOMENA_CZ user: Administrator
[2007/07/25 09:08:58, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1798)
  could not open handle to NETLOGON pipe (error: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2007/07/25 09:08:58, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1925)
  NTLM CRAP authentication for user [DOMENA_CZ]\[Administrator] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2007/07/25 09:09:02, 5] nsswitch/winbindd_cm.c:msg_failed_to_go_online(95)
  msg_fail_to_go_online: received for domain DOMENA.CZ.

And I can't get to the web.

Thanks for the replies.
20.1.2008 12:47 jura
Re: Problem starting winbind
The problem is that winbindd's configuration options changed with version samba-3.0.25. The term "idmap" is now used instead, and it can map SIDs to UIDs/GIDs for multiple domains. That is why it is necessary to give a list of domains, even when configuring for a single domain. Example:
   idmap domains = SMBSETUP MOUREK

   idmap config SMBSETUP:backend = rid
   idmap config SMBSETUP:base_rid  = 1000
   idmap config SMBSETUP:range = 10000 - 29999

   idmap config MOUREK:backend = rid
   idmap config MOUREK:base_rid  = 1000
   idmap config MOUREK:range = 30000 - 49999
...if at least one domain is not given in the setting "idmap domains = MOJEDOMENA", some versions of winbindd even crash with a "NULL pointer dereference". In the example above, the list is followed by the description of the backend for each domain.
jura
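
Added example, not part of the original thread and not Samba code: a small Python check of the per-domain idmap layout described in the reply above, run over the fragment quoted there. The function names and the three checks (domain list present, backend and valid range per domain, no overlap between neighbouring ranges) are assumptions made for illustration; domain names are compared case-insensitively.

```python
import re

# Added example (not Samba code). Constructed sample: the fragment from the reply.
SAMPLE = """
[global]
   idmap domains = SMBSETUP MOUREK
   idmap config SMBSETUP:backend = rid
   idmap config SMBSETUP:base_rid  = 1000
   idmap config SMBSETUP:range = 10000 - 29999
   idmap config MOUREK:backend = rid
   idmap config MOUREK:base_rid  = 1000
   idmap config MOUREK:range = 30000 - 49999
"""

def parse_global(text):
    """Return {normalized key: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(text):
    """List problems with the per-domain idmap settings; empty list = OK."""
    params = parse_global(text)
    domains = params.get("idmap domains", "").lower().split()
    if not domains:
        return ["'idmap domains' is missing or empty"]
    problems, ranges = [], []
    for dom in domains:
        if f"idmap config {dom}:backend" not in params:
            problems.append(f"{dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(f"idmap config {dom}:range", ""))
        if m and int(m.group(1)) <= int(m.group(2)):
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
        else:
            problems.append(f"{dom}: missing or invalid range")
    ranges.sort()  # by lower bound, so neighbouring entries can be compared
    for (_, hi, a), (lo, _, b) in zip(ranges, ranges[1:]):
        if lo <= hi:
            problems.append(f"{a}/{b}: ranges overlap")
    return problems
```

check_idmap(SAMPLE) returns an empty list for the fragment as posted; a configuration that only sets the older "idmap uid" style options is reported as missing the domain list.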


ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.