Debian8 + samba шара с доменной авторизацией

[Andruha]

На 7 версии и ранее все работает нормально. После N на 8-ю, либо установке с нуля не получается настроить файловую шару с доступом через winbind. Расшаренный ресурс виден, но зайти в него не дает, выскакивает окно в запросом пароля, причем пароль никакой не принимает. Че там накрутили с этой самбой4?

/etc/krb5.conf

Код Выделить Развернуть


[libdefaults]
    default_realm = DOMAIN.TST
    kdc_timesync = 1
    clockskew = 500
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.TST = {
        kdc = adc
        admin_server = adc
        default_domain = DOMAIN.TST
    }

[domain_realm]
        .domain.tst = DOMAIN.TST
        domain.tst = DOMAIN.TST

[login]
    krb4_convert = false
    krb4_get_tickets = false


/etc/samba/smb.conf

Код Выделить Развернуть


[global]
acl compatibility = auto
obey pam restrictions = Yes
log file = /var/log/samba/log.%m
log level = 1
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_THROUGHPUT

encrypt passwords = true

auth methods = winbind
name resolve order = lmhosts hosts bcast
case sensitive = no
dns proxy = no
netbios name = server
server string = server
realm = DOMAIN.TST
client use spnego = yes
client signing = yes
local master = no
domain master = no
preferred master = no
workgroup = DOMAIN.TST
debug level = 2
security = ads
template homedir = /home/samba/%U
template shell = /bin/false
unix charset = UTF-8
dos charset = 866
max log size = 50
os level = 0
follow symlinks = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes

winbind refresh tickets = yes
winbind cache time =300
idmap cache time = 300

load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
hide unreadable = yes

[public]
path = /mnt/store
comment = Public directory
browseable = yes
readonly = no
writable = yes
guest ok = No
create mask = 0777
valid users = @"DOMAIN\Domain users"
read list = @"DOMAIN\Domain users"
write list = @"DOMAIN\Domain users"
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes


[sandaksatru]

Ммм.. сорри, влом анализировать  . Просто выложу свой, может поможет чем:

Открыть содержимое (спойлер)

cat /etc/samba/smb.conf

Код (text) Выделить Развернуть


[global]
workgroup = ИМЯ_ДОМЕНА
realm = ИМЯ_ДОМЕНА.СУФФИКС
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
idmap config * : range = 10000-20000
idmap config * : backend = tdb
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 300
password server = имя_сервера

#### Debugging/Accounting ####

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

########## Domains ###########

   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no


cat /etc/krb5.conf

Код (text) Выделить Развернуть


[libdefaults]
        default_realm = ИМЯ_ДОМЕНА.СУФФИКС
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        имя_домена.суфикс = {
                kdc = имя_pdc.ИМЯ_ДОМЕНА.СУФФИКС
                admin_server = имя_pdc
                default_domain = ИМЯ_ДОМЕНА.СУФФИКС
        }

[domain_realm]
        .имя_домена.суффикс = ИМЯ_ДОМЕНА.СУФФИКС
        имя_домена.суффикс = ИМЯ_ДОМЕНА.СУФФИКС
[login]
        krb4_convert = false
        krb4_get_tickets = false


for pam in $(ls /etc/pam.d/common-*); do echo "$pam":; cat $pam; echo; done

Код (text) Выделить Развернуть


/etc/pam.d/common-account:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

/etc/pam.d/common-password:
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auth-update config

/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session optional                        pam_winbind.so
session optional        pam_systemd.so
session optional                        pam_ck_connector.so nox11
# end of pam-auth-update config
session  optional  pam_mkhomedir.so skel=/etc/skel/ umask=0077

/etc/pam.d/common-session-noninteractive:
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session optional                        pam_winbind.so
# end of pam-auth-update config


[свернуть]

Только у меня вечный sid, самба версии 2:4.1.17+dfsg-4, конфиг почти дефолтный и работает вроде без проблем.

[endru]

jessie samba+winbind+krb5 - работает без проблем.
проблема явно в конфигах
проверяем

[Andruha]

Только у меня вечный sid

что значит вечный sid?

[sandaksatru]

что значит вечный sid?

Это значит:
cat /etc/apt/sources.list

Код Выделить Развернуть

deb http://mirror.yandex.ru/debian/ sid main non-free contrib