mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Mon May 31, 2010 11:50 pm Post subject: [SAMBA] getent problem
Hello,
I am not on Gentoo, but I know that people here answer relatively quickly and well, which is why I am writing here.
If you could help me solve my problem, that would be nice.
Despite my distribution (CentOS), the settings for Samba, Kerberos and winbind are the same.
Here is my problem:
I have to set up a Samba file server and integrate it with a Windows server. User authentication is done through Active Directory.
That said, I have managed to join it to the domain, and user authentication with Kerberos works, since I can get tickets.
So now, in principle, with the getent command I should be able to see the users and groups, both local ones and those from the domain. However, it does not retrieve them.
But wbinfo -u and wbinfo -g do work.
I created an organizational unit containing the users u1 to u12.
The users are in the groups: admin, vente, achat, direction.
Any ideas?
I show some configurations and commands below:
getent passwd
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
getent group
Code:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
audio:x:63:
nscd:x:28:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
rpc:x:32:
mailnull:x:47:
smmsp:x:51:
apache:x:48:
pcap:x:77:
slocate:x:21:
ecryptfs:x:101:
dbus:x:81:
avahi:x:70:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
haldaemon:x:68:
avahi-autoipd:x:102:
ntp:x:38:
BUILTIN/administrators:*:16777216:administrateur
BUILTIN/users:*:16777217:
klist
Code:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrateur@CB.ORG
Valid starting Expires Service principal
06/01/10 01:27:56 06/01/10 11:28:05 krbtgt/CB.ORG@CB.ORG
renew until 06/02/10 01:27:56
Kerberos 4 ticket cache: /tmp/tkt0
wbinfo -u
Code:
administrateur
invité
support_388945a0
krbtgt
u5
u1
u2
u3
u6
u7
u8
u9
u10
u11
u12
u4
kerberos$
wbinfo -g
Code:
BUILTIN/administrators
BUILTIN/users
ordinateurs du domaine
contrôleurs de domaine
administrateurs du schéma
administrateurs de l'entreprise
admins du domaine
utilisa. du domaine
invités du domaine
propriétaires créateurs de la stratégie de groupe
dnsupdateproxy
admin
achat
direction
vente
wbinfo -t
Code:
checking the trust secret via RPC calls succeeded
wbinfo -a Administrateur%Qwe12345
Code:
plaintext password authentication succeeded
challenge/response password authentication succeeded
/etc/nsswitch
Code:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
smb.conf
Code:
workgroup = cb
password server = DC.CB.ORG
realm = CB.ORG
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = /
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = yes
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
domain master = no
local master = no
preferred master = no
os level = 0
server string = Samba Server Version %v
netbios name = sambaserver
[homes]
comment = Repertoire personnel
browseable = no
writable = yes
; valid users = %S
valid users = CB\%S
read only = no
create mask = 0700
directory mask = 0700
path = /home/%D/%U
[admin]
comment = Partage Admin
browsable = no
writable = yes
readonly = no
valid users = CB/@admin
create mask = 0700
directory mask = 0700
path = /home/admin
[public]
comment = Public Stuff
path = /home/
public = yes
writable = yes
printable = no
write list = +staff
krb.conf
Code:
CB.ORG
CB.ORG kerberos.cb.org:88
CB.ORG kerberos.cb.org:749 admin server
CB kerberos.cb.org:88
CB DC.CB.ORG
CB kerberos.cb.org:749 admin server
krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CB.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
CB.ORG = {
kdc = kerberos.cb.org:88
kdc = DC.CB.ORG
kdc = DC.CB.ORG
admin_server = kerberos.cb.org:749
kdc = DC.CB.ORG
}
CB = {
kdc = kerberos.cb.org:88
kdc = DC.CB.ORG
admin_server = kerberos.cb.org:749
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
cb.org = CB.ORG
.cb.org = CB.ORG
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/pam.d/system-auth
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
/etc/pam.d/login
Code:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
Thank you in advance for your help.
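Added example, not part of the post above and not a Samba tool: a small offline triage script for exactly this symptom (wbinfo enumerates the domain accounts, getent does not). It parses the two configuration files that decide whether glibc asks winbind at all (nsswitch.conf and the winbind/idmap parameters in smb.conf), then compares the names winbind returns with the names NSS returns, and flags NSS group entries whose gid falls outside the configured idmap range. The function names are my own; the sample inputs are constructed, abridged copies of what the post shows.

```python
"""Offline triage for 'wbinfo -u works, getent passwd shows no domain users'.
Added example; function names and checks are mine, not Samba's.  The sample
inputs are constructed, abridged copies of the files/outputs in the post."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines of the posted /etc/nsswitch.conf.
NSSWITCH_SAMPLE = """
passwd: files winbind
shadow: files winbind
group:  files winbind
hosts:  files dns
"""
# Constructed sample: the posted smb.conf, trimmed to the winbind settings.
SMB_CONF_SAMPLE = r"""
workgroup = cb
realm = CB.ORG
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = /
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
[homes]
comment = Repertoire personnel
valid users = CB\%S
"""
# Constructed samples: abridged command output from the post.
WBINFO_U_SAMPLE = "administrateur\ninvité\nkrbtgt\nu1\nu2\nu3\nu4\nkerberos$\n"
GETENT_PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
GETENT_GROUP_SAMPLE = """root:x:0:root
users:x:100:
BUILTIN/administrators:*:16777216:administrateur
BUILTIN/users:*:16777217:
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each NSS database (passwd, group, ...) to its ordered source list."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line and ":" in line:
            name, _, sources = line.partition(":")
            databases[name.strip()] = sources.split()
    return databases


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value', '#'/';' comments.
    Parameters before any header belong to [global]; keys are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_idmap_range(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """'10000-20000' -> (10000, 20000); None when unset or malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def names_from_getent(output: str) -> Dict[str, int]:
    """name -> numeric id from colon-separated passwd/group lines."""
    result: Dict[str, int] = {}
    for line in output.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            result[fields[0]] = int(fields[2])
    return result


def winbind_users_missing_from_nss(wbinfo_u: str, getent_passwd: str) -> List[str]:
    """Users winbind enumerates that the NSS passwd database does not return."""
    known = names_from_getent(getent_passwd)
    return [u.strip() for u in wbinfo_u.splitlines() if u.strip() and u.strip() not in known]


def diagnose(nsswitch: str, smb_conf: str, wbinfo_u: str,
             getent_passwd: str, getent_group: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious offline."""
    findings: List[str] = []
    nss = parse_nsswitch(nsswitch)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch: '{db}' does not list winbind")
    g = parse_smb_conf(smb_conf)["global"]
    ranges = {key: parse_idmap_range(g.get(key)) for key in ("idmap uid", "idmap gid")}
    for key, rng in ranges.items():
        if rng is None:
            findings.append(f"smb.conf: '{key}' unset or malformed; winbind cannot allocate Unix ids")
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "no").lower() != "yes":   # enumeration (getent with no key) needs this
            findings.append(f"smb.conf: '{key}' is not 'yes'; getent listing will skip winbind")
    missing = winbind_users_missing_from_nss(wbinfo_u, getent_passwd)
    if missing:
        findings.append(f"{len(missing)} winbind user(s) not resolvable through NSS: {', '.join(missing)}")
    sep, gid_range = g.get("winbind separator", "\\"), ranges["idmap gid"]
    if gid_range:
        low, high = gid_range
        for name, gid in names_from_getent(getent_group).items():
            if sep in name and not low <= gid <= high:   # domain-style name, id outside range
                findings.append(f"group '{name}' has gid {gid} outside idmap gid range {low}-{high}")
    return findings


if __name__ == "__main__":
    for line in diagnose(NSSWITCH_SAMPLE, SMB_CONF_SAMPLE, WBINFO_U_SAMPLE,
                         GETENT_PASSWD_SAMPLE, GETENT_GROUP_SAMPLE):
        print("-", line)
```

On the posted files the configuration checks pass (winbind is listed for passwd and group, the idmap ranges are set, enumeration is enabled), so the script only reports the accounts winbind knows but NSS does not, plus the two BUILTIN groups whose gids sit outside the 10000-20000 range the configuration declares. Two things it cannot see offline and that are worth checking on the host: whether glibc can actually load the winbind NSS module (libnss_winbind.so.2 has to be in the library path for the `winbind` keyword in nsswitch.conf to do anything), and whether a lookup by name (`getent passwd u1`) succeeds even though the full listing is empty, since `winbind enum users` only governs enumeration, not by-name resolution.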