
Connecting a Linux client to a win2k domain



99pate
08.05.08, 10:13
Hi all,
Here is what I'm planning: I want to join our Linux PCs to an existing Windows 2000 domain. All users should be able to log on to the Linux machines just as they do under Windows.
I have already tried many howtos and keep failing at authentication.

My configs and logs:
__________________ /etc/krb5.conf ___________
[libdefaults]
default_realm = PISTA.LOCAL
clockskew = 300
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]

VISTA.LOCAL = {
kdc = VM2K1.PISTA.LOCAL
admin_server = VM2K1.PISTA.LOCAL
kpasswd_server = VM2K1.PISTA.LOCAL
default_domain = PISTA.LOCAL
}

[domain_realm]
.kerberos.server = VM2K1.PISTA.LOCAL
.pista.local = PISTA.LOCAL
pista.local = PISTA.LOCAL

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmin = FILE:/var/log/kadmin.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = true
}
________________________________
___________smb.conf____________

[global]
workgroup = PISTA
netbios name = debian3
realm = PISTA.LOCAL
preferred master = no
server string = debian3
security = ADS
password server = *
encrypt passwords = yes
template shell = /bin/bash
idmap uid = 100-250000
idmap gid = 100-250000
winbind use default domain = Yes
winbind separator = .
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
__________________________
___/etc/pam.d/common-account____
account sufficient pam_winbind.so
account required pam_unix.so
________________________________
______/etc/pam.d/common-auth______
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
___________________________________
______/etc/pam.d/common-session_______
session required pam_unix.so
session requied pam_mkhomedir.so skel=/etc/skel umask=0022
_______________________________________
_______/etc/nsswitch.conf_____________
passwd: winbind compat
group: winbind compat
shadow: winbind compat
hosts: files dns winbind
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
#netgroup: nis
___________________________
____ auth.log____________
May 8 10:53:14 debian3 sshd[3134]: PAM pam_parse: expecting return value; [...requied]
May 8 10:53:14 debian3 sshd[3134]: PAM pam_parse: expecting return value; [...requied]
May 8 10:53:23 debian3 pam_winbind[3134]: user 'mro' granted access
May 8 10:53:23 debian3 pam_winbind[3134]: user 'mro' OK
May 8 10:53:23 debian3 pam_winbind[3134]: user 'mro' granted access
May 8 10:53:23 debian3 sshd[3134]: Accepted password for mro from 128.2.2.138 port 36125 ssh2
May 8 10:53:23 debian3 sshd[3136]: (pam_unix) session opened for user mro by (uid=0)
May 8 10:53:23 debian3 sshd[3136]: error: PAM: pam_open_session(): Permission denied
May 8 10:56:25 debian3 pam_winbind[2683]: user 'mro' granted access
May 8 10:56:25 debian3 gdm[2683]: (pam_unix) could not identify user (from getpwnam(mro))
May 8 10:56:25 debian3 gdm[2683]: Zugangsverwaltung für mrozinski konnte nicht gesetzt werden
_______________________________________
_______syslog___________________________

May 8 10:53:14 debian3 winbindd[3101]: [2008/05/08 10:53:14, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2356 )
May 8 10:53:14 debian3 winbindd[3101]: cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_INVALID_PARAMETER
May 8 10:56:25 debian3 gdm[2683]: PAM pam_parse: expecting return value; [...requied]
May 8 10:56:25 debian3 gdm[2683]: PAM pam_parse: expecting return value; [...requied]
________________________________________
wbinfo -u and -g work, as do kinit username and net ads join;
the computer is also shown in the AD.

net ads info

LDAP server: 1xx.2.2.238
LDAP server name: vm2k1.pista.local
Realm: PISTA.LOCAL

klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: mro@PISTA.LOCAL

Issued Expires Principal
May 8 11:05:18 May 8 21:05:03 krbtgt/PISTA.LOCAL@PISTA.LOCAL

Bind Path: dc=PISTA,dc=LOCAL
LDAP port: 389
Server time: Do, 08 Mai 2008 11:06:02 CEST
KDC server: 128.2.2.238
Server time offset: 14



Environment: win2k DC, 4x Linux Debian clients

Home directories are created for new users.
What does not work is local and remote login to
the Linux machine (debian3).
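
The auth.log above shows pam_parse rejecting the control token `requied` from the common-session file. The following check for such tokens is an added example, not part of the original post and not Samba or PAM project code. The function name `lint_pam`, the accepted-keyword list (assumed for Linux-PAM) and the sample text (constructed from the posted common-session lines plus one bracketed rule) are assumptions.

```python
import difflib
import re

# Control keywords Linux-PAM accepts (assumed list); the bracketed
# [value=action ...] form is validated separately with BRACKET.
CONTROLS = ["required", "requisite", "sufficient", "optional",
            "include", "substack"]
TYPES = {"auth", "account", "password", "session"}
BRACKET = re.compile(r"^\[\s*\w+=\w+(\s+\w+=\w+)*\s*\]$")

# Constructed sample: the two common-session lines from the post plus
# one valid bracketed rule added to exercise that branch.
SAMPLE = """\
session required pam_unix.so
session requied pam_mkhomedir.so skel=/etc/skel umask=0022
session [success=1 default=ignore] pam_succeed_if.so uid < 1000
"""

def lint_pam(text):
    """Return (line_number, message) for every rule that fails the checks."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("@include"):
            continue
        parts = line.split(None, 1)
        mtype, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if mtype.lstrip("-") not in TYPES:         # "-session" is allowed
            findings.append((n, f"unknown type '{mtype}'"))
        if rest.startswith("["):
            # Bracketed control may contain spaces: cut at the closing "]".
            end = rest.find("]") + 1 or len(rest)
            control, module = rest[:end], rest[end:].split()
            ok = bool(BRACKET.match(control))
        else:
            tokens = rest.split()
            control, module = (tokens[0] if tokens else ""), tokens[1:]
            ok = control in CONTROLS
        if not ok:
            hint = difflib.get_close_matches(control, CONTROLS, n=1)
            msg = f"unknown control '{control}'"
            findings.append((n, msg + (f", did you mean '{hint[0]}'?" if hint else "")))
        elif not module:
            findings.append((n, "missing module path"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_pam(SAMPLE):
        print(f"line {n}: {msg}")
```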