I have a samba4 server:
[global]
workgroup = MYWG
realm = MYWG.ORG
netbios name = MYWGADM
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
log level = 3
template shell = /bin/bash
template homedir = /home/%D/%U
[netlogon]
path = /var/lib/samba/sysvol/mywg.org/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[home]
path = /data/share/home/
read only = No
and an Ubuntu 14.04 client joined to the domain:
[global]
workgroup = MYWG
realm = MYWG.ORG
netbios name = pcl01
security = ADS
encrypt passwords = yes
idmap config MYWG:backend = ad
idmap config MYWG:schema_mode = rfc2307
idmap config MYWG:range = 10000-39999
idmap config *:backend = tdb
idmap config *:range = 40000-49999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
kerberos method = system keytab
template homedir = /home/MYWG.ORG/%U
template shell = /bin/bash
log level = 3
wbinfo -u shows:
administrator
usrtest
krbtgt
guest
wbinfo -g shows:
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
net ads info shows:
LDAP server: 10.0.0.1
LDAP server name: mydc.mywg.org
Realm: MYWG.ORG
Bind Path: dc=MYWG,dc=ORG
LDAP port: 389
Server time: mar., 29 mars 2016 17:22:19 CEST
KDC server: 10.0.0.1
Server time offset: 20
wbinfo -a usrtest%mypassword shows:
plaintext password authentication succeeded
challenge/response password authentication succeeded
If I try to authenticate a domain user (for example usrtest) through the console login screen, I get this error message (and the user is not logged in):
Mar 29 17:16:48 pcl01 login[1971]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost= user=usrtest
Mar 29 17:16:48 pcl01 login[1971]: pam_winbind(login:auth): getting password (0x00000388)
Mar 29 17:16:48 pcl01 login[1971]: pam_winbind(login:auth): pam_get_item returned a password
Mar 29 17:16:48 pcl01 login[1971]: pam_winbind(login:auth): user 'usrtest' granted access
Mar 29 17:16:48 pcl01 login[1971]: Authentication service cannot retrieve authentication info
Here is my /etc/pam.d/login file:
auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
and my /etc/pam.d/common-auth file (generated by pam-auth-update):
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
the common-account file:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
the common-session file:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel
session required pam_unix.so
session sufficient pam_winbind.so
session optional pam_sss.so
session optional pam_systemd.so
session optional pam_ck_connector.so nox11
and the common-password file:
password requisite pam_pwquality.so retry=3
password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=2 default=ignore] pam_winbind.so use_authtok try_first_pass
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
I cannot explain the error message (in auth.log) and I don't know what else I could check, so... any help would really be appreciated.
Cheers.
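The message in the log, "Authentication service cannot retrieve authentication info", is the pam_strerror() text for PAM_AUTHINFO_UNAVAIL, and reading a pam_winbind "granted access" line right before it only makes sense once you follow how Linux-PAM combines the return codes of a whole stack. The evaluator below is an added example, not code from the post or from Samba; it follows the impression/status bookkeeping of Linux-PAM's pam_dispatch.c (the bracketed actions ok, done, bad, die, ignore, reset and jump-N, plus the keyword shorthands from pam.conf(5)) and runs the posted common-account stack under constructed per-module return codes. Those return codes, the module names fed to it and the three scenarios are assumptions made for the demonstration, not observations from the poster's machine; what the run shows is how a single `default=bad` entry late in a stack can turn an earlier success into PAM_AUTHINFO_UNAVAIL while a local user, who exits the stack early through `sufficient pam_localuser.so`, is never affected.

```python
"""Linux-PAM control-flag evaluator (added example, not part of the original post).

Mirrors the impression/status logic of Linux-PAM's pam_dispatch.c closely enough to
show which module decides the final return code of a pam.d stack.  Every module
return code used in the scenarios below is constructed, not observed.
"""
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # what an undecided stack falls back to
PAM_IGNORE = "PAM_IGNORE"

# pam_strerror() text for the codes used here (libpam/pam_strerror.c).
STRERROR = {
    "PAM_SUCCESS": "Success",
    "PAM_PERM_DENIED": "Permission denied",
    "PAM_USER_UNKNOWN": "User not known to the underlying authentication module",
    "PAM_AUTHINFO_UNAVAIL": "Authentication service cannot retrieve authentication info",
    "PAM_ACCT_EXPIRED": "User account has expired",
    "PAM_AUTH_ERR": "Authentication failure",
}

# The keyword controls are shorthand for bracketed action lists (pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text):
    """pam.d lines -> list of (module, actions); actions maps a return-code key such
    as 'success' or 'authinfo_unavail' to ok/done/bad/die/ignore/reset/N."""
    stack = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        _, control, module = m.groups()
        control = KEYWORDS.get(control, control)
        actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
        stack.append((module, actions))
    return stack


def action_for(actions, retval):
    # PAM_AUTHINFO_UNAVAIL is selected by the key "authinfo_unavail"; unlisted codes
    # take "default", and Linux-PAM treats a missing default as "bad".
    return actions.get(retval[len("PAM_"):].lower(), actions.get("default", "bad"))


def evaluate(stack, results):
    """Final code of a stack given results: {module: return code}."""
    impression = None   # None undecided, True positive, False negative
    status = None
    skip = 0
    for module, actions in stack:
        if skip:            # inside a success=N jump
            skip -= 1
            continue
        retval = results[module]
        action = action_for(actions, retval)
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, None
        elif action in ("ok", "done") or action.isdigit():
            # ok/done/N only override an undecided or still-successful stack.
            if (impression is None or (impression and status == PAM_SUCCESS)) \
                    and retval != PAM_IGNORE:
                impression, status = True, retval
            if action == "done" and impression:
                break
            if action.isdigit():
                skip = int(action)
        elif action in ("bad", "die"):
            # The first failure is the one the application sees; later ones never replace it.
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        else:
            raise ValueError("unknown action %r" % action)
    return PAM_PERM_DENIED if impression is None else status


# The common-account stack exactly as posted above.
COMMON_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""


def account_result(unix, winbind, localuser, sss):
    """Final code of the posted stack for one set of constructed per-module codes."""
    results = {
        "pam_unix.so": unix,
        "pam_winbind.so": winbind,
        "pam_deny.so": "PAM_ACCT_EXPIRED",   # pam_deny's acct_mgmt return value
        "pam_permit.so": PAM_SUCCESS,
        "pam_localuser.so": localuser,
        "pam_sss.so": sss,
    }
    return evaluate(parse_stack(COMMON_ACCOUNT), results)


if __name__ == "__main__":
    # Constructed scenarios: a domain user with and without a reachable sssd, and a local user.
    for label, args in [
        ("domain user, pam_sss cannot reach sssd",
         ("PAM_USER_UNKNOWN", PAM_SUCCESS, PAM_PERM_DENIED, "PAM_AUTHINFO_UNAVAIL")),
        ("domain user, sssd answers user_unknown",
         ("PAM_USER_UNKNOWN", PAM_SUCCESS, PAM_PERM_DENIED, "PAM_USER_UNKNOWN")),
        ("local user (pam_localuser ends the stack)",
         (PAM_SUCCESS, "PAM_USER_UNKNOWN", PAM_SUCCESS, "PAM_AUTHINFO_UNAVAIL")),
    ]:
        code = account_result(*args)
        print("%-45s %-22s %s" % (label, code, STRERROR[code]))
```

In the first scenario pam_winbind's success jumps over pam_deny, pam_permit keeps the stack positive and pam_localuser is ignored, yet the stack still ends in PAM_AUTHINFO_UNAVAIL because pam_sss's `default=bad` catches every code it does not list and a negative impression is never overridden afterwards. That is the general rule worth keeping in mind when reading any pam-auth-update output: a module placed after the pam_permit line is not "already decided", it can still fail the stack unless its control string ignores the codes it is expected to return.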