Смоленск 1.6 Samba+sssd+ad шара

Roman9220

New member
Сообщения
6
#1
Всем доброго! Настроил у себя шару с разграничением доступа к ресурсам, все стабильно работало до обновления Update 12, после обновления не монтируется. Недельные поиски решения в интернете не помогли, если кто может помочь помогите пожалуйста.

Конфиги сервера:
[global]
server string = Astra linux
usershare allow guests = Yes
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
server role = standalone server
unix password sync = Yes
#disable netbios = no
#netbios name = fs
invalid users = root asu
log level = 1 vfs:1
full_audit:refix = %u|%I|%S
full_audit:success = connect,mkdir, rmdir, unlink, write
full_audit:failure = connect,mkdir, rmdir, unlink, write
full_audit:facility = local5
full_audit:riority = notice
vfs objects = full_audit
server min protocol = NT1
server max protocol = SMB3
unix extensions = no

workgroup = ROSGVARD
realm = ROSGVARD.RU
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
idmap config * : range = 3000-99999
idmap config * : backend = tdb
idmap config ROSGVARD.RU : range = 100000-99999999
idmap config ROSGVARD.RU : backend = rid
winbind nss info = rfc2307

winbind enum groups = yes
winbind enum users = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 1440
password server vso-dc-01
winbind refresh tickets = true
unix charset = UTF8
dos charset = CP866

#[homes]
# comment = Home Directories
# browseable = No
# create mask = 0700
# directory mask = 0700
# valid users = %S

#[printers]
# comment = All Printers
# path = /var/spool/samba
# browseable = No
# printable = Yes
# create mask = 0700

#[print$]
# comment = Printer Drivers
# path = /var/lib/samba/printers
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

[test]
path = /home/fs/fs-06
read only = no
hide unreadable = yes
hide unwriteable files = no
create mask = 0740
force create mode = 0740
directory mask = 0750
force directory mode = 0750
browseable = yes
writable = yes
hosts allow = 10.3.167.
inherit acls = yes
inherit permissions = yes
inherit owner = yes

[sssd]
domains = rosgvard.ru
config_file_version = 2
services = nss, pam, ifp
[ifp]
allowed_uids = 0, 33, 114, 999
[pam]
pam_pwd_expiration_warning = 7


[domain/rosgvard.ru]
ad_gpo_map_interactive = +fly-dm
ad_update_samba_machine_account_password = True
krb5_renew_interval = 600s
krb5_renewable_lifetime = 7d
krb5_ccname_template = FILE:%d/krb5cc_%U
ad_gpo_access_control = disabled
ad_domain = rosgvard.ru
krb5_realm = ROSGVARD.RU
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/ROSGVARD/%u
access_provider = ad

[libdefaults]
default_realm = ROSGVARD.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_lookup_realm = false
dns_lookup_kdc = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}

[realms]
ROSGVARD.RU = {
admin_server = VSO-DC-01.ROSGVARD.RU
default_domain = ROSGVARD.RU
}

[domain_realm]
.rosgvard.ru = ROSGVARD.RU
rosgvard.ru = ROSGVARD.RU
[login]
krb4_convert = false
krb4_get_tickets = false

Конфиги клиента
#astra-ad-sssd
[global]
workgroup = ROSGVARD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
pam password change = Yes
#password server =
log file = /var/log/samba/%m.log
realm = ROSGVARD.RU
security = ADS
server string = Astra linux
idmap config * : backend = tdb

#[homes]
# comment = Home Directories
# browseable = No
# create mask = 0700
# directory mask = 0700
# valid users = %S

#[printers]
# comment = All Printers
# path = /var/spool/samba
# browseable = No
# printable = Yes
# create mask = 0700

#[print$]
# comment = Printer Drivers
# path = /var/lib/samba/printers

[sssd]
domains = rosgvard.ru
config_file_version = 2
services = nss, pam, ifp
[ifp]
allowed_uids = 0, 33, 114, 999
[pam]
pam_pwd_expiration_warning = 7

[domain/rosgvard.ru]
ad_gpo_map_interactive = +fly-dm
ad_update_samba_machine_account_password = True
krb5_renew_interval = 600s
krb5_renewable_lifetime = 7d
krb5_ccname_template = FILE:%d/krb5cc_%U
ad_gpo_access_control = disabled
ad_domain = rosgvard.ru
krb5_realm = ROSGVARD.RU
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/ROSGVARD/%u
access_provider = ad

[libdefaults]
default_realm = ROSGVARD.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_lookup_realm = false
dns_lookup_kdc = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}

[realms]
ROSGVARD.RU = {
admin_server = VSO-DC-01.ROSGVARD.RU
default_domain = ROSGVARD.RU
}

[domain_realm]
.rosgvard.ru = ROSGVARD.RU
rosgvard.ru = ROSGVARD.RU
[login]
krb4_convert = false
krb4_get_tickets = false


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->

<pam_mount>
<volume
uid="10000-20002000000"
fstype="cifs"
server="6912-fs-01.rosgvard.ru"
path="test"
mountpoint="/home/ROSGVARD/%(DOMAIN_USER)/Desktops/Desktop1/Obmen"
options="sec=krb5i,cruid=%(USERUID),uid=%(USERUID),user=%(DOMAIN_USER),gid=%(USERGID),domain=rosgvard,cifsacl,file_mode=0750,dir_mode=0750"
/> <and> <not> <user>asu</user> </not> </and>


<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions
allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,file_mode=0750,dir_mode=0750"
/>
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="5000" hup="1" term="1" kill="1" />


<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

[158716.150367] CIFS: Attempting to mount \\6912-fs-01.rosgvard.ru\test
[158716.202926] CIFS: Status code returned 0xc000005e
STATUS_NO_LOGON_SERVERS
[158716.202942] CIFS: VFS: \\6912-fs-01.rosgvard.ru Send error in
SessSetup = -5
[158716.202960] CIFS: VFS: cifs_mount failed w/return code = -5

Я на 90% уверен что проблема в аутентификации kerberos, но я не могу понять что не так. Если нужна дополнительная информация готов предоставить. Заранее всем спасибо и надеюсь на вашу помощь