信頼関係（trust）のある Active Directory を使って Linux にログインする際に問題があります。
このマシンは私たちが管理するプロジェクト用の Active Directory に参加していますが、マシンを使うユーザーの大半は会社全体の Active Directory（組織の AD）にアカウントを持っています。
プロジェクト AD にあるユーザーアカウントではログインできますが、会社 AD（信頼されたドメイン）のユーザーではログインできません。
smb.conf（Samba 構成ファイル）
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
# Short (NetBIOS) name of the AD domain this host is joined to.
workgroup = PROJECTDOMAIN
# Local account database; with "security = ADS" below it is not what
# authenticates domain users (winbind/Kerberos do), so it is largely inert here.
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
# NOTE(review): sessions with an unknown user name are mapped to the guest
# account. On a domain member this widens anonymous access; "Never" is the
# safer value unless guest shares are genuinely required.
map to guest = Bad User
# Processed at this position: values in dhcp.conf override the lines above
# and are overridden by the lines below. Do not move this line when reordering.
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
# AD domain member: domain users authenticate through winbind (Kerberos/NTLM).
security = ADS
# "idmap uid"/"idmap gid" are deprecated since Samba 3.6 and no longer
# documented for Samba 4; the current form is
#   idmap config * : backend = tdb
#   idmap config * : range   = 10000-20000
# There is no per-domain "idmap config CORP : ..." entry, so users of the
# trusted corporate domain (allow trusted domains defaults to yes) get their
# UIDs/GIDs allocated on first sight from this single default range — the
# mapping is not stable across hosts. This does not itself block logon.
idmap gid = 10000-20000
idmap uid = 10000-20000
# Kerberos realm of the joined domain; agrees with default_realm in krb5.conf.
realm = MYPROJECT.MYCOMPANY.COM
# Home directories are keyed by domain, so a trusted-domain user lands under
# /home/CORP/<user>; that directory must exist or be created at login
# (presumably pam_mkhomedir — not shown here).
template homedir = /home/%D/%U
# winbind renews the Kerberos tickets of PAM sessions before they expire.
winbind refresh tickets = yes
template shell = /bin/bash
usershare max shares = 100
# Cached (hashed) credentials allow logon while the DC is unreachable; the
# cache is a sensitive file on this host.
winbind offline logon = yes
[homes]
# Auto-generated per-user home share; the share name (%S) is the user name.
comment = Home Directories
# Only the owner may connect. The second form (%D = user's domain,
# %w = winbind separator) matches winbind-style names such as CORP\user.
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
# Roaming-profile store; %H resolves to the connecting user's home directory,
# so each user only ever sees their own profile.
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
# Profiles are private: newly created files/directories are owner-only.
create mask = 0600
directory mask = 0700
[users]
# The whole /home tree as one writable share (it also contains the
# /home/<DOMAIN>/<user> homes from template homedir). Isolation between users
# relies entirely on the filesystem permissions/ACLs of each directory.
comment = All users
path = /home
read only = No
inherit acls = Yes
# Hidden from listings and not openable within this share.
veto files = /aquota.user/groups/shares/
[groups]
# Shared group directories under /home/groups; write access is governed by
# the filesystem ACLs, which new files inherit.
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
# One share per CUPS queue; /var/tmp is used as the spool directory.
comment = All Printers
path = /var/tmp
printable = Yes
# Spool files are created owner-only.
create mask = 0600
browseable = No
[print$]
# Point-and-print driver store. Only members of ntadmin and root may upload;
# keep that group small, since drivers placed here are installed on clients.
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
krb5.conf
[libdefaults]
# Realm assumed for principals given without @REALM; agrees with "realm" in smb.conf.
default_realm = MYPROJECT.MYCOMPANY.COM
# Maximum tolerated clock difference to the KDC, in seconds (300 is the library default).
clockskew = 300
# Leftover from the distribution template; not in effect.
# default_realm = EXAMPLE.COM
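[realms]
# Realm block for the joined domain. It was previously named inconsistently
# with default_realm and [domain_realm] (MYPROJECT.MYCOMPANY.COM), so the
# kdc/admin_server settings below did not apply to the realm actually in use
# and KDC discovery silently fell back to DNS.
MYPROJECT.MYCOMPANY.COM = {
kdc = ad02.myproject.mycompany.com
default_domain = myproject.mycompany.com
admin_server = ad02.myproject.mycompany.com
}
# No block exists for the trusted corporate realm (CORP). Its KDCs are then
# found only through DNS SRV records (dns_lookup_kdc), which must resolve from
# this host — otherwise add a block for that realm here.
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }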
[logging]
# kdc/admin_server destinations only matter if a KDC or kadmind runs on this
# host; on a pure client only "default" is used.
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
# Client-library messages go to syslog, facility daemon, level notice.
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
# Host-name to realm mapping. Only the project domain is listed; hosts of the
# trusted corporate domain are resolved by the library's fallback (uppercased
# DNS domain, or DNS TXT lookup if dns_lookup_realm is enabled) unless an
# entry for that domain is added here.
.myproject.mycompany.com = MYPROJECT.MYCOMPANY.COM
[appdefaults]
# Options consumed by pam_krb5.
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
# A forwardable TGT lets any server the user connects to (e.g. ssh with
# delegation enabled) act under the user's identity; keep only if needed.
forwardable = true
proxiable = false
# Users with a UID below this value are skipped by pam_krb5; 1 excludes only
# root, so local service accounts are still sent to the KDC.
minimum_uid = 1
# sshd integration: presumably reuse credentials sshd obtained via GSSAPI and
# hand them over through shared memory — confirm against the pam_krb5 manual
# for the installed version.
external = sshd
use_shmem = sshd
# NOTE(review): validate = false skips checking the obtained TGT against the
# host key in /etc/krb5.keytab, so an attacker impersonating the KDC could
# forge a successful password login. An AD-joined member has a host keytab;
# set this to true.
validate = false
}
次を実行すると（corp は会社 AD のドメイン名です）
> wbinfo -a corp\\username
次のメッセージが表示されます。
plaintext password authentication failed
Could not authenticate user corp\\username with plaintext password
challenge/response password authentication failed
error code was NT code 0xc0000413 (0xc0000413)
error message was: NT code 0xc0000413
Could not authenticate user corp\username with challenge/response
（NT code 0xC0000413 は STATUS_AUTHENTICATION_FIREWALL_FAILED です。会社 AD との信頼関係に選択的認証（Selective Authentication）が設定されていて、このマシンのコンピューター アカウントに対して corp のユーザーに「Allowed to Authenticate」権限が付与されていない場合、winbind 経由の NTLM／チャレンジ応答認証はこのコードで拒否されます。kinit は corp の KDC から直接 TGT を取得するだけなので、この制限の影響をおそらく受けません。）
しかし、次のコマンドは成功します。
kinit username@CORP.REALM
（原文では `@` 以降の realm 名が「電子メール保護」により欠落しています。corp ドメインの Kerberos realm 名（大文字）を指定してください。）