信頼関係のある別のActive Directoryドメインのユーザーを使用してLinuxにログインする


信頼関係にある別のActive Directoryドメイン（信頼先ドメイン）のユーザーでLinuxにログインしようとすると問題が起きます。

マシンは私たちがプロジェクト用に運用しているActive Directoryドメイン（PROJECTDOMAIN）に参加していますが、マシンを使用するユーザーの大半は会社（組織）側のADにアカウントを持っています。両ドメインの間にはドメイン信頼が構成されています。

プロジェクトAD（MYPROJECT.MYCOMPANY.COM）にあるユーザーアカウントではログインできますが、会社AD（corp）のユーザーではログインできません。

smb.conf（/etc/samba/smb.conf）

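# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
#
# This host is joined to the project domain (PROJECTDOMAIN /
# MYPROJECT.MYCOMPANY.COM). Users of the corporate domain ("corp") reach this
# host through the domain trust and are resolved by winbind.
[global]
    workgroup = PROJECTDOMAIN
    # Must be identical (upper case) to default_realm in /etc/krb5.conf.
    realm = MYPROJECT.MYCOMPANY.COM
    security = ADS
    passdb backend = tdbsam
    # Default is already "yes"; stated explicitly because this host must
    # authenticate users of domains that trust PROJECTDOMAIN.
    allow trusted domains = yes
    # NOTE(review): "Bad User" maps an unknown username to the guest account
    # on SMB access. On a login host that also exports /home (see [users])
    # "Never" is the safer setting unless anonymous printing is required.
    map to guest = Bad User
    # Replaces the deprecated "idmap uid/gid = ..." parameters (testparm warns
    # about them on Samba >= 3.6; keep the old form only on older releases).
    # The "*" default applies to the joined domain AND every trusted domain.
    # One pool of 10000 IDs is shared by users and groups of both domains;
    # allocations are persistent, so widen the range before it fills up.
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    # %D = domain, %U = user: trusted-domain users get /home/CORP/<user>.
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind refresh tickets = yes
    # Allows logon from cached credentials while no DC is reachable; the
    # cache (winbindd_cache.tdb) holds credential hashes and must stay
    # readable by root only.
    winbind offline logon = yes
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    usershare max shares = 100
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[users]
    # NOTE(review): exports the whole /home tree writable to any user that
    # can authenticate (or is mapped to guest); only Unix permissions and
    # ACLs separate home directories here. Remove if not needed on a
    # login host.
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/
[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes
[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775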

krb5.conf（/etc/krb5.conf）

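[libdefaults]
    default_realm = MYPROJECT.MYCOMPANY.COM
    # Maximum tolerated clock difference to the KDC, in seconds.
    clockskew = 300
    # KDCs of realms without a [realms] entry (e.g. the corporate realm)
    # are located via DNS SRV records (_kerberos._tcp.<domain>). This is
    # the library default; stated explicitly because the trusted realm
    # is not listed below.
    dns_lookup_kdc = true
#   default_realm = EXAMPLE.COM 

[realms]
# The key of this block must equal default_realm; the previous key was a
# different realm name, so this block was never consulted for
# MYPROJECT.MYCOMPANY.COM.
MYPROJECT.MYCOMPANY.COM = {
    kdc = ad02.myproject.mycompany.com
    default_domain = myproject.mycompany.com
    admin_server = ad02.myproject.mycompany.com
}
# Add a matching block for the corporate realm if its KDCs cannot be
# found through DNS from this host.
#   EXAMPLE.COM = {
#                kdc = kerberos.example.com
#       admin_server = kerberos.example.com
#   }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
[domain_realm]
    .myproject.mycompany.com = MYPROJECT.MYCOMPANY.COM
    # Map the corporate DNS domain to its realm here as well, e.g.
    # .corp.mycompany.com = CORP.MYCOMPANY.COM (names not known from
    # this file; confirm with the AD team).
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    # TGT is forwarded on ssh to other hosts; fine for interactive use.
    forwardable = true
    proxiable = false
    # uid 0 (root) is never authenticated against Kerberos.
    minimum_uid = 1
    external = sshd
    use_shmem = sshd
    # NOTE(review): validate=false skips checking the obtained TGT against
    # this host's keytab, so a spoofed KDC could grant a logon. Set it to
    # true once /etc/krb5.keytab contains the host/ principal
    # ("net ads keytab create" after the join).
    validate = false
}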

次のコマンドを実行すると（corp は会社AD側のNetBIOSドメイン名です）

> wbinfo -a corp\\username

次のメッセージが表示されます。末尾の NT code 0xc0000413 は STATUS_AUTHENTICATION_FIREWALL_FAILED で、通常はドメイン信頼に「選択的認証（selective authentication）」が設定されており、このコンピュータアカウントに対して corp のユーザーに「認証を許可（Allowed to Authenticate）」が付与されていないことを意味します。

plaintext password authectication failed
Could not authenticate user corp\\username whit plaintext password
challenge/response password authentication failed
error code was NT code 0xc0000413 (0xc0000413)
error message was: NT code 0xc0000413
Could not authenticate user corp\username with challenge/response

一方、corp のユーザーで Kerberos チケットを直接取得することはできます。

kinit username@CORP.MYCOMPANY.COM （元の投稿ではプリンシパルがメールアドレスとして伏せ字にされているため、会社側のレルム名は例です）
