
[решено] Проблема с Samba-сервером в Samba-домене


uder
30-11-2009, 03:39
У меня сложилась такая ситуация: есть домен Samba+Ldap (TESTY), нужно ввести в него сервер-файлопомойку на samba (SHARE). Оба сервера — Debian Lenny, Samba 3.2.5, оба являются виртуальными окружениями Xen, если это важно.
Виндовые машины (WinXP) входят в домен без проблем, как в родной, но я не могу завести ни одну nix-машину.

Выглядит следующим образом


share:~# net rpc join -S PDC -D TESTY -U admin
Enter admin's password:
Joined domain TESTY.
share:~#


то есть говорит, что всё ок.
Но в логах на PDC


[2009/11/27 16:37:33, 0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
get_md4pw: Workstation SHARE$: no account in domain
[2009/11/27 16:37:33, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
_netr_ServerAuthenticate2: failed to get machine password for account SHARE$: NT_STATUS_ACCESS_DENIED
[2009/11/27 16:37:33, 0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
get_md4pw: Workstation SHARE$: no account in domain
[2009/11/27 16:37:33, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
_netr_ServerAuthenticate2: failed to get machine password for account SHARE$: NT_STATUS_ACCESS_DENIED


Естественно, пользователей домена не видит и не авторизует.

smb.conf на PDC

# smb.conf on the PDC (Samba 3.2.5, ldapsam passdb). Comments are review notes;
# every key/value below is the poster's original.
[global]
# Code pages: cp866 is the Cyrillic OEM page presented to DOS/Windows clients.
dos charset = cp866
unix charset = UTF8
display charset = UTF8
# NetBIOS domain name. "realm" is only consulted for ADS/Kerberos and is not
# used for NT4-style domain logons as configured here.
workgroup = TESTY
realm = TESTY.LOCAL
interfaces = eth0, lo
bind interfaces only = Yes
# Plain ldap:// on 389 (see "ldap ssl = no" below): the "ldap admin dn" bind
# password crosses the wire in clear unless pdc.testy.local is this host — confirm.
passdb backend = ldapsam:ldap://pdc.testy.local:389
passwd program = /usr/sbin/smbldap-passwd "%u"
# "\n" is interpreted by Samba's chat engine, not by any INI escape rule.
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 1000
# NetBIOS-over-TCP only; port 445 is not offered.
smb ports = 139
acl compatibility = win2k
# WINS is not in the lookup order although this host is the WINS server (wins support = Yes).
name resolve order = bcast hosts
time server = Yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
load printers = No
# smbldap-tools hooks. They run as root and bind to LDAP with the credentials
# in the smbldap-tools config (not shown here).
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# Machine (trust) accounts are created with "-w". The PDC log lines
# "get_md4pw: Workstation SHARE$: no account in domain" mean ldapsam found no
# SHARE$ entry when the member tried to authenticate; whether this script ran
# and what it wrote is not visible here — check the smbldap-tools output/log.
add machine script = /usr/sbin/smbldap-useradd -w "%u"
# %L = this server's NetBIOS name; served by the [netlogon], [profiles] and [home] shares below.
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\home\%u
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
# Same DN as slapd's rootdn, so slapd ACLs do not constrain Samba's own LDAP operations.
ldap admin dn = cn=admin,dc=testy,dc=local
# Samba may delete whole LDAP entries, not just the Samba attributes on them.
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Machine and user accounts share ou=Users; the smbldap-tools config must use
# the same OU for "-w" accounts (not shown) — confirm.
ldap machine suffix = ou=Users
ldap suffix = dc=testy,dc=local
# No TLS on the LDAP connection.
ldap ssl = no
ldap user suffix = ou=Users
# Domain-wide SID<->ID map kept in LDAP (ou=Idmap). A member server that uses a
# different backend will allocate its own, possibly different, UIDs/GIDs.
idmap backend = ldap:ldap://pdc.testy.local
idmap uid = 10000-20000
idmap gid = 10000-20000
# "admin" performs all file operations as root on every share — keep this list minimal.
admin users = admin
# Only the 10.125.3.0/24 subnet and loopback may connect.
hosts allow = 10.125.3., 127.
map acl inherit = Yes

# NOTE(review): this section is named "home", not the special "homes" section,
# so it is a single writable directory shared by all users rather than per-user
# home directories; "logon home = \\%L\home\%u" therefore points each user at a
# subfolder of one common share, separated only by filesystem permissions.
# /var/lib/samba/usershares is also where Debian keeps "net usershare" definitions —
# confirm this path is the intended one.
[home]
comment = Home Directories
path = /var/lib/samba/usershares/
read only = No

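# Serves logon.bat ("logon script" in [global]), which every Windows client
# runs at logon. The share was writable AND guest-accessible, so anyone able to
# reach the server could replace the script and have it executed on each
# workstation. It is now read-only for everyone except "admin" (the account
# listed in "admin users"); guest access is left as the poster had it.
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = Yes
write list = admin
guest ok = Yes
browseable = No
locking = No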

# Roaming profiles for "logon path = \\%L\profiles\%U". New directories/files are
# created 0700/0600, so users cannot read each other's profiles at the filesystem level.
# NOTE(review): "guest ok = Yes" also admits unauthenticated sessions to a writable
# share; confirm the clients actually need it.
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No


slapd.conf на PDC:

# slapd.conf on the PDC (OpenLDAP, hdb backend) holding the Samba domain data.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# samba.schema defines sambaSamAccount, sambaSID etc. used by ldapsam and smbldap-tools.
include /etc/ldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# No slapd logging at all; raise it (e.g. "stats") while chasing failed binds or ACL denials.
loglevel none

modulepath /usr/lib/ldap
moduleload back_hdb

sizelimit 500
tool-threads 1

backend hdb
database hdb

suffix "dc=testy,dc=local"
# Same DN Samba binds with ("ldap admin dn"); rootdn bypasses every ACL in this file.
rootdn "cn=admin,dc=testy,dc=local"
# NOTE(review): this hash was pasted into a public forum post — treat the rootdn
# password as exposed and change it. No TLS (TLSCertificateFile etc.) is configured,
# and Samba uses "ldap ssl = no", so binds are cleartext unless confined to this host.
rootpw {SSHA}bXENLjYunB+IOrpGDjJ2Bo1+Uv1WkTvG

directory "/var/lib/ldap"

# BDB cache and lock limits.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

# Indexes for the attributes Samba/nss lookups filter on.
index objectClass eq
index cn eq,subinitial
index sn eq,subinitial
index uid eq,subinitial
index displayName eq,subinitial
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

lastmod on
checkpoint 512 30

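# Access control. Clauses are evaluated in order; the first "access to" whose
# target matches decides, and within it the first matching "by" wins.
# The rootdn (cn=admin) is exempt from all of this.
access to dn.base=""
by self write
by * auth
# Unix password: the owner may change it, everyone else may only bind against it.
access to attrs=userPassword
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
# NT/LM hashes are password-equivalent and must never be readable.
# Fixed: the original named dn="dc=admin,dc=testy,dc=local", which is not the
# admin DN (rootdn is cn=admin,...), so the write grant matched nothing; it only
# went unnoticed because Samba binds as rootdn and bypasses ACLs.
access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=testy,dc=local" write
by * auth
# Everything else (uid, uidNumber, sambaSID, ...) is world-readable for nss/winbind.
# "by anonymous auth" is unreachable here: "by * read" already matched anonymous.
access to *
by * read
by anonymous auth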

smb.conf на Share:

# smb.conf on the member server SHARE — first (non-working) version.
[global]
workgroup = TESTY
netbios name = SHARE
server string = FileServer
interfaces = eth0, lo
# NT4-style member: user logons are passed through to the PDC over the SHARE$
# trust account — the account the PDC log reports as missing.
security = DOMAIN
# Explicit override of the auth chain; Samba normally derives it from
# "security = DOMAIN", and the later working config omits it.
auth methods = winbind, ntdomain
# PDC by IP; must be the host that "net rpc join" was run against.
password server = 10.125.3.230
pam password change = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
load printers = No
dns proxy = No
wins server = 10.125.3.230
panic action = /usr/share/samba/panic-action %d
# "username" is a share-level option; in [global] it becomes the default for every share.
# No idmap ranges or winbind settings here; the working config below adds them.
username = @"Domain users"

# User data share on the member server. Separation between users' folders is
# left to filesystem permissions under /mnt/users (not shown).
[users]
comment = Личные Папки
path = /mnt/users
read only = No
# "profile acls" is documented for roaming-profile shares; on an ordinary data
# share it alters how ownership/ACLs are presented — confirm it is intended.
profile acls = Yes


Помогите, пожалуйста, уже неделю не могу решить эту проблему, даже не ясно, куда копать.

Аlchemist
30-11-2009, 09:25
Конфиг самбы на файлопомойке неполный, не увидел nsswitch.conf.
Посмотрите у меня тут (http://ithouse.spb.ru/?p=13)

uder
01-12-2009, 04:58
Спасибо за ответ. Я имел в виду немного другое: чтобы аутентификация проходила относительно Samba-домена.
Но Ваш ответ натолкнул меня на верные мысли

новый smb.conf на share

# smb.conf on SHARE — working version.
[global]
# Charsets now match the PDC.
dos charset = CP866
unix charset = UTF8
display charset = UTF8
workgroup = TESTY
netbios name = SHARE
server string = FileServer
interfaces = eth0, lo
security = DOMAIN
password server = 10.125.3.230
pam password change = Yes
# Maps Windows names to local names; /etc/samba/smbusers is not shown.
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
# NetBIOS-over-TCP only, same as the PDC.
smb ports = 139
# WINS (the PDC) is now queried first, matching its "wins support = Yes".
name resolve order = wins bcast hosts
load printers = No
dns proxy = No
wins server = 10.125.3.230
panic action = /usr/share/samba/panic-action %d
# Same numeric ranges as the PDC, but no idmap backend is named, so this host
# allocates its own SID<->ID mappings locally; they need not equal the PDC's
# LDAP-stored ones. Fine while /mnt/users is served only from this host.
idmap uid = 10000-20000
idmap gid = 10000-20000
# Domain users appear as TESTY+user instead of the default TESTY\user.
winbind separator = +

# User data share (unchanged from the first version). Separation between
# users' folders relies on filesystem permissions under /mnt/users (not shown).
[users]
comment = Личные Папки
path = /mnt/users
read only = No
# Documented for roaming-profile shares; on a plain data share it changes how
# ownership/ACLs are reported — confirm it is intended.
profile acls = Yes


теперь вроде всё ок. Проблема решена.

Аlchemist
01-12-2009, 09:42
Проблема решена »
Ну так ставьте отметку "Решено".



