Xubuntu avec utilisateur d'un domaine 2003

Bonjour,

Je bien suivi les tutos dispo sur le net et après 3 jours de galère à mélanger les paramétrages je suis enfin avec ma station Xubuntu 8.10 attaché à mon domain sous Windows Server 2003.

J'ai suivi ces liens :

- http://doc.ubuntu-fr.org/...
- http://www.commentcamarche.net/forum/affich 4857996 integrer un client linux sur un domaine windo
- http://forum.ubuntu-fr.org/viewtopic.php?id=27699
- http://forum.ubuntu-fr.org/viewtopic.php?pid=2471224

Voici me fichiers de conf. :

--- /etc/hosts -------------------------------------------------------
127.0.0.1 localhost.localdomain localhost
127.0.1.1 POSTE124
172.16.0.6 SRV02.DOMAINE.COM SRV02

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhost
----------------------------------------------------------------------------

--- /etc/krb5.conf ---------------------------------------------------
[logging]
default = FILE10000:/var/log/krb5lib.log


[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAINE.COM

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc


# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]

DOMAINE.COM = {
kdc = srv02.domain.com
admin_server = srv02.domain.com
default_domain = DOMAINE.COM
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = vice28.fs.andrew.cmu.edu
kdc = vice2.fs.andrew.cmu.edu
kdc = vice11.fs.andrew.cmu.edu
kdc = vice12.fs.andrew.cmu.edu
admin_server = vice28.fs.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementia.org
kdc = kerberos2.dementia.org
admin_server = kerberos.dementia.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}

[domain_realm]
.domain.com = DOMAINE.COM
domain.com = DOMAINE.COM
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU

[login]
krb4_convert = true
krb4_get_tickets = false
----------------------------------------------------------------------------

--- /etc/resolv.conf -------------------------------------------------
# Generated by NetworkManager
nameserver 172.16.0.2
----------------------------------------------------------------------------

--- /etc/samba/smb.conf -----------------------------------------
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
# A well-established practice is to name the original file
# "smb.conf.master" and create the "real" config file with
# testparm -s smb.conf.master >smb.conf
# This minimizes the size of the really used smb.conf file
# which, according to the Samba Team, impacts performance
#

#======================= Global Settings =======================

[global]
security = ads
realm = DOMAIN.COM
password server = SRV02.DOMAIN.COM
workgroup = domain
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
winbind use default domain = yes
obey pam restrictions = yes
----------------------------------------------------------------------------

=> J'obtiens bien mon ticket et je vérifie via klist,
=> le net join a bien fonctionné et le "sudo net ads testjoin" retourne bien "Join is OK"
=> j'ai mes users et gourp de mon AD avec "wbinfo -u" et "wbinfo -g"

--- /etc/nsswicth.conf -----------------------------------------
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files dns

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: files
netmasks: files
bootparams: files

automount: files
aliases: files
----------------------------------------------------------------------------

=> "sudo getent passwd" me retourne bien des ligne avec mes users de mon AD

!!! Et c'est que je pense flancher.
Je veux tout bonnement avec à l'ouverture de la session Xubuntu la possibilité d'utiliser le login utilisateur d'un compte de mon AD. Et après paramétrage des PAM cela ne fonctionne pas.

--- /etc/pam.d/common-account -----------------------------------------
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

account sufficient pam_winbind.so
account sufficient pam_unix.so
----------------------------------------------------------------------------

--- /etc/pam.d/common-auth -----------------------------------------
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
----------------------------------------------------------------------------

--- /etc/pam.d/common-session -----------------------------------------
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ck_connector.so nox11
# end of pam-auth-update config

session required pam_mkhomedir.so umask=0022 skel=/etc/skel
----------------------------------------------------------------------------

--- /etc/pam.d/common-sudo -----------------------------------------
#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so


auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
----------------------------------------------------------------------------

=> J'ai bien un "/home/DOMAINE.COM/" avec des droits 777

!!!
Donc, lorsque je lance mon pc, à l'ouverture de session j'indique "toto" mot de passe "123" et ça ne marche pas.
Lorsque j'utilise cet utilisateur pour avec un ticket (kinit) ça marche. Et je vois bien tot dans "wbino -u".
J'ai essayé avec toto+DOMAIN, toto+DOMAINE.COM, DOMAINE+toto, DOMAIN.COM+toto en utilisteur et ça passe pas mieux.

Il n'y a que l'utilisateur "administrateur" qui ouvre une session. Mais c'est l'utilisateur créé lors de l'install de Xubuntu. C'est un compte "Linux" local avec des droits admin.
?? Et petite surprise, il me demande 2 fois le mot de passe !?

Comment test via le terminal la connection, le login, d'un compte du domaine ?
Peut on depuis le compte administrateur (local) laner un session sur le domaine AD ?
Et surtout comment bien configurer le truc pour pouvoir utiliser mes users AD sur les stations Xubuntu ?
@près quoi je commencerai à attacher les lecteur réseau, les imprimantes, ... Mais j'en suis loin.


en tout cas merci,
j'espère avoir étais précis.
@+/+

J'oublié :

Xfce 4 Desktop Environment
version 4.4.2 (Xfce 4.4)

uname -r => 2.6.27-11-generic