PKingKong
(uses Fedora)
Posted on 02/12/2024 - 09:54h
Good afternoon, everyone!
I need your help!!
I am setting up a Debian 12 server with authentication via AD. I used samba, winbind and sssd.
The problem is that when I try to log in to the server, it keeps saying the password is incorrect. Here are the configurations I made:
Samba:
[global]
workgroup = ELETRODATA
realm = ELETRODATA.LOCAL
security = ADS
# encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 5
max log size = 1000
winbind use default domain = yes
#winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config ELETRODATA : backend = rid
idmap config ELETRODATA : range = 200001-30000
template shell = /bin/bash
template homedir = /home/%D/%U
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
[shared]
path = /srv/samba/shared
browsable = yes
writable = yes
valid users = @"ELETRODATA\Usuário do domínio"
force create mode = 0775
force directory mode = 0775
And the nsswitch settings:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files systemd
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
krb5.conf configuration:
[libdefaults]
default_realm = ELETRODATA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
[realms]
ELETRODATA.LOCAL = {
kdc = 192.168.0.13
admin_server = 192.168.0.13
default_domain = eletrodata.local
}
[domain_realm]
.eletrodata.local = ELETRODATA.LOCAL
eletrodata.local = ELETRODATA.LOCAL
sssd configuration:
[sssd]
config_file_version = 2
services = nss, pam
domains = eletrodata.local
[domain/eletrodata.local]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = True
fallback_homedir = /home/%d/%u
mkhomedir = True
default_shell = /bin/bash
# Kerberos configuration
krb5_realm = ELETRODATA.LOCAL
krb5_server = 192.168.0.13
krb5_kdcip = 192.168.0.13
krb5_ccname_template = FILE:/tmp/krb5cc_%U
cache_credentials = True
Those were my configurations.
The status of the services:
Winbind:
root@srvarquivos-rj:~# systemctl status winbind
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/lib/systemd/system/winbind.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-12-02 09:32:04 -03; 21min ago
Docs: man:winbindd(8)
man:samba(7)
man:smb.conf(5)
Process: 1122 ExecCondition=/usr/share/samba/is-configured winbind (code=exited, status=0/SUCCESS)
Main PID: 1126 (winbindd)
Status: "winbindd: ready to serve connections..."
Tasks: 4 (limit: 11878)
Memory: 8.3M
CPU: 930ms
CGroup: /system.slice/winbind.service
├─1126 /usr/sbin/winbindd --foreground --no-process-group
├─1128 "winbindd: domain child [SRVARQUIVOS-RJ]"
├─1130 "winbindd: domain child [ELETRODATA]"
└─1157 "winbindd: idmap child"
dez 02 09:32:04 srvarquivos-rj systemd[1]: Starting winbind.service - Samba Winbind Daemon...
dez 02 09:32:04 srvarquivos-rj winbindd[1126]: [2024/12/02 09:32:04.188023, 0] ../../source3/winbindd/winbindd.c:1440(main)
dez 02 09:32:04 srvarquivos-rj winbindd[1126]: winbindd version 4.17.12-Debian started.
dez 02 09:32:04 srvarquivos-rj winbindd[1126]: Copyright Andrew Tridgell and the Samba Team 1992-2022
dez 02 09:32:04 srvarquivos-rj winbindd[1126]: [2024/12/02 09:32:04.191175, 0] ../../source3/winbindd/winbindd_cache.c:3117(initialize_winbindd_cache)
dez 02 09:32:04 srvarquivos-rj winbindd[1126]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
dez 02 09:32:04 srvarquivos-rj systemd[1]: Started winbind.service - Samba Winbind Daemon.
sssd:
root@srvarquivos-rj:~# systemctl status sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-12-02 09:19:29 -03; 33min ago
Main PID: 722 (sssd)
Tasks: 5 (limit: 11878)
Memory: 74.7M
CPU: 583ms
CGroup: /system.slice/sssd.service
├─722 /usr/sbin/sssd -i --logger=files
├─806 /usr/libexec/sssd/sssd_be --domain eletrodata.local --uid 0 --gid 0 --logger=files
├─817 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─818 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─819 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
dez 02 09:19:29 srvarquivos-rj systemd[1]: Starting sssd.service - System Security Services Daemon...
dez 02 09:19:29 srvarquivos-rj sssd[722]: Starting up
dez 02 09:19:29 srvarquivos-rj sssd_be[806]: Starting up
dez 02 09:19:29 srvarquivos-rj sssd_nss[817]: Starting up
dez 02 09:19:29 srvarquivos-rj sssd_pam[818]: Starting up
dez 02 09:19:29 srvarquivos-rj sssd_pac[819]: Starting up
dez 02 09:19:29 srvarquivos-rj systemd[1]: Started sssd.service - System Security Services Daemon.
And this one is from samba, which shows the authentication error.
root@srvarquivos-rj:~# systemctl status smbd
● smbd.service - Samba SMB Daemon
Loaded: loaded (/lib/systemd/system/smbd.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-12-02 09:32:04 -03; 13min ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Process: 1129 ExecCondition=/usr/share/samba/is-configured smb (code=exited, status=0/SUCCESS)
Process: 1142 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
Main PID: 1152 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 3 (limit: 11878)
Memory: 8.1M
CPU: 1.691s
CGroup: /system.slice/smbd.service
├─1152 /usr/sbin/smbd --foreground --no-process-group
├─1155 /usr/sbin/smbd --foreground --no-process-group
└─1156 /usr/sbin/smbd --foreground --no-process-group
dez 02 09:44:24 srvarquivos-rj smbd[1304]: [2024/12/02 09:44:24.131124, 0] ../../source3/auth/auth_util.c:1933(check_account)
dez 02 09:44:24 srvarquivos-rj smbd[1304]: check_account: Failed to find local account with UID 10004 for SID S-1-5-21-1603482814-4138463377-1435307895-3794 (dom_user[ELETRODATA\matheus.cardoso])
dez 02 09:44:24 srvarquivos-rj smbd[1305]: [2024/12/02 09:44:24.183227, 0] ../../source3/auth/auth_util.c:1933(check_account)
dez 02 09:44:24 srvarquivos-rj smbd[1305]: check_account: Failed to find local account with UID 10004 for SID S-1-5-21-1603482814-4138463377-1435307895-3794 (dom_user[ELETRODATA\matheus.cardoso])
dez 02 09:44:24 srvarquivos-rj smbd[1306]: [2024/12/02 09:44:24.232189, 0] ../../source3/auth/auth_util.c:1933(check_account)
dez 02 09:44:24 srvarquivos-rj smbd[1306]: check_account: Failed to find local account with UID 10004 for SID S-1-5-21-1603482814-4138463377-1435307895-3794 (dom_user[ELETRODATA\matheus.cardoso])
dez 02 09:44:24 srvarquivos-rj smbd[1307]: [2024/12/02 09:44:24.279977, 0] ../../source3/auth/auth_util.c:1933(check_account)
dez 02 09:44:24 srvarquivos-rj smbd[1307]: check_account: Failed to find local account with UID 10004 for SID S-1-5-21-1603482814-4138463377-1435307895-3794 (dom_user[ELETRODATA\matheus.cardoso])
dez 02 09:44:45 srvarquivos-rj smbd[1308]: [2024/12/02 09:44:45.083225, 0] ../../source3/param/loadparm.c:3461(process_usershare_file)
dez 02 09:44:45 srvarquivos-rj smbd[1308]: process_usershare_file: stat of /var/lib/samba/usershares/eletrodata-rj failed. Permissão negada
Help me out, haha...
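
Added example, not part of the original post: a small Python check over the `idmap config` lines of the smb.conf above. It flags a range whose lower bound is not below its upper bound, flags overlapping ranges, and reports which range contains the UID 10004 from the smbd log. The function names are illustrative.

```python
import re

# idmap lines copied from the smb.conf in the post above
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config ELETRODATA : backend = rid
idmap config ELETRODATA : range = 200001-30000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines do not match
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-", 1))
        domains.setdefault(dom, {})[key] = val
    return domains

def check_ranges(domains):
    """Flag inverted ranges and overlaps between well-formed ranges."""
    problems, valid = [], []
    for dom, cfg in domains.items():
        low, high = cfg.get("range", (0, 0))
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} has low >= high")
        else:
            valid.append((low, high, dom))
    valid.sort()
    for (_, h1, d1), (l2, _, d2) in zip(valid, valid[1:]):
        if l2 <= h1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

def owner_of(uid, domains):
    """Domains whose range (as written) contains uid."""
    return [d for d, c in domains.items()
            if "range" in c and c["range"][0] <= uid <= c["range"][1]]

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print(check_ranges(doms))        # problems found in the posted config
    print(owner_of(10004, doms))     # UID from the smbd check_account log
```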