Demande #34692
Mis à jour par Gilles Grandgérard il y a plus d'un an
Sur ADDC:
pb droits lxc ?
<pre>
Oct 7 11:51:19 addc ntpd[72]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
</pre>
<pre>
Oct 5 21:00:26 addc kernel: [6581343.849802] audit: type=1400 audit(1664996426.885:200): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/samba/winbindd/pipe" pid=3102408 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
</pre>
Sur le membre :
<pre>
Jun 23 11:25:35 scribe kernel: [ 1304.356458] audit: type=1400 audit(1624440335.852:71): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/samba/winbindd/pipe" pid=36073 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 23 11:25:39 scribe kernel: [ 1307.667503] audit: type=1400 audit(1624440339.161:72): apparmor="DENIED" operation="connect" profile="/usr/sbin/mysqld" name="/run/samba/winbindd/pipe" pid=36151 comm="mysqld" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
</pre>
<pre>
2022-10-07T16:00:56.197893+02:00 scribe.0740931k.etab smbd_audit: chdir_current_service: vfs_ChDir(/home/adhomes/borban) failed: Permission non accordée. Current token: uid=13658, gid=10515, 5 groups: 13658 10515 2000 2001 2002
</pre>
voir le thread https://lists.samba.org/archive/samba/2021-January/234208.html
a voir pb idmap 2000 : 13658 10515 sont dans le range AD, 2000 2001 2002 ne le sont pas !
<pre>
[2022/10/03 12:37:15.142830, 0] ../../source3/libsmb/trusts_util.c:379(trust_pw_change)
2022/10/03 12:37:15 : trust_pw_change(0740931K): Verifying passwords remotely netlogon_creds_cli:CLI[SCRIBE/SCRIBE$]/SRV[ADDC/0740931K].
[2022/10/03 12:37:15.145941, 0] ../../source3/libsmb/trusts_util.c:451(trust_pw_change)
2022/10/03 12:37:15 : trust_pw_change(0740931K): Verified old password remotely using netlogon_creds_cli:CLI[SCRIBE/SCRIBE$]/SRV[ADDC/0740931K]
[2022/10/03 12:37:15.145993, 0] ../../source3/libsmb/trusts_util.c:491(trust_pw_change)
2022/10/03 12:37:15 : trust_pw_change(0740931K): Changed password locally
[2022/10/03 12:37:15.190458, 0] ../../source3/libsmb/trusts_util.c:544(trust_pw_change)
2022/10/03 12:37:15 : trust_pw_change(0740931K): Changed password remotely using netlogon_creds_cli:CLI[SCRIBE/SCRIBE$]/SRV[ADDC/0740931K]
[2022/10/03 12:37:15.192270, 0] ../../source3/libsmb/trusts_util.c:563(trust_pw_change)
2022/10/03 12:37:15 : trust_pw_change(0740931K): Finished password change.
[2022/10/03 12:37:15.194459, 0] ../../source3/libsmb/trusts_util.c:615(trust_pw_change)
2022/10/03 12:37:15 : trust_pw_change(0740931K): Verified new password remotely using netlogon_creds_cli:CLI[SCRIBE/SCRIBE$]/SRV[ADDC/0740931K]
[2022/10/03 14:33:34.816734, 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
kerberos_kinit_password SCRIBE$@0740931K.ETAB failed: Preauthentication failed
</pre>
Bizarre, le changement de mot de passe du compte machine (SCRIBE$) ne s'est pas bien passé ! (est-ce du à la présence de ntml_auth dans le smb.conf ?)