ALT Linux Bugzilla
– Attachment 12936 Details for Bug 45830: Group policy "Account lockout" is not applied
domain-diag collection
domain-diag.log (text/plain), 22.33 KB, created by Владимир on 2023-04-11 17:42:21 MSK
>===============================================================================
>| Samba environment diagnostic tool |
>-------------------------------------------------------------------------------
>Version: 0.2.2
>Date: Вт 11 апр 2023 17:23:33 MSK
>-------------------------------------------------------------------------------
>System information
>Kernel: 5.10.166-std-def-alt1
>Branch: p10
>===============================================================================
>
>===============================================================================
>| check_hostnamectl |
>-------------------------------------------------------------------------------
>
>$ hostnamectl
> Static hostname: host-6
> Icon name: computer-vm
> Chassis: vm
> Machine ID: b2fd91ec8ef48e7e0295f08263ef781e
> Boot ID: f6081cff332048af85db788e35f6d30d
> Virtualization: kvm
>Operating System: ALT Workstation 10.1 (Autolycus)
> CPE OS Name: cpe:/o:alt:workstation:10.1
> Kernel: Linux 5.10.166-std-def-alt1
> Architecture: x86-64
> Hardware Vendor: QEMU
> Hardware Model: Standard PC _i440FX + PIIX, 1996_
>
>-------------------------------------------------------------------------------
>Check hostname persistance: [DONE]
>===============================================================================
>
>===============================================================================
>| test_hostname |
>-------------------------------------------------------------------------------
>
>host-6
>
>-------------------------------------------------------------------------------
>Test hostname is FQDN (not short): [WARN]
>===============================================================================
>
>===============================================================================
>| check_system_auth |
>-------------------------------------------------------------------------------
>
>$ /usr/sbin/control system-auth
>sss
>
>$ readlink -f /etc/pam.d/system-auth
>/etc/pam.d/system-auth-sss
>
>$ cat /etc/pam.d/system-auth
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>#%PAM-1.0
>
>auth [success=4 perm_denied=ignore default=die] pam_localuser.so
>auth [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
>auth [default=1] pam_permit.so
>auth substack system-auth-sss-only
>auth [default=1] pam_permit.so
>auth substack system-auth-local-only
>auth substack system-auth-common
>
>account [success=4 perm_denied=ignore default=die] pam_localuser.so
>account [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
>account [default=1] pam_permit.so
>account substack system-auth-sss-only
>account [default=1] pam_permit.so
>account substack system-auth-local-only
>account substack system-auth-common
>
>password [success=4 perm_denied=ignore default=die] pam_localuser.so
>password [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
>password [default=1] pam_permit.so
>password substack system-auth-sss-only
>password [default=1] pam_permit.so
>password substack system-auth-local-only
>password substack system-auth-common
>
>session [success=4 perm_denied=ignore default=die] pam_localuser.so
>session [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
>session [default=1] pam_permit.so
>session substack system-auth-sss-only
>session [default=1] pam_permit.so
>session substack system-auth-local-only
>session substack system-auth-common
>session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
>session optional pam_mount.so disable_interactive
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>-------------------------------------------------------------------------------
>System authentication method: [DONE]
>===============================================================================
>
>===============================================================================
>| test_domain_system_auth |
>-------------------------------------------------------------------------------
>
>$ /usr/sbin/control system-auth
>sss
>
>$ test sss != local
>
>-------------------------------------------------------------------------------
>Domain system authentication enabled: [DONE]
>===============================================================================
>
>===============================================================================
>| check_system_policy |
>-------------------------------------------------------------------------------
>
>$ /usr/sbin/control system-policy
>gpupdate
>
>$ readlink -f /etc/pam.d/system-policy
>/etc/pam.d/system-policy-gpupdate
>
>$ cat /etc/pam.d/system-policy
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>#%PAM-1.0
>session [success=2 perm_denied=ignore default=die] pam_localuser.so
>session substack gpupdate-remote-policy
>session [default=1] pam_permit.so
>session [default=6] pam_permit.so
>session [success=1 default=ignore] pam_succeed_if.so user ingroup users quiet
>session [default=4] pam_permit.so
>session [success=1 default=ignore] pam_succeed_if.so uid >= 500 quiet
>session [default=2] pam_permit.so
>-session required pam_oddjob_gpupdate.so
>session optional pam_env.so user_readenv=1 conffile=/etc/gpupdate/environment user_envfile=.gpupdate_environment
>session required pam_permit.so
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>-------------------------------------------------------------------------------
>System policy method: [DONE]
>===============================================================================
>
>===============================================================================
>| test_gpupdate_system_policy |
>-------------------------------------------------------------------------------
>
>$ /usr/sbin/control system-policy
>gpupdate
>
>$ test gpupdate == gpupdate
>
>-------------------------------------------------------------------------------
>System group policy enabled: [DONE]
>===============================================================================
>
>===============================================================================
>| check_krb5_conf_exists |
>-------------------------------------------------------------------------------
>
>$ ls -l /etc/krb5.conf
>-rw-r--r-- 1 root root 541 апр 5 22:02 /etc/krb5.conf
>
>$ cat /etc/krb5.conf
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>includedir /etc/krb5.conf.d/
>
>[logging]
># default = FILE:/var/log/krb5libs.log
># kdc = FILE:/var/log/krb5kdc.log
># admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
>default_realm = TEHGID.HIT
> dns_lookup_kdc = true
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
># default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
>[realms]
># EXAMPLE.COM = {
># default_domain = example.com
># }
>
>[domain_realm]
># .example.com = EXAMPLE.COM
># example.com = EXAMPLE.COM
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>-------------------------------------------------------------------------------
>Check Kerberos configuration exists: [DONE]
>===============================================================================
>
>===============================================================================
>| check_krb5_conf_ccache |
>-------------------------------------------------------------------------------
>
>$ /usr/sbin/control krb5-conf-ccache
>keyring
>
>-------------------------------------------------------------------------------
>Kerberos credential cache status: [DONE]
>===============================================================================
>
>===============================================================================
>| test_keyring_krb5_conf_ccache |
>-------------------------------------------------------------------------------
>
>$ /usr/sbin/control krb5-conf-ccache
>keyring
>
>$ test -n keyring -a keyring == keyring
>
>-------------------------------------------------------------------------------
>Using keyring as kerberos credential cache: [DONE]
>===============================================================================
>
>===============================================================================
>| check_krb5_conf_kdc_lookup |
>-------------------------------------------------------------------------------
>
>/etc/krb5.conf: dns_lookup_kdc is enabled
>
>-------------------------------------------------------------------------------
>Check DNS lookup kerberos KDC status: [DONE]
>===============================================================================
>
>===============================================================================
>| check_krb5_keytab_exists |
>-------------------------------------------------------------------------------
>
>$ ls -l /etc/krb5.keytab
>-rw-r----- 1 root _keytab 2370 фев 28 15:55 /etc/krb5.keytab
>
>-------------------------------------------------------------------------------
>Check machine crendetial cache is exists: [DONE]
>===============================================================================
>
>===============================================================================
>| check_keytab_credential_list |
>-------------------------------------------------------------------------------
>
># klist -ke
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
> 2 restrictedkrbhost/host-6.tehgid.hit@TEHGID.HIT (aes256-cts-hmac-sha1-96)
> 2 restrictedkrbhost/HOST-6@TEHGID.HIT (aes256-cts-hmac-sha1-96)
> 2 restrictedkrbhost/host-6.tehgid.hit@TEHGID.HIT (aes128-cts-hmac-sha1-96)
> 2 restrictedkrbhost/HOST-6@TEHGID.HIT (aes128-cts-hmac-sha1-96)
> 2 restrictedkrbhost/host-6.tehgid.hit@TEHGID.HIT (DEPRECATED:arcfour-hmac)
> 2 restrictedkrbhost/HOST-6@TEHGID.HIT (DEPRECATED:arcfour-hmac)
> 2 host/host-6.tehgid.hit@TEHGID.HIT (aes256-cts-hmac-sha1-96)
> 2 host/HOST-6@TEHGID.HIT (aes256-cts-hmac-sha1-96)
> 2 host/host-6.tehgid.hit@TEHGID.HIT (aes128-cts-hmac-sha1-96)
> 2 host/HOST-6@TEHGID.HIT (aes128-cts-hmac-sha1-96)
> 2 host/host-6.tehgid.hit@TEHGID.HIT (DEPRECATED:arcfour-hmac)
> 2 host/HOST-6@TEHGID.HIT (DEPRECATED:arcfour-hmac)
> 2 HOST-6$@TEHGID.HIT (aes256-cts-hmac-sha1-96)
> 2 HOST-6$@TEHGID.HIT (aes128-cts-hmac-sha1-96)
> 2 HOST-6$@TEHGID.HIT (DEPRECATED:arcfour-hmac)
>
>-------------------------------------------------------------------------------
>Check machine credentials list in keytab: [DONE]
>===============================================================================
>
>===============================================================================
>| check_resolv_conf |
>-------------------------------------------------------------------------------
>
>$ ls -l /etc/resolv.conf
>-rw-r--r-- 1 root root 147 апр 11 16:59 /etc/resolv.conf
>
>$ cat /etc/resolv.conf
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
># Generated by resolvconf
># Do not edit manually, use
># /etc/net/ifaces/<interface>/resolv.conf instead.
>search tehgid.hit
>nameserver 192.168.11.32~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>-------------------------------------------------------------------------------
>Check nameserver resolver configuration: [DONE]
>===============================================================================
>
>===============================================================================
>| compare_resolv_conf_with_default_realm |
>-------------------------------------------------------------------------------
>
>SEARCH_DOMAIN = 'search tehgid.hit'
>KRB5_DEFAULT_REALM = 'TEHGID.HIT'
>
>-------------------------------------------------------------------------------
>Compare krb5 realm and first search domain: [WARN]
>===============================================================================
>
>===============================================================================
>| check_smb_conf |
>-------------------------------------------------------------------------------
>
>$ ls -l /etc/samba/smb.conf
>-rw-r--r-- 1 root root 3867 фев 28 15:55 /etc/samba/smb.conf
>
>$ grep -v -e '^\s*[#;]' -e '^\s*$' /etc/samba/smb.conf
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>[global]
> security = ads
> realm = TEHGID.HIT
> workgroup = TEHGID
> netbios name = HOST-6
> template shell = /bin/bash
> kerberos method = system keytab
> wins support = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> template homedir = /home/TEHGID.HIT/%U
> idmap config * : range = 200000-2000200000
> idmap config * : backend = sss
> machine password timeout = 0
>[homes]
> comment = Home Directories
> browseable = no
> writable = yes
>[printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>$ testparm -l -s
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Load smb config files from /etc/samba/smb.conf
>Loaded services file OK.
>Weak crypto is allowed
>Server role: ROLE_DOMAIN_MEMBER
>
># Global parameters
>[global]
> kerberos method = system keytab
> machine password timeout = 0
> realm = TEHGID.HIT
> security = ADS
> template homedir = /home/TEHGID.HIT/%U
> template shell = /bin/bash
> winbind use default domain = Yes
> workgroup = TEHGID
> idmap config * : range = 200000-2000200000
> idmap config * : backend = sss
>
>
>[homes]
> browseable = No
> comment = Home Directories
> read only = No
>
>
>[printers]
> browseable = No
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>-------------------------------------------------------------------------------
>Check Samba configuration: [DONE]
>===============================================================================
>
>===============================================================================
>| compare_smb_realm_with_krb5_default_realm |
>-------------------------------------------------------------------------------
>
>SMB_REALM = 'TEHGID.HIT'
>KRB5_DEFAULT_REALM = 'TEHGID.HIT'
>
>-------------------------------------------------------------------------------
>Compare samba and krb5 realms: [DONE]
>===============================================================================
>
>===============================================================================
>| test_smb_realm |
>-------------------------------------------------------------------------------
>
>DOMAIN_REALM = 'TEHGID.HIT'
>DOMAIN_DOMAIN = 'tehgid.hit'
>
>-------------------------------------------------------------------------------
>Check Samba domain realm: [DONE]
>===============================================================================
>
>===============================================================================
>| test_domainname |
>-------------------------------------------------------------------------------
>
>HOSTNAME_DOMAIN = ''
>
>-------------------------------------------------------------------------------
>Check hostname FQDN domainname: [WARN]
>===============================================================================
>
>===============================================================================
>| check_time_synchronization |
>-------------------------------------------------------------------------------
>
>$ timedatectl
> Local time: Вт 2023-04-11 17:23:35 MSK
> Universal time: Вт 2023-04-11 14:23:35 UTC
> RTC time: Вт 2023-04-11 14:23:35
> Time zone: Europe/Moscow (MSK, +0300)
>System clock synchronized: no
> NTP service: active
> RTC in local TZ: no
>
>-------------------------------------------------------------------------------
>Check time synchronization: [DONE]
>===============================================================================
>
>===============================================================================
>| test_time_synchronization |
>-------------------------------------------------------------------------------
>
>$ test $(timedatectl show -p NTPSynchronized --value) == "yes"
>
>-------------------------------------------------------------------------------
>Time synchronization enabled: [WARN]
>===============================================================================
>
>===============================================================================
>| check_nameservers |
>-------------------------------------------------------------------------------
>
>$ ping -c 2 -i2 192.168.11.32
>PING 192.168.11.32 (192.168.11.32) 56(84) bytes of data.
>64 bytes from 192.168.11.32: icmp_seq=1 ttl=128 time=0.495 ms
>64 bytes from 192.168.11.32: icmp_seq=2 ttl=128 time=0.458 ms
>
>--- 192.168.11.32 ping statistics ---
>2 packets transmitted, 2 received, 0% packet loss, time 2062ms
>rtt min/avg/max/mdev = 0.458/0.476/0.495/0.018 ms
>
>$ host tehgid.hit 192.168.11.32
>Using domain server:
>Name: 192.168.11.32
>Address: 192.168.11.32#53
>Aliases:
>
>tehgid.hit has address 192.168.11.32
>
>$ ping -c 2 -i2 192.168.11.32
>PING 192.168.11.32 (192.168.11.32) 56(84) bytes of data.
>64 bytes from 192.168.11.32: icmp_seq=1 ttl=128 time=0.401 ms
>64 bytes from 192.168.11.32: icmp_seq=2 ttl=128 time=0.427 ms
>
>--- 192.168.11.32 ping statistics ---
>2 packets transmitted, 2 received, 0% packet loss, time 2039ms
>rtt min/avg/max/mdev = 0.401/0.414/0.427/0.013 ms
>
>$ host tehgid.hit 192.168.11.32
>Using domain server:
>Name: 192.168.11.32
>Address: 192.168.11.32#53
>Aliases:
>
>tehgid.hit has address 192.168.11.32
>
>$ ping -c 2 -i2 192.168.11.32
>PING 192.168.11.32 (192.168.11.32) 56(84) bytes of data.
>64 bytes from 192.168.11.32: icmp_seq=1 ttl=128 time=0.415 ms
>64 bytes from 192.168.11.32: icmp_seq=2 ttl=128 time=0.398 ms
>
>--- 192.168.11.32 ping statistics ---
>2 packets transmitted, 2 received, 0% packet loss, time 2061ms
>rtt min/avg/max/mdev = 0.398/0.406/0.415/0.008 ms
>
>$ host tehgid.hit 192.168.11.32
>Using domain server:
>Name: 192.168.11.32
>Address: 192.168.11.32#53
>Aliases:
>
>tehgid.hit has address 192.168.11.32
>
>-------------------------------------------------------------------------------
>Check nameservers availability: [DONE]
>===============================================================================
>
>===============================================================================
>| check_domain_controllers |
>-------------------------------------------------------------------------------
>
>$ host -t srv _ldap._tcp.tehgid.hit | cut -d ' ' -f 8
>win-gidoso9qiu9.tehgid.hit.
>
>$ host win-gidoso9qiu9.tehgid.hit. | sed 's/^.* //g'
>192.168.11.32
>
>$ kinit -k HOST-6$\@TEHGID.HIT
>
>$ ldapsearch -o nettimeout=30 -Y GSSAPI -N -h win-gidoso9qiu9.tehgid.hit. -b dc=tehgid,dc=hit "(&(ObjectClass=computer)(objectCategory=Computer)(name=win-gidoso9qiu9))" | grep 'operating\|name:' | cut -d ' ' -f 2 | tr '\n' ' '
>SASL/GSSAPI authentication started
>SASL username: HOST-6$@TEHGID.HIT
>SASL SSF: 56
>SASL data security layer installed.
>WIN-GIDOSO9QIU9 Windows 6.3
>
>$ kdestroy -A
>
>-------------------------------------------------------------------------------
>Check domain controllers list: [DONE]
>===============================================================================
>
>===============================================================================
>| check_kerberos_and_ldap_srv_records |
>-------------------------------------------------------------------------------
>
>$ host -t srv _kerberos._udp.tehgid.hit
>_kerberos._udp.tehgid.hit has SRV record 0 100 88 win-gidoso9qiu9.tehgid.hit.
>
>$ host -t srv _ldap._tcp.tehgid.hit
>_ldap._tcp.tehgid.hit has SRV record 0 100 389 win-gidoso9qiu9.tehgid.hit.
>
>-------------------------------------------------------------------------------
>Check Kerberos and LDAP SRV-records: [DONE]
>===============================================================================
>
>===============================================================================
>| compare_netbios_name |
>-------------------------------------------------------------------------------
>
>SMB_NETBIOS_NAME = 'HOST-6'
>HOSTNAME_SHORT = 'host-6'
>
>-------------------------------------------------------------------------------
>Compare NetBIOS name and hostname: [DONE]
>===============================================================================
>
>===============================================================================
>| check_common_packages |
>-------------------------------------------------------------------------------
>
>$ rpm -q alterator-auth
>alterator-auth-0.44.1-alt1.x86_64
>
>$ rpm -q libnss-role
>libnss-role-0.5.6-alt1.x86_64
>
>$ rpm -q libkrb5
>libkrb5-1.19.4-alt1.x86_64
>
>$ rpm -q libsmbclient
>libsmbclient-4.16.9-alt1.x86_64
>
>-------------------------------------------------------------------------------
>Check common packages: [DONE]
>===============================================================================
>
>===============================================================================
>| check_group_policy_packages |
>-------------------------------------------------------------------------------
>
>$ rpm -q local-policy
>local-policy-0.6.0-alt1.noarch
>
>$ rpm -q gpupdate
>gpupdate-0.9.12.3-alt1.noarch
>
>-------------------------------------------------------------------------------
>Check group policy packages: [DONE]
>===============================================================================
>
>===============================================================================
>| check_sssd_ad_packages |
>-------------------------------------------------------------------------------
>
>$ rpm -q task-auth-ad-sssd
>task-auth-ad-sssd-0.44.1-alt1.x86_64
>
>-------------------------------------------------------------------------------
>Check SSSD AD packages: [DONE]
>===============================================================================
>
>===============================================================================
>| check_sssd_winbind_packages |
>-------------------------------------------------------------------------------
>
>$ rpm -q task-auth-ad-winbind
>пакет task-auth-ad-winbind не установлен
>
>-------------------------------------------------------------------------------
>Check SSSD Winbind packages: [WARN]
>===============================================================================