=============================================================================== | Samba environment diagnostic tool | ------------------------------------------------------------------------------- Version: 0.2.2 Date: Вт 11 апр 2023 17:23:33 MSK ------------------------------------------------------------------------------- System information Kernel: 5.10.166-std-def-alt1 Branch: p10 =============================================================================== =============================================================================== | check_hostnamectl | ------------------------------------------------------------------------------- $ hostnamectl Static hostname: host-6 Icon name: computer-vm Chassis: vm Machine ID: b2fd91ec8ef48e7e0295f08263ef781e Boot ID: f6081cff332048af85db788e35f6d30d Virtualization: kvm Operating System: ALT Workstation 10.1 (Autolycus) CPE OS Name: cpe:/o:alt:workstation:10.1 Kernel: Linux 5.10.166-std-def-alt1 Architecture: x86-64 Hardware Vendor: QEMU Hardware Model: Standard PC _i440FX + PIIX, 1996_ ------------------------------------------------------------------------------- Check hostname persistence: [DONE] =============================================================================== =============================================================================== | test_hostname | ------------------------------------------------------------------------------- host-6 ------------------------------------------------------------------------------- Test hostname is FQDN (not short): [WARN] =============================================================================== =============================================================================== | check_system_auth | ------------------------------------------------------------------------------- $ /usr/sbin/control system-auth sss $ readlink -f /etc/pam.d/system-auth /etc/pam.d/system-auth-sss $ cat /etc/pam.d/system-auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #%PAM-1.0 auth [success=4 perm_denied=ignore default=die] pam_localuser.so auth [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet auth [default=1] pam_permit.so auth substack system-auth-sss-only auth [default=1] pam_permit.so auth substack system-auth-local-only auth substack system-auth-common account [success=4 perm_denied=ignore default=die] pam_localuser.so account [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet account [default=1] pam_permit.so account substack system-auth-sss-only account [default=1] pam_permit.so account substack system-auth-local-only account substack system-auth-common password [success=4 perm_denied=ignore default=die] pam_localuser.so password [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet password [default=1] pam_permit.so password substack system-auth-sss-only password [default=1] pam_permit.so password substack system-auth-local-only password substack system-auth-common session [success=4 perm_denied=ignore default=die] pam_localuser.so session [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet session [default=1] pam_permit.so session substack system-auth-sss-only session [default=1] pam_permit.so session substack system-auth-local-only session substack system-auth-common session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet session optional pam_mount.so disable_interactive ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------------------------------------- System authentication method: [DONE] =============================================================================== =============================================================================== | test_domain_system_auth | ------------------------------------------------------------------------------- $ /usr/sbin/control system-auth sss $ test sss 
!= local ------------------------------------------------------------------------------- Domain system authentication enabled: [DONE] =============================================================================== =============================================================================== | check_system_policy | ------------------------------------------------------------------------------- $ /usr/sbin/control system-policy gpupdate $ readlink -f /etc/pam.d/system-policy /etc/pam.d/system-policy-gpupdate $ cat /etc/pam.d/system-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #%PAM-1.0 session [success=2 perm_denied=ignore default=die] pam_localuser.so session substack gpupdate-remote-policy session [default=1] pam_permit.so session [default=6] pam_permit.so session [success=1 default=ignore] pam_succeed_if.so user ingroup users quiet session [default=4] pam_permit.so session [success=1 default=ignore] pam_succeed_if.so uid >= 500 quiet session [default=2] pam_permit.so -session required pam_oddjob_gpupdate.so session optional pam_env.so user_readenv=1 conffile=/etc/gpupdate/environment user_envfile=.gpupdate_environment session required pam_permit.so ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------------------------------------- System policy method: [DONE] =============================================================================== =============================================================================== | test_gpupdate_system_policy | ------------------------------------------------------------------------------- $ /usr/sbin/control system-policy gpupdate $ test gpupdate == gpupdate ------------------------------------------------------------------------------- System group policy enabled: [DONE] =============================================================================== 
=============================================================================== | check_krb5_conf_exists | ------------------------------------------------------------------------------- $ ls -l /etc/krb5.conf -rw-r--r-- 1 root root 541 апр 5 22:02 /etc/krb5.conf $ cat /etc/krb5.conf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ includedir /etc/krb5.conf.d/ [logging] # default = FILE:/var/log/krb5libs.log # kdc = FILE:/var/log/krb5kdc.log # admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = TEHGID.HIT dns_lookup_kdc = true dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false # default_realm = EXAMPLE.COM default_ccache_name = KEYRING:persistent:%{uid} [realms] # EXAMPLE.COM = { # default_domain = example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------------------------------------- Check Kerberos configuration exists: [DONE] =============================================================================== =============================================================================== | check_krb5_conf_ccache | ------------------------------------------------------------------------------- $ /usr/sbin/control krb5-conf-ccache keyring ------------------------------------------------------------------------------- Kerberos credential cache status: [DONE] =============================================================================== =============================================================================== | test_keyring_krb5_conf_ccache | ------------------------------------------------------------------------------- $ /usr/sbin/control krb5-conf-ccache keyring $ test -n keyring -a keyring == keyring ------------------------------------------------------------------------------- 
Using keyring as Kerberos credential cache: [DONE] =============================================================================== =============================================================================== | check_krb5_conf_kdc_lookup | ------------------------------------------------------------------------------- /etc/krb5.conf: dns_lookup_kdc is enabled ------------------------------------------------------------------------------- Check DNS lookup Kerberos KDC status: [DONE] =============================================================================== =============================================================================== | check_krb5_keytab_exists | ------------------------------------------------------------------------------- $ ls -l /etc/krb5.keytab -rw-r----- 1 root _keytab 2370 фев 28 15:55 /etc/krb5.keytab ------------------------------------------------------------------------------- Check machine keytab exists: [DONE] =============================================================================== =============================================================================== | check_keytab_credential_list | ------------------------------------------------------------------------------- # klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 restrictedkrbhost/host-6.tehgid.hit@TEHGID.HIT (aes256-cts-hmac-sha1-96) 2 restrictedkrbhost/HOST-6@TEHGID.HIT (aes256-cts-hmac-sha1-96) 2 restrictedkrbhost/host-6.tehgid.hit@TEHGID.HIT (aes128-cts-hmac-sha1-96) 2 restrictedkrbhost/HOST-6@TEHGID.HIT (aes128-cts-hmac-sha1-96) 2 restrictedkrbhost/host-6.tehgid.hit@TEHGID.HIT (DEPRECATED:arcfour-hmac) 2 restrictedkrbhost/HOST-6@TEHGID.HIT (DEPRECATED:arcfour-hmac) 2 host/host-6.tehgid.hit@TEHGID.HIT (aes256-cts-hmac-sha1-96) 2 host/HOST-6@TEHGID.HIT (aes256-cts-hmac-sha1-96) 2 host/host-6.tehgid.hit@TEHGID.HIT 
(aes128-cts-hmac-sha1-96) 2 host/HOST-6@TEHGID.HIT (aes128-cts-hmac-sha1-96) 2 host/host-6.tehgid.hit@TEHGID.HIT (DEPRECATED:arcfour-hmac) 2 host/HOST-6@TEHGID.HIT (DEPRECATED:arcfour-hmac) 2 HOST-6$@TEHGID.HIT (aes256-cts-hmac-sha1-96) 2 HOST-6$@TEHGID.HIT (aes128-cts-hmac-sha1-96) 2 HOST-6$@TEHGID.HIT (DEPRECATED:arcfour-hmac) ------------------------------------------------------------------------------- Check machine credentials list in keytab: [DONE] (note: the check passes on presence only; klist marks the arcfour-hmac (RC4) entries above as DEPRECATED, and AES keys are present for every principal, so the machine account could be restricted to AES-only encryption types on the KDC side) =============================================================================== =============================================================================== | check_resolv_conf | ------------------------------------------------------------------------------- $ ls -l /etc/resolv.conf -rw-r--r-- 1 root root 147 апр 11 16:59 /etc/resolv.conf $ cat /etc/resolv.conf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Generated by resolvconf # Do not edit manually, use # /etc/net/ifaces//resolv.conf instead. 
search tehgid.hit nameserver 192.168.11.32 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------------------------------------- Check nameserver resolver configuration: [DONE] =============================================================================== =============================================================================== | compare_resolv_conf_with_default_realm | ------------------------------------------------------------------------------- SEARCH_DOMAIN = 'search tehgid.hit' KRB5_DEFAULT_REALM = 'TEHGID.HIT' ------------------------------------------------------------------------------- Compare krb5 realm and first search domain: [WARN] (the compared SEARCH_DOMAIN value still carries the 'search ' keyword; the domain itself, tehgid.hit, matches the realm case-insensitively, so this warning may be an artifact of how the value was extracted rather than a real mismatch — verify before acting on it) =============================================================================== =============================================================================== | check_smb_conf | ------------------------------------------------------------------------------- $ ls -l /etc/samba/smb.conf -rw-r--r-- 1 root root 3867 фев 28 15:55 /etc/samba/smb.conf $ grep -v -e '^\s*[#;]' -e '^\s*$' /etc/samba/smb.conf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [global] security = ads realm = TEHGID.HIT workgroup = TEHGID netbios name = HOST-6 template shell = /bin/bash kerberos method = system keytab wins support = no winbind use default domain = yes winbind enum users = no winbind enum groups = no template homedir = /home/TEHGID.HIT/%U idmap config * : range = 200000-2000200000 idmap config * : backend = sss machine password timeout = 0 [homes] comment = Home Directories browseable = no writable = yes [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ testparm -l -s ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Load smb 
config files from /etc/samba/smb.conf Loaded services file OK. Weak crypto is allowed Server role: ROLE_DOMAIN_MEMBER # Global parameters [global] kerberos method = system keytab machine password timeout = 0 realm = TEHGID.HIT security = ADS template homedir = /home/TEHGID.HIT/%U template shell = /bin/bash winbind use default domain = Yes workgroup = TEHGID idmap config * : range = 200000-2000200000 idmap config * : backend = sss [homes] browseable = No comment = Home Directories read only = No [printers] browseable = No comment = All Printers path = /var/spool/samba printable = Yes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------------------------------------- Check Samba configuration: [DONE] (note: testparm reports "Weak crypto is allowed"; the check only validates that the file parses and does not evaluate that setting) =============================================================================== =============================================================================== | compare_smb_realm_with_krb5_default_realm | ------------------------------------------------------------------------------- SMB_REALM = 'TEHGID.HIT' KRB5_DEFAULT_REALM = 'TEHGID.HIT' ------------------------------------------------------------------------------- Compare Samba and krb5 realms: [DONE] =============================================================================== =============================================================================== | test_smb_realm | ------------------------------------------------------------------------------- DOMAIN_REALM = 'TEHGID.HIT' DOMAIN_DOMAIN = 'tehgid.hit' ------------------------------------------------------------------------------- Check Samba domain realm: [DONE] =============================================================================== =============================================================================== | test_domainname | ------------------------------------------------------------------------------- HOSTNAME_DOMAIN = '' 
------------------------------------------------------------------------------- Check hostname FQDN domainname: [WARN] =============================================================================== =============================================================================== | check_time_synchronization | ------------------------------------------------------------------------------- $ timedatectl Local time: Вт 2023-04-11 17:23:35 MSK Universal time: Вт 2023-04-11 14:23:35 UTC RTC time: Вт 2023-04-11 14:23:35 Time zone: Europe/Moscow (MSK, +0300) System clock synchronized: no NTP service: active RTC in local TZ: no ------------------------------------------------------------------------------- Check time synchronization: [DONE] =============================================================================== =============================================================================== | test_time_synchronization | ------------------------------------------------------------------------------- $ test $(timedatectl show -p NTPSynchronized --value) == "yes" ------------------------------------------------------------------------------- Time synchronization enabled: [WARN] (the NTP service is active but the clock is not yet reported as synchronized; Kerberos authentication depends on clock agreement with the KDC) =============================================================================== =============================================================================== | check_nameservers | ------------------------------------------------------------------------------- $ ping -c 2 -i2 192.168.11.32 PING 192.168.11.32 (192.168.11.32) 56(84) bytes of data. 
64 bytes from 192.168.11.32: icmp_seq=1 ttl=128 time=0.495 ms 64 bytes from 192.168.11.32: icmp_seq=2 ttl=128 time=0.458 ms --- 192.168.11.32 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 2062ms rtt min/avg/max/mdev = 0.458/0.476/0.495/0.018 ms $ host tehgid.hit 192.168.11.32 Using domain server: Name: 192.168.11.32 Address: 192.168.11.32#53 Aliases: tehgid.hit has address 192.168.11.32 $ ping -c 2 -i2 192.168.11.32 PING 192.168.11.32 (192.168.11.32) 56(84) bytes of data. 64 bytes from 192.168.11.32: icmp_seq=1 ttl=128 time=0.401 ms 64 bytes from 192.168.11.32: icmp_seq=2 ttl=128 time=0.427 ms --- 192.168.11.32 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 2039ms rtt min/avg/max/mdev = 0.401/0.414/0.427/0.013 ms $ host tehgid.hit 192.168.11.32 Using domain server: Name: 192.168.11.32 Address: 192.168.11.32#53 Aliases: tehgid.hit has address 192.168.11.32 $ ping -c 2 -i2 192.168.11.32 PING 192.168.11.32 (192.168.11.32) 56(84) bytes of data. 64 bytes from 192.168.11.32: icmp_seq=1 ttl=128 time=0.415 ms 64 bytes from 192.168.11.32: icmp_seq=2 ttl=128 time=0.398 ms --- 192.168.11.32 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 2061ms rtt min/avg/max/mdev = 0.398/0.406/0.415/0.008 ms $ host tehgid.hit 192.168.11.32 Using domain server: Name: 192.168.11.32 Address: 192.168.11.32#53 Aliases: tehgid.hit has address 192.168.11.32 ------------------------------------------------------------------------------- Check nameservers availability: [DONE] =============================================================================== =============================================================================== | check_domain_controllers | ------------------------------------------------------------------------------- $ host -t srv _ldap._tcp.tehgid.hit | cut -d ' ' -f 8 win-gidoso9qiu9.tehgid.hit. $ host win-gidoso9qiu9.tehgid.hit. 
| sed 's/^.* //g' 192.168.11.32 $ kinit -k HOST-6$\@TEHGID.HIT $ ldapsearch -o nettimeout=30 -Y GSSAPI -N -h win-gidoso9qiu9.tehgid.hit. -b dc=tehgid,dc=hit "(&(ObjectClass=computer)(objectCategory=Computer)(name=win-gidoso9qiu9))" | grep 'operating\|name:' | cut -d ' ' -f 2 | tr '\n' ' ' SASL/GSSAPI authentication started SASL username: HOST-6$@TEHGID.HIT SASL SSF: 56 SASL data security layer installed. WIN-GIDOSO9QIU9 Windows 6.3 $ kdestroy -A ------------------------------------------------------------------------------- Check domain controllers list: [DONE] =============================================================================== =============================================================================== | check_kerberos_and_ldap_srv_records | ------------------------------------------------------------------------------- $ host -t srv _kerberos._udp.tehgid.hit _kerberos._udp.tehgid.hit has SRV record 0 100 88 win-gidoso9qiu9.tehgid.hit. $ host -t srv _ldap._tcp.tehgid.hit _ldap._tcp.tehgid.hit has SRV record 0 100 389 win-gidoso9qiu9.tehgid.hit. 
------------------------------------------------------------------------------- Check Kerberos and LDAP SRV records: [DONE] =============================================================================== =============================================================================== | compare_netbios_name | ------------------------------------------------------------------------------- SMB_NETBIOS_NAME = 'HOST-6' HOSTNAME_SHORT = 'host-6' ------------------------------------------------------------------------------- Compare NetBIOS name and hostname: [DONE] =============================================================================== =============================================================================== | check_common_packages | ------------------------------------------------------------------------------- $ rpm -q alterator-auth alterator-auth-0.44.1-alt1.x86_64 $ rpm -q libnss-role libnss-role-0.5.6-alt1.x86_64 $ rpm -q libkrb5 libkrb5-1.19.4-alt1.x86_64 $ rpm -q libsmbclient libsmbclient-4.16.9-alt1.x86_64 ------------------------------------------------------------------------------- Check common packages: [DONE] =============================================================================== =============================================================================== | check_group_policy_packages | ------------------------------------------------------------------------------- $ rpm -q local-policy local-policy-0.6.0-alt1.noarch $ rpm -q gpupdate gpupdate-0.9.12.3-alt1.noarch ------------------------------------------------------------------------------- Check group policy packages: [DONE] =============================================================================== =============================================================================== | check_sssd_ad_packages | ------------------------------------------------------------------------------- $ rpm -q task-auth-ad-sssd 
task-auth-ad-sssd-0.44.1-alt1.x86_64 ------------------------------------------------------------------------------- Check SSSD AD packages: [DONE] =============================================================================== =============================================================================== | check_sssd_winbind_packages | ------------------------------------------------------------------------------- $ rpm -q task-auth-ad-winbind пакет task-auth-ad-winbind не установлен (package task-auth-ad-winbind is not installed) ------------------------------------------------------------------------------- Check Winbind AD packages: [WARN] (expected on this host: system-auth is set to sss and the SSSD AD task package is installed, so the Winbind package set is not required) ===============================================================================