无法使用可信域AD凭据登录到Ubuntu服务器
我有一个AD域加入了Ubuntu22.04服务器。我需要能够使用来自附加到服务器成员的AD域的可信域的凭据登录到它。登录不使用受信任的域凭据。安装了下列软件包:
winbind,krb5 5-user,sssd-ad,samba
域是domain1.org和domain2.local。and是我的服务器连接到的域,domain2.local是受信任的域。
我可以使用domain1.orgcreds登录,以下所有命令都可以工作:
ping domain1.org
ping domain2.local
id someuser@domain1.org
id someuser@domain2.local
wbinfo -i someuser@domain1.org
wbinfo -i someuser@domain2.local
wbinfo -n someuser@domain2.local
net cache flush
wbinfo --sid-to-uid <SID returned in the wbinfo -n command>我无法使用domain2.localcreds登录到这个Ubuntu服务器。我确实有一个Rocky Linux服务器,它的设置方式与这个差不多,而且我能够使用domain2.local cred登录。
下面是samba、sssd、nsswitch和krb5吐露:
/etc/samba/smb.conf
[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
netbios name = MYTEST
security = ads
server signing = mandatory
client signing = mandatory
client lanman auth = no
min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3
restrict anonymous = 2
os level = 0
preferred master = no
local master = no
domain master = no
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /home/%D/%U
template shell = /bin/bash
map acl inherit = yes
nt acl support = yes
inherit acls = Yes
acl group control = yes
log level = 10
max log size = 10
log file = /var/log/samba/samba.log
winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999/etc/sssd/con.d/sssd.conf
[sssd]
config_file_version = 2
domains = DOMAIN1.ORG
reconnection_retries = 3
services = nss, pam, ssh, autofs
[domain/DOMAIN1.ORG]
#debug_level = 9
ad_hostname = mytest.domain1.org
id_provider = ad
auth_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = DOMAIN1.ORG
fallback_homedir = /home/%u/%d
ad_domain = domain1.org
use_fully_qualified_names = False
case_sensitive = False
ad_gpo_ignore_unreadable = True
dyndns_update = true
dyndns_refresh_interval = 43200
ad_update_samba_machine_account_password = True
[nss]
filter_users = root
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5/etc/nsswitch.conf
passwd: files winbind systemd sss
group: files winbind systemd sss
shadow: files sss
gshadow: files
hosts: files resolve dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = DOMAIN1.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1我感谢任何和所有的评论和/或帮助。谢谢!
回答 1
Unix & Linux用户
发布于 2023-04-06 08:38:19
首先,
apt-get purge sssd同时运行sssd和winbind是没有意义的,您需要使用winbind作为信任。
第二,修复您的smb.conf。这是错误的:
使用默认域= yes idmap config *:range = 1100-65534 idmap config *:后端= tdb idmap config *:后端= autorid idmap config *:range = 1000000-999999999
最后两行覆盖上面的两行,您不能将winbind use default domain = yes与autorid idmap后端一起使用。删除上面的前三行,如果所需的信任已经到位,它就会工作。
https://unix.stackexchange.com/questions/742106
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号