Logging in with Active Directory users on Debian Jessie

Server Fault user
Asked 2015-12-14 12:30:03
Answers: 2 · Views: 2.8K · Followers: 0 · Votes: 1

I have been trying to get Active Directory users to log in for almost a week now. First of all, I am very new to PAM, Samba, Kerberos and winbind. We previously worked with local users and sudo, but decided to use Active Directory for user authentication so that we don't have to maintain both AD and local users on every machine. I googled and found some similar documents on how to achieve this.

First I set up a test box with Debian. The second step was to install these packages. In brackets is what I understand their purpose to be; please correct me if I'm wrong:

- krb5-user (Kerberos client, for receiving the TGT and user authentication)
- samba (Samba for joining the Linux box to the AD)
- smbclient (mounting the home directory)
- winbind (second way of user authentication, if Kerberos fails for any reason)
- libpam-winbind (PAM module for winbind)
- libpam-mount (Not sure about this one)
- libpam-ccreds (Storing credentials, if the DC is not reachable)
- libpam-krb5 (PAM module for Kerberos)
- cifs-utils (Mounting CIFS shares)

I can join the domain with the following command:

```sh
net ads join member -k -S DC1.DOMAIN.LOCAL -U {User_with_admin_rights} createcomputer=IT/BLA osName=Debian osVer=`cat /etc/debian_version` -d 1
```

After successfully joining the AD, obtaining a Kerberos ticket is straightforward:

```sh
kinit -V user@DOMAIN.LOCAL
```

and listing it:

```text
root@testbox / % klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@DOMAIN.LOCAL

Valid starting       Expires              Service principal
14.12.2015 09:47:01  14.12.2015 19:47:01 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 15.12.2015 09:46:57
```

But when I try to log in with an AD user (username: username@DOMAIN.LOCAL), it doesn't work:

```text
Dec 14 13:19:58 testbox login[2875]: pam_krb5(login:auth): user username@DOMAIN.LOCAL authenticated as username@DOMAIN.LOCAL
Dec 14 13:20:01 testbox login[2875]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'UNKNOWN', User not known to the underlying authentication module
```

As far as I understand, the user can authenticate via Kerberos, but that information is not passed on to the next module, right?

Back to the PAM configuration: I ran pam-auth-update and enabled everything:

```text
[*] Kerberos authentication
[*] Ccreds credential caching - password saving
[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Mount volumes for user
[*] Ccreds credential caching - password checking
```

Then I restarted the services (smbd, winbind).

Name resolution of the DC works in both directions on the Linux box.

Any help would be greatly appreciated! Thanks in advance!

Here is my /etc/krb5.conf (I removed the comments):

```ini
[libdefaults]
default_realm = DOMAIN

krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
DOMAIN.LOCAL = {
    kdc = DC1.domain.local
    kdc = DC2.domain.local
    kdc = DC.domain.local
    kdc = DC4.domain.local
    kdc = DC5.domain.local
    admin_server = DC1.domain.local
    default_domain = domain
}

[domain_realm]
   kerberos.server = DOMAIN.LOCAL

[login]
   krb4_convert = true
krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/krb5.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
```

This is my smb.conf:

```ini
#======================= Global Settings =======================
[global]
security = ADS
encrypt passwords = yes
realm = DOMAIN.LOCAL
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0

workgroup = DOMAIN

;   wins server = w.x.y.z
dns proxy = no
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
#####
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
########
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script  = /usr/sbin/useradd -g machines -c "%u machineaccount" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
##########
;   include = /home/samba/etc/smb.conf.%m
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash
;   usershare max shares = 100
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S

;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700
```

Last but not least, nsswitch.conf:

```text
passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

2 answers

Server Fault user

Posted 2015-12-16 12:38:02

OK, I got it working myself, at least the login. Tested on two different boxes, and the idmapping of uid & gid is the same on both. The only thing not working atm is mounting the home directory set in the user's Unix tab. As a workaround the directory is created under /home/domainname/username. I'll post my confs here and update when I get the mounted "AD home directory" working.

smb.conf:

```ini
[global]

workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
netbios name = HOSTNAME
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config DOMAIN : default = yes
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : readonly = yes
idmap config DOMAIN : range = 10000-1999999
idmap cache time = 604800

template homedir = /home/%D/%U
template shell = /bin/bash

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = yes
winbind expand groups = 4
winbind offline logon = true
winbind nss info = rfc2307

domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
client ldap sasl wrapping = sign
encrypt passwords = yes

client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
```

krb5.conf:

```ini
[libdefaults]
    default_realm = DOMAIN.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_keytab_name = FILE:/etc/krb5.keytab

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.LOCAL = {
        kdc = DC1.DOMAIN.local
        admin_server = DC1.DOMAIN.local
        default_domain = DOMAIN.local
    }

[domain_realm]
    .DOMAIN.local = DOMAIN.LOCAL
    DOMAIN.local = DOMAIN.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
        default = SYSLOG:DEBUG:DAEMON
```

nsswitch didn't change. If there are any suggestions or hints on how to mount the other home directory, I'd be very grateful :)

Votes: 1
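A pre-flight check for the two files this thread turns on, added here as an example and not part of the question or either answer: it parses an nsswitch.conf and an smb.conf and explains the question's "User not known to the underlying authentication module" (pam_krb5 accepted the password, but NSS has no winbind source that resolves the account) and flags the missing idmap config that the answer's smb.conf adds. The sample inputs are constructed from the configurations quoted above; treating winbind/sss as the NSS sources and the `idmap config DOMAIN : ...` naming as the required keys are assumptions.

```python
"""Added example, not from the Server Fault post: parse an nsswitch.conf and an
smb.conf and report why an AD user who authenticates via pam_krb5 can still be
"not known to the underlying authentication module". Inputs are constructed."""

NSS_AD_SOURCES = {"winbind", "sss"}  # assumed: NSS modules that resolve AD accounts


def parse_nsswitch(text):
    """Map each NSS database (passwd, group, ...) to its ordered source list."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def parse_smb_global(text):
    """Return the [global] section of an smb.conf as {lower-cased key: value}."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":  # smb.conf comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def ad_logon_findings(nsswitch_text, smb_text):
    """List the misconfigurations that would block an AD logon on this host."""
    nss, smb, findings = parse_nsswitch(nsswitch_text), parse_smb_global(smb_text), []
    for database in ("passwd", "group"):  # PAM auth succeeded; NSS lookup is what fails
        if not NSS_AD_SOURCES & set(nss.get(database, [])):
            findings.append(f"nsswitch.conf: '{database}' has no winbind/sss source")
    if smb.get("security", "").upper() != "ADS":
        findings.append("smb.conf: 'security' is not ADS")
    domain = smb.get("workgroup", "").lower()
    if not any(k.startswith(f"idmap config {domain} ") for k in smb):
        findings.append(f"smb.conf: no 'idmap config {domain.upper()} : ...' entries")
    return findings


# Constructed sample: Debian's stock nsswitch.conf and the question's first smb.conf
QUESTION_NSSWITCH = "passwd: compat\ngroup: compat\nshadow: compat\nhosts: files dns\n"
QUESTION_SMB = "[global]\nsecurity = ADS\nrealm = DOMAIN.LOCAL\nworkgroup = DOMAIN\n"
```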

Server Fault user

Posted 2015-12-16 15:36:09

The other thing works now too. You have to install libpam-mount. After that, add the following line to /etc/pam.d/common-session:

```text
session optional            pam_mount.so
```

There is a config file for the mounts: /etc/security/pam_mount.conf.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>

    <debug enable="0" />

    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />

    <logout wait="100000" hup="yes" term="yes" kill="no" />

    <volume options="username=%(USER)"  fstype="cifs"  server="server.domain.local"  path="User/%(USER)" mountpoint="/home/domain/%(USER)/Shares/%(DOMAIN_USER)" />

    <volume options="username=%(USER)"  fstype="cifs"  server="server.domain.local"  path="Data" mountpoint="/home/domain/%(USER)/Shares/Data" />

    <umount>umount %(MNTPT)</umount>

    <mkmountpoint enable="1" remove="false" />

</pam_mount>
```

Votes: 1
Original content provided by Server Fault.
Original link: https://serverfault.com/questions/742867
