我在使用当前设置的 sssd、kerberos、samba 和 AD 通过 AD 登录桌面时遇到了问题。这是 auth.log 文件的输出。似乎 pam 和 lightdm 不能很好地相互配合。奇怪的是,我可以 su -[电子邮件保护]从 cli 并运行命令(例如 id 或 getent passwd)以返回我的 AD 中的用户。
Jul 20 11:14:08 lx004109 lightdm: PAM adding faulty module: pam_kwallet5.so Jul 20 11:14:12 lx004109 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user@domain" Jul 20 11:14:15 lx004109 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user@domain Jul 20 11:14:15 lx004109 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user@domain Jul 20 11:14:15 lx004109 lightdm: pam_sss(lightdm:auth): received for user user@domain: 6 (Permission denied) Jul 20 11:14:16 lx004109 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory Jul 20 11:14:16 lx004109 lightdm: PAM adding faulty module: pam_kwallet.so
这是我的 sssd.conf 文件
[sssd]
services = nss, pam
config_file_version = 2
domains = KQED.ORG
[domain/KQED.ORG]
ad_gpo_map_interactive = +polkit-1. +unity, +lightdm
id_provider = ad
access_provider = ad
ad_domain = my.domain.org
default_shell = /bin/bash
krb5_realm = KQED.ORG
dyndns_update = true
dyndsn_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
override_homedir = /home/%d/%u
enumerate = true
有什么想法吗?我看过几篇文章声称下面是添加到 sssd 的解决方法,但它似乎并不适用于我的情况。
ad_gpo_map_interactive = +unity, +polkit-1
答案1
经过几个小时的故障排除后,我能够找到两个属性添加到我当前的 SSSD.conf 中,以允许 pam_sss 和 pam_unix 响应 sss 和 active directory。修复 AD 桌面 GUI 登录。ad_enable_gc = False
&ad_gpo_access_control = permissive
[sssd]
services = nss, pam
config_file_version = 2
domains = Webdomain.ORG
[domain/Webdomain.ORG]
ad_enable_gc = False
ad_gpo_map_interactive = +unity
ad_gpo_access_control = permissive