Samba AD DC no longer accepts logins with domain accounts

I have been trying to set up a Samba AD DC on Ubuntu 20.04, with some success. I use the server running this Samba instance as my main workstation, so I need to be able to log in to it with a domain account, which I was able to do until today. Honestly, I can't think of what I broke, because it simply stopped working: my screen locked due to inactivity, and when I tried to unlock it the machine rejected my correct password. It did let me log in locally, but the server then required a reboot. Since then I have not been able to log in with a domain account. This is strange, because the domain member PCs (also Ubuntu 20.04) can log in with domain accounts without any problem, although they log in via SSSD rather than winbind. I thought the AD database might have been corrupted during the somewhat hardcore reboot, but if that were the case, I'd think the members wouldn't be able to log users in either, right?

Here are some configuration snippets:

/etc/samba/smb.conf

# Global parameters
[global]
        dns forwarder = 192.168.1.1
        netbios name = PRIMARYDC
        realm = MYDOM.COM
        server role = active directory domain controller
        workgroup = MYDOM
        vfs objects = dfs_samba4 acl_xattr recycle
        idmap_ldb:use rfc2307 = Yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        unix extensions = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        log level = 4

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/mydom.com/scripts
        read only = No

/etc/nsswitch.conf

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/pam.d/common-password

# here are the per-package modules (the "Primary" block)
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so try_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auth-update config

/etc/pam.d/common-auth

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

/etc/pam.d/common-session

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session optional                        pam_winbind.so
session optional        pam_systemd.so
session optional                        pam_mkhomedir.so

/etc/pam.d/common-account

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
session required                        pam_mkhomedir.so        skel=/etc/skel/ umask=0022

On the AD DC, I can retrieve users with wbinfo -u. Retrieving user information with samba-tool also gives me all the information about my user. But trying getent passwd MYDOM\\someuser returns nothing, and getent group MYDOM\\somegroup gives me the correct information about that group except for its members: the list is empty. On a member PC, all of this works fine and getent group returns the full list of users. Any hints on what might be wrong here would be greatly appreciated. I guess it has something to do with the nsswitch and PAM modules, but I currently can't find out where the misconfiguration is. Interestingly, I have a Windows 10 PC at home joined to this domain, and I can log in with a domain account on that PC too...
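An added diagnostic script, not part of the original post, that checks the gap the question describes: whether the posted nsswitch.conf and common-* PAM stacks actually hand passwd/group lookups and the auth/account/session phases to winbind (and flags entries of a foreign PAM type, such as the session line at the end of common-account), then compares winbind's own view of a user with what NSS returns. It assumes it runs as root on the DC and that the user name passed in is a placeholder.

```shell
#!/bin/sh
# Assumed: run as root on the Samba AD DC; "MYDOM\\someuser" is a placeholder.

# Does nsswitch.conf text ($1) list "winbind" as a source for database $2?
nss_has_winbind() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Does PAM stack text ($1) contain module $3 on a line of type $2 (auth/account/...)?
pam_stack_has() {
    printf '%s\n' "$1" | awk -v t="$2" -v m="$3" '
        /^[[:space:]]*#/ { next }
        $1 == t { for (i = 2; i <= NF; i++) if ($i == m) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Count non-comment lines in PAM stack text ($1) whose type is not $2,
# e.g. a "session" entry that ended up inside common-account.
pam_foreign_lines() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 != t { n++ }
        END { print n + 0 }'
}

# Static review of the files quoted in the post, read from the live system.
review_config() {
    nss=$(cat /etc/nsswitch.conf)
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" || echo "nsswitch: $db does not use winbind"
    done
    for t in auth account session; do
        stack=$(cat "/etc/pam.d/common-$t")
        pam_stack_has "$stack" "$t" pam_winbind.so || echo "common-$t: no pam_winbind.so"
        n=$(pam_foreign_lines "$stack" "$t")
        [ "$n" -eq 0 ] || echo "common-$t: $n line(s) of a different PAM type"
    done
}

# Live checks: winbind's view of the user versus the NSS view the login path uses.
diagnose_user() {
    user="${1:?usage: diagnose_user DOMAIN\\\\user}"
    wbinfo --ping-dc || echo "winbind cannot reach a DC"
    wbinfo -i "$user" || echo "winbind itself does not resolve $user"
    getent passwd "$user" || echo "NSS does not resolve $user although winbind may"
    # With idmap_ldb:use rfc2307 = Yes the DC takes IDs from these AD attributes
    # when they are present, so show what the directory holds for this account.
    samba-tool user show "${user#*\\}" --attributes=uidNumber,gidNumber
}

if [ "${1:-}" = "--live" ]; then
    review_config
    diagnose_user "$2"
fi
```

Run it as `sh diag.sh --live 'MYDOM\someuser'`; the static helpers can also be fed the quoted file contents directly.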
