用户“[email protected]”未满足 PBIS auth.log 要求“user ingroup nopasswdlogin”

我想使用我的 Windows AD 凭据登录 Ubuntu 16.04 计算机。我使用 Beyondtrust 版本 8.5.2.265 的 PBIS（PowerBroker Identity Services）AD-bridge。 Windows版本是Windows Server 2012 R2。

这些错误会在 /var/log/auth.log 中弹出：

Jan 16 08:34:51 [HOSTNAME] lightdm: PAM adding faulty module: pam_kwallet5.so
Jan 16 08:34:59 [HOSTNAME] lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "[email protected]"
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session closed for user root
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]User [email protected] is denied access because they are not in the 'require membership of' list
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:[email protected]][error code:40158]
Jan 16 08:35:07 [HOSTNAME] systemd-logind[1050]: Removed session c2.

我已更改配置选项 RequireMembershipOf 以匹配我从 /opt/pbis/bin/enum-groups 复制的安全组“domain^users”

/opt/pbis/bin/config --dump 中的选项：

AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "winsrv.local"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "domain^users"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC

/etc/pam.d/common-session 文件：

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_lsass.so
session required        pam_unix.so
session optional        pam_systemd.so
session optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

/etc/pam.d/common-auth 文件：

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_lsass.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

/etc/pam.d/common-account 文件：

# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore]         pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore]        pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config