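I am testing openpbis version 8.3 and I am running into an authentication problem when I try to open a new session on Ubuntu 14.04 LTS, not on my local network but on a remote network.
Joining the computer to Active Directory was very simple, and I had no problems with it on either my local or my remote network.
But when I try to open a session with my Active Directory account, I get the message "wrong password".
So I reset the password in Active Directory and tried to open a session again.
I entered the default password without any problem, the system asked me for a new password, there was no message and everything seemed fine; after that, I entered my login and password and got the wrong-password message.
If I use the same login and password on a Windows 7 PC, the session opens without any problem.
I am trying to debug openpbis: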
Make Sure You Are Joined to the Domain
/opt/pbis/bin/domainjoin-cli query
Name = chou-l64
Domain = mydomain.LAN
Distinguished Name = CN=CHOU-L64,CN=Computers,DC=mydomain,DC=lan
###
Check Whether You Are Using a Valid Logon Form
MYDOMAIN\username
works
###
Clear the Cache
/opt/pbis/bin/ad-cache --delete-all
ok
###
Check the Status of the PBIS Authentication Service
/opt/pbis/bin/lwsm status lsass
running (container: 1436)
###
Check Communication between the PBIS Service and AD
/opt/pbis/bin/get-dc-name mydomain.lan
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 24
dwFlags = 312
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = robinson.mydomain.lan
pszDomainControllerAddress = 172.16.0.253
pucDomainGUID(hex) = 21 40 5F 7F EB EA 19 4E 8E 42 0E 13 96 19 AF EB
pszNetBIOSDomainName = MYDOMAIN
pszFullyQualifiedDomainName = mydomain.lan
pszDnsForestName = mydomain.lan
pszDCSiteName = Lyon
pszClientSiteName = Paris
pszNetBIOSHostName = ROBINSON
pszUserName = <EMPTY>
###
Verify that PBIS Can Find a User in AD
/opt/pbis/bin/find-user-by-name MYDOMAIN.lan\\dupond
User info (Level-0):
====================
Name: dupond
SID: S-1-5-21-545202174-1067577326-598125351-6851
Uid: 1657281219
Gid: 1657274881
Gecos: dupond dupond
Shell: /bin/bash
Home dir: /home/dupond
Logon restriction: NO
/opt/pbis/bin/find-user-by-name mydomain.lan\\admindupont
User info (Level-0):
====================
Name: admindupont
SID: S-1-5-21-545202174-1067577326-598125351-6830
Uid: 1657281198
Gid: 1657274881
Gecos: Administrateur dupont
Shell: /bin/bash
Home dir: /home/admindupont
Logon restriction: NO
###
Make Sure the AD Authentication Provider Is Running
/opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.3.0.3287
Packaged product version: 8.3.3287.68880
Uptime: 0 days 1 hours 47 minutes 43 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: MYDOMAIN.LAN
Domain SID: S-1-5-21-545202174-1067577326-598125351
Forest: mydomain.lan
Site: Lyon
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: MYDOMAIN]
DNS Domain: mydomain.lan
Netbios name: MYDOMAIN
Forest name: mydomain.lan
Trustee DNS name:
Client site name: Paris
Domain SID: S-1-5-21-545202174-1067577326-598125351
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0003]
[0x0001 - Primary]
[0x0002 - Offline]
[Domain Controller (DC) Information]
DC Name: robinson.mydomain.lan
DC Address: 172.16.0.253
DC Site: Lyon
DC Flags: [0x00000138]
DC Is PDC: no
DC is time server: no
DC has writeable DS: yes
DC is Global Catalog: no
DC is running KDC: yes
###
Run the id Command to Check the User
id mydomain.lan\\dupond
uid=1657281219(dupond) gid=1657274881(utilisa.^du^domaine groupes=1657274881(utilisa.^du^domaine)
###
/etc/nsswitch.conf
passwd: compat lsass
group: compat lsass
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
###
/etc/pam.d/less common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session [success=ok default=ignore] pam_lsass.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_ck_connector.so nox11
When I try to open a session on this PC, I get the following messages in /var/log/auth.log:
Jul 23 15:22:26 chou-l64 login[1728]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:22:29 chou-l64 login[1728]: FAILED LOGIN (1) on '/dev/tty1' FOR 'dupond', Authentication failure
Jul 23 15:24:25 chou-l64 sshd[11898]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:26 chou-l64 sshd[11896]: error: PAM: Authentication failure for dupond from localhost
Jul 23 15:24:34 chou-l64 sshd[11919]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:39 chou-l64 sshd[11922]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:41 chou-l64 sshd[11896]: message repeated 2 times: [ error: PAM: Authentication failure for dupond from localhost]
Jul 23 15:24:50 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:52 chou-l64 sshd[11896]: Failed password for dupond from 127.0.0.1 port 39657 ssh2
Jul 23 15:24:58 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:25:01 chou-l64 sshd[11896]: Failed password for dupond from 127.0.0.1 port 39657 ssh2
How can I solve this problem?
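
The auth.log excerpt above mixes pam_lsass errors with the sshd and login result lines. As an added example (not part of the original post), this Python sketch extracts only the pam_lsass error lines and tallies them per service, login and error code, which makes it visible that the same account fails with two different codes. The sample lines are copied from the post; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the auth.log excerpt in the post; one sshd line that is
# not a pam_lsass error is kept on purpose to show that it is skipped.
SAMPLE = """\
Jul 23 15:22:26 chou-l64 login[1728]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:25 chou-l64 sshd[11898]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:34 chou-l64 sshd[11919]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:39 chou-l64 sshd[11922]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:50 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:52 chou-l64 sshd[11896]: Failed password for dupond from 127.0.0.1 port 39657 ssh2
Jul 23 15:24:58 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
"""

# syslog prefix, then the fixed pam_lsass tag, then [login:...][error code:...]
PAM_LSASS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<svc>[\w-]+)\[(?P<pid>\d+)\]:\s"
    r"\[lsass-pam\]\s\[module:pam_lsass\](?P<func>\w+)\serror\s"
    r"\[login:(?P<user>[^\]]*)\]\[error code:(?P<code>\d+)\]"
)

def parse_lsass_errors(text):
    """Return one dict per pam_lsass error line; other lines are ignored."""
    return [m.groupdict() for line in text.splitlines()
            if (m := PAM_LSASS.match(line))]

def summarize(text):
    """Count errors per (service, login, error code)."""
    return Counter((e["svc"], e["user"], e["code"])
                   for e in parse_lsass_errors(text))

def codes_by_user(text):
    """Map each login to the sorted set of distinct error codes it produced."""
    seen = defaultdict(set)
    for e in parse_lsass_errors(text):
        seen[e["user"]].add(e["code"])
    return {user: sorted(codes) for user, codes in seen.items()}

if __name__ == "__main__":
    for (svc, user, code), n in sorted(summarize(SAMPLE).items()):
        print(f"{svc:6} {user:10} code {code}: {n}")
    print(codes_by_user(SAMPLE))
```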