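I am trying to log in on an Ubuntu machine with an AD user through the lightdm GUI, but access is denied with the message "Invalid password, please try again".
My machine has been joined to AD with net ads join -U Administrator, and I can see the users and groups with wbinfo -u and wbinfo -g.
In addition, I can see a user from AD: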
id jn
uid=10019(jn) gid=10002(utilisateurs du domaine) ....
cat /etc/samba/smb.conf
[global]
workgroup = AAA
realm = AAA.LOCAL
netbios name = ubuntu
security = ads
encrypt passwords = yes
password server = XXX.XXX.XXX
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template homedir = /data/commun
cat /etc/krb5.conf
[libdefaults]
default_realm = AAA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticker_lifetile = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
PA8.LOCAL = {
kdc = XXX.XXX.XXX
admin_server = XXX.XXX.XXX
default_domain = AAA.LOCAL
}
[domain_realm]
.XXX.local = XXX.LOCAL
XXX.local = XXX.LOCAL
cat /etc/pam.d/common-account
account sufficient pam_winbind.so
account sufficient pam_unix.so
cat /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
cat /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
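So I don't know where the problem is, or why I cannot log in users from AD on the Ubuntu machine.
Thank you for your help.
Answer 1
I know this is an old question. But it seems better to provide an answer to an old question than to ask one myself and then answer it with what I ended up with!
Have you tried sssd? I did not do this with winbind.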
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = MBA.AC.UK
[domain/MBA.AC.UK]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
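/etc/krb5.conf is untouched apart from the default realm, which is specified in
sudo dpkg-reconfigure krb5-config
The smb configuration file is unchanged (I mount user shares via libpam_mount, but I can tell you in advance that this will mess up lightdm). Perhaps the question about lightdm's PAM/AD problem will help.
I don't think I modified any files in /etc/pam.d/ beyond the automatic configuration when installing sssd.
/etc/pam.d/common-account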
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
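
The following is an added example, not code from the question or the answer: a small Python model of how Linux-PAM evaluates the control fields in the two common-auth stacks quoted above, showing which combinations of module results end in pam_deny.so. The module return values passed in are assumed inputs, and the `reset` action is not modelled.

```python
import re
# Bracket equivalents of the simple control keywords, per pam.conf(5).
SIMPLE = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# These two modules always return the same value, whatever the credentials.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}
# The two common-auth stacks quoted on this page.
QUESTION_AUTH = """
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
"""
ANSWER_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
"""

def parse(stack):
    """Yield (control map, module name) for each line of a PAM stack."""
    for line in stack.strip().splitlines():
        ctl, module = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        yield (dict(kv.split("=") for kv in ctl[1:-1].split())
               if ctl.startswith("[") else SIMPLE[ctl]), module

def authenticate(stack, results):
    """Model pam_authenticate(); unlisted modules are assumed to return "success"."""
    verdict, failed, skip = None, False, 0   # verdict None: nobody has voted yet
    for ctl, module in parse(stack):
        if skip:
            skip -= 1
            continue
        ret = FIXED.get(module, results.get(module, "success"))
        action = ctl.get(ret, ctl["default"])
        if action.isdigit():                 # jump N modules; counts as ignore here
            skip = int(action)
        elif action != "ignore":             # ok / done / bad / die cast a vote
            bad = action in ("bad", "die")
            if not failed and (bad or verdict in (None, "success")):
                verdict, failed = ret, bad   # the first failure is kept to the end
            if action == "die" or (action == "done" and not failed):
                break
    return verdict == "success" and not failed   # a stack with no vote fails
```

In both stacks the only path to a denial is every password module returning a failure, and a failing pam_mount.so alone does not deny the login because it is `optional`.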