I have 2 Ubuntu 14.04 LTS virtual machines. I configured Samba + Winbind step by step following the documentation, but ssh login does not work. I can query the main AD and one of the trusted ADs, as you can see:
Query the main AD
id [email protected]
uid=10004(test) gid=10000(ad\domain users) gruppi=10004(test),10000(ad\domain users)...
Query the trusted AD (AD2)
id [email protected]
uid=4294967295 gid=10059(ad2\domain users) gruppi=4294967295,10059(ad2\domain users)...
The first problem is that when I query a user on AD2 from another Linux server (RHEL, though), I see more groups.
Anyway, the server is correctly joined to AD:
net ads testjoin
Join is OK
wbinfo -g
ad\domain users
etc.
wbinfo -u
ad\toba1
etc.
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
14/02/2017 11:18:35 14/02/2017 21:18:35 krbtgt/[email protected]
renew until 21/02/2017 11:18:31
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication yes (ssh login doesn't work even if uncommented)
#KerberosGetAFSToken yes (ssh login doesn't work even if uncommented)
#KerberosOrLocalPasswd yes (ssh login doesn't work even if uncommented)
#KerberosTicketCleanup yes (ssh login doesn't work even if uncommented)
# GSSAPI options
#GSSAPIAuthentication yes (ssh login doesn't work even if uncommented)
#GSSAPICleanupCredentials yes (ssh login doesn't work even if uncommented)
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
useDNS no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
[global]
workgroup = AD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.COM
security = ads
cat /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
I cannot log in either as an AD1 user or as an AD2 user (trusted domain).
tail -f /var/log/auth.log
Login test SSH
username:toba1 NOK
username:ad1+toba1 NOK
username:ad1\\toba1 NOK
username:ad1\toba1 it seems to work, but then it closed the PuTTY shell immediately.
Feb 14 12:34:15 vmubuntu sshd[7221]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:34:17 vmubuntu sshd[7221]: Invalid user tooah from 10.7.17.21
Feb 14 12:34:17 vmubuntu sshd[7221]: input_userauth_request: invalid user toba1 [preauth]
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:34:21 vmubuntu sshd[7221]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:34:22 vmubuntu sshd[7221]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=toba1
Feb 14 12:34:22 vmubuntu sshd[7221]: pam_sss(sshd:auth): received for user toba1 : 13 (User account has expired)
Feb 14 12:34:24 vmubuntu sshd[7221]: Failed password for invalid user toba1 from 10.7.17.21 port 53148 ssh2
Feb 14 12:34:53 vmubuntu sshd[6959]: Invalid user ad1+toba1 from 10.7.17.21
Feb 14 12:34:53 vmubuntu sshd[6959]: input_userauth_request: invalid user ad1+toba1 [preauth]
Feb 14 12:34:59 vmubuntu sshd[6964]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:35:11 vmubuntu sshd[6964]: Invalid user ad1\\\\toba1 from 10.7.17.21
Feb 14 12:35:11 vmubuntu sshd[6964]: input_userauth_request: invalid user ad1\\\\\\\\toba1 [preauth]
Feb 14 12:35:15 vmubuntu sshd[6966]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=ad1\toba1
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): user 'ivecoeurope\toba1 ' granted access
Feb 14 12:35:42 vmubuntu sshd[6966]: Accepted password for ivecoeurope\\toba1 from 10.7.17.21 port 52992 ssh2
Feb 14 12:35:42 vmubuntu sshd[6966]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:35:42 vmubuntu systemd-logind[936]: New session 57 of user test.
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_winbind(sshd:setcred): user 'ad1\toba1 ' OK
Feb 14 12:35:52 vmubuntu sshd[6964]: Connection closed by 10.7.17.21 [preauth]
Feb 14 12:35:54 vmubuntu sshd[6959]: Connection closed by 10.7.17.21 [preauth]
Feb 14 12:36:01 vmubuntu sshd[7107]: rexec line 56: Unsupported option KerberosGetAFSToken
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.7.17.21 user=toba1 @ad1
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 14 12:36:12 vmubuntu sshd[7107]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 14 12:36:13 vmubuntu sshd[7107]: pam_winbind(sshd:auth): user 'ad1\toba1 ' granted access
Feb 14 12:36:16 vmubuntu sshd[7107]: Accepted password for toba1 @ivecoeurope from 10.7.17.21 port 53011 ssh2
Feb 14 12:36:16 vmubuntu sshd[7107]: pam_unix(sshd:session): session opened for user ad1\toba1 by (uid=0)
Feb 14 12:36:16 vmubuntu systemd-logind[936]: Removed session 57.
Feb 14 12:36:16 vmubuntu systemd-logind[936]: New session 58 of user test.
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_unix(sshd:session): session closed for user ad1\toba1
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_winbind(sshd:setcred): user 'ad1\toba1 ' OK --> It closes PuTTY immediately!
Samba
[2017/02/14 15:22:48.018826, 0] ../source3/lib/util_tdb.c:494(tdb_chainlock_with_timeout_internal)
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key ad1.com in tdb /var/run/samba/mutex.tdb
[2017/02/14 15:22:48.019195, 0] ../source3/winbindd/winbindd_cm.c:1032(cm_prepare_connection)
cm_prepare_connection: mutex grab failed for ad1.com
[2017/02/14 15:23:28.148922, 0] ../source3/lib/util_tdb.c:494(tdb_chainlock_with_timeout_internal)
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key ad1.com in tdb /var/run/samba/mutex.tdb
[2017/02/14 15:23:28.149209, 0] ../source3/winbindd/winbindd_cm.c:1032(cm_prepare_connection)
cm_prepare_connection: mutex grab failed for ad1.com
[2017/02/14 15:24:31.634755, 0] ../source3/lib/util_tdb.c:494(tdb_chainlock_with_timeout_internal)
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key ad1.com in tdb /var/run/samba/mutex.tdb
[2017/02/14 15:24:31.635092, 0] ../source3/winbindd/winbindd_cm.c:1032(cm_prepare_connection)
cm_prepare_connection: mutex grab failed for ad1.com
[2017/02/14 15:47:33.917742, 0] ../source3/winbindd/winbindd_dual.c:107(child_write_response)
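The two symptoms visible in the post are an `id` lookup that returns uid 4294967295 for the trusted-domain user and sshd sessions that are closed one or two seconds after PAM opens them. The following is an added triage script (not code from the question or from Samba/OpenSSH) that pairs `session opened`/`session closed` lines per sshd PID and flags sessions shorter than a threshold, and checks `id` output for the winbind "unmapped id" sentinel. The sample log text is constructed from the excerpt above, the syslog year (2017) and the 5-second threshold are assumptions.

```python
"""Triage helpers for the auth.log / id symptoms in the question (added example)."""
import re
from datetime import datetime

# Constructed sample built from the question's auth.log excerpt (plus one
# ordinary long-lived session so the filter has something to leave alone).
SAMPLE_AUTH_LOG = """\
Feb 14 12:35:41 vmubuntu sshd[6966]: pam_winbind(sshd:auth): user 'ivecoeurope\\toba1 ' granted access
Feb 14 12:35:42 vmubuntu sshd[6966]: pam_unix(sshd:session): session opened for user ad1\\toba1 by (uid=0)
Feb 14 12:35:44 vmubuntu sshd[6966]: pam_unix(sshd:session): session closed for user ad1\\toba1
Feb 14 12:36:16 vmubuntu sshd[7107]: pam_unix(sshd:session): session opened for user ad1\\toba1 by (uid=0)
Feb 14 12:36:17 vmubuntu sshd[7107]: pam_unix(sshd:session): session closed for user ad1\\toba1
Feb 14 13:00:00 vmubuntu sshd[8001]: pam_unix(sshd:session): session opened for user localadmin by (uid=0)
Feb 14 13:25:00 vmubuntu sshd[8001]: pam_unix(sshd:session): session closed for user localadmin
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<ev>opened|closed) for user (?P<user>\S+)")

def parse_ts(ts, year=2017):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def short_sessions(log_text, max_seconds=5):
    """Return [(pid, user, seconds)] for PAM sessions closed within max_seconds
    of being opened, i.e. logins that succeed and are torn down immediately."""
    opened, flagged = {}, []
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        pid, when = m["pid"], parse_ts(m["ts"])
        if m["ev"] == "opened":
            opened[pid] = (m["user"], when)
        elif pid in opened:
            user, t0 = opened.pop(pid)
            duration = (when - t0).total_seconds()
            if duration <= max_seconds:
                flagged.append((pid, user, duration))
    return flagged

# (uint32)-1: the id winbind hands back when it could not map a SID to a Unix
# uid/gid, typically because no idmap range covers that domain.
UNMAPPED_ID = 4294967295

def has_unmapped_id(id_output):
    """True if any numeric id field in an `id` output line is the sentinel."""
    return str(UNMAPPED_ID) in re.findall(r"\d+", id_output)

if __name__ == "__main__":
    for pid, user, secs in short_sessions(SAMPLE_AUTH_LOG):
        print(f"sshd[{pid}] {user}: session lasted {secs:.0f}s")
```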