Unable to log in as a domain user on an Ubuntu 14.04 client joined to a (samba4 - Ubuntu 14.04) Active Directory domain

I have a samba4 server:

[global]
    workgroup = MYWG
    realm = MYWG.ORG
    netbios name = MYWGADM
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes
    log level = 3
    template shell    = /bin/bash
    template homedir  = /home/%D/%U

[netlogon]
    path = /var/lib/samba/sysvol/mywg.org/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[home]
    path = /data/share/home/
    read only = No

and an Ubuntu 14.04 client joined to the domain:

[global]
    workgroup = MYWG
    realm = MYWG.ORG
    netbios name = pcl01
    security = ADS
    encrypt passwords = yes
    idmap config MYWG:backend = ad
    idmap config MYWG:schema_mode = rfc2307
    idmap config MYWG:range = 10000-39999
    idmap config *:backend = tdb
    idmap config *:range = 40000-49999
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    kerberos method = system keytab
    template homedir = /home/MYWG.ORG/%U
    template shell = /bin/bash
    log level = 3

wbinfo -u shows:
    administrator
    usrtest
    krbtgt
    guest
wbinfo -g shows:
    allowed rodc password replication group
    enterprise read-only domain controllers
    denied rodc password replication group
    read-only domain controllers
    group policy creator owners
    ras and ias servers
    domain controllers
    enterprise admins
    domain computers
    cert publishers
    dnsupdateproxy
    domain admins
    domain guests
    schema admins 
    domain users
    dnsadmins

net ads info shows:
    LDAP server: 10.0.0.1
    LDAP server name: mydc.mywg.org
    Realm: MYWG.ORG
    Bind Path: dc=MYWG,dc=ORG
    LDAP port: 389
    Server time: mar., 29 mars 2016 17:22:19 CEST
    KDC server: 10.0.0.1
    Server time offset: 20

wbinfo -a usrtest%mypassword shows:
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

If I try to authenticate a domain user (e.g. usrtest) on the console login screen, I get this error message (and the user is not logged in):

Mar 29 17:16:48 pcl01 login[1971]: pam_unix(login:auth): authentication  failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=usrtest
Mar 29 17:16:48 pcl01 login[1971]: pam_winbind(login:auth): getting password (0x00000388)
Mar 29 17:16:48 pcl01 login[1971]: pam_winbind(login:auth): pam_get_item returned a password
Mar 29 17:16:48 pcl01 login[1971]: pam_winbind(login:auth): user 'usrtest' granted access
Mar 29 17:16:48 pcl01 login[1971]: Authentication service cannot retrieve authentication info

Here is my /etc/pam.d/login file:

auth       optional   pam_faildelay.so  delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad   default=die] pam_securetty.so
auth       requisite  pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]  pam_selinux.so close
session       required   pam_env.so readenv=1
session       required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional   pam_group.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional   pam_motd.so
session    optional   pam_mail.so standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad]  pam_selinux.so open

and my /etc/pam.d/common-auth file (generated by pam-auth-update):

auth    [success=3 default=ignore]  pam_unix.so nullok_secure
auth    [success=2 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite           pam_deny.so
auth    required            pam_permit.so
auth    optional            pam_cap.so

The common-account file:

account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so 
account [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so 
account requisite           pam_deny.so
account required            pam_permit.so
account sufficient          pam_localuser.so 
account [default=bad success=ok user_unknown=ignore]    pam_sss.so

The common-session file:

session [default=1]         pam_permit.so
session requisite           pam_deny.so
session required            pam_permit.so
session optional            pam_umask.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel
session required    pam_unix.so 
session sufficient          pam_winbind.so 
session optional            pam_sss.so 
session optional    pam_systemd.so 
session optional            pam_ck_connector.so nox11

and the common-password file:

password    requisite           pam_pwquality.so retry=3
password    [success=3 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password    [success=2 default=ignore]  pam_winbind.so use_authtok try_first_pass
password    sufficient          pam_sss.so use_authtok
password    requisite           pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so 

I can't make sense of the error message (in auth.log) and don't know what else I could check, so... any help would be much appreciated.

Cheers.
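As an added illustration (not part of the original post, and not Samba's or Linux-PAM's code), here is a small Python model of the pam.conf(5) control-field semantics, run over the common-auth and common-account stacks quoted above. The per-module return values fed into it are constructed inputs, and two details are assumptions of the model: an unlisted return code is treated as `bad`, and a stack in which every result was ignored is treated as a denial.

```python
import re

SHORTHAND = {  # shorthand control keywords expanded as pam.conf(5) defines them
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"}}
POSITIVE = ("success", "new_authtok_reqd")

def parse_pam_stack(text):
    """pam.d lines of one type -> [(module, action table)]; comment and @include lines are skipped."""
    stack = []
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#@":
            control, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
            stack.append((module, dict(kv.split("=", 1) for kv in control[1:-1].split())
                          if control[0] == "[" else SHORTHAND[control]))
    return stack

def simulate(stack, results):
    """Walk one stack; `results` maps module -> return value (unlisted succeed). Returns (outcome, trace)."""
    state, trace, i = None, [], 0              # state: None, a positive value, or the first failure
    while i < len(stack):
        module, table = stack[i]
        result = results.get(module, "success")
        action = table.get(result, table.get("default", "bad"))  # unlisted codes count as bad (assumption)
        trace.append((module, result, action))
        i += 1
        if action == "ignore":
            continue                           # this result does not contribute to the outcome
        if state is None or state in POSITIVE:
            state = result                     # ok/done/N/bad/die: a recorded failure is never overridden
        if action == "die" or (action == "done" and state in POSITIVE):
            break                              # die stops on failure; done is the 'sufficient' short-circuit
        if action.isdigit():
            i += int(action)                   # N: jump over the next N modules
    return (state if state is not None else "perm_denied"), trace   # all-ignored stack denies (assumption)
# The posted common-auth and common-account stacks (module arguments omitted; they do not affect flow).
COMMON_AUTH = parse_pam_stack("""auth [success=3 default=ignore] pam_unix.so
auth [success=2 default=ignore] pam_winbind.so
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so""")
COMMON_ACCOUNT = parse_pam_stack("""account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so""")
```

With `simulate(COMMON_AUTH, {"pam_unix.so": "auth_err"})` the auth stack returns success through pam_winbind's `success=2` jump over pam_sss and pam_deny, which is what the posted auth.log shows; in the account stack, the `default=bad` on the pam_sss line means any return value from it other than the listed ones becomes the stack result even after pam_winbind has already succeeded.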
