我想在没有 GUI 的客户端上使用 AD 用户登录。这是一台带有 SSSD 的 Ubuntu 16.04 机器。Active Directory 服务器是 Windows Server 2012 R2。我无法使用“[电子邮件保护]“或“aduser\srv.local”都不能用“su aduser”但是我可以kinit并成功获得票证并且将机器添加到域中也可以。
我遵循了本教程:https://help.ubuntu.com/lts/serverguide/sssd-ad.html
我不确定 PAM 是否配置正确,或者在启动时是否创建了票证,或者密钥表是否正确。
SSSD 版本为:1.13.4-1ubuntu1.1 libpam-modules 版本为:1.1.8-3.2ubuntu2
我做了什么:
root@srv2:~# sudo kinit Administrator
Password for [email protected]:
root@srv2:~# sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
12/29/2016 07:27:28 12/29/2016 17:27:28 krbtgt/[email protected]
renew until 01/05/2017 07:27:27
加入域:
root@srv2:~# net ads join -k
Using short domain name -- SRV
Joined 'SRV2' to dns domain 'srv.local'
配置并加入域后,我重新启动了计算机,在名为 linux 的活动目录中创建了一个名为 linux 的测试用户。我尝试使用 su linux 更改为该用户,但该用户尚未添加到密码中
获取密码:
root@srv2:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
mark:x:1000:1000:mark,,,:/home/mark:/bin/bash
ntp:x:111:117::/home/ntp:/bin/false
sssd:x:112:118:SSSD system user,,,:/var/lib/sss:/bin/false
wbinfo查询信息:
root@srv2:~# wbinfo -t
checking the trust secret for domain SRV via RPC calls succeeded
wbinfo-u-g:
root@srv2:~# wbinfo -u -g
SRV\administrator
SRV\guest
SRV\krbtgt
SRV\mark
SRV\test1
SRV\linux
SRV\winrmremotewmiusers__
SRV\domain computers
SRV\domain controllers
SRV\schema admins
SRV\enterprise admins
SRV\cert publishers
SRV\domain admins
SRV\domain users
SRV\domain guests
SRV\group policy creator owners
SRV\ras and ias servers
SRV\allowed rodc password replication group
SRV\denied rodc password replication group
SRV\read-only domain controllers
SRV\enterprise read-only domain controllers
SRV\cloneable domain controllers
SRV\protected users
SRV\dnsadmins
SRV\dnsupdateproxy
SRV\dhcp users
SRV\dhcp administrators
使用 GSSAPI 的 ldapsearch 显示 keytabs 错误:
root@srv2:~# /usr/bin/ldapsearch -H ldap://srv.local -Y GSSAPI -N -b "dc=src,dc=local" "(&(objectClass=user)(sAMAccountName=ad
user))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
/var/log/sssd/ldap_child.log:
(Thu Dec 29 07:27:40 2016) [[sssd[ldap_child[33841]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthe
ntication fail
/var/log/auth.log:
Dec 29 20:03:59 srv2 login[1344]: pam_unix(login:auth): check pass; user unknown
Dec 29 20:03:59 srv2 login[1344]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser$Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
我使用 tcpdump 过滤了 ldap、dns 和 krb5 端口。捕获的内容可在此处查看:http://www.filedropper.com/ldap-sssd
发生的错误是:
67 0.112875 192.168.253.200 192.168.253.100 DNS 151 Standard query response 0xe2ee No such name SRV _kerberos-master._tcp.SRV.LOCAL SOA dc1.srv.local
我已读到以下错误可以安全地忽略:
31 0.094884 192.168.253.200 192.168.253.100 KRB5 231 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
配置文件:
在 /etc/hosts 中:
127.0.0.1 localhost
192.168.253.100 srv2.srv.local srv2
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.253.200
search srv.local
/etc/krb5.conf:
[libdefaults]
default_realm = SRV.LOCAL
renew_lifetime = 7d
ticket_lifetime = 24h
dns_lookup_realm = true
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
SRV.LOCAL = {
kdc = srv.local
admin_server = srv.local
default_domain = srv.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.srv.local = dc1.srv.local
srv.local = dc1.srv.local
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
default = FILE:/var/log/krb5libs.log
权限 sssd.conf
drw------- 2 root root 4096 Dec 29 08:37 .
drwxr-xr-x 96 root root 4096 Dec 29 08:34 ..
-rw------- 1 root root 696 Dec 29 08:30 sssd.conf
/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = SRV.LOCAL
#default_domain_suffix = SRV.LOCAL
[domain/SRV.LOCAL]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = srv2.srv.local
# Uncomment if DNS SRV resolution is not working
# ad_server = dc1.srv.local
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = SRV.LOCAL
# Enumeration is discouraged for performance reasons.
# enumerate = true
/etc/samba/smb.conf:
[global]
workgroup = SRV
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = SRV.LOCAL
security = ads
/etc/nsswitch.conf:
passwd: compat sss
shadow: compat
group: compat sss
gshadow: files
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nis sss
publickey: files
automount: files
aliases: files
sudoers: files sss
/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/通用密码
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config