基于数值的活动目录用户无法登录

基于数值的活动目录用户无法登录

基于数字（01012578）的活动目录用户无法登录，但使用相同的 DC，我们可以使用基于名称的用户名（例如 syed）登录。客户端操作系统：20.0.4 桌面版。AD 脚本：

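#!/usr/bin/env bash
#
# Linux integration with Active Directory script
# Author: Syed
#
# Joins an Ubuntu desktop to an AD domain with realmd/SSSD, then rewrites
# /etc/krb5.conf and /etc/sssd/sssd.conf and provisions a machine keytab
# with msktutil.  Interactive: prompts for the domain name, the DC host
# name, the local host name, the AD admin user and the permitted AD group.
# Run as a sudo-capable user; every privileged step goes through sudo.
#
# The original used #!/bin/sh, but `read -p` is a bash feature (dash's
# read has no -p), so the interpreter is bash.

set -eu
# The keytab msktutil writes must never be world-readable, not even in the
# working directory before it is moved into /etc/sssd.
umask 077

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install the realmd/SSSD/Kerberos packages.
# Arguments: none
# Returns:   0 on success; aborts via set -e on apt failure
#######################################
install_packages() {
  echo "Installation all Required Components"
  # apt-get rather than apt: apt's CLI is not stable for scripts.
  sudo apt-get install -y krb5-config msktutil samba
  sudo apt-get install -y realmd sssd sssd-tools libpam-sss libnss-sss
  sudo apt-get install -y krb5-user adcli packagekit
  # -y was missing on this line in the original, which stalls an
  # unattended run waiting for confirmation.
  sudo apt-get install -y ntpdate
}

#######################################
# Sync the clock against the domain (which resolves to a DC); Kerberos
# rejects tickets when the clock skew is too large.
# Arguments: $1 - domain name
#######################################
sync_time() {
  local domain=$1
  sudo ntpdate -q "$domain"
  sudo ntpdate "$domain"
}

#######################################
# Tell realmd not to install packages by itself.
# automatic-install belongs under the [service] section of realmd.conf;
# the original wrote the key without any section header.
# Arguments: none
#######################################
write_realmd_conf() {
  local realmd_conf=/etc/realmd.conf
  # sudo tee: the redirect in the original ran as the unprivileged shell,
  # so writing /etc/realmd.conf failed unless the whole script ran as root.
  sudo tee "$realmd_conf" >/dev/null <<'EOM'
[service]
automatic-install = no
EOM
}

#######################################
# Enable pam_mkhomedir so AD users get a home directory on first login.
# The original inserted the line at a fixed line number (28) of
# common-session, which silently lands in the wrong place when the file
# layout differs, and used `mask=` where pam_mkhomedir expects `umask=`.
# The line is appended after the pam-auth-update managed block so it
# survives a later pam-auth-update run, and only if not already present.
# Arguments: none
#######################################
enable_mkhomedir() {
  local pam_file=/etc/pam.d/common-session
  local pam_line='session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077'
  if ! sudo grep -q 'pam_mkhomedir.so' "$pam_file"; then
    printf '%s\n' "$pam_line" | sudo tee -a "$pam_file" >/dev/null
  fi
  # Show the resulting line for review (replaces the interactive nano step).
  sudo grep -n 'pam_mkhomedir.so' "$pam_file"
}

#######################################
# Discover and join the realm, then set who may log in.
# Arguments: $1 - domain name
#            $2 - AD user with rights to join computers
#            $3 - AD group allowed to log in
# Outputs:   realm discover/list output to stdout
#######################################
join_realm() {
  local domain=$1 admin_user=$2 ad_group=$3
  sudo realm discover "$domain"
  sudo realm join "$domain" -U "$admin_user" --verbose
  sudo realm list
  # The original had `permit--all` (missing space), which realm rejects.
  sudo realm permit --all
  sudo realm permit -g "$ad_group"
}

#######################################
# Write /etc/krb5.conf, keeping realmd's generated file as .default.
# The Kerberos realm is the DNS domain in upper case; realm names are
# case-sensitive, so the typed domain is upper-cased for the realm keys
# and kept as typed for DNS host names.
# Arguments: $1 - domain name
#            $2 - DC host name (short, without domain)
#######################################
write_krb5_conf() {
  local domain=$1 dc=$2
  local krb5_file=/etc/krb5.conf
  local realm=${domain^^}
  if [[ -f "$krb5_file" ]]; then
    sudo mv "$krb5_file" "$krb5_file.default"
  fi
  sudo tee "$krb5_file" >/dev/null <<EOM
[libdefaults]
default_realm = $realm
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
$realm = {
kdc = $dc.$domain
admin_server = $dc.$domain
}

EOM
}

#######################################
# Create the machine keytab with msktutil and install it for SSSD.
# The keytab is written into a private temp dir and installed root-owned
# with mode 0600; the original left it in the working directory and moved
# it without fixing ownership or mode.
# Arguments: $1 - local host name (short)
#            $2 - domain name
#            $3 - DC host name (short)
#######################################
create_keytab() {
  local host=$1 domain=$2 dc=$3
  local tmpdir keytab
  tmpdir=$(mktemp -d) || die "mktemp failed"
  # shellcheck disable=SC2064 -- expand tmpdir now, it is fixed at this point
  trap "rm -rf -- '$tmpdir'" EXIT
  keytab="$tmpdir/my-keytab.keytab"
  # host/ is the conventional service class for the machine SPN; the
  # original used the host name itself as the service class.
  # ${host}\$ yields the literal HOST$ account name.
  msktutil -N -c -b 'CN=COMPUTERS' \
    -s "host/$host.$domain" \
    -k "$keytab" \
    --computer-name "$host" \
    --upn "${host}\$" \
    --server "$dc.$domain" \
    --user-creds-only
  sudo install -m 0600 -o root -g root "$keytab" /etc/sssd/my-keytab.keytab
}

#######################################
# Write /etc/sssd/sssd.conf for the AD domain, keeping the realmd-generated
# file as .default.  This replaces whatever realm join/permit configured.
# Arguments: $1 - domain name
#            $2 - DC host name (short)
#            $3 - local host name (short)
#######################################
write_sssd_conf() {
  local domain=$1 dc=$2 host=$3
  local sssd_file=/etc/sssd/sssd.conf
  if [[ -f "$sssd_file" ]]; then
    sudo mv "$sssd_file" "$sssd_file.default"
  fi
  sudo tee "$sssd_file" >/dev/null <<EOM

[sssd]
services = nss, pam
config_file_version = 2
domains = $domain

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/$domain]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = $host.$domain
ad_server = $dc.$domain
ad_domain = $domain
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = ${host}\$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

EOM
  # sssd refuses to start unless its config is root-owned and 0600.
  sudo chown root:root "$sssd_file"
  sudo chmod 0600 "$sssd_file"
}

#######################################
# Entry point: prompt for the inputs and run the steps in order.
# Globals:   none
# Arguments: ignored
#######################################
main() {
  local domain dc host admin_user ad_group default_host

  install_packages

  read -r -p "Enter your Domain name : " domain
  [[ -n "$domain" ]] || die "domain name is required"
  echo "using $domain"

  sync_time "$domain"
  write_realmd_conf
  enable_mkhomedir

  # The original hard-coded `-U administrator` for the join and `kinit syed`
  # afterwards; one prompted account is used for both.
  read -r -p "Enter your AD admin user name [administrator] : " admin_user
  admin_user=${admin_user:-administrator}
  read -r -p "Enter the AD group allowed to log in [AD_group] : " ad_group
  ad_group=${ad_group:-AD_group}

  join_realm "$domain" "$admin_user" "$ad_group"

  read -r -p "Enter your Domain System name : " dc
  [[ -n "$dc" ]] || die "domain system (DC) name is required"

  write_krb5_conf "$domain" "$dc"

  # Obtain a TGT for the account that will create the computer object.
  kinit "$admin_user"
  klist

  default_host=$(hostname -s)
  read -r -p "Enter your Local Host name [$default_host] : " host
  host=${host:-$default_host}

  create_keytab "$host" "$domain" "$dc"
  write_sssd_conf "$domain" "$dc" "$host"

  sudo systemctl restart sssd
}

main "$@"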

答案1

这是因为 systemd 禁止使用纯数字用户名。您可以通过附加域名（例如 01012578@DOMAIN）来解决这个问题，但据说这会导致其他问题。我还没有找到解决这些新问题的适当方法。
