After weeks of trying and failing, I finally need to ask for help.
First of all, I am on Ubuntu 22.04 LTS, with winbind, PAM and Kerberos already set up.
Overall, I am trying to get the workstation to use Active Directory accounts. So far I have managed the following:
- join the computer to Active Directory,
- log in and use accounts from Active Directory,
- today I even got an offline login to work, but what really puzzles me is how to get an offline login after a reboot. Considering that this machine is a laptop, it may be used away from any network connection, so I need it to work in that use case.
To explain in more detail: if I remember correctly, the authentication token is cached in the krb5cc file, and I should keep that file to allow offline authentication.
I think part of the problem is that the file is stored in /tmp by default. As long as the machine is not rebooted the file stays there, so I can keep authenticating. I tried relocating the krb5cc file to /var/tmp, since that is not cleared on reboot, but even when that worked it looks like the file was deleted after the AD user logged out. Not to mention that the parameter for changing that location is available in 3 places (pam_winbind.conf, and the pam_krb5.so and pam_winbind.so entries in common-auth), and I just don't know which one takes precedence.
Finally, I am not sure what is going on between the applications that should take part in the authentication process (pam, samba, winbind, kerberos) and those that do not take part but still have an effect (apparmor, systemd tmpfiles.d).
I also tried enabling logging to get more details, but without success.
Basically, I would be happy with a working strategy, such as where I should put the file and where I should configure it.
I have tried a pile of documentation and configuration changes but still have not made any progress. Any pointers would be greatly appreciated.
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000 ccache=~/krb5commonauth_%u
auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE:~/krb5cocommonauth_%u cached_login try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_intune.so
auth optional pam_cap.so
# end of pam-auth-update config
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# For more details see man pam_winbind.conf(5)
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
# authenticate using kerberos
krb5_auth = yes
# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE:~/krbpwc_%u
;krb5_ccache_type = DIR:/run/user/%u/krb5cc
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
silent = no
# create homedirectory on the fly
;mkhomedir = no
mkhomedir = yes
# krb5.conf (MIT Kerberos client configuration, normally /etc/krb5.conf)
[libdefaults]
default_realm = AP.ECOMM.GLOBAL
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
udp_preference_limit = 0
[logging]
default = FILE:/var/tmp/krb5libs.log
kdc = FILE:/var/tmp/krb5kdc.log
admin_server = FILE:/var/tmp/kadmind.log
[realms]
AP.ECOMM.GLOBAL = {
kdc = 10.19.26.134
admin_server = 10.19.26.134
}
ECOMM.GLOBAL = {
kdc = 10.19.26.144
admin_server = 10.19.26.144
default_domain = ecomm.global
}
[domain_realm]
.ap.ecomm.global = AP.ECOMM.GLOBAL
ap.ecomm.global = AP.ECOMM.GLOBAL
.ecomm.global = ECOMM.GLOBAL
ecomm.global = ECOMM.GLOBAL
An interesting example: when the ccache is in /tmp, it gets looked for in /var/tmp.
dentsulinuxops@vn-7yndkr3:/var/log/samba$ klist
klist: No credentials cache found (filename: /var/tmp/krb5cc_1000)
dentsulinuxops@vn-7yndkr3:/var/log/samba$ ls -al /tmp
total 235
drwxrwxrwt 20 root root 27 Thg 11 30 19:02 .
drwxr-xr-x 19 root root 25 Thg 11 21 17:41 ..
drwxrwxrwt 2 root root 2 Thg 11 30 18:00 .font-unix
drwxrwxrwt 2 root root 6 Thg 11 30 18:02 .ICE-unix
-rw------- 1 olimaq domain users 3737 Thg 11 30 19:01 krb5cc_170209_7UiwN1
srwxr-xr-x 1 root root 0 Thg 11 30 18:00 nmh_msg_bus.sock
-rw-r--r-- 1 root mdatp 51 Thg 11 30 18:00 .ses
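The cache lookup that the klist output above runs into, as an added example that is not part of the original post: a POSIX shell script that resolves which credential cache a user's klist or PAM session will consult (KRB5CCNAME first, then default_ccache_name from krb5.conf, then the built-in FILE:/tmp/krb5cc_%{uid}), checks whether that cache file exists and is readable only by its owner, and checks the two settings winbind needs for cached (offline) logon. The config fragments it writes are constructed to mirror the post; the uids, temp paths and helper function names are my own assumptions, not anything from the original system.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces offline the lookup
# order MIT Kerberos uses to pick a credential cache (the order klist and the
# PAM modules follow), so you can predict which file a given user will look at:
#   1. $KRB5CCNAME in the environment
#   2. default_ccache_name in [libdefaults] of krb5.conf
#   3. the compiled-in default, FILE:/tmp/krb5cc_%{uid}
# It also checks the two settings winbind needs for offline (cached) logon.
# All paths, uids and config contents below are constructed for the demo.

# resolve_ccache KRB5CONF UID [KRB5CCNAME]
# Prints the effective cache name with %{uid} and %{euid} expanded.
resolve_ccache() {
    local conf uid env_name name
    conf=$1; uid=$2; env_name=${3:-}
    if [ -n "$env_name" ]; then
        name=$env_name
    else
        name=$(awk '
            /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/) }
            insec && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
            }' "$conf")
        [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}'
    fi
    printf '%s\n' "$name" | sed -e "s/%{uid}/$uid/g" -e "s/%{euid}/$uid/g"
}

# ccache_file NAME -> on-disk path of a FILE: or DIR: cache (a bare path is a
# FILE: cache); empty for KEYRING:/MEMORY: caches, which never survive a reboot.
ccache_file() {
    case $1 in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;
        /*)     printf '%s\n' "$1" ;;
        *)      printf '\n' ;;
    esac
}

# ccache_status NAME -> prints "missing", "insecure" (other users could read the
# tickets: a FILE: cache must be 0600, a DIR: cache 0700) or "ok".
ccache_status() {
    local path
    path=$(ccache_file "$1")
    if [ -z "$path" ] || [ ! -e "$path" ]; then
        echo missing; return 1
    fi
    case $(stat -c %a "$path") in
        600|700) echo ok; return 0 ;;
        *)       echo insecure; return 2 ;;
    esac
}

# offline_logon_ready SMBCONF PAM_WINBIND_CONF
# 0 = ready, 1 = smb.conf lacks "winbind offline logon = yes",
# 2 = pam_winbind.conf lacks "cached_login = yes" (a ";"-commented line does not count).
# Offline logon is answered from winbind's own cache of the last successful
# logon, not from the Kerberos ticket cache, whose tickets expire anyway.
offline_logon_ready() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1" || return 1
    grep -Eiq '^[[:space:]]*cached_login[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$2" || return 2
    return 0
}

# write_demo_configs DIR -> constructed config fragments modelled on the post.
write_demo_configs() {
    printf '[libdefaults]\n\tdefault_realm = AP.ECOMM.GLOBAL\n\tdefault_ccache_name = FILE:/var/tmp/krb5cc_%%{uid}\n' > "$1/krb5.conf"
    printf '[libdefaults]\n\tdefault_realm = AP.ECOMM.GLOBAL\n' > "$1/krb5-stock.conf"
    printf '[global]\n\tsecurity = ads\n\twinbind offline logon = yes\n' > "$1/smb-offline.conf"
    printf '[global]\n\tsecurity = ads\n' > "$1/smb-online.conf"
    printf '[global]\ncached_login = yes\nkrb5_auth = yes\n' > "$1/pam_winbind.conf"
}

demo() {
    local d
    d=$(mktemp -d)
    write_demo_configs "$d"
    echo "uid 1000, krb5.conf from the post: $(resolve_ccache "$d/krb5.conf" 1000)"
    echo "uid 1000, stock krb5.conf        : $(resolve_ccache "$d/krb5-stock.conf" 1000)"
    echo "uid 1000, KRB5CCNAME set         : $(resolve_ccache "$d/krb5.conf" 1000 FILE:/run/user/1000/krb5cc)"
    echo "status of a cache that is absent : $(ccache_status "FILE:$d/krb5cc_1000")"
    offline_logon_ready "$d/smb-online.conf" "$d/pam_winbind.conf" || echo "offline logon not ready (rc=$?)"
    offline_logon_ready "$d/smb-offline.conf" "$d/pam_winbind.conf" && echo "offline logon ready"
    rm -rf "$d"
}
demo
```

Run it with `sh script.sh`. With the post's krb5.conf, uid 1000 resolves to FILE:/var/tmp/krb5cc_1000, which is exactly the file the klist output above says is missing, while the cache that does exist in /tmp belongs to uid 170209. Two caveats a practitioner would want here: per pam_winbind(8), options given on the PAM line in common-auth take precedence over the same options in pam_winbind.conf, and pam_krb5's `ccache=` governs only the ticket file pam_krb5 itself writes; and none of those ticket files is what an offline logon uses, which is served from winbind's own credential cache once `winbind offline logon = yes` (smb.conf) and `cached_login = yes` (pam_winbind) are both set.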