Why does PAM break after installing nis?

I am a software engineer with some sysadmin experience, currently trying to set up some Linux infrastructure at a new workplace that previously had only Windows infrastructure. For political reasons I cannot simply integrate with the current Active Directory setup and have to start from scratch. I am using Debian.

I am currently trying to set up Kerberos, LDAP, NFS and NIS. I believe I have set up the server correctly and everything works, since I have tested logging in with Kerberos, the NIS client has been communicating with the server, and I can also mount the NFS drives.

Since installing nis on the client I cannot even log in with the root account unless I boot into recovery mode.

I have been trying to solve this for a day and a half and I am out of ideas.

This is what I think the problem is, because PAM outputs this to /var/log/auth.log:

lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
systemd-logind[667]: New session c1 of user lightdm.
systemd: PAM (other) illegal module type: passwd:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: group:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: shadow:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: gshadow:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: PAM (other) no module name supplied
systemd: PAM (other) illegal module type: hosts:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_krb5(lightdm:auth): user billy authenticated as billy@PROPACK
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]

I do not really understand why this is. It all started after installing the nis package on the client, but I do not think nis is the problem, since it is communicating with the server, judging by the output of systemctl status nis:

systemd[1]: Starting LSB: Start NIS client and server daemons....
nis[1348]: Setting NIS domainname to: domain.
nis[1348]: Starting NIS services: ypbind.
systemd[1]: Started LSB: Start NIS client and server daemons..

I also uninstalled nis (since nis is started at boot), and the problem persists after a reboot.

I checked the dependencies of nis, but I do not understand why they would cause this. I believe PAM is parsing my /etc/nsswitch.conf file, which you can see below if needed.

passwd:         compat files systemd nis
group:          compat files systemd nis
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Let me know if you need any other information to help debug this.

Edit:

Contents of /etc/pam.d/other:

#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron  specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used.  If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
# 

@include common-auth
@include common-account
@include common-password
@include common-session

Contents of /etc/pam.d/lightdm:

#%PAM-1.0

# Block login if they are globally disabled
auth      requisite pam_nologin.so

# Load environment from /etc/environment and ~/.pam_environment
session      required pam_env.so readenv=1
session      required pam_env.so readenv=1 envfile=/etc/default/locale

@include common-auth

-auth  optional pam_gnome_keyring.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session  required        pam_limits.so
session  required        pam_loginuid.so
@include common-session

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

-session optional        pam_gnome_keyring.so auto_start

@include common-password

/etc/pam.d/common-session, as requested:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional            pam_krb5.so minimum_uid=1000
session required    pam_unix.so 
session optional            pam_sss.so 
session optional            pam_ldap.so 
session optional    pam_systemd.so 
# end of pam-auth-update config

passwd:         compat systemd nis
group:          compat systemd nis
shadow:         compat nis
gshadow:        files

hosts:          files dns nis

Update: I have switched to sssd as suggested by @Michael Ströder, but that has not changed anything.

Answer 1

At the end of your /etc/pam.d/common-session there seems to be a (partial?) copy of /etc/nsswitch.conf:

# end of pam-auth-update config

passwd:         compat systemd nis  <--
group:          compat systemd nis  <-- These lines definitely
shadow:         compat nis          <-- don't belong here!
gshadow:        files               <--
                                    <--
hosts:          files dns nis       <--

This could be a simple copy/paste accident, or an error in the documentation you have been following.

pam-auth-update, the tool Debian uses to update the PAM configuration when packages are installed/removed, uses templates located in /usr/share/pam-configs, but since the erroneous lines are after the # end of pam-auth-update config comment line, I would bet on a manual editing error.
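The diagnosis above can be checked mechanically. The following is an added example, not code from the original post or from Linux-PAM: a small linter that re-implements, in simplified form, the checks libpam runs when it reads a /etc/pam.d/<service> file (module type, control field, module name) and emits the same three messages that appear in the question's auth.log. It treats Debian's @include directive as valid and assumes the standard control keywords plus the [value=action ...] bracket syntax; the SAMPLE text is constructed from the tail of the posted common-session.

```python
"""Lint PAM service files for lines that libpam will reject.

Added example (not part of the original question or of Linux-PAM).
It approximates libpam's parser: for every non-comment line it checks
the module type, the control field and the module name, reporting the
same messages seen in the question's auth.log.  Stray nsswitch.conf
entries such as "passwd: compat nis" therefore show up immediately.
"""
import re
import sys
from typing import Iterator, List, Tuple

MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_KEYWORDS = {"required", "requisite", "sufficient", "optional",
                    "include", "substack"}
# One "value=action" pair inside [...]: action is a keyword or a jump count.
ACTION_RE = re.compile(r"[a-z_0-9]+=(ok|done|bad|die|ignore|reset|\d+)")

# Constructed sample: the tail of the posted common-session, with the
# nsswitch.conf lines that were pasted after the pam-auth-update block.
SAMPLE = """\
# end of pam-auth-update config
session optional    pam_systemd.so

passwd:         compat systemd nis
gshadow:        files
"""


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, line) with backslash continuations joined."""
    buf: List[str] = []
    start = None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:
        yield start, "".join(buf)


def _split_fields(line: str) -> List[str]:
    """Split on whitespace but keep a [bracketed control] as one field."""
    return re.findall(r"\[[^\]]*\]|\S+", line)


def lint_pam_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, message) for every problem, in libpam's order."""
    problems: List[Tuple[int, str]] = []
    for n, line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = _split_fields(stripped)
        head = fields[0]
        if head == "@include":  # Debian's include directive
            if len(fields) < 2:
                problems.append((n, "@include without a file name"))
            continue
        # A leading '-' silences "module not found" but is otherwise ignored.
        mtype = head[1:] if head.startswith("-") else head
        if mtype.lower() not in MODULE_TYPES:
            problems.append((n, f"illegal module type: {head}"))
        if len(fields) < 2:
            problems.append((n, "no control flag supplied"))
            continue
        control = fields[1]
        if control.lower() not in CONTROL_KEYWORDS:
            inner = control[1:-1] if control.startswith("[") else control
            if not all(ACTION_RE.fullmatch(t) for t in inner.split()):
                problems.append((n, f"expecting return value; [...{inner}]"))
        if len(fields) < 3:
            problems.append((n, "no module name supplied"))
    return problems


def lint_files(paths: List[str]) -> int:
    """Print problems for each file; return 1 if any file would fail to parse."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for n, msg in lint_pam_text(fh.read()):
                print(f"{path}:{n}: {msg}")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(lint_files(sys.argv[1:]))  # e.g. /etc/pam.d/*
    for n, msg in lint_pam_text(SAMPLE):
        print(f"<sample>:{n}: {msg}")
```

Run it as `python3 pamlint.py /etc/pam.d/*` (the script name is an assumption) on the affected client; every line it reports after "# end of pam-auth-update config" is a candidate for the copy/paste accident. Note how a two-field line such as "gshadow: files" produces all three messages while "passwd: compat systemd nis" produces only two, exactly the pattern in the posted log.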

Answer 2

Probably not the answer you expect: do not use NIS!

Honestly, NIS is a security nightmare. Your company's security people would blame you for installing a new NIS today.

Since you already have an LDAP server, just use it to deliver the NSS map data to the Linux machines. You need client software that provides local PAM and NSS integration based on the data from the LDAP server.

There are two general-purpose NSS/PAM client daemons, both with decent documentation:
