I'm a software engineer with some sysadmin experience, currently trying to set up some Linux infrastructure at a new workplace that has previously only had Windows infrastructure. For political reasons I can't simply integrate with the current Active Directory setup and have to start from scratch. I'm using Debian.
I'm currently trying to set up kerberos, ldap, nfs and nis. I believe I have the servers set up correctly and everything works, as I've tested logging in using kerberos, the nis client has been talking to the server, and I can also mount NFS drives.
Since installing nis on the client, I can't even log in with the root account unless I boot into recovery mode.
I've been trying to fix this for a day and a half and I'm out of ideas.
Here is what I think the problem is, judging by what pam outputs to /var/log/auth.log:
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
systemd-logind[667]: New session c1 of user lightdm.
systemd: PAM (other) illegal module type: passwd:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: group:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: shadow:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: gshadow:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: PAM (other) no module name supplied
systemd: PAM (other) illegal module type: hosts:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_krb5(lightdm:auth): user billy authenticated as billy@PROPACK
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
I'm not really sure why this is. It all started after installing the nis package on the client, but I don't think nis is the problem because it is talking to the server, judging by the output of systemctl status nis:
systemd[1]: Starting LSB: Start NIS client and server daemons....
nis[1348]: Setting NIS domainname to: domain.
nis[1348]: Starting NIS services: ypbind.
systemd[1]: Started LSB: Start NIS client and server daemons..
I've also uninstalled nis (since the nis install was set up to run at boot), and after rebooting the problem persists.
I've checked the dependencies of nis but I can't see why they would cause this to happen. I believe pam is parsing my /etc/nsswitch.conf file, which you can see below if needed.
passwd: compat files systemd nis
group: compat files systemd nis
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you need any other information to help debug this, let me know.
EDIT:
/etc/pam.d/other contents:
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We fall back to the system default in /etc/pam.d/common-*
#
@include common-auth
@include common-account
@include common-password
@include common-session
/etc/pam.d/lightdm contents:
#%PAM-1.0
# Block login if they are globally disabled
auth requisite pam_nologin.so
# Load environment from /etc/environment and ~/.pam_environment
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
-auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
-session optional pam_gnome_keyring.so auto_start
@include common-password
/etc/pam.d/common-session as requested:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
session optional pam_systemd.so
# end of pam-auth-update config
passwd: compat systemd nis
group: compat systemd nis
shadow: compat nis
gshadow: files
hosts: files dns nis
UPDATE: I have switched to sssd as @Michael Ströder suggested, but it hasn't changed anything.
Answer 1
At the end of your /etc/pam.d/common-session there seems to be a (partial?) copy of /etc/nsswitch.conf:
# end of pam-auth-update config
passwd: compat systemd nis <--
group: compat systemd nis <-- These lines definitely
shadow: compat nis <-- don't belong here!
gshadow: files <--
<--
hosts: files dns nis <--
This may be a simple copy/paste accident, or a mistake in the documentation you have been following.
pam-auth-update, the tool Debian uses to update the PAM configuration when packages are installed/removed, uses templates located in /usr/share/pam-configs, but since the erroneous lines are after the # end of pam-auth-update config comment line, I'd bet on a manual editing mistake.
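To show why those lines produce exactly the auth.log messages quoted in the question, here is a small linter (an added example, not code from the question or either answer) that mimics the per-line checks Linux-PAM's pam_parse performs on a pam.d file: first token must be a module type, second a control flag, third a module name. Run over a constructed copy of the tail of common-session, it flags the pasted nsswitch.conf lines; the "no control flag supplied" wording is assumed, the other messages are the ones seen in the question.

```python
"""Mimic the first-token checks pam_parse makes on each pam.d line.

Added example (not from the question or the answers); the messages are
modelled on what the asker saw in auth.log. Purpose: spot nsswitch.conf
style lines pasted into /etc/pam.d/* before they break every login.
"""

PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional",
                "include", "substack"}


def parse_pam_line(line, service="other"):
    """Return the diagnostics PAM would log for one line ([] if clean)."""
    tokens = line.split()
    msgs = []
    if not tokens or tokens[0].startswith(("#", "@")):
        return msgs                      # blank, comment or @include: silent
    mtype, rest = tokens[0], tokens[1:]
    if mtype.lstrip("-") not in PAM_TYPES:      # '-' prefix is legal
        msgs.append(f"PAM ({service}) illegal module type: {mtype}")
    if not rest:
        return msgs + [f"PAM ({service}) no control flag supplied"]  # wording assumed
    control = rest.pop(0)
    if control.startswith("["):          # bracketed control runs up to ']'
        while rest and not control.endswith("]"):
            control += " " + rest.pop(0)
    elif control not in PAM_CONTROLS:
        msgs.append(f"PAM pam_parse: expecting return value; [...{control}]")
    if not rest:                         # e.g. "gshadow: files" has only 2 tokens
        msgs.append(f"PAM ({service}) no module name supplied")
    return msgs


def lint_pam_file(text, service="other"):
    """Map 1-based line number -> diagnostics for every offending line."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        msgs = parse_pam_line(line, service)
        if msgs:
            report[number] = msgs
    return report


# Constructed sample: tail of the asker's common-session with the pasted lines.
SAMPLE = """\
session optional pam_systemd.so
# end of pam-auth-update config
passwd: compat systemd nis
gshadow: files
hosts: files dns nis
"""
```

Running lint_pam_file over a real file (e.g. open("/etc/pam.d/common-session").read()) gives the same three message patterns, which is a quick way to confirm a login outage is a config paste rather than an NSS or Kerberos fault.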
Answer 2
Probably not the answer you expect: don't use NIS!
Honestly, NIS is a security nightmare. Your company's security people will blame you for installing a new NIS today.
Since you already have an LDAP server, just use it to deliver the NSS map data to the Linux machines. You need client software that provides local PAM and NSS integration based on the data from the LDAP server.
There are two general NSS/PAM client daemons, both with decent documentation: