我有一个加入 AD 域的 Ubuntu 22.04 服务器。我需要能够使用来自受信任域的凭据登录到它,该受信任域附加到服务器所属的 AD 域。使用受信任的域凭据无法登录。安装了以下软件包:
winbind、krb5 用户、sssd-ad、samba
域是domain1.org 和domain2.local。 domain1.org 是我的服务器加入的域,domain2.local 是受信任的域。
我可以使用 domain1.org 凭据登录,并且以下所有命令都有效:
ping domain1.org
ping domain2.local
id [email protected]
id [email protected]
wbinfo -i [email protected]
wbinfo -i [email protected]
wbinfo -n [email protected]
net cache flush
wbinfo --sid-to-uid <SID returned in the wbinfo -n command>
我无法使用domain2.local 凭据登录此Ubuntu 服务器。我确实有一台 Rocky Linux 服务器,其设置方式与此服务器几乎相同,并且我是能够使用domain2.local凭据登录。
以下是 samba、sssd、nsswitch 和 krb5 配置:
/etc/samba/smb.conf
[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
netbios name = MYTEST
security = ads
server signing = mandatory
client signing = mandatory
client lanman auth = no
min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3
restrict anonymous = 2
os level = 0
preferred master = no
local master = no
domain master = no
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /home/%D/%U
template shell = /bin/bash
map acl inherit = yes
nt acl support = yes
inherit acls = Yes
acl group control = yes
log level = 10
max log size = 10
log file = /var/log/samba/samba.log
winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999
/etc/sssd/conf.d/sssd.conf
[sssd]
config_file_version = 2
domains = DOMAIN1.ORG
reconnection_retries = 3
services = nss, pam, ssh, autofs
[domain/DOMAIN1.ORG]
#debug_level = 9
ad_hostname = mytest.domain1.org
id_provider = ad
auth_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = DOMAIN1.ORG
fallback_homedir = /home/%u/%d
ad_domain = domain1.org
use_fully_qualified_names = False
case_sensitive = False
ad_gpo_ignore_unreadable = True
dyndns_update = true
dyndns_refresh_interval = 43200
ad_update_samba_machine_account_password = True
[nss]
filter_users = root
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
/etc/nsswitch.conf
passwd: files winbind systemd sss
group: files winbind systemd sss
shadow: files sss
gshadow: files
hosts: files resolve dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = DOMAIN1.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
我感谢任何和所有评论和/或帮助。谢谢!
答案1
首先,
apt-get purge sssd
sssd运行和是没有意义的winbind,并且您需要winbind信任。
其次,修复你的smb.conf.这是错误的:
winbind use default domain = yes idmap config * : range = 1100-65534 idmap config * : backend = tdb idmap config * : backend = autorid idmap config * : range = 1000000-999999999
最后两行覆盖上面的两行,并且您不能winbind use default domain = yes与autorididmap 后端一起使用。删除上面的前三行,并提供所需的信任,它应该可以工作。