Debian 6.0 AD 集成

Debian 6.0 AD 集成

尽管已经有很多关于此的问题,例如Windows AD 域上的 Linux我想知道如何将 Debian 6.0 Squeeze 与 AD 集成使用开源或其他免费商业用途工具

编辑只有通过 apt 提供其(安全)更新的工具才是可以接受的。

到目前为止,我已经能够获得实际用户验证通过 kerberos 工作,例如日志显示用户名/密码检查成功,但用户无法登录,请参阅下面的日志摘录;

编辑:使用 pam debug 更新日志:

May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: entry (0x0)
May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): (user test.linux) attempting authentication as [email protected]
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as [email protected]
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: entry (0x0)
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): (user test.linux) retrieving principal from cache
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: entry (0x0)
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: exit (failure)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
May 12 10:06:36 debian-6-master login[10601]: User not known to the underlying authentication module
May 12 10:06:36 debian-6-master login[10601]: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=

我的ldap.conf样子是这样的:

base dc=ad,dc=domain
uri ldap://10.10.10.10
ldap_version 3
binddn [email protected]
bindpw password
scope sub
pam_password ad
nss_base_passwd dc=ad,dc=domain?sub
nss_base_shadow dc=ad,dc=domain?sub
nss_base_group dc=ad,dc=domain?sub? &(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_sasl_mech DIGEST-MD5

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis ldap

passwd_compat: files ldap
group_compat: files ldap
shadow_compat: files ldap

全部/etc/pam.d由 创建pam-auth-update,选择了三种(Kerberos、Unix 和 LDAP)身份验证方法。

我可以从数据包捕获中确认 LDAP 搜索结果为正确的用户信息,与下面显示的手动结果相同ldapsearch

dn: CN=Linux\, test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,OU=_Managed Are
 as,DC=ad,DC=domain
objectClass: top
objectClass: person
objectClass: domainanizationalPerson
objectClass: user
cn: Linux, test
sn: Linux
givenName: test
distinguishedName: CN=Linux\, test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,
 OU=_Managed Areas,DC=ad,DC=domain
instanceType: 4
whenCreated: 20110407131914.0Z
whenChanged: 20110511125854.0Z
displayName: Linux, test
uSNCreated: 4144737
uSNChanged: 4638378
name: Linux, test
objectGUID:: wwZt/MX/K0S36BL4bS2w+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129489044965699903
lastLogoff: 0
lastLogon: 129495915807176914
pwdLastSet: 129466559550934238
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAzXxBZqg31mUH5TsrkisAAA==
accountExpires: 9223372036854775807
logonCount: 35
sAMAccountName: test.linux
sAMAccountType: 805306368
userPrincipalName: [email protected]
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=domain
dSCorePropagationData: 20110407131916.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129488989872488561
uid: test.linux
msSFU30Name: test.linux
msSFU30NisDomain: ad
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/test.linux
loginShell: /bin/sh

# refldap://DomainDnsZones.ad.domain/DC=DomainDnsZones,DC=ad,DC=domain

# refldap://ForestDnsZones.ad.domain/DC=ForestDnsZones,DC=ad,DC=domain

# refldap://ad.domain/CN=Configuration,DC=ad,DC=domain

# pagedresultscookie=
  1. 使用正确的用户名和密码,我会收到 MOTD 和一条消息User not known to the underlying authentication module
  2. 使用错误的用户名我得到Login incorrect
  3. 用户名正确但密码错误,我会被SASL/DIGEST-MD5 authentication started跟踪Login incorrect

AD 运行的是 Windows 2k8(r2) 服务器,所有 debian 包都是从 apt 获得的。

欢迎任何想法。

编辑2:按照下面的建议,我尝试了sssd类似的结果,现在询问密码两次,并且日志显示:

May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux
May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): received for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:14 debian-6-master login[11389]: pam_krb5(login:auth): user test.linux authenticated as [email protected]
May 12 14:53:14 debian-6-master login[11389]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 14:53:15 debian-6-master login[11389]: pam_sss(login:account): Access denied for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
May 12 14:53:15 debian-6-master login[11389]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
May 12 14:53:15 debian-6-master login[11389]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
May 12 14:53:15 debian-6-master login[11389]: User not known to the underlying authentication module

编辑3

如果我sssd在前台运行并将调试级别设置为 5,则日志显示:

(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [test.linux] from [<ALL>]
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): domain: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): user: test.linux
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): service: login
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): tty: /dev/tty3
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok size: 8
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): priv: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): cli_pid: 12507
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): pam_reply get called.
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): blen: 8
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [test.linux] from [<ALL>]
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!

答案1

我建议使用 sssd。这是 Debian squeeze 中的一个标准包,它让生活变得轻松很多更简单。当您安装 sssd 时,它会询问您应该使用哪种身份验证方法。在那里做出选择,nsswitch.conf 和 pam.d 脚本将自动更新。您需要掌握一些有关 AD 域的详细信息,但无论如何您都应该知道它们(例如,使用哪个 DC 以及 kerberos 域名是什么等)。

相信我,我对此进行过大量研究(本网站上就此问题提出的一些问题也来自我),而 sssd 就是答案。它甚至在笔记本电脑上也能很好地工作,因为凭据会被缓存,而且您可以确定缓存的特性。

以下是我们的 sssd.conf 文件,其中包含一些注释:

# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = your.domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 8

[pam]
reconnection_retries = 3
debug_level = 8

[domain/<your.domain>]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
#entry_cache_timeout = 60

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap

ldap_uri = ldap://you.domain.controller
ldap_search_base = CN=Users,DC=your,DC=domain
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=your,dc=domain
ldap_default_authtok_type = password
ldap_default_authtok = <password for LDAPsearch>
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory

krb5_kdcip = your.domain.controller
krb5_realm = <kerberos realm name>
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15

这是基于使用 Windows Server 2008 中的 UNIX 服务(现在是它的一个组成部分,曾经是 2k3 及更早版本中的插件)。

与其他 LDAP 系统不同,AD 需要经过身份验证的会话才能检索任何数据。我们创建了一个名为 LDAPsearch 的特殊用户来促进这一点,但实际的域用户也可能做到这一点。

配置用户时,您必须设置他们的 UNIX 服务详细信息(主目录、用户 ID 和主要组成员身份),但这非常简单。

显然,您可以使用不同的搜索基础,还可以添加过滤器以确保用户是特定组的成员等。只需阅读 sssd 的手册页。

答案2

看一眼同样开放。无需费心打乱,尽管拥有模拟的 Windows 注册表对我来说并不是一件好事。但是,较新的版本已经变得相当稳定,值得一看。

答案3

Likewise 很流行,但我一直在使用集中快递最近我在我的工作实验室里安装了所有的 Linux 机器,效果非常好。它自带 SAMBA 版本,安装起来很简单,就像安装 RPM 一样(不过一定要阅读 PDF)。

答案4

SSSD 可能是答案,尽管我还没有用过,所以我不知道。我使用的是 samba3x 的 winbind,效果相当好。至少对我来说,直接配置 kerberos 和 ldap 的问题在于,您必须为所有现有用户填充 UID/GID 和主目录,并在 AD/LDAP 中维护两个数据世界,这似乎不是很好的时间利用方式。winbind 将公开本机 AD 组,在 kerberos 中重新键入其机器帐户等。唯一的缺点是,它坚持使用 15 个字符或更少的主机名来维护某种奇怪的 netbios 兼容性,我不再确信这种兼容性实际上存在或对 Windows 内部的任何东西都重要,而且守护进程偶尔会被卡住并需要重新启动,这需要有效的 OOB 访问。结合 pam_mkhomedir 和 pam_access,这样帐户的主目录就会自动填充,您可以根据需要限制谁有权访问哪些主机。请注意,虽然带有空格的用户名和组在很多地方都能正常工作,但它们会破坏某些工具,例如 pam_access access.conf 无法与带有空格的组一起使用。

相关内容