六个月来,我们一直在使用 PowerBroker Identity Services Open 成功验证来自 ubuntu 主机的活动目录用户。
最近,在用户同时执行 200 多个程序包后,AD 身份验证在多个工作站上停止工作apt-get upgrade。身份验证尝试给出错误,“密码无效”、“用户帐户已过期”或“您的帐户是否被锁定?”
我无法将问题与特定的软件包升级联系起来,但使用相同软件包版本从头构建的工作站不会遇到此问题。我尝试重新安装 PBIS 并验证了所有配置文件,但我遗漏了一些东西......我很困惑,希望得到任何人的建议。下次发生这种情况时,我宁愿不必重建另一个盒子!
身份验证尝试
我首先确认 AD 用户帐户已启用、未被锁定且未过期。本地用户身份验证通过 lightdm 和 ssh 正常工作。
光调制
- 有效凭证
- 返回给用户的错误“密码无效,请重试。”
- auth.log:无
- 系统日志:无
密码错误
- 返回给用户的错误“密码无效,请重试。”
身份验证日志:
lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:username][error code:40022]系统日志:
lsass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed) lsass: [lsass] Failed to authenticate user (name = 'username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 17768
- 有效凭证
远程控制
有效凭证
- ssh 断开连接并显示“连接由 IP_ADDRESS 关闭。”
身份验证日志:
sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME sshd[18237]: error: Received disconnect from IP_ADDRESS: 13: Unable to authenticate [preauth]- 系统日志:无
密码错误
- ssh 断开连接并显示“连接由 IP_ADDRESS 关闭。”
身份验证日志:
sshd[18276]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain\username][error code:40022] sshd[18272]: error: PAM: Authentication failure for domain\\username from hostname系统日志
lsass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed) lsass: [lsass] Failed to authenticate user (name = 'domain\username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 18276
只是尝试一些疯狂的本地东西(不,帐户没有被锁定在 AD 中)
root@hostname:~# su - domain\\username su: Authentication failure (Ignored) reenter password for pam_mount: DOMAIN\username@hostname:~$ sudo cat /etc/fstab [sudo] password for DOMAIN\username: sudo: account validation failure, is your account locked? DOMAIN\username@hostname:~$
配置
- Ubuntu 14.04
- PBIS Open 8.0.1.2029(pbis-open-8.0.1.2029.linux.x86_64.deb.sh)
/opt/pbis/bin/config --dump
AllowDeleteTo "" AllowReadTo "" AllowWriteTo "" MaxDiskUsage 104857600 MaxEventLifespan 90 MaxNumEvents 100000 DomainSeparator "\\" SpaceReplacement "^" EnableEventlog false Providers "ActiveDirectory" DisplayMotd false PAMLogLevel "error" UserNotAllowedError "Access denied" AssumeDefaultDomain true CreateHomeDir true CreateK5Login true SyncSystemTime true TrimUserMembership true LdapSignAndSeal false LogADNetworkConnectionEvents true NssEnumerationEnabled true NssGroupMembersQueryCacheOnly true NssUserMembershipQueryCacheOnly false RefreshUserCredentials true CacheEntryExpiry 14400 DomainManagerCheckDomainOnlineInterval 300 DomainManagerUnknownDomainCacheTimeout 3600 MachinePasswordLifespan 2592000 MemoryCacheSizeCap 0 HomeDirPrefix "/home" HomeDirTemplate "%H/%D/%U" RemoteHomeDirTemplate "" HomeDirUmask "022" LoginShellTemplate "/bin/bash" SkeletonDirs "/etc/skel" UserDomainPrefix "DOMAIN.COM" DomainManagerIgnoreAllTrusts false DomainManagerIncludeTrustsList DomainManagerExcludeTrustsList RequireMembershipOf "DOMAIN\\DOMAIN-GROUP" Local_AcceptNTLMv1 true Local_HomeDirTemplate "%H/local/%D/%U" Local_HomeDirUmask "022" Local_LoginShellTemplate "/bin/sh" Local_SkeletonDirs "/etc/skel" UserMonitorCheckInterval 1800 LsassAutostart true EventlogAutostart true/opt/pbis/bin/获取状态
LSA Server Status: Compiled daemon version: 8.0.1.2029 Packaged product version: 8.0.2029.67662 Uptime: 1 days 1 hours 4 minutes 26 seconds [Authentication provider: lsa-activedirectory-provider] Status: Online Mode: Un-provisioned Domain: DOMAIN.COM Domain SID: S-1-5-21-3537566271-1428921453-776812789 Forest: domain.com Site: NYC Online check interval: 300 seconds [Trusted Domains: 1] [Domain: DOMAIN] DNS Domain: domain.com Netbios name: DOMAIN Forest name: domain.com Trustee DNS name: Client site name: NYC Domain SID: S-1-5-21-3537566271-1428921453-776812789 Domain GUID: 0b6b6d88-ea48-314a-8bad-a997a57bc1f4 Trust Flags: [0x001d] [0x0001 - In forest] [0x0004 - Tree root] [0x0008 - Primary] [0x0010 - Native] Trust type: Up Level Trust Attributes: [0x0000] Trust Direction: Primary Domain Trust Mode: In my forest Trust (MFT) Domain flags: [0x0001] [0x0001 - Primary] [Domain Controller (DC) Information] DC Name: dc2.nyc.domain.com DC Address: 10.x.x.50 DC Site: NYC DC Flags: [0x0000f1fc] DC Is PDC: no DC is time server: yes DC has writeable DS: yes DC is Global Catalog: yes DC is running KDC: yes [Global Catalog (GC) Information] GC Name: dc1.nyc.domain.com GC Address: 10.x.x.50 GC Site: NYC GC Flags: [0x0000f3fd] GC Is PDC: yes GC is time server: yes GC has writeable DS: yes GC is running KDC: yes/opt/pbis/bin/find-objects --user 用户名
User object [1 of 1] (S-1-5-21-3537566271-1428921453-776812789-1107) ============ Enabled: yes Distinguished name: CN=USERNAME,OU=User,OU=User Accounts,DC=domain,DC=com SAM account name: username NetBIOS domain name: DOMAIN UPN: [email protected] Display Name: First Last Alias: <null> UNIX name: DOMAIN\username GECOS: First LAst Shell: /bin/bash Home directory: /home/DOMAIN/username Windows home directory: \\domain.com\dfs\NYC\Users\username Local windows home directory: UID: 1023411283 Primary group SID: S-1-5-21-3537566271-1428921453-776812789-513 Primary GID: 1023410689 Password expired: no Password never expires: yes Change password on next logon: no User can change password: yes Account disabled: no Account expired: no Account locked: no/etc/pbis/pbis-krb5-ad.conf
[libdefaults] default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC dns_lookup_kdc = true pkinit_kdc_hostname = <DNS> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> pkinit_eku_checking = kpServerAuth pkinit_win2k_require_binding = false pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so/etc/pam.d/common-session
session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session required pam_unix.so session optional pam_mount.so session [success=ok default=ignore] pam_lsass.so session optional pam_systemd.so/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_lsass.so try_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_cap.so auth optional pam_mount.so/opt/pbis/share/pbis.pam-auth-update
Name: Likewise Default: yes Priority: 250 Conflicts: winbind Auth-Type: Primary Auth: [success=end default=ignore] pam_lsass.so try_first_pass Auth-Initial: [success=end default=ignore] pam_lsass.so Account-Type: Primary Account: [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok [success=end new_authtok_reqd=done default=ignore] pam_lsass.so Session-Type: Additional Session: sufficient pam_lsass.so Password-Type: Primary Password: [success=end default=ignore] pam_lsass.so use_authtok try_first_pass Password-Initial: [success=end default=ignore] pam_lsass.so/usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
[SeatDefaults] user-session=ubuntu greeter-show-manual-login=true/usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
[SeatDefaults] allow-guest=false greeter-show-remote-login=false greeter-show-manual-login=true greeter-session=unity-greeter
答案1
关键的一行是这样的:
sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME
这表明 PAM 模块认为帐户已过期。我不太关注auth/,session而更关注account,这是专注于与身份验证无关的帐户属性的工具。您的首要任务是确定导致问题的模块。一旦您知道了这一点,识别应该会容易得多为什么该模块认为应该阻止该用户。
account逐一检查适用的模块,并尝试将debug标志添加到各个条目以扩展日志输出(如果您需要更多提示)。如果真的被难住了,并且不会违反关键环境的安全性,您也可以尝试逐行注释,account直到找到罪魁祸首。
至于发生了什么变化,很可能您的 PAM 配置在安装这些软件包时被修改了。很可能有问题的用户一直处于这种状态,但与行为不当的模块相关的数据库account被绕过了。(跳过、注释、根本不存在等)
答案2
仅供参考:domainjoin-cli configure --enable pam升级后也会重新添加这些行。PBIS Open 8.x 及更高版本正确提供了配置,/usr/share/pam-configs/pbis因此将来不会再发生这种情况。
此外,PBIS 将更具体的错误记录到 syslog 的守护进程工具中,因此您可以在 ubuntu 中/var/log/syslog而不是中查看它们/var/log/secure。
答案3
再次感谢@Andrew B 帮助我找到解决方案。
作为记录,这里是正确的 /etc/pam.d/common-account 配置的副本,它修复了我的问题(无法正常工作的系统中缺少两个 pam_lsass.so 行):
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=1 new_authtok_reqd=done default=ignore] pam_lsass.so
account requisite pam_deny.so
account required pam_permit.so
答案4
我在最近的 ubuntu 22.04 与 windows 的双启动设置中遇到了类似的问题 - 一开始一切似乎都正确并且正常工作,但后来我总是得到
ERROR: The password is incorrect for the given account
但事实并非如此。ubuntu 的 GUI 也正确显示了 AD 用户的名称,但我无法登录。不过 Windows 确实运行良好。
问题是我将 Windows 安装和 Ubuntu 安装命名为相同的名称,就像laptop-home两者一样。我laptop-home从活动目录中删除了该对象,并将 Linux 安装重命名为laptop-linux-home(编辑/etc/hosts并/etc/hostname重新启动),然后再次加入这两个安装,现在两者都按预期工作。我现在在 AD 中也有 2 个对象。