I want to join an Ubuntu 16.04 machine to a domain. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265.
I get this error in /var/log/syslog:
Restricted login list - couldn't resolve srv\DomainUsers [40071]
Here are a few errors from /var/log/auth:
Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure
/opt/pbis/bin/config --dump:
root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
root@srv3:~# /opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime: 0 days 0 hours 14 minutes 5 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: SRV.LOCAL
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Forest: srv.local
Site: Default-First-Site-Name
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: SRV]
DNS Domain: srv.local
Netbios name: SRV
Forest name: srv.local
Trustee DNS name:
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: dc1.srv.local
DC Address: 192.168.253.200
DC Site: Default-First-Site-Name
DC Flags: [0x0000f1fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: dc1.srv.local
GC Address: 192.168.253.200
GC Site: Default-First-Site-Name
GC Flags: [0x0000f1fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
/opt/pbis/share/pbis.pam-auth-update:
Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
optional pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so
/etc/pam.d/common-account:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pbis/pbis-krb5-ad.conf:
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
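The auth log in the question reports "PAM (login) illegal module type: sessions". That matches the line "sessions [success=ok default=ignore] pam_lsass.so" in the common-session file above: Linux-PAM only accepts auth, account, session and password as the type field, rejects the whole line otherwise, and so never calls the pam_lsass.so session module (the generated "session optional pam_lsass.so" line is commented out). The following is an added check, not code from the question and not part of PBIS or Ubuntu, that finds such lines in a PAM control file; the file it runs on is a constructed sample taken from the common-session contents above.

```shell
#!/bin/sh
# Added check for the PAM files posted above. It is not code from the question
# and not part of PBIS or Ubuntu. Linux-PAM accepts only four module types in
# the first field of a control file: auth, account, session, password (each may
# be prefixed with "-"). Any other word makes PAM log
# "illegal module type: <word>" and skip that line, so the module it names
# silently never runs.

# pam_lint FILE: print "line N: <entry>" for each entry with an unknown type.
# Returns 0 when the file is clean, 1 when at least one entry would be skipped.
pam_lint() {
    awk '
        # An entry ending in a backslash continues on the next line; the
        # continuation carries no type field of its own, so do not check it.
        cont { cont = ($0 ~ /\\$/); next }
        /^[ \t]*#/ { next }                  # comment
        NF == 0 { next }                     # blank line
        {
            cont = ($0 ~ /\\$/)
            type = $1
            sub(/^-/, "", type)              # "-session": silent if module missing
            if (type != "auth" && type != "account" && type != "session" &&
                type != "password" && type != "@include") {
                printf "line %d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the session entries of the common-session file from the
# question, including the mistyped "sessions" line.
PAM_SAMPLE=$(mktemp)
cat >"$PAM_SAMPLE" <<'EOF'
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF

pam_lint "$PAM_SAMPLE" || echo "PAM skips the line(s) above; pam_lsass.so never runs for session"
```

Run it against the real files with pam_lint /etc/pam.d/common-session and the other common-* files; any line it prints is one PAM is already ignoring, which is exactly what the two "illegal module type" entries in the log mean.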
Answer 1
Restricted login list - couldn't resolve srv\DomainUsers [40071]
You should check that the name of the Domain Users group in the setting matches the way PBIS sees it. To do that, run the following command:
/opt/pbis/bin/enum-groups | grep -i Domain
Find the group name that is displayed for your Domain Users, and put it into the configuration in the same form.
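As an added example for the answer above (not PBIS code and not part of the original answer): a shell function that does the comparison the answer describes against the output of /opt/pbis/bin/enum-groups, folding case and the "^" that PBIS substitutes for spaces (SpaceReplacement "^" in the config dump), and prints the name exactly as PBIS displays it together with the group SID. It assumes enum-groups prints a "Name:" line followed by a "SID:" line for each group; the listing it runs on is constructed, not captured from the host in the question. The point worth keeping in mind is that RequireMembershipOf is an allow-list, and the log shows the failure mode when the name does not resolve (error 40071, then every domain user denied with 40158), so a wrong spelling here fails closed for the whole domain.

```shell
#!/bin/sh
# Added example for the answer above; it is not PBIS code. It searches the
# text that /opt/pbis/bin/enum-groups prints for the group you mean, comparing
# names case-insensitively and ignoring spaces and the "^" that PBIS
# substitutes for them (SpaceReplacement "^" in the config dump above), then
# prints the name exactly as PBIS shows it, plus the group SID.
# Assumption: enum-groups prints a "Name:" line followed by a "SID:" line for
# each group, as in the constructed sample below.

# find_group ENUM_OUTPUT_FILE WANTED_NAME
# Prints "<name as PBIS displays it> <SID>" and returns 0, or returns 1 if no
# group matches. WANTED_NAME is passed through the environment so that awk
# does not interpret the backslash in "srv\DomainUsers" as an escape.
find_group() {
    WANT="$2" awk '
        # Fold case and drop spaces and "^" so "srv\DomainUsers",
        # "SRV\Domain Users" and "SRV\domain^users" compare equal.
        function norm(s) { s = tolower(s); gsub(/[ ^]/, "", s); return s }
        $1 == "Name:" { name = $2 }
        $1 == "SID:" && norm(name) == norm(ENVIRON["WANT"]) {
            print name, $2
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample in the shape of enum-groups output (Gid values are made
# up; the domain SID is the one shown by get-status above, 513 is the
# well-known RID of Domain Users and 512 that of Domain Admins).
ENUM_SAMPLE=$(mktemp)
cat >"$ENUM_SAMPLE" <<'EOF'
Group info (Level-0):
====================
Name:     SRV\domain^users
Gid:      1345061377
SID:      S-1-5-21-2727847642-148432537-1030246457-513

Group info (Level-0):
====================
Name:     SRV\domain^admins
Gid:      1345061376
SID:      S-1-5-21-2727847642-148432537-1030246457-512
EOF

# The value in the dump, "srv\\DomainUsers", is how config --dump escapes one
# backslash (compare DomainSeparator "\\"); this prints the form PBIS uses.
find_group "$ENUM_SAMPLE" 'srv\DomainUsers' ||
    echo "no such group; RequireMembershipOf would deny every domain user"
```

On the host itself, save the real listing with /opt/pbis/bin/enum-groups > /tmp/groups.txt, run find_group against that file, and set the printed name with /opt/pbis/bin/config RequireMembershipOf followed by the name in single quotes so the shell keeps the backslash. Checking that the printed SID ends in -513 confirms you matched the built-in Domain Users group rather than a similarly named one.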