I'm trying to configure pam with the following requirements:
- You can log in with a local account (root, local users)
- You can log in with an AD account, and if you do, pam mounts the home share
- If AD is unreachable, you can log in with an AD account through cached credentials (ccreds), and if you do, pam does not try to mount the home share
So far I've almost managed to configure pam this way, but when I log in with an AD account while AD is unreachable, pam still tries to mount the home share, which is unreachable as well.
I think I understand how the pam config files work, and I've tested a lot of different things, so if a pam expert is willing to help, I'd be very grateful.
Here are the pam config files:
/etc/pam.d/common-auth
```
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
# auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth optional pam_mount.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
# end of pam-auth-update config
```
/etc/pam.d/common-session
```
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session [success=ok default=1] pam_winbind.so
session [success=done default=ignore] pam_mount.so
session sufficient pam_ccreds.so
# end of pam-auth-update config
```
/etc/pam.d/common-session-noninteractive
```
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session sufficient pam_ccreds.so
```
If you need more information, feel free to ask. Thanks in advance.
Answer 1
I managed to do what I wanted by using the pam_exec.so module to check whether the ActiveDirectory server is reachable. Here are the pam files:
/etc/pam.d/common-auth
```
auth optional pam_exec.so log=/var/tmp/pam.log /bin/echo "-----AUTH------"
auth [success=5 default=ignore] pam_unix.so nullok_secure
auth [success=3 authinfo_unavail=ignore default=1] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=4 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [success=die default=die] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth [success=1 default=die] pam_ccreds.so minimum_uid=1000 action=store
auth [success=4 default=die] pam_exec.so log=/var/tmp/pam.log /bin/echo "successfully log with unix"
# reachability check for the AD server; the jump counts above and below count this as an auth entry
auth [success=ok default=2] pam_exec.so log=/var/tmp/script.log /bin/ping -c 1 ipaddress.to.AD.server
auth optional pam_mount.so
auth [success=1 default=die] pam_exec.so log=/var/tmp/pam.log /bin/echo "successfully log with winbind"
auth [default=die] pam_exec.so log=/var/tmp/pam.log /bin/echo "successfully log with ccreds"
auth required pam_permit.so
```
/etc/pam.d/common-account
```
account optional pam_exec.so log=/var/tmp/pam.log /bin/echo "-----ACCOUNT------"
account [success=ok new_authtok_reqd=done default=1] pam_unix.so
account [success=3] pam_exec.so log=/var/tmp/pam.log /bin/echo "Logged with Unix account"
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account optional pam_exec.so log=/var/tmp/pam.log /bin/echo "Logged with winbind account"
account required pam_permit.so
```
/etc/pam.d/common-session
```
session optional pam_exec.so log=/var/tmp/pam.log /bin/echo "-----SESSION------"
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session [success=ok default=1] pam_unix.so
session [success=ok] pam_exec.so log=/var/tmp/pam.log /bin/echo "unix session started"
session [success=ok default=die] pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=ok default=2] pam_exec.so log=/var/tmp/script.log /bin/ping -c 1 ipaddress.to.AD.server
session optional pam_mount.so
session [success=done] pam_exec.so log=/var/tmp/pam.log /bin/echo "winbind session started + homedir mounted"
session optional pam_exec.so log=/var/tmp/pam.log /bin/echo "ccreds session started"
```
You just need to change the IP address in the auth and session files to make it work. You will have custom login logs from ping and echo in /var/tmp/. I think there are better solutions to this problem than mine, but I didn't find one.
Hope these config files help some people!
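Jump-based stacks like the one in the answer are easy to miscount, so here is an added example (not from the question or the answer) of a small Python simulator that walks a PAM chain with the ok/done/bad/die/ignore/jump rules from pam.conf(5) and reports the verdict together with the modules that actually ran. It assumes that the ping entry in the answer's common-auth is an auth entry (the jump counts only add up that way), that AD_SERVER_IP stands in for the real address, that pam_deny always fails and that any module not listed for a scenario returns success.

```python
import re
KEYWORDS = {"required": "success=ok default=bad", "requisite": "success=ok default=die",
            "sufficient": "success=done default=ignore", "optional": "success=ok default=ignore"}  # pam.conf(5), new_authtok_reqd omitted
def parse_stack(text, stack_type):
    """Entries of one type as (control dict, 'module args'); comments and other types drop out."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(.*\S)", line)
        if m and m.group(1) == stack_type:
            ctrl = KEYWORDS.get(m.group(2)) or m.group(2).strip("[]")
            entries.append((dict(t.split("=", 1) for t in ctrl.split()), m.group(3)))
    return entries
def run_stack(entries, results):
    """Walk the chain like pam_dispatch; results maps a substring of 'module args' to a return code."""
    results, impression, status, trail, i = {"pam_deny": "perm_denied", **results}, None, None, [], 0
    while i < len(entries):
        (control, module), i = entries[i], i + 1
        code = next((v for k, v in results.items() if k in module), "success")  # unlisted: success
        trail.append(module)
        action = control.get(code, control.get("default", "bad"))
        if action in ("ok", "done") and impression != "-" and status in (None, "success"):
            impression, status = "+", code      # first positive result wins
        elif action in ("bad", "die") and impression != "-":
            impression, status = "-", code      # first failure fixes the status
        elif action.isdigit():
            i += int(action)                    # jump: skip N entries, result left untouched
        if action == "die" or (action == "done" and impression == "+"):
            break
    return ("success" if impression == "+" and status == "success" else "fail"), trail
# The answer's common-auth as a constructed sample: log= options dropped, the ping entry typed as
# auth (its jump counts only add up that way), AD_SERVER_IP standing in for the real address.
COMMON_AUTH = """auth [success=5 default=ignore] pam_unix.so nullok_secure
auth [success=3 authinfo_unavail=ignore default=1] pam_winbind.so krb5_auth cached_login try_first_pass
auth [success=4 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [success=die default=die] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth [success=1 default=die] pam_ccreds.so minimum_uid=1000 action=store
auth [success=4 default=die] pam_exec.so /bin/echo "successfully log with unix"
auth [success=ok default=2] pam_exec.so /bin/ping -c 1 AD_SERVER_IP
auth optional pam_mount.so
auth [success=1 default=die] pam_exec.so /bin/echo "successfully log with winbind"
auth [default=die] pam_exec.so /bin/echo "successfully log with ccreds"
auth required pam_permit.so"""
def login_paths():
    # The three cases from the question, keyed by what each module returns in that situation.
    cases = {"local": {"pam_unix": "success"}, "ad": {"pam_unix": "user_unknown", "pam_winbind": "success"},
             "cached": {"pam_unix": "user_unknown", "pam_winbind": "authinfo_unavail",
                        "action=validate": "success", "ping": "auth_err"}}
    return {name: run_stack(parse_stack(COMMON_AUTH, "auth"), res) for name, res in cases.items()}
```

Under these rules the local and online AD paths end in pam_permit with a positive result, while the cached-credentials path skips pam_mount as intended but stops on the "[default=die]" ccreds echo line, which leaves the stack with a failing impression even though every module it ran returned success. A walk-through like this is worth doing before trusting a hand-built stack on a machine you can be locked out of.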