Login/permission problems after installing the Kerberos client


After setting up a Kerberos server (on a separate machine) and installing the Kerberos client on Ubuntu 16.04 desktops (and a laptop), I am running into authentication and permission problems that I think are caused by the PAM configuration. I have no AD or LDAP.

Ubuntu Kerberos client installation:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
sudo dpkg-reconfigure krb5-config
sudo auth-client-config -a -p kerberos_example

/etc/auth_client_config/profile.d/acc-default

pam_auth=auth  [authinfo_unavail=ignore success=1 default=2]  pam_krb5.so use_first_pass ignore_root debug
    auth     [success=done default=ignore]   pam_unix.so nullok_secure debug
    auth     [default=done]  pam_ccreds.so action=validate use_first_pass
    auth     [default=done]  pam_ccreds.so action=store
    auth     [default=bad]   pam_ccreds.so action=update
pam_account=account sufficient  pam_krb5.so debug
    account  sufficient      pam_unix.so debug
    account  required        pam_permit.so
pam_password=password sufficient  pam_unix.so nullok obscure min=4 max=8 md5 debug
    password sufficient      pam_krb5.so debug try_first_pass
    password required        pam_deny.so
pam_session=session required pam_mkhomedir.so umask=0022 skel=/etc/skel
    session  optional        pam_foreground.so
    session  optional        pam_krb5.so debug
    session  required        pam_unix.so debug

Problems:

  • Cannot log in as the user in Unity or on the command line (incorrect password), but ssh works.
  • Can log in to the guest account (which I thought was disabled) and switch to the user account.
  • On the laptop, the screensaver used to ask for a password but now does not.
  • sudo does not accept the password.
  • su works but does not ask for a password.
  • The machine is extremely slow with high memory use; the logs show permission problems when trying to write files.
  • The screen configuration (two monitors) is wrong and ignores the settings.

Blindly copying from the web, I changed the configuration to:

pam_auth=auth [success=2 default=ignore] pam_krb5.so use_first_pass ignore_root debug
    auth     [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass debug
    auth     requisite       pam_deny.so
    auth     required        pam_permit.so
    auth     [default=done]  pam_ccreds.so action=validate use_first_pass
    auth     [default=done]  pam_ccreds.so action=store
    auth     [default=bad]   pam_ccreds.so action=update
pam_account=account  [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so debug
    account  requisite       pam_deny.so
    account  required        pam_permit.so
    account  required        pam_krb5.so debug
pam_password=password [success=2 default=ignore]  pam_krb5.so     minimum_uid=1000
    password [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
    password requisite       pam_deny.so
    password required        pam_permit.so
pam_session=session    required  pam_mkhomedir.so umask=0022 skel=/etc/skel
    session  optional        pam_foreground.so
    session  optional        pam_krb5.so debug
    session  required        pam_unix.so debug

  • Entering the password at login indicates that I have been logged in with cached credentials, and the password box shows "Login >", which I have to click to log in.
  • Can ssh into the machine.
  • sudo now works.
  • su asks for a password and returns su: Authentication failure.
  • The machine is still slow.
  • The screen configuration is still wrong.

/etc/krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.XXX

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
# [CAN I DELETE THESE SINCE I HAVE MIT?]
    v4_instance_resolve = false
    v4_name_convert = {
            host = {
                    rcmd = host
                    ftp = ftp
            }
            plain = {
                    something = something-else
            }
    }

[realms]
    MYDOMAIN.XXX = {
            kdc = master_kdc.mydomain.xxx
            kdc = secondary_kdc.mydomain.xxx
            admin_server = master_kdc.mydomain.xxx
    }

[domain_realm]
    .mydomain.xxx = MYDOMAIN.XXX
    mydomain.xxx = MYDOMAIN.XXX

[login]
    krb4_convert = true
    krb4_get_tickets = false

Sample entries from syslog:

gnome-session-binary[2652]: WARNING: Could not get session id for session. Check that logind is properly installed and pam_systemd is getting used at login.
gnome-session[2652]: gnome-session-binary[2652]: dconf-CRITICAL: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.
org.gnome.ScreenSaver[2549]: ** (gnome-screensaver:2733): WARNING **: Couldn't get presence status: The name org.gnome.SessionManager was not provided by any .service files
org.gnome.ScreenSaver[2549]: (gnome-screensaver:2733): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.
smbd[3754]: [2018/04/30 14:19:21.213850,  0] ../source3/param/loadparm.c:3259(process_usershare_file)
smbd[3754]:   process_usershare_file: stat of /var/lib/samba/usershares/pictures failed. No such file or directory
gnome-session[2652]: (deja-dup-monitor:3449): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.
gnome-session[2652]: (gnome-software:2890): dconf-CRITICAL **: unable to create file '/home/paul/.cache/dconf/user': Permission denied.  dconf will not work properly.

Authentication log:

lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet.so
lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet5.so
lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_foreground.so
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_open_session: entry
lightdm: pam_krb5(lightdm-greeter:session): no context found, creating one
lightdm: pam_krb5(lightdm-greeter:session): (user lightdm) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_open_session: exit (ignore)
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet.so
lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_kwallet5.so
lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
lightdm: PAM adding faulty module: pam_foreground.so
lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "paul"
lightdm: pam_krb5(lightdm:auth): pam_sm_authenticate: entry
sshd[1062]: Received SIGHUP; restarting.
sshd[1062]: Server listening on 0.0.0.0 port 22.
sshd[1062]: Server listening on :: port 22.
sshd[1062]: Received SIGHUP; restarting.
sshd[1062]: Server listening on 0.0.0.0 port 22.
sshd[1062]: Server listening on :: port 22.
gnome-keyring-daemon[1955]: couldn't set environment variable in session: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such method 'Setenv'
dbus[905]: [system] Failed to activate service 'org.bluez': timed out
lightdm: pam_krb5(lightdm:auth): (user paul) attempting authentication as [email protected]
lightdm: pam_krb5(lightdm:auth): user paul authenticated as [email protected]
lightdm: pam_krb5(lightdm:auth): (user paul) temporarily storing credentials in /tmp/krb5cc_pam_498NCw
lightdm: pam_krb5(lightdm:auth): pam_sm_authenticate: exit (success)
lightdm: pam_krb5(lightdm:account): pam_sm_acct_mgmt: entry
lightdm: pam_krb5(lightdm:account): (user paul) retrieving principal from cache
lightdm: pam_krb5(lightdm:account): pam_sm_acct_mgmt: exit (success)
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_close_session: entry
lightdm: pam_krb5(lightdm-greeter:session): pam_sm_close_session: exit (success)
lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
lightdm: pam_krb5(lightdm:setcred): pam_sm_setcred: entry (establish)
lightdm: pam_krb5(lightdm:setcred): (user paul) initializing ticket cache FILE:/tmp/krb5cc_1000_pYqd6X
lightdm: pam_krb5(lightdm:setcred): pam_sm_setcred: exit (success)
lightdm: pam_krb5(lightdm:session): pam_sm_open_session: entry
lightdm: pam_krb5(lightdm:session): pam_sm_open_session: exit (success)
lightdm: pam_unix(lightdm:session): session opened for user paul by (uid=0)
gnome-keyring-daemon[2463]: The Secret Service was already initialized
gnome-keyring-daemon[2463]: The SSH agent was already initialized
gnome-keyring-daemon[2463]: The PKCS#11 component was already initialized
dbus[905]: [system] Failed to activate service 'org.bluez': timed out
pkexec[3386]: paul: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/home/paul] [COMMAND=/usr/lib/update-notifier/package-system-locked]
CRON[3474]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3474]: PAM adding faulty module: pam_foreground.so
CRON[3474]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3474]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3474]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3474]: pam_krb5(cron:setcred): no context found, creating one
CRON[3474]: pam_krb5(cron:setcred): ignoring root user
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3474]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3474]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3474]: pam_unix(cron:session): session closed for user root
CRON[3520]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3520]: PAM adding faulty module: pam_foreground.so
CRON[3520]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3520]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3520]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3520]: pam_krb5(cron:setcred): no context found, creating one
CRON[3520]: pam_krb5(cron:setcred): ignoring root user
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3520]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3520]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3520]: pam_unix(cron:session): session closed for user root
CRON[3701]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3701]: PAM adding faulty module: pam_foreground.so
CRON[3701]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3701]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3701]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3701]: pam_krb5(cron:setcred): no context found, creating one
CRON[3701]: pam_krb5(cron:setcred): ignoring root user
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3701]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3701]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3701]: pam_unix(cron:session): session closed for user root
CRON[3729]: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
CRON[3729]: PAM adding faulty module: pam_foreground.so
CRON[3729]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
CRON[3729]: pam_krb5(cron:account): skipping non-Kerberos login
CRON[3729]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
CRON[3729]: pam_krb5(cron:setcred): no context found, creating one
CRON[3729]: pam_krb5(cron:setcred): ignoring root user
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3729]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
CRON[3729]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
CRON[3729]: pam_unix(cron:session): session closed for user root
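The two `auth` stacks in the post differ only in how their `[value=action]` controls chain together, and that chaining is what decides whether a wrong password is rejected. The following simulator is an added example, not code from the post or from Linux-PAM: it implements the control semantics described in pam.conf(5) (ok/done/bad/die/ignore/reset and integer jumps, plus the `required`/`requisite`/`sufficient`/`optional` shorthands) and walks both stacks exactly as posted. Every module return value it consumes is a hypothetical input supplied by the `scenario()` helper (for instance that `pam_ccreds.so action=store` reports success after caching, or that `action=validate` fails when nothing is cached); the page does not show what the real modules returned. Because pam.conf(5) describes a jump as "equivalent to ok" while Debian's generated common-auth still places `required pam_permit.so` at the jump target so the outcome does not rely on the jump recording anything, the simulator takes a `jumps_contribute` flag and lets you trace both readings.

```python
"""Trace Linux-PAM's evaluation of an `auth` stack written in the
[value=action] control syntax of pam.conf(5), for the two stacks in the post.
Added example; module return values are hypothetical inputs, no module runs."""
import re

SUCCESS = "success"
MUST_FAIL = "perm_denied"   # Linux-PAM's answer when no module granted access

# pam.conf(5): the classic keywords are shorthand for bracketed controls.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
ENTRY_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

# The two auth stacks as posted (auth-client-config profile syntax).
ORIGINAL_AUTH = """\
pam_auth=auth  [authinfo_unavail=ignore success=1 default=2]  pam_krb5.so use_first_pass ignore_root debug
    auth     [success=done default=ignore]   pam_unix.so nullok_secure debug
    auth     [default=done]  pam_ccreds.so action=validate use_first_pass
    auth     [default=done]  pam_ccreds.so action=store
    auth     [default=bad]   pam_ccreds.so action=update
"""
REVISED_AUTH = """\
pam_auth=auth [success=2 default=ignore] pam_krb5.so use_first_pass ignore_root debug
    auth     [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass debug
    auth     requisite       pam_deny.so
    auth     required        pam_permit.so
    auth     [default=done]  pam_ccreds.so action=validate use_first_pass
    auth     [default=done]  pam_ccreds.so action=store
    auth     [default=bad]   pam_ccreds.so action=update
"""


def parse_stack(text):
    """Return [(type, {retval: action}, module, [args])]; strips the
    'pam_auth=' prefix auth-client-config puts on the first line."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"^\s*pam_\w+=", "", line)
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("cannot parse PAM line: %r" % line)
        typ, control, module, args = m.groups()
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        entries.append((typ, dict(kv.split("=", 1) for kv in spec.split()),
                        module, args.split()))
    return entries


def module_key(module, args):
    """pam_ccreds.so behaves differently per action=, so key it by that too."""
    for a in args:
        if a.startswith("action="):
            return module + ":" + a.split("=", 1)[1]
    return module


def evaluate(text, results, typ="auth", jumps_contribute=True):
    """Walk one management group; return (status, [(module, retval, action)]).
    pam.conf(5): ok/done overwrite the status only while the stack is undecided
    or still successful; bad/die record the first failure; done and die stop
    the walk; integer N skips the next N modules (documented as 'equivalent to
    ok'; jumps_contribute=False models a jump that records nothing)."""
    stack = [e for e in parse_stack(text) if e[0] == typ]
    impression, status = None, MUST_FAIL     # None == undecided
    trace, i = [], 0
    while i < len(stack):
        _, actions, module, args = stack[i]
        key = module_key(module, args)
        retval = results[key]                # hypothetical module verdict
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append((key, retval, action))
        if action == "reset":
            impression, status = None, MUST_FAIL
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action in ("ok", "done") or (action.isdigit() and jumps_contribute):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        if action.isdigit():                 # perform the jump itself
            i += int(action)
        i += 1
    if status == SUCCESS and impression != "positive":
        status = MUST_FAIL                   # nothing actually granted access
    return status, trace


def scenario(krb5, unix, validate):
    """Hypothetical verdicts for one login attempt (assumptions, not observed):
    pam_ccreds store/update succeed, pam_permit succeeds, pam_deny fails."""
    return {"pam_krb5.so": krb5, "pam_unix.so": unix,
            "pam_ccreds.so:validate": validate,
            "pam_ccreds.so:store": SUCCESS, "pam_ccreds.so:update": SUCCESS,
            "pam_permit.so": SUCCESS, "pam_deny.so": "auth_err"}
```

Run `evaluate(ORIGINAL_AUTH, scenario("auth_err", "auth_err", "auth_err"), jumps_contribute=False)` to see the trace for a wrong password in the first stack: `pam_krb5` fails, `default=2` skips `pam_unix` and the `validate` entry, and the `[default=done] pam_ccreds.so action=store` line then becomes the only module that contributes, so under the assumed return values the stack ends in success. With `jumps_contribute=True` the jump records the Kerberos failure first and the same stack denies. The revised stack does not depend on that distinction: with both password modules jumping around `requisite pam_deny.so` only on success, a wrong password dies there, and `required pam_permit.so` guarantees a positive result before the `pam_ccreds` lines run. The trace also shows the cost of the trailing `[default=done] ... action=validate` line in both stacks: once reached, its verdict replaces whatever came before it.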
