Local group mapped to AD user via groups.conf works - but only for ssh logins


I am running a Samba Active Directory domain with Ubuntu 18.04 clients.

I successfully used the /etc/security/group.conf file to create a mapping to the "dialout" group for domain users. I tested it on multiple machines and it worked fine...

rightmire@testpc:~$ groups
domain users dialout master BUILTIN+users rightmire

However, today, for no apparent reason, it is no longer mapping the dialout group...

rightmire@testpc:~$ groups
domain users master BUILTIN+users rightmire

Re-running pam-auth-update appears to see the groups.conf...

pam-auth-update

I'm not sure how to start troubleshooting this. Searching the logs for group.conf or pam-auth-update turns up nothing. I don't see anything relevant in syslog or auth.log.

===

Files:

root@testpc:~# cat /etc/security/group.conf | sed '/^#/d'

*;*;*;Al0000-2400;dialout


root@testpc:~# cat /usr/share/pam-configs/my_groups
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass


root@testpc:~# DEBIAN_FRONTEND=noninteractive pam-auth-update
root@testpc:~# 
(I.e. no error...)

Update:

It appears that the problem only occurs with su - user or a local login (even if the local login is via the domain).

I.e., if I log in as the user via ssh, the dialout group shows up fine...

rightmire@localPC:~$ ssh rightmire@remotePC
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)

(...snip...)

68 packages can be updated.
43 updates are security updates.

rightmire@remotePC:~$ groups
domain users dialout master BUILTIN+users 
rightmire@remotePC:~$

But if I su - rightmire, it does not show up...

root@remotePC:~# su - rightmire
rightmire@remotePC:~$ groups
domain users master BUILTIN+users domain admins denied rodc password replication group staff konstrukteure vicongroup h2t rightmire
rightmire@remotePC:~$

Update

I looked in /etc/pam.d. The two files that contain a reference to pam_group.so are common-auth and login.

./common-auth:auth      required                        pam_group.so use_first_pass
./login:auth       optional   pam_group.so

However, most of the (login-related) files (including su and sudo, which do not set the group, and sshd, which does) include common-auth...

./chfn:@include common-auth
./chsh:@include common-auth
./cron:@include common-auth
./cups:@include common-auth
./gdm-password:@include common-auth
./lightdm:@include common-auth
./login:@include common-auth
./other:@include common-auth
./polkit-1:@include common-auth
./samba:@include common-auth
./slock:@include common-auth
./sshd:@include common-auth
./su:@include common-auth
./sudo:@include common-auth 
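
Added example (not part of the original post): the grep output above shows which services include common-auth, but not what runs ahead of pam_group.so in each service's flattened auth stack. This Python script expands @include lines and lists earlier rules whose control value (sufficient, success=done, or a success=N jump) can end or skip the stack before pam_group.so is reached. The sample files are constructed, and their pam_unix.so and pam_rootok.so lines are assumptions, not taken from the post.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files, not the poster's real /etc/pam.d. Only the pam_group.so
# line is quoted from the post; the pam_unix.so and pam_rootok.so lines are assumptions.
SAMPLE = {
    "common-auth": "auth required pam_unix.so\nauth required pam_group.so use_first_pass\n",
    "sshd": "# constructed sshd service file\n@include common-auth\n",
    "su": "auth sufficient pam_rootok.so\n@include common-auth\n",
}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_stack(pam_dir, service, seen=()):
    """Flatten a service's auth rules into (control, module), following @include."""
    if service in seen:  # guard against include loops
        return []
    stack = []
    for raw in Path(pam_dir, service).read_text().splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) > 1 and parts[0] == "@include":
            stack += auth_stack(pam_dir, parts[1], seen + (service,))
        elif (m := RULE.match(" ".join(parts))) and m.group(1) == "auth":
            stack.append((m.group(2), Path(m.group(3)).name))
    return stack

def early_exits_before(stack, module="pam_group.so"):
    """Rules ahead of `module` that can end or jump past it; None if it is absent."""
    mods = [mod for _, mod in stack]
    if module not in mods:
        return None
    target = mods.index(module)
    hits = []
    for i, (control, mod) in enumerate(stack[:target]):
        jump = re.search(r"success=(\d+)", control)
        skips = jump and i + int(jump.group(1)) >= target  # jump lands past module
        if control == "sufficient" or "success=done" in control or skips:
            hits.append((mod, control))
    return hits

def check_sample():
    """Write SAMPLE to a temporary directory and report early exits per service."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            Path(d, name).write_text(text)
        return {s: early_exits_before(auth_stack(d, s)) for s in ("sshd", "su")}

if __name__ == "__main__":
    print(check_sample())
```

Pointing auth_stack at /etc/pam.d with the real service names (su, sshd) compares the two stacks on the affected machine.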
