Ubuntu 18 ignores the `loginShell` attribute of Samba AD users (set to ZSH, but the user gets BASH after login)


We have a Samba AD (4.3.11-Ubuntu) with Windows and Linux clients (Ubuntu 14 and Ubuntu 18) connected to it.

If I check the user's LDAP entry, his loginShell attribute is /bin/zsh. This works on Ubuntu 14, but on a fresh Ubuntu 18 install his login attempts use bash.

I have confirmed that zsh is installed on the Ubuntu 18 machines.

If I add an entry for the user to /etc/passwd on the local Ubuntu 18 machine, zsh is used correctly.

How can I determine where the problem is?

Edit:

Samba Active Directory is set up on the clients with Puppet, which pushes the config files and runs any commands needed. The flow is as follows:

puppet init.pp

class samba {
    package {'mycustompackage-samba':
        ensure => present,
        require => Exec['apt-get-update'],
    }
    file {"/etc/resolv.conf.local":
        ensure  => file,
        source  => "puppet:///modules/samba/resolv.conf",
        before  => File['/etc/resolv.conf'],
    }
    file {"/etc/resolv.conf":
        ensure  => link,
        target  => "/etc/resolv.conf.local",
    }
    service {"systemd-resolved":
        ensure => false,
        enable => false
    }
    file {'/etc/nsswitch.conf':
        source => [
                "puppet:///modules/samba/nsswitch.conf.${hostname}",
                "puppet:///modules/samba/nsswitch.conf.${role}",
                "puppet:///modules/samba/nsswitch.conf",
            ],
        owner => root,
        group => root,
        mode => "0644",
        ensure => present
    }
    file {'/etc/NetworkManager/NetworkManager.conf':
        source  => "puppet:///modules/samba/NetworkManager.conf",
        owner   => root,
        group   => root,
        mode    => "0644",
        ensure  => present,
        before  => File['/etc/resolv.conf'],
    }
    file {'/etc/krb5.conf':
        source => [
                "puppet:///modules/samba/krb5.conf.${hostname}",
                "puppet:///modules/samba/krb5.conf.${role}",
                "puppet:///modules/samba/krb5.conf",
            ],
        owner => root,
        group => root,
        mode => "0600",
        ensure => present
    }
    file {'/etc/samba/smb.conf':
        source => [
                "puppet:///modules/samba/smb.conf.${hostname}",
                "puppet:///modules/samba/smb.conf.${role}",
                "puppet:///modules/samba/smb.conf",
            ],
        ensure => present,
        owner => root,
        group => root,
        mode => "0644",
        require => Package['mycustompackage-samba']
    }
    host {'Servername.redacted.de':
        ip => 'xxx.yyy.zzz.9',
        host_aliases => ["Servername"]
    }
}

smb.conf

[global]
    workgroup = RedactedDomainName
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = RedactedDomainName.redacted.de
    security = ads
    preferred master = no
    encrypt passwords = true
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50
    printcap name = cups
    printing = cups
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    winbind refresh tickets = Yes
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 1000-999999
    idmap config RedactedDomainName : backend = rid
    idmap config RedactedDomainName : range=1000-999999
    idmap config RedactedDomainName : base_rid = 0
    ;template primary group = "redactedPrimaryGroup"
    winbind rpc only = no
    template homedir = /share/homes/all/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2
    socket options = IPTOS_LOWDELAY TCP_NODELAY

NetworkManager.conf

[main]
plugins=ifupdown,keyfile
dns=none
[ifupdown]
managed=false
[device]
wifi.scan-rand-mac-address=no

krb5.conf

[libdefaults]
    default_realm = RedactedDomainName.redacted.de
    ticket_lifetime = 24h
    renew_lifetime = 7d
# The following krb5.conf variables are only for MIT Kerberos.
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
    RedactedDomainName.redacted.de = {
        kdc = Servername.redacted.de
        admin_server = Servername.redacted.de
        default_domain = RedactedDomainName.redacted.de
        }
[domain_realm]
    .RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
    RedactedDomainName.redacted.de = RedactedDomainName.redacted.de

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
gshadow:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver xxx.yyy.zzz.9
nameserver xxx.yyy.zzz.90
nameserver xxx.yyy.zzz.91
search redacted.de

sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = RedactedDomainName.redacted.de
[domain/RedactedDomainName.redacted.de]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%g/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
enumerate = true

Answer 1

Can you reproduce the steps needed to integrate the Ubuntu client into AD? If you are using sssd, you can check whether `sss` is set for the passwd entry in your nsswitch.conf, like `passwd: files sss`.

Edit: I think there are two possibilities:

  • Change `template shell = /bin/bash` to `template shell = /bin/zsh` in the [global] section of smb.conf

  • Change the passwd entry in nsswitch.conf to `passwd: compat systemd winbind sss` so that sssd resolves the passwd attributes

It looks like winbind is not mapping the LDAP attribute to the local nsswitch passwd. nsswitch, winbind and sssd are the areas you may need to investigate further.
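The checks the question asks for ("how can I determine where the problem is") and the two areas the answer points at (the `template shell` setting in smb.conf and which NSS source answers), written out as an added shell example; it is not part of the original question or answer. It encodes one rule as an assumption, repeated in the code comments: winbind reads `loginShell` and `unixHomeDirectory` from AD only through the `ad` idmap backend in rfc2307 schema mode, so with the question's `idmap config RedactedDomainName : backend = rid` the global `winbind nss info = rfc2307` has no effect on Samba 4.6 and later and `template shell = /bin/bash` is what every domain user gets. That is consistent with the symptom, since Ubuntu 14.04 ships Samba 4.1 and Ubuntu 18.04 ships 4.7. The two smb.conf fragments, the sample passwd line, the user jdoe and the idmap ranges in the corrected fragment are all constructed for the example; `getent`, `wbinfo -i`, `net ads search` and `testparm -s` are the live commands the functions stand in for.

```shell
#!/bin/sh
# Added example, not from the question or the answer: the checks for "AD
# loginShell ignored" on a winbind client, run offline on constructed input.
# Live equivalents:  getent passwd USER      (what NSS actually hands out)
#                    wbinfo -i USER          (the line winbind itself builds)
#                    net ads search '(sAMAccountName=USER)' loginShell uidNumber
#                    testparm -s 2>/dev/null | grep -Ei 'idmap|nss info|template'
# If getent and wbinfo disagree, another NSS source (files, sss) answered first.

# Field 7 of a passwd(5) line is the login shell.
shell_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f7
}

# smb_get FILE KEY: value of KEY in an smb.conf-style FILE, empty if unset.
# Keys compare case-insensitively with whitespace around ':' ignored.
smb_get() {
    awk -v want="$2" -F= '
        function norm(s) {
            sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
            gsub(/[ \t]*:[ \t]*/, ":", s)
            return tolower(s)
        }
        BEGIN { want = norm(want) }
        /^[ \t]*[;#]/ { next }
        NF >= 2 && norm($1) == want {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# ranges_overlap "L1-H1" "L2-H2": yes if the two inclusive ID ranges share an ID.
ranges_overlap() {
    if [ "${1%-*}" -le "${2#*-}" ] && [ "${2%-*}" -le "${1#*-}" ]; then echo yes; else echo no; fi
}

# diagnose_shell_source FILE DOMAIN: where winbind takes the login shell from.
# Rule assumed here (idmap_ad(8)/idmap_rid(8); it matches what the question sees
# on Samba 4.7): loginShell/unixHomeDirectory come from AD only with the "ad"
# backend in rfc2307 schema mode and unix_nss_info = yes (or the older global
# "winbind nss info = rfc2307"); rid/tdb/autorid always hand out "template shell".
diagnose_shell_source() {
    local f="$1" dom="$2" backend schema unixnss nssinfo
    backend=$(smb_get "$f" "idmap config $dom : backend")
    schema=$(smb_get "$f" "idmap config $dom : schema_mode")
    unixnss=$(smb_get "$f" "idmap config $dom : unix_nss_info")
    nssinfo=$(smb_get "$f" "winbind nss info")
    if [ "$backend" = ad ] && [ "$schema" = rfc2307 ] &&
       { [ "$unixnss" = yes ] || [ "$nssinfo" = rfc2307 ]; }; then
        echo AD_ATTRIBUTE
    else
        echo "TEMPLATE:$(smb_get "$f" 'template shell')"
    fi
}

# idmap_sanity FILE DOMAIN: the range checks testparm does not do for you.
# OVERLAP_DEFAULT: "*" and DOMAIN ranges overlap (Samba requires disjoint ranges;
#   overlapping ones can give two different SIDs the same UID/GID).
# OVERLAP_LOCAL: DOMAIN range overlaps the UIDs adduser(8) gives local accounts
#   (UID_MIN..UID_MAX = 1000-60000 in Ubuntu's login.defs): ownership can collide.
idmap_sanity() {
    local f="$1" dom="$2" def drange out=""
    def=$(smb_get "$f" "idmap config * : range" | tr -d ' ')
    drange=$(smb_get "$f" "idmap config $dom : range" | tr -d ' ')
    [ "$(ranges_overlap "$def" "$drange")" = yes ] && out="$out OVERLAP_DEFAULT"
    [ "$(ranges_overlap "$drange" 1000-60000)" = yes ] && out="$out OVERLAP_LOCAL"
    out="${out# }"; echo "${out:-OK}"
}

# Constructed smb.conf fragments: the idmap settings from the question beside a
# corrected set. The ranges in good.conf are assumptions; with the ad backend the
# uidNumber/gidNumber values stored in AD must fall inside the DOMAIN range, and
# "template shell" then only applies to accounts with no loginShell in AD.
write_samples() {   # write_samples DIR -> DIR/bad.conf and DIR/good.conf
    cat >"$1/bad.conf" <<'EOF'
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 1000-999999
    idmap config RedactedDomainName : backend = rid
    idmap config RedactedDomainName : range=1000-999999
    template shell = /bin/bash
EOF
    cat >"$1/good.conf" <<'EOF'
    idmap config * : backend = tdb
    idmap config * : range = 70000-79999
    idmap config RedactedDomainName : backend = ad
    idmap config RedactedDomainName : schema_mode = rfc2307
    idmap config RedactedDomainName : unix_nss_info = yes
    idmap config RedactedDomainName : range = 100000-999999
    template shell = /bin/bash
EOF
}

main() {
    dir=$(mktemp -d); write_samples "$dir"
    echo "getent shell: $(shell_from_passwd_line 'jdoe:*:2103:2513:J Doe:/share/homes/all/jdoe:/bin/bash')"
    for c in bad good; do
        echo "$c.conf -> $(diagnose_shell_source "$dir/$c.conf" RedactedDomainName)" \
             "idmap: $(idmap_sanity "$dir/$c.conf" RedactedDomainName)"
    done
    rm -rf "$dir"
}
main
```

Run as-is it prints `TEMPLATE:/bin/bash` with both overlap warnings for the question's settings and `AD_ATTRIBUTE` / `OK` for the corrected ones. Two caveats before copying good.conf onto a live client: switching the domain from `rid` to `ad` changes every UID and GID from the computed `range low + RID` to the uidNumber/gidNumber stored in AD, so file ownership on the Ubuntu 18 hosts changes unless those attributes were set to match; and the answer's alternative, `template shell = /bin/zsh`, keeps the rid mapping but gives every domain user zsh regardless of what their account says. The `OVERLAP_LOCAL` warning is the reason the local `/etc/passwd` workaround in the question is risky: a locally added account and a domain account can be allocated the same UID.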
