I inherited a Samba 4 Active Directory (AD) server. It works fine with winbind, but for security reasons we want to switch to sssd. The domain has two domain controllers (a primary and a secondary), both online.

I created a test client machine and followed the steps here to join it to the domain using sssd. The client says it is joined to the domain, and it does show up in the domain (when I look in Active Directory Users and Computers).

However, login does not work, and neither does getent.

/var/log/auth.log
Jun 12 14:19:16 clientCompName sshd[9349]: Invalid user adusername from xxx.xxx.xx8.149 port 42304
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): check pass; user unknown
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xx8.149
Jun 12 14:19:21 clientCompName sshd[9349]: Failed password for invalid user adusername from xxx.xxx.xx8.149 port 42304 ssh2
If I run realm discover, I notice that the client still seems to be locked to winbind.
root@clientCompName:/etc/pam.d# realm discover ADDOMAIN.MYDOMAN.DE
addomain.mydomain.de
type: kerberos
realm-name: ADDOMAIN.MYDOMAN.DE
domain-name: addomain.mydomain.de
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: winbind
required-package: libpam-winbind
required-package: samba-common-bin
login-formats: SMBAD\%U
login-policy: allow-any-login
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
# end of pam-auth-update config
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
/etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
Is there a way to convert the AD client to use sssd (instead of winbind, or to accept both)?

Answer 1

This worked for me - you could probably leave out the samba packages if you wanted to.
yum install sssd samba-common authconfig adcli krb5-workstation samba samba-client sssd-libwbclient policycoreutils-python
systemctl enable sssd
systemctl start sssd
systemctl enable smb
systemctl restart smb
authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
Edit the /etc/nsswitch.conf lines so they look like...
passwd: files sss
shadow: files sss
group: files sss
Then
kinit adminuser
(using an AD admin account)
klist
(to see the ticket)
realm join --user=\adminuser@DOMAIN DOMAIN
Edit /etc/sssd/sssd.conf:
use_fully_qualified_names = False
fallback_homedir = /home/%u
Then:
systemctl start sssd
Edit /etc/samba/smb.conf and check that these lines are still present:
security = ads
realm = DOMAIN
workgroup = ...
Then:
systemctl restart smb
Test:
realm discover DOMAIN
id domainuser
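The question's realm discover output shows the trap this answer's final test step is meant to catch: the machine is joined, but client-software is still winbind, so NSS and PAM never consult sssd. The following added script (not part of either post) checks the three places that must agree, realm client-software, the sss entries in nsswitch.conf, and pam_sss.so in the PAM stack, using constructed sample input modelled on the question.

```shell
#!/bin/sh
# Added example: verify that an AD-joined client really resolves and
# authenticates through sssd rather than winbind. Functions take text so the
# same checks run against captured output or live files.

# Extract the client-software value from `realm list` / `realm discover` output.
realm_client_software() {
    printf '%s\n' "$1" | awk -F': *' '/^[[:space:]]*client-software:/ {print $2; exit}'
}

# Succeed only if passwd, group and shadow in nsswitch.conf text all list sss.
nss_uses_sss() {
    for db in passwd group shadow; do
        printf '%s\n' "$1" | awk -v db="$db" \
            '$1 == db":" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
             END { exit !found }' || return 1
    done
}

# Succeed if any auth/account/session/password line loads pam_sss.so.
pam_has_sss() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(auth|account|session|password)[[:space:]].*pam_sss\.so'
}

# Run all three checks; print one line each and return non-zero on any failure.
check_client() {
    realm_out=$1 nss=$2 pam=$3 rc=0
    sw=$(realm_client_software "$realm_out")
    if [ "$sw" = "sssd" ]; then echo "realm: client-software sssd"
    else echo "realm: client-software '$sw' (expected sssd)"; rc=1; fi
    if nss_uses_sss "$nss"; then echo "nsswitch: sss present"
    else echo "nsswitch: sss missing from passwd/group/shadow"; rc=1; fi
    if pam_has_sss "$pam"; then echo "pam: pam_sss.so present"
    else echo "pam: pam_sss.so missing"; rc=1; fi
    return $rc
}

# Constructed samples mirroring the question (still winbind) and the fix.
SAMPLE_REALM='addomain.mydomain.de
  type: kerberos
  configured: kerberos-member
  client-software: winbind'
SAMPLE_NSS_BAD='passwd: files winbind
group: files winbind
shadow: files'
SAMPLE_NSS_GOOD='passwd: files sss
group: files sss
shadow: files sss'
SAMPLE_PAM='auth [success=1 default=ignore] pam_sss.so use_first_pass'
```

On a live host run it as `check_client "$(realm list)" "$(cat /etc/nsswitch.conf)" "$(cat /etc/pam.d/common-auth)"`; a failing realm check with passing NSS and PAM checks is exactly the half-converted state the question describes.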