我已经在 ubuntu 上设置了 LDAP 和 nsswitch,并且在某种程度上它似乎可以工作。例如,列出来自LDAP 服务器getent passwd的帐户。/etc/passwd
但是,例如id <user>,sudo -u <user> bash似乎无法识别 LDAP 服务器中的帐户。这些程序是否只/etc/passwd考虑 nsswitch 设置?是否还有其他(重要)程序只调查/etc/passwd我应该注意的?
我的/etc/nsswitch.conf是:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files ldap mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
但由于getent似乎可以识别 LDAP 中的帐户,我不相信这nsswitch就是问题所在。
至于pam配置,我真的不知道我应该寻找什么,对我来说它看起来不错。grep "^[^#]" *给出
accountsservice:password substack common-password
accountsservice:password optional pam_pin.so
chfn:auth sufficient pam_rootok.so
chfn:@include common-auth
chfn:@include common-account
chfn:@include common-session
chpasswd:@include common-password
chsh:auth required pam_shells.so
chsh:auth sufficient pam_rootok.so
chsh:@include common-auth
chsh:@include common-account
chsh:@include common-session
common-account:account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
common-account:account [success=1 default=ignore] pam_ldap.so
common-account:account requisite pam_deny.so
common-account:account required pam_permit.so
common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
common-auth:auth requisite pam_deny.so
common-auth:auth required pam_permit.so
common-password:password [success=2 default=ignore] pam_unix.so obscure sha512
common-password:password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
common-password:password requisite pam_deny.so
common-password:password required pam_permit.so
common-session:session [default=1] pam_permit.so
common-session:session requisite pam_deny.so
common-session:session required pam_permit.so
common-session:session optional pam_umask.so
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
common-session:session optional pam_systemd.so
common-session-noninteractive:session [default=1] pam_permit.so
common-session-noninteractive:session requisite pam_deny.so
common-session-noninteractive:session required pam_permit.so
common-session-noninteractive:session optional pam_umask.so
common-session-noninteractive:session required pam_unix.so
common-session-noninteractive:session optional pam_ldap.so
cron:@include common-auth
cron:session required pam_loginuid.so
cron:session required pam_env.so
cron:session required pam_env.so envfile=/etc/default/locale
cron:@include common-account
cron:@include common-session-noninteractive
cron:session required pam_limits.so
login:auth optional pam_faildelay.so delay=3000000
login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
login:auth requisite pam_nologin.so
login:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
login:session required pam_env.so readenv=1
login:session required pam_env.so readenv=1 envfile=/etc/default/locale
login:@include common-auth
login:auth optional pam_group.so
login:session required pam_limits.so
login:session optional pam_lastlog.so
login:session optional pam_motd.so motd=/run/motd.dynamic noupdate
login:session optional pam_motd.so
login:session optional pam_mail.so standard
login:@include common-account
login:@include common-session
login:@include common-password
login:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
newusers:@include common-password
other:@include common-auth
other:@include common-account
other:@include common-password
other:@include common-session
passwd:@include common-password
polkit-1:@include common-auth
polkit-1:@include common-account
polkit-1:@include common-password
polkit-1:session required pam_env.so readenv=1 user_readenv=0
polkit-1:session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
polkit-1:@include common-session
ppp:auth required pam_nologin.so
ppp:@include common-auth
ppp:@include common-account
ppp:@include common-session
runuser:auth sufficient pam_rootok.so
runuser:session optional pam_keyinit.so revoke
runuser:session required pam_limits.so
runuser:session required pam_unix.so
runuser-l:auth include runuser
runuser-l:session optional pam_keyinit.so force revoke
runuser-l:-session optional pam_systemd.so
runuser-l:session include runuser
sshd:@include common-auth
sshd:account required pam_nologin.so
sshd:@include common-account
sshd:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
sshd:session required pam_loginuid.so
sshd:session optional pam_keyinit.so force revoke
sshd:@include common-session
sshd:session optional pam_motd.so motd=/run/motd.dynamic
sshd:session optional pam_motd.so noupdate
sshd:session optional pam_mail.so standard noenv # [1]
sshd:session required pam_limits.so
sshd:session required pam_env.so # [1]
sshd:session required pam_env.so user_readenv=1 envfile=/etc/default/locale
sshd:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
sshd:@include common-password
su:auth sufficient pam_rootok.so
su:session required pam_env.so readenv=1
su:session required pam_env.so readenv=1 envfile=/etc/default/locale
su:session optional pam_mail.so nopen
su:@include common-auth
su:@include common-account
su:@include common-session
sudo:session required pam_env.so readenv=1 user_readenv=0
sudo:session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
sudo:@include common-auth
sudo:@include common-account
sudo:@include common-session-noninteractive
systemd-user:@include common-account
systemd-user:@include common-session-noninteractive
systemd-user:session optional pam_systemd.so