I set up Kerberos authentication for my domain via common-auth. Since then it has been working fine without any problems. But users cannot change their passwords with the Linux command. Looking into this, I found the following error in /var/log/auth.log:
bharathi passwd[3715]: pam_unix(passwd:chauthtok): authentication failure; logname=test uid=1000 euid=0 tty= ruser= rhost= user=test
Responses from the Kerberos admin server:
May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270888, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270907, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
The Kerberos admin server responses look fine. I suspect the problem may be in the pam.d configuration.
common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
auth sufficient pam_krb5.so minimum_uid=1000
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_lsass.so try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
account required pam_krb5.so minimum_uid=1000
# here are the per-package modules (the "Primary" block)
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=1 new_authtok_reqd=done default=ignore] pam_lsass.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_lsass.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
What am I doing wrong here?
Answer 1
Your auth.log contains the following hint:
bharathi passwd[3715]: pam_unix(passwd:chauthtok): authentication failure; logname=test uid=1000 euid=0 tty= ruser= rhost= user=test
Looking at common-password, the relevant lines are:
password requisite pam_krb5.so minimum_uid=1000
The Kerberos PAM module only handles users with uid >= 1000, so that root and local accounts keep working even when the network is down.
The requisite marks this module as always required, so in this case success is stored as the result, but the following modules are still executed.
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
The next module is the failing unix module, which now tries to change the password in /etc/shadow. But since this is a Kerberos user, there is probably no entry in /etc/shadow. Because of default=ignore, this failure is ignored: the error is still logged, but the result of the PAM stack does not change.
But then comes the next module:
password requisite pam_deny.so
This finally overrides the previous result code with the deny code, thereby refusing the password change request.
If changing only the Kerberos password is sufficient, change the requisite on the Kerberos line to [success=3 default=ignore]; on success it will skip the next 3 modules (unix, lsass, deny) and thus continue to pam_permit, forcing the stack to return success in the end.
If, on the other hand, your users have passwords both in /etc/shadow and in Kerberos, and you want to keep the two in sync, it is much more complicated to set up correctly. Something like the following should work:
- First try to change the Kerberos password.
- If that succeeds, optionally also change the local Unix password in /etc/shadow.
- Otherwise require the Unix password change to succeed.
password [success=3 user_unknown=ignore default=ignore] pam_krb5.so minimum_uid=1000
password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=2 default=ignore] pam_lsass.so use_authtok try_first_pass
password requisite pam_deny.so
password [success=ok default=ignore] pam_unix.so obscure use_authtok use_first_pass sha512
password required pam_permit.so
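As an added illustration (not part of the question or the answer), this Python model of the Linux-PAM control-flag semantics described in pam.conf(5) replays the asker's common-password stack and the answer's corrected one against constructed module results for a Kerberos-only user. The optional pam_gnome_keyring line is left out, and the return-value names (success, user_unknown, authtok_err) are informal labels standing in for the corresponding PAM codes.

```python
# Added example (not from the question or answer): a model of the Linux-PAM
# control-flag semantics from pam.conf(5), replaying the asker's common-password
# stack and the answer's fix against constructed module results.
KEYWORDS = {  # named controls expanded to their [value=action] form
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
def parse_control(field):
    """'requisite' or '[success=3 default=ignore]' -> {return value: action}."""
    if field.startswith("["):
        return dict(kv.split("=") for kv in field.strip("[]").split())
    return KEYWORDS[field]
def run_stack(stack, results):
    """Evaluate a stack of (control, module) pairs against results {module: retval}."""
    status, impression, i = None, None, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action.isdigit():              # N: behaves like 'ok', then skips N modules
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):      # first result wins unless it was success
            if impression is None or (impression == "positive" and status == "success"):
                status, impression = retval, "positive"
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):    # first failure wins; 'die' stops the stack
            if impression != "negative":
                status, impression = retval, "negative"
            if action == "die":
                break
        # 'ignore' falls through and leaves the verdict untouched
    return status if status is not None else "perm_denied"

# The asker's stack (Kerberos marked requisite) and the answer's fix (jump over 3).
ORIGINAL = [("requisite", "pam_krb5.so"),
            ("[success=2 default=ignore]", "pam_unix.so"),
            ("[success=1 default=ignore]", "pam_lsass.so"),
            ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
FIXED = [("[success=3 default=ignore]", "pam_krb5.so")] + ORIGINAL[1:]
# Constructed results for a Kerberos-only user: KDC accepts, no /etc/shadow entry, lsass unknown.
KRB5_ONLY_USER = {"pam_krb5.so": "success", "pam_unix.so": "user_unknown",
                  "pam_lsass.so": "user_unknown", "pam_deny.so": "authtok_err",
                  "pam_permit.so": "success"}
```

run_stack(ORIGINAL, KRB5_ONLY_USER) ends in pam_deny's error even though Kerberos succeeded, while run_stack(FIXED, KRB5_ONLY_USER) jumps straight to pam_permit and returns success; if the KDC rejects the change, the fixed stack falls through to pam_deny as intended.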