使用替代 openLDAP UID 向 Active Directory 进行身份验证

使用替代 openLDAP UID 向 Active Directory 进行身份验证

我正在使用 Winbind 对 Active Directory 的用户进行身份验证。当用户名匹配时,一切正常。问题是许多用户在 Windows 和 Linux 上有不同的用户名(祖父帐户和工程师对更改很顽固)。在大多数情况下,我可以通过为同一 DN 提供 openLDAP 2 个唯一的 UID 来解决此问题。

例如:

[bob.smith@myhost ~]$ ldapsearch -xLLL uid=bob
dn: uid=bob.smith,dc=example,dc=com
uid: bob.smith
uid: bob
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 4563
cn: Bob Smith
homeDirectory: /home/bob
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: 0
shadowExpire: 24837
sn: Smith
mail: [email protected]
gidNumber: 555
shadowLastChange: 17044

现在使用 openLDAP 密码登录并运行whoami

[bob.smith@myhost bob]$ su - bob
Password: 
Last login: Wed Sep 21 10:09:22 PDT 2016 on pts/3
[bob.smith@myhost ~]$ whoami
bob.smith

检查用户id

[bob.smith@myhost ~]$ id bob
uid=4563(bob.smith) gid=555(AGROUP) groups=555(AGROUP),988(x2gouser),19775215(domain users)

一切看起来都很棒吧?直到我尝试以 bob(而不是 bob.smith 的 Windows 名称)身份登录并使用 AD 密码(bob.smith 可以正常登录):

[bob.smith@myhost ~]$ su - bob
Password: 
su: Authentication failure

据我所知,PAM 配置正确,正如我之前所展示的,即使我以 bob 身份登录,系统也会承认该用户为 bob.smith。但身份验证并未将 bob 视为有效用户。

[bob.smith@myhost ~]$ cat password-auth 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING

这是我的 smb.conf 文件(如果有影响的话):

[bob.smith@myhost ~]$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = EXAMPLE-USA
        realm = EXAMPLE.COM
        server string = Samba Server Version %v
        security = ADS
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 50
        winbind use default domain = Yes
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        cups options = raw


[homes]
        comment = Home Directories
        read only = No
        browseable = No


[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No

如果 Linux 端有修复的话那就更好了,因为我不是 Windows 域管理员。但如果有人有 Windows 端的解决方案,我愿意探索该选项。如果没有有效的解决方案,那么我将考虑将 openLDAP 密码与 AD 密码同步。它基本上与最终结果相同。

相关内容