我正在使用 Winbind 对 Active Directory 的用户进行身份验证。当用户名匹配时,一切正常。问题是许多用户在 Windows 和 Linux 上有不同的用户名(祖父帐户和工程师对更改很顽固)。在大多数情况下,我可以通过为同一 DN 提供 openLDAP 2 个唯一的 UID 来解决此问题。
例如:
[bob.smith@myhost ~]$ ldapsearch -xLLL uid=bob
dn: uid=bob.smith,dc=example,dc=com
uid: bob.smith
uid: bob
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 4563
cn: Bob Smith
homeDirectory: /home/bob
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: 0
shadowExpire: 24837
sn: Smith
mail: [email protected]
gidNumber: 555
shadowLastChange: 17044
现在使用 openLDAP 密码登录并运行whoami
[bob.smith@myhost bob]$ su - bob
Password:
Last login: Wed Sep 21 10:09:22 PDT 2016 on pts/3
[bob.smith@myhost ~]$ whoami
bob.smith
检查用户id
[bob.smith@myhost ~]$ id bob
uid=4563(bob.smith) gid=555(AGROUP) groups=555(AGROUP),988(x2gouser),19775215(domain users)
一切看起来都很棒吧?直到我尝试以 bob(而不是 bob.smith 的 Windows 名称)身份登录并使用 AD 密码(bob.smith 可以正常登录):
[bob.smith@myhost ~]$ su - bob
Password:
su: Authentication failure
据我所知,PAM 配置正确,正如我之前所展示的,即使我以 bob 身份登录,系统也会承认该用户为 bob.smith。但身份验证并未将 bob 视为有效用户。
[bob.smith@myhost ~]$ cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so
session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
这是我的 smb.conf 文件(如果有影响的话):
[bob.smith@myhost ~]$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = EXAMPLE-USA
realm = EXAMPLE.COM
server string = Samba Server Version %v
security = ADS
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
winbind use default domain = Yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
如果 Linux 端有修复的话那就更好了,因为我不是 Windows 域管理员。但如果有人有 Windows 端的解决方案,我愿意探索该选项。如果没有有效的解决方案,那么我将考虑将 openLDAP 密码与 AD 密码同步。它基本上与最终结果相同。