Logins like [email protected] cause the user profile to be owned by root

Users at my school are used to logging in with their login name [email protected] (authenticated against Active Directory through LDAP) for email, Windows, etc. Unfortunately this wreaks havoc and breaks their user profiles.

Update - Cause: This is caused by some custom modifications in our setup that I was not aware of and that were made before my time. It was a bit hard for me to find.

The custom code lives in /etc/pam.d/common-auth, which runs a script that executes chown -R ${PAM_USER}. ${HOME_DIR}. When a user logs in as [email protected], this becomes chown -R [email protected]. ${HOME_DIR}

Problem login: username@xyz

A new user logs in as [email protected]. LDAP authenticates against AD and accepts the login. The system tries to create a new user profile in /home. But the system fails somewhere and the new profile is owned by root.

Working login: username

If the user logs in for the first time as username, everything works fine. LDAP authenticates against AD, the account is created and has the correct owner.

System:

  • OS: Kubuntu 22.04 LTS. The error also appears on Kubuntu 20.04 LTS
  • Authentication: LDAP (via SSSD)

How to tackle this?

  • Can sddm or sssd filter out everything after the "@..."?
  • Which process actually copies /etc/skel and then does the chown?
  • How to debug this?

Log files

auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  [email protected]
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_sss(sddm:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= [email protected]
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_succeed_if(sddm:auth): requirement "uid >= 1000000" was met by user "[email protected]"
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_exec(sddm:auth): Calling /bin/bash ...
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: gkr-pam: unable to locate daemon control file
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: gkr-pam: stashed password to try later in open session
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:auth): pam_kwallet5: pam_sm_authenticate
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_unix(sddm:session): session opened for user [email protected](uid=15371234) by (uid=0)
auth.log.1:Jul 26 15:26:43 linux042 systemd-logind[1177]: New session 3 of user u5371234.
auth.log.1:Jul 26 15:26:43 linux042 systemd: pam_unix(systemd-user:session): session opened for user u5371234(uid=15371234) by (uid=0)
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_unix(sddm-greeter:session): session closed for user sddm
auth.log.1:Jul 26 15:26:43 linux042 systemd-logind[1177]: Session 1 logged out. Waiting for processes to exit.
auth.log.1:Jul 26 15:26:43 linux042 systemd-logind[1177]: Removed session 1.
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: Couldn't create salt file
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: Couldn't read salt file
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: Fail into creating the hash
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_unix(sddm:session): session closed for user [email protected]
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_close_session
auth.log.1:Jul 26 15:26:43 linux042 sddm-helper: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
auth.log.1:Jul 26 15:26:43 linux042 systemd-logind[1177]: Session 3 logged out. Waiting for processes to exit.

daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Starting SSSD PAM Service responder private socket...
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Starting SSSD PAM Service responder socket...
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Starting SSSD PAC Service responder...
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1525]: [sssd] [main] (0x0070): Misconfiguration found for the pam responder.
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1525]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1525]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1525]: "systemctl disable sssd-pam.socket"
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited, status=17/n/a
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Dependency failed for SSSD PAM Service responder socket.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1526]: [sssd] [main] (0x0070): Misconfiguration found for the pam responder.
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1526]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1526]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
daemon.log.1:Jul 26 15:26:43 linux042 sssd_check_socket_activated_responders[1526]: "systemctl disable sssd-pam.socket"
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Started SSSD PAC Service responder.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: sssd-pam.socket: Control process exited, code=exited, status=17/n/a
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: sssd-pam.socket: Failed with result 'exit-code'.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Closed SSSD PAM Service responder socket.
daemon.log.1:Jul 26 15:26:43 linux042 sssd_pac[1528]: Starting up
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Created slice User Slice of UID 15371234.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Starting User Runtime Directory /run/user/15371234...
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Finished User Runtime Directory /run/user/15371234.
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1]: Starting User Manager for UID 15371234...
daemon.log.1:Jul 26 15:26:43 linux042 systemd[1546]: Failed to open configuration file '/home/u5371234/.config/systemd/user.conf': Permission denied

Answer 1

Cause:

The problem is on our side, not Ubuntu's. It is caused by some custom modifications in our setup that I was not aware of and that were made before my time. It was hard for me to find.

The custom code lives in /etc/pam.d/common-auth, which runs a script that executes chown -R ${PAM_USER}. ${HOME_DIR}. When a user logs in as [email protected], this becomes chown -R [email protected]. ${HOME_DIR}. The chown command fails and the permissions of the user profile are broken.

Fix:

Trimming everything after the "@" in the PAM_USER variable fixes the account creation process.

### Trim PAM_USER: :: [email protected] -> zid
#   Students are logging in as [email protected] which breaks chown below -> then breaks KDE login
#   ${PAM_USER%@*} removes the shortest suffix matching "@*", i.e. the "@realm" part
PAM_USER="${PAM_USER%@*}"
# ... this fixes: chown -R ${PAM_USER}. ${HOME_DIR}

Trim code based on: https://stackoverflow.com/questions/4168371
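A hardened form of the pam_exec hook discussed in the question and answer, as an added example rather than the poster's own script: it trims the realm suffix, resolves the canonical account and home directory through getent (which goes through SSSD for LDAP/AD users) instead of trusting the raw login string or a hand-built ${HOME_DIR}, and refuses to chown -R anything outside /home. The function names trim_realm, lookup_account and fix_home_owner and the constructed test logins are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not the original common-auth hook from the post.

# Strip a realm suffix: "u5371234@xyz" -> "u5371234".
# ${1%@*} drops the shortest suffix matching "@*", so only the last "@..." goes.
trim_realm() {
    printf '%s\n' "${1%@*}"
}

# Canonical name, uid and home from NSS (SSSD answers for directory users).
# Prints "name:uid:home"; exit status is non-zero when the account is unknown.
lookup_account() {
    getent passwd "$1" | cut -d: -f1,3,6
}

# fix_home_owner LOGIN
# Exit status: 0 = home owned by the user (or nothing to do),
#              1 = login empty, option-like or unknown to NSS,
#              2 = resolved home is not under /home, so chown -R is refused.
fix_home_owner() {
    login=$1
    user=$(trim_realm "$login")
    case "$user" in
        ''|-*) return 1 ;;          # never pass an empty or option-like name on
    esac
    entry=$(lookup_account "$user") || return 1
    [ -n "$entry" ] || return 1
    IFS=: read -r name uid home <<EOF
$entry
EOF
    case "$home" in
        /home/*) ;;
        *) return 2 ;;              # e.g. root -> /root: refuse recursive chown
    esac
    if [ -d "$home" ]; then
        # "name:" = that user and the user's login group (the "." form is legacy)
        chown -R "${name}:" "$home"
    fi
    return 0
}

# When run by pam_exec, PAM_USER holds the login name as typed by the user.
if [ -n "${PAM_USER:-}" ]; then
    fix_home_owner "$PAM_USER"
fi
```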
