我有一些集中管理的 Ubuntu 工作站,它们根据 Active Directory 对用户进行身份验证,并在登录时使用 pam_mount 挂载用户主文件夹。这通常可以按预期工作,但是有时主文件夹无法挂载,并且对于每个要挂载的卷,我都会遇到这种情况 /var/log/auth.log:
(mount.c:72): Messages from underlying mount program:
(mount.c:76): mount error(115): Operation now in progress
(mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
(pam_mount.c:522): mount of data/users/username/documents failed
它在每个卷上挂起超过 10 秒,因此登录或执行操作su实际上可能需要几分钟。当我在此期间打开另一个终端时,我异常地得到
I have no name!@VP-OH-01L:~$
我在以下位置看到此内容syslog:
Jun 11 18:28:16 VP-OH-01L kernel: [35851.544770] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Jun 11 18:28:16 VP-OH-01L kernel: [35851.544787] cifs_vfs_err: 10 callbacks suppressed
Jun 11 18:28:16 VP-OH-01L kernel: [35851.544789] CIFS VFS: Send error in SessSetup = -13
Jun 11 18:28:16 VP-OH-01L kernel: [35851.544912] CIFS VFS: cifs_mount failed w/return code = -13
Jun 11 18:28:26 VP-OH-01L kernel: [35861.554651] CIFS VFS: Error connecting to socket. Aborting operation.
Jun 11 18:28:26 VP-OH-01L kernel: [35861.554822] CIFS VFS: cifs_mount failed w/return code = -115
Jun 11 18:28:36 VP-OH-01L kernel: [35871.564834] CIFS VFS: Error connecting to socket. Aborting operation.
Jun 11 18:28:36 VP-OH-01L kernel: [35871.565010] CIFS VFS: cifs_mount failed w/return code = -115
它仍然登录(并且不会警告在没有连接时进行的离线登录),因此工作站和域之间存在连接。
我将在下面转储所有相关配置;抱歉,我写了一大堆文字!/etc/security/pam_mount.conf.xml我有大约 10 个这样的配置:
<volume user="*" fstype="cifs" server="ou.domain.com" path="data/users/%(USER)/documents" mountpoint="~/Documents" options="uid=%(USER),gid=100,dir_mode=0700,file_mode=0700,nounix,iocharset=utf8,rw,sec=ntlmsspi" />
在/etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so disable_interactive
在/etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so disable_interactive
session optional pam_systemd.so
在/etc/hosts:
127.0.0.1 localhost
127.0.1.1 COMPUTER_FQDN COMPUTER_HOSTNAME
在/etc/krb5.conf:
[libdefaults]
default_realm = OU.DOMAIN.COM
ticket_lifetime = 24000
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
OU.DOMAIN.COM = {
kdc = ou.domain.com:88
default_domain = ou.domain.com
}
[domain_realm]
.ou.domain.com = OU.DOMAIN.COM
ou.domain.com = OU.DOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
在/etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
在/etc/security/pam_winbind.conf:
cached_login = yes
最后,在/etc/samba/smb.conf:
[global]
netbios name = COMPUTER_HOSTNAME
security = ADS
workgroup = OU
realm = OU.DOMAIN.COM
encrypt passwords = yes
idmap config *:backend = rid
idmap config *:range = 5000-100000
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
client ntlmv2 auth = yes
client ldap sasl wrapping = sign
template shell = /bin/bash
wins server = 192.168.0.70
name resolve order = lmhosts host wins bcast
工作站装有 Ubuntu 16.04。当我启动计算机并登录(或稍后su登录另一个域用户)时,这种情况会非常随机地发生,我还没有找到重现它的方法。有时它工作得很好。工作站通过以太网连接到 LAN,DC 位于同一个 LAN 中(连接良好)。我没有主意了,任何帮助或建议都将不胜感激 :)