linux – Debian 6.0 AD集成

尽管已有多个问题,例如 Linux on Windows AD Domain我想知道如何使用开放源代码将Debian 6.0 Squeeze与AD集成,或者仅限商业用途工具免费使用

编辑：只有通过apt提供(安全)更新的工具才可以接受.

到目前为止,我已经能够通过kerberos获得实际的用户身份验证工作,例如日志显示用户名/密码检查成功,但用户无法登录,请参阅下面的日志摘录;

编辑：使用pam debug更新日志：

@H_242_8@may 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: entry (0x0) May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): (user test.linuX) attempTing authentication as test.linux@AD.DOMAIN May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success) May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): Could not identify user (from getpwnam(test.linuX)) May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: entry (0x0) May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): (user test.linuX) retrieving principal from cache May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success) May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!? May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!? May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: entry (0x0) May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): (user test.linuX) getpwnam Failed for test.linux May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: exit (failurE) May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0) May 12 10:06:36 debian-6-master login[10601]: User not kNown to the underlying authentication module May 12 10:06:36 debian-6-master login[10601]: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=

我的ldap.conf看起来像这样：

base dc=ad,dc=domain
uri ldap://10.10.10.10
ldap_version 3
binddn test.linux@ad.domain
bindpw password
scope sub
pam_password ad
nss_base_passwd dc=ad,dc=domain?sub
nss_base_shadow dc=ad,dc=domain?sub
nss_base_group dc=ad,dc=domain?sub? &(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_sasl_mech DIGEST-MD5

nsswitch.conf的：

# /etc/nsswitch.conf
#
# Example configuration of GNU Name service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,try:
# `info libc "Name service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis ldap

passwd_compat: files ldap
group_compat: files ldap
shadow_compat: files ldap

所有/etc/pam.d都是由pam-auth-update创建的,所有三种(Kerberos,Unix和LDAp)身份验证方法都已选中.

我可以从数据包捕获中确认LDAP搜索结果是否正确用户信息,与下面显示的手动ldapsearch结果相同：

dn: CN=Linux\,test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,OU=_Managed Are
 as,DC=ad,DC=domain
objectClass: top
objectClass: person
objectClass: domainanizationalPerson
objectClass: user
cn: Linux,test
sn: Linux
givenName: test
disTinguishedName: CN=Linux\,OU=_Managed Areas,DC=domain
instanCEType: 4
whenCreated: 20110407131914.0Z
whenChanged: 20110511125854.0Z
displayName: Linux,test
uSNCreated: 4144737
uSNChanged: 4638378
name: Linux,test
objectGUID:: wwZt/MX/K0S36BL4bS2w+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badpasswordTime: 129489044965699903
lastlogoff: 0
lastlogon: 129495915807176914
pwdLastSet: 129466559550934238
priMaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAzXxBZqg31mUH5TsrkisAAA==
accountexpires: 9223372036854775807
logonCount: 35
sAMAccountName: test.linux
sAMAccountType: 805306368
userPrincipalName: test.linux@ad.domain
lockoutTime: 0
objectCategory: CN=Person,CN=scheR_101_11845@a,CN=Configuration,DC=domain
dscorePropagationData: 20110407131916.0Z
dscorePropagationData: 16010101000000.0Z
lastlogontimestamp: 129488989872488561
uid: test.linux
msSFU30Name: test.linux
msSFU30NisDomain: ad
uidnumber: 10002
gidnumber: 10000
unixHomeDirectory: /home/test.linux
loginSHell: /bin/sh

# refldap://DomainDnsZones.ad.domain/DC=DomainDnsZones,DC=domain

# refldap://ForestDnsZones.ad.domain/DC=ForestDnsZones,DC=domain

# refldap://ad.domain/CN=Configuration,DC=domain

# pagedresultscookie=

>使用正确的用户名和密码,我会收到MOTD和基础身份验证模块未知的用户消息
>如果用户名错误,我的登录信息不正确
>使用正确的用户名,但密码错误,我启动SASL / DIGEST-MD5身份验证,然后登录不正确

AD正在运行Windows 2k8(r2)服务器,所有debian软件包都是你从apt获得的.

任何想法都非常受欢迎.

编辑2：
如下所示,我尝试使用类似结果的sssd,现在要求密码两次,日志显示：

@H_242_8@may 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): received for user test.linux: 10 (User not kNown to the underlying authentication modulE) May 12 14:53:14 debian-6-master login[11389]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN May 12 14:53:14 debian-6-master login[11389]: pam_unix(login:account): Could not identify user (from getpwnam(test.linuX)) May 12 14:53:15 debian-6-master login[11389]: pam_sss(login:account): Access denied for user test.linux: 10 (User not kNown to the underlying authentication modulE) May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!? May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!? May 12 14:53:15 debian-6-master login[11389]: pam_krb5(login:session): (user test.linuX) getpwnam Failed for test.linux May 12 14:53:15 debian-6-master login[11389]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0) May 12 14:53:15 debian-6-master login[11389]: User not kNown to the underlying authentication module

编辑3：

如果我在调试级别设置为5的前台运行sssd,则日志显示：

(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_endpwent] (4): TerminaTing request info for all accounts
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): requesTing info for [test.linux] from [<ALL>]
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux],fail!
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): domain: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): user: test.linux
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): service: login
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): tty: /dev/tty3
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok size: 8
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): priv: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): cli_pid: 12507
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): pam_reply get called.
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): blen: 8
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_endpwent] (4): TerminaTing request info for all accounts
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): requesTing info for [test.linux] from [<ALL>]
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux],fail!

# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = your.domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 8

[pam]
reconnection_retries = 3
debug_level = 8

[domain/<your.domain>]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
#entry_cache_timeout = 60

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap

ldap_uri = ldap://you.domain.controller
ldap_search_base = CN=Users,DC=your,DC=domain
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_defaulT_Bind_dn = cn=LDAPsearch,CN=Users,dc=your,dc=domain
ldap_default_authtok_type = password
ldap_default_authtok = <password for LDAPsearch>
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory

krb5_kdcip = your.domain.controller
krb5_realm = <kerberos realm name>
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15