Linux – Debian 6.0 AD integration

Edit: only tools that receive (security) updates through apt are acceptable.

So far I have been able to get the actual user authentication working via Kerberos, i.e. the log shows the username/password check succeeding, but the user cannot log in; see the log excerpt below.

Edit: updated log with pam debug:
May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: entry (0x0)
May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): (user test.linux) attempting authentication as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): Could not identify user (from getpwnam(test.linux))
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: entry (0x0)
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): (user test.linux) retrieving principal from cache
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: entry (0x0)
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): (user test.linux) getpwnam [...] for test.linux
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: exit (failure)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
May 12 10:06:36 debian-6-master login[10601]: User not known to the underlying authentication module
May 12 10:06:36 debian-6-master login[10601]: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=

My ldap.conf looks like this:

base dc=ad,dc=domain
uri ldap://10.10.10.10
ldap_version 3
binddn test.linux@ad.domain
bindpw password
scope sub
pam_password ad
nss_base_passwd dc=ad,dc=domain?sub
nss_base_shadow dc=ad,dc=domain?sub
nss_base_group dc=ad,dc=domain?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_sasl_mech DIGEST-MD5

nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat
group: compat
shadow: compat

hosts: files dns ldap
networks: files ldap

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis ldap

passwd_compat: files ldap
group_compat: files ldap
shadow_compat: files ldap

All of /etc/pam.d was generated by pam-auth-update, with all three authentication methods (Kerberos, Unix and LDAP) selected.
I can confirm from a packet capture that the LDAP search returns the correct user information, identical to the manual ldapsearch result shown below:

dn: CN=Linux\,test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,OU=_Managed Areas,DC=ad,DC=domain
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Linux,test
sn: Linux
givenName: test
distinguishedName: CN=Linux\,OU=_Managed Areas,DC=domain
instanceType: 4
whenCreated: 20110407131914.0Z
whenChanged: 20110511125854.0Z
displayName: Linux,test
uSNCreated: 4144737
uSNChanged: 4638378
name: Linux,test
objectGUID:: wwZt/MX/K0S36BL4bS2w+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129489044965699903
lastLogoff: 0
lastLogon: 129495915807176914
pwdLastSet: 129466559550934238
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAzXxBZqg31mUH5TsrkisAAA==
accountExpires: 9223372036854775807
logonCount: 35
sAMAccountName: test.linux
sAMAccountType: 805306368
userPrincipalName: test.linux@ad.domain
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain
dSCorePropagationData: 20110407131916.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129488989872488561
uid: test.linux
msSFU30Name: test.linux
msSFU30NisDomain: ad
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/test.linux
loginShell: /bin/sh

# refldap://DomainDnsZones.ad.domain/DC=DomainDnsZones,DC=domain
# refldap://ForestDnsZones.ad.domain/DC=ForestDnsZones,DC=domain
# refldap://ad.domain/CN=Configuration,DC=domain
# pagedresultscookie=

> With the correct username and password, I get the MOTD and then the "User not known to the underlying authentication module" message
> With a wrong username, I get "Login incorrect"
> With the correct username but a wrong password, SASL/DIGEST-MD5 authentication is started, followed by "Login incorrect"

AD is running on Windows 2k8 (R2) servers, and all Debian packages are what you get from apt.

Any ideas are very welcome.

Edit 2:
May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux
May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): received for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:14 debian-6-master login[11389]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 14:53:14 debian-6-master login[11389]: pam_unix(login:account): Could not identify user (from getpwnam(test.linux))
May 12 14:53:15 debian-6-master login[11389]: pam_sss(login:account): Access denied for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
May 12 14:53:15 debian-6-master login[11389]: pam_krb5(login:session): (user test.linux) getpwnam [...] for test.linux
May 12 14:53:15 debian-6-master login[11389]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
May 12 14:53:15 debian-6-master login[11389]: User not known to the underlying authentication module

Edit 3: As suggested below, I tried sssd with similar results; it now asks for the password twice, and the log shows:

(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): requesting info for [test.linux] from [<ALL>]
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): domain: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): user: test.linux
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): service: login
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): tty: /dev/tty3
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok size: 8
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): priv: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): cli_pid: 12507
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): pam_reply get called.
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): blen: 8
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): requesting info for [test.linux] from [<ALL>]
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
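An added diagnostic for the symptom in the question (example code, not from the original post): in every log above the Kerberos step succeeds and the failure is getpwnam, i.e. NSS cannot resolve the user, so the break is in name resolution rather than authentication. The script below takes the attributes from the poster's ldapsearch output and the nss_map_attribute rules from their ldap.conf, derives the passwd line NSS should return, and compares it with what getent passwd on the host actually answers; the sample LDIF and the test.linux name come from the post, and the getent comparison assumes it runs on the affected machine.

```shell
#!/bin/sh
# Added example, not code from the original post. It derives the passwd(5)
# line that NSS should return for the poster's account from the attributes
# their ldapsearch returned, applying the nss_map_attribute rules in their
# ldap.conf (gecos <- cn, homeDirectory <- unixHomeDirectory), and compares
# it with what the host's resolver really answers via getent(1).

# Constructed sample: the relevant attributes from the post's ldapsearch output.
SAMPLE_LDIF='uid: test.linux
cn: Linux,test
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/test.linux
loginShell: /bin/sh'

# ldif_to_passwd LDIF -> "uid:*:uidNumber:gidNumber:cn:home:shell", or
# "INCOMPLETE" when a field NSS needs is missing from the entry (a missing
# uidNumber/gidNumber is a common reason an AD user never appears in getent).
ldif_to_passwd() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "uid"               { u = $2 }
        $1 == "cn"                { g = $2 }   # gecos is mapped to cn
        $1 == "uidNumber"         { n = $2 }
        $1 == "gidNumber"         { gid = $2 }
        $1 == "unixHomeDirectory" { h = $2 }   # homeDirectory is mapped here
        $1 == "loginShell"        { s = $2 }
        END {
            if (u == "" || n == "" || gid == "" || h == "" || s == "") {
                print "INCOMPLETE"; exit
            }
            printf "%s:*:%s:%s:%s:%s:%s\n", u, n, gid, g, h, s
        }'
}

# check_nss USER EXPECTED -> "nss-miss" when getent cannot resolve the user
# (the poster's symptom: pam_krb5 succeeds, then getpwnam fails and login
# aborts), "ok" when every field except the password placeholder matches,
# "mismatch" otherwise. The password field is ignored because nss_ldap and
# sssd fill it with different placeholder strings.
check_nss() {
    actual=$(getent passwd "$1" 2>/dev/null) || { echo nss-miss; return 0; }
    if [ "$(printf '%s' "$actual" | cut -d: -f1,3-)" = "$(printf '%s' "$2" | cut -d: -f1,3-)" ]; then
        echo ok
    else
        echo mismatch
    fi
}

expected=$(ldif_to_passwd "$SAMPLE_LDIF")
echo "expected from LDAP: $expected"
echo "resolver verdict:   $(check_nss test.linux "$expected")"
```

A verdict of nss-miss while the Kerberos lines say "authenticated as" points at nsswitch.conf or the nss_ldap/sssd domain setup, not at the password check.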
Trust me, I have researched this a lot (some of the questions on this site are mine), and sssd is the answer. It even works for laptops, because credentials are cached and you can define the characteristics of the cache.

# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = your.domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 8

[pam]
reconnection_retries = 3
debug_level = 8

[domain/<your.domain>]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
#entry_cache_timeout = 60
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap
ldap_uri = ldap://you.domain.controller
ldap_search_base = CN=Users,DC=your,DC=domain
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=your,dc=domain
ldap_default_authtok_type = password
ldap_default_authtok = <password for LDAPsearch>
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
krb5_kdcip = your.domain.controller
krb5_realm = <kerberos realm name>
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15

This is based on using Services for UNIX in Windows Server 2008 (it is now an integral part of it; it used to be an add-on in 2k3 and earlier).

Unlike other LDAP systems, AD requires an authenticated session before any data can be retrieved. We created a special user named LDAPsearch for this purpose, but it can also be done with a real domain user.