Our department has a small network.
My predecessor tried to add the web server to our domain so that we could log in with the user accounts from our domain (mainly for transferring files to the web server). It worked for a while, but since some unknown point in time it no longer works.
So I read a few tutorials about samba and looked at the config files, but I could not find the problem. Now I am asking for your help.
auth.log after trying to log in as "domainuser":
Mar 13 17:04:33 linuxwebserver login[22754]: pam_winbind(login:auth): getting password (0x00000000)
Mar 13 17:04:35 linuxwebserver login[22754]: pam_winbind(login:auth): user '<domain-username>' granted access
Mar 13 17:04:35 linuxwebserver login[22754]: pam_unix(login:account): could not identify user (from getpwnam(<domain-username>))
Mar 13 17:04:35 linuxwebserver login[22754]: User not known to the underlying authentication module
auth.log after trying to log in as "domain"\"domainuser":
Mar 13 17:06:29 linuxwebserver login[22762]: pam_winbind(login:auth): getting password (0x00000000)
Mar 13 17:06:32 linuxwebserver login[22762]: pam_winbind(login:auth): request failed: No such user, PAM error was Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt (10), NT error was NT_STATUS_NO_SUCH_USER
Mar 13 17:06:32 linuxwebserver login[22762]: pam_unix(login:auth): check pass; user unknown
Mar 13 17:06:32 linuxwebserver login[22762]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/3 ruser= rhost=
Mar 13 17:06:34 linuxwebserver login[22762]: FAILED LOGIN (1) on 'pts/3' FOR `UNKNOWN', User not known to the underlying authentication module
As far as I can tell, the web server is correctly joined to the domain, but there is some problem with how Linux checks the validity of the account.
smb.conf: http://pastebin.com/nXdZUEbn
nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
wbinfo -u gives me a correct list of all accounts in our domain (without "DOMAIN\" in front of the names)
wbinfo -g gives me a correct list of the groups in our domain (without "DOMAIN\" in front of the names)
getent passwd gives me a list of the local (unix) accounts on our web server (no domain users)
getent group gives me a list of the local (unix) groups on our web server (no domain groups)
# wbinfo -p
Ping to winbindd succeeded
My idea: Linux uses the information from passwd to check whether the account is valid, but it does not check the information it gets from wbinfo. I thought I had solved this by adding winbind to nsswitch.conf, but the problem persists.
Edit:
/etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-password
password required pam_unix.so nullok obscure md5
EDIT2: /etc/krb5.conf
[libdefaults]
default_realm = <DOMAIN>.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
<DOMAIN>.LOCAL = {
kdc = <WIN DOMAIN CONTROLLER>.<DOMAIN>.local
admin_server = <WIN DOMAIN CONTROLLER>.<DOMAIN>.local
}
[domain_realm]
.<DOMAIN>.local = <DOMAIN>.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
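The symptom above (wbinfo -u lists the domain users, getent passwd does not, and pam_unix then fails in getpwnam) is a break between winbindd and the NSS side that login and PAM actually use. The following diagnostic script is an added example and is not from the original post or from Samba. It assumes Samba's wbinfo and glibc's getent are on PATH when run for real; the user names alice, bob and carol and the passwd lines at the bottom are constructed sample data so that the comparison logic runs without a domain.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original question). Assumes
# `wbinfo` (Samba) and `getent` (glibc) exist when run against a real host.

# missing_from_nss WBINFO_USERS PASSWD_LINES
#   WBINFO_USERS : newline-separated names as printed by `wbinfo -u`
#   PASSWD_LINES : passwd(5) lines as printed by `getent passwd`
# Prints every name winbindd enumerates that NSS does not expose.  A
# non-empty result is exactly the state in the question: winbindd is
# healthy, but libnss_winbind / idmap is not handing the users to
# getpwnam(), so login and pam_unix never see them.
missing_from_nss() {
  wb_users=$1
  passwd_lines=$2
  printf '%s\n' "$wb_users" | while IFS= read -r name; do
    [ -n "$name" ] || continue
    # exact match on the login-name field; the name is passed through the
    # environment so a "DOMAIN\user" form is not mangled by awk -v escapes
    if ! printf '%s\n' "$passwd_lines" \
         | n="$name" awk -F: '$1 == ENVIRON["n"] { found = 1 } END { exit !found }'; then
      printf '%s\n' "$name"
    fi
  done
}

# live_check: run the real commands against the local winbindd and, for each
# user that is missing from NSS, report where the name -> SID -> uid -> passwd
# chain breaks.
live_check() {
  wbinfo -p >/dev/null || { echo "winbindd not reachable"; return 1; }
  wb=$(wbinfo -u)
  nss=$(getent passwd)
  missing_from_nss "$wb" "$nss" | while IFS= read -r name; do
    echo "== $name: enumerated by winbind, absent from getent passwd"
    # direct lookup, i.e. the getpwnam() path; `winbind enum users = no`
    # disables only enumeration, so a failure here means lookups are broken
    if getent passwd "$name" >/dev/null 2>&1; then
      echo "   getent passwd $name: OK (only enumeration is disabled)"
    else
      echo "   getent passwd $name: FAIL"
    fi
    sid=$(wbinfo -n "$name" 2>/dev/null | awk '{print $1}')
    echo "   name -> SID : ${sid:-FAIL}"
    if [ -n "$sid" ]; then
      uid=$(wbinfo -S "$sid" 2>/dev/null)
      echo "   SID -> uid  : ${uid:-FAIL (no idmap backend/range maps this SID)}"
    fi
    # the passwd entry winbind itself would synthesise (needs template shell/homedir)
    wbinfo -i "$name" 2>/dev/null || echo "   wbinfo -i $name: FAIL"
  done
}

# Constructed sample data: three domain users from `wbinfo -u`, and a
# `getent passwd` containing local accounts plus one mapped domain user.
SAMPLE_WB='alice
bob
carol'
SAMPLE_NSS='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:*:10001:10000:bob:/home/DOMAIN/bob:/bin/bash'

if command -v wbinfo >/dev/null 2>&1 && command -v getent >/dev/null 2>&1; then
  live_check
else
  missing_from_nss "$SAMPLE_WB" "$SAMPLE_NSS"
fi
```

Read the live output bottom-up: if `wbinfo -n` resolves the name but `wbinfo -S` cannot turn the SID into a uid, NSS has nothing to return and pam_unix's getpwnam() fails exactly as in the first auth.log excerpt, regardless of what nsswitch.conf says. If `getent passwd NAME` succeeds while the bare `getent passwd` enumeration omits the user, only enumeration is off and login itself should work. Bare names from `wbinfo -u`, as in the question, are what `winbind use default domain = yes` produces, and in that mode the bare name is the one to look up.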
小智 0
I don't have enough reputation to comment, but I seem to recall that you need to use two backslashes when logging in to a Windows domain. I believe that is a BeyondTrust thing; I know that in Quest I didn't need to use two backslashes...
DOMAIN\\user
Views: 6509