Pet*_*r M 7 ubuntu active-directory authentication pam likewise-open
For six months we have been successfully authenticating Active Directory users from Ubuntu hosts with PowerBroker Identity Services Open.
Recently, after a user ran apt-get upgrade on more than 200 packages, AD authentication stopped working on several workstations. Authentication attempts give the errors "Invalid password", "User account has expired", or "is your account locked?"
I cannot tie the problem to a specific package upgrade, yet workstations built from scratch with the same package versions do not have this issue. I have tried reinstalling PBIS and verifying all of the configuration files, but I'm missing something... I'm at a loss and would appreciate anyone's advice. The next time this happens I'd rather not have to rebuild another box!
I first verified that the AD user account is enabled, not locked, and not expired. Local user authentication works fine through both lightdm and ssh.
lightdm
Bad password
auth log:
lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:username][error code:40022]
syslog:
lsass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
lsass: [lsass] Failed to authenticate user (name = 'username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 17768
ssh
Valid credentials
auth log:
sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME
sshd[18237]: error: Received disconnect from IP_ADDRESS: 13: Unable to authenticate [preauth]
Bad password
auth log:
sshd[18276]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain\username][error code:40022]
sshd[18272]: error: PAM: Authentication failure for domain\\username from hostname
syslog:
lsass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
lsass: [lsass] Failed to authenticate user (name = 'domain\username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 18276
Just trying some crazy local things (no, the account is not locked in AD):
root@hostname:~# su - domain\\username
su: Authentication failure
(Ignored)
reenter password for pam_mount:
DOMAIN\username@hostname:~$ sudo cat /etc/fstab
[sudo] password for DOMAIN\username:
sudo: account validation failure, is your account locked?
DOMAIN\username@hostname:~$
/opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%D/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "DOMAIN.COM"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "DOMAIN\\DOMAIN-GROUP"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
/opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.0.1.2029
Packaged product version: 8.0.2029.67662
Uptime: 1 days 1 hours 4 minutes 26 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: DOMAIN.COM
Domain SID: S-1-5-21-3537566271-1428921453-776812789
Forest: domain.com
Site: NYC
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: DOMAIN]
DNS Domain: domain.com
Netbios name: DOMAIN
Forest name: domain.com
Trustee DNS name:
Client site name: NYC
Domain SID: S-1-5-21-3537566271-1428921453-776812789
Domain GUID: 0b6b6d88-ea48-314a-8bad-a997a57bc1f4
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: dc2.nyc.domain.com
DC Address: 10.x.x.50
DC Site: NYC
DC Flags: [0x0000f1fc]
DC Is PDC: no
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: dc1.nyc.domain.com
GC Address: 10.x.x.50
GC Site: NYC
GC Flags: [0x0000f3fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
/opt/pbis/bin/find-objects --user username
User object [1 of 1] (S-1-5-21-3537566271-1428921453-776812789-1107)
============
Enabled: yes
Distinguished name: CN=USERNAME,OU=User,OU=User Accounts,DC=domain,DC=com
SAM account name: username
NetBIOS domain name: DOMAIN
UPN: username@DOMAIN.COM
Display Name: First Last
Alias: <null>
UNIX name: DOMAIN\username
GECOS: First LAst
Shell: /bin/bash
Home directory: /home/DOMAIN/username
Windows home directory: \\domain.com\dfs\NYC\Users\username
Local windows home directory:
UID: 1023411283
Primary group SID: S-1-5-21-3537566271-1428921453-776812789-513
Primary GID: 1023410689
Password expired: no
Password never expires: yes
Change password on next logon: no
User can change password: yes
Account disabled: no
Account expired: no
Account locked: no
/etc/pbis/pbis-krb5-ad.conf
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_mount.so
session [success=ok default=ignore] pam_lsass.so
session optional pam_systemd.so
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_lsass.so try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
auth optional pam_mount.so
/opt/pbis/share/pbis.pam-auth-update
Name: Likewise
Default: yes
Priority: 250
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
sufficient pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so
/usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
[SeatDefaults]
user-session=ubuntu
greeter-show-manual-login=true
/usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
[SeatDefaults]
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
greeter-session=unity-greeter
The key line is this one:
sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME
This indicates that a PAM module thinks the account has expired. I would focus less on auth / session and more on account, which is the facility concerned with account attributes unrelated to authentication. Your first task is to determine which module is causing the problem. Once you know that, it should be easier to work out why the module thinks the user should be blocked.
Go through the applicable account modules one by one, and if you need more hints, try adding the debug flag to the individual entries to expand the log output. If you are really stumped, and it won't compromise the security of a critical environment, you could also try commenting out account lines one at a time until you find the culprit.
As for what changed, most likely your PAM configuration was modified when those packages were installed. It's possible that the user in question has been in this state all along, but the database associated with the misbehaving account module was being bypassed (skipped, commented out, didn't exist at all, etc.).
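A small triage script for the log lines quoted above, added here as an example (it is not part of the question or the answer). It does the first thing the answer asks for: tell the auth stack apart from the account stack per login attempt, using the fact that sshd logs Linux-PAM's pam_strerror() text for the PAM call that failed and that pam_lsass names the pam_sm_* entry point it failed in. The sample log is constructed from the excerpts in the question; the PIDs, error codes and paths are as quoted there.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd/lsass lines quoted in the question (PIDs and paths as quoted).
SAMPLE_LOG = r"""
sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME
sshd[18237]: error: Received disconnect from IP_ADDRESS: 13: Unable to authenticate [preauth]
sshd[18276]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain\username][error code:40022]
lsass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
lsass: [lsass] Failed to authenticate user (name = 'domain\username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 18276
"""
# sshd prints pam_strerror() for the PAM return code, so the wording identifies the failing stack.
PAM_STRERROR = {
    "User account has expired": ("account", "PAM_ACCT_EXPIRED"),
    "Authentication failure": ("auth", "PAM_AUTH_ERR"),
}
# pam_lsass names the entry point it failed in: pam_sm_authenticate is auth, pam_sm_acct_mgmt is account.
PAM_SM_STAGE = {"authenticate": "auth", "acct_mgmt": "account", "open_session": "session"}
RE_PID = re.compile(r"^\w+\[(\d+)\]")
RE_SSHD_PAM = re.compile(r"error: PAM: (.+?) for ")
RE_LSASS_PAM = re.compile(r"\[module:(\w+)\]pam_sm_(\w+) error .*\[error code:(\d+)\]")
RE_LSASS = re.compile(r"error = (\d+), symbol = (\w+), client pid = (\d+)")
RE_KRB5 = re.compile(r"KRB5 Error code: (-?\d+) \(Message: (.+?)\)")


def classify(line):
    """Describe one log line as {pid, stage, ...}, or None if it is not a PAM/lsass failure."""
    pid = RE_PID.match(line)
    pid = pid.group(1) if pid else None
    if (m := RE_SSHD_PAM.search(line)) and m.group(1) in PAM_STRERROR:
        stage, code = PAM_STRERROR[m.group(1)]
        return {"pid": pid, "stage": stage, "code": code}
    if m := RE_LSASS_PAM.search(line):
        return {"pid": pid, "stage": PAM_SM_STAGE.get(m.group(2), m.group(2)),
                "module": m.group(1), "lsass_error": int(m.group(3))}
    if m := RE_LSASS.search(line):  # lsass daemon line; it carries the client PID itself
        return {"pid": m.group(3), "stage": "auth", "lsass_error": int(m.group(1)), "symbol": m.group(2)}
    if m := RE_KRB5.search(line):  # KDC reply to the TGT request made during the auth stack
        return {"pid": None, "stage": "auth", "krb5_error": int(m.group(1)), "message": m.group(2)}
    return None


def summarize(text):
    """Group classified lines by PID so each login attempt shows which PAM stage rejected it."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        info = classify(line)
        if info:
            by_pid[info.pop("pid") or "lsass"].append(info)
    return dict(by_pid)
```

Running summarize(SAMPLE_LOG) shows PID 18237 rejected in the account stack (PAM_ACCT_EXPIRED) with no lsass error at all, while PID 18276 fails in the auth stack with lsass error 40022 backed by a Kerberos preauthentication failure, which is the split the answer tells you to start from.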