Active-Directory
How to configure PAM to mount only after winbind authentication
I am trying to configure PAM with the following requirements:
- You can log in with a local account (root, local users)
- You can log in with an AD account, and if you do, pam_mount mounts the home share
- If AD is unreachable, you can log in with an AD account through cached credentials (ccreds), and if you do, PAM does not try to mount the home share
So far I have almost managed to configure PAM this way, but when I log in with an AD account while AD is unreachable, PAM still tries to mount the home share, which is unreachable as well.
I think I understand how the PAM configuration files work, and I have tested many different things, so if a PAM expert is willing to help me I would be very grateful.
Here are the PAM configuration files:
/etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
# auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth optional pam_mount.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
# end of pam-auth-update config
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session [success=ok default=1] pam_winbind.so
session [success=done default=ignore] pam_mount.so
session sufficient pam_ccreds.so
# end of pam-auth-update config
/etc/pam.d/common-session-noninteractive
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session sufficient pam_ccreds.so
If you need more information, feel free to ask. Thanks in advance.
I managed to use the pam_exec.so module to check whether the Active Directory server is reachable. Here are the PAM files:
/etc/pam.d/common-auth
auth optional pam_exec.so log=/var/tmp/pam.log /bin/echo "-----AUTH------"
auth [success=5 default=ignore] pam_unix.so nullok_secure
auth [success=3 authinfo_unavail=ignore default=1] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=4 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [success=die default=die] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth [success=1 default=die] pam_ccreds.so minimum_uid=1000 action=store
auth [success=4 default=die] pam_exec.so log=/var/tmp/pam.log /bin/echo "successfully logged in with unix"
auth [success=ok default=2] pam_exec.so log=/var/tmp/script.log /bin/ping -c 1 ipaddress.to.AD.server
auth optional pam_mount.so
auth [success=1 default=die] pam_exec.so log=/var/tmp/pam.log /bin/echo "successfully logged in with winbind"
auth [default=die] pam_exec.so log=/var/tmp/pam.log /bin/echo "successfully logged in with ccreds"
auth required pam_permit.so
/etc/pam.d/common-account
account optional pam_exec.so log=/var/tmp/pam.log /bin/echo "-----ACCOUNT------"
account [success=ok new_authtok_reqd=done default=1] pam_unix.so
account [success=3] pam_exec.so log=/var/tmp/pam.log /bin/echo "Logged with Unix account"
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account optional pam_exec.so log=/var/tmp/pam.log /bin/echo "Logged with winbind account"
account required pam_permit.so
/etc/pam.d/common-session
session optional pam_exec.so log=/var/tmp/pam.log /bin/echo "-----SESSION------"
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session [success=ok default=1] pam_unix.so
session [success=ok] pam_exec.so log=/var/tmp/pam.log /bin/echo "unix session started"
session [success=ok default=die] pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=ok default=2] pam_exec.so log=/var/tmp/script.log /bin/ping -c 1 ipaddress.to.AD.server
session optional pam_mount.so
session [success=done] pam_exec.so log=/var/tmp/pam.log /bin/echo "winbind session started + homedir mounted"
session optional pam_exec.so log=/var/tmp/pam.log /bin/echo "ccreds session started"
You only need to change the IP address in the auth and session files to make it work. You will get custom logs in /var/tmp/ for the ping and the echo lines. I think there are better solutions to this problem than mine, but I did not find one.
Hope these conf files help someone!
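The answer above gates pam_mount.so on a `/bin/ping -c 1` of one hard-coded DC address. An ICMP ping can succeed while winbindd itself has no working connection (or fail on a network that filters ICMP), and the login hangs for the ping timeout when the link is down. The script below is an added example, not part of the answer or of any Samba or PAM project: it is meant to be run from the same pam_exec.so slots, asks winbindd for its own view of the domain controller with `wbinfo --ping-dc`, bounds the wait with `timeout`, and exits 0 only when a mount should be attempted. The variable names WBINFO, AD_TIMEOUT and LOG, the script path /usr/local/sbin/ad-check.sh, and the assumption that domain users appear as `DOMAIN\user` or `user@REALM` are all mine, not from the page.

```shell
#!/bin/sh
# Added example (not from the original answer): reachability helper for
# pam_exec.so, intended to replace the raw "/bin/ping -c 1 ..." lines.
# Exit status 0 = a domain controller answers and the user is a domain
# user, 1 = otherwise, so a [success=ok default=N] jump can skip pam_mount.so.
# Assumed names: WBINFO, AD_TIMEOUT, LOG (environment overrides) and the
# install path /usr/local/sbin/ad-check.sh mentioned in the usage note.

WBINFO="${WBINFO:-/usr/bin/wbinfo}"   # Samba's winbind client
AD_TIMEOUT="${AD_TIMEOUT:-3}"         # seconds; keeps offline logins fast
LOG="${LOG:-/var/tmp/ad-check.log}"

# ad_reachable: 0 if winbindd reports a live NETLOGON connection to a DC.
# Asking winbindd reflects the same path pam_winbind uses, unlike an ICMP
# ping of one fixed address, and the timeout bounds the delay when the
# network is down.
ad_reachable() {
    timeout "$AD_TIMEOUT" "$WBINFO" --ping-dc >/dev/null 2>&1
}

# decide_mount: given the reachability result ($1, 0 = reachable) and the
# PAM user name ($2), return 0 when a home-share mount should be attempted.
# Assumption: domain users arrive as DOMAIN\user or user@REALM. With
# "winbind use default domain = yes" the prefix is absent and another
# source of truth (e.g. wbinfo -u) would be needed.
decide_mount() {
    reach="$1"
    user="$2"
    case "$user" in
        *\\*|*@*) [ "$reach" -eq 0 ] ;;
        *) return 1 ;;   # root and local users never mount a share
    esac
}

# log_line: append one timestamped line to LOG, mirroring the answer's
# log=/var/tmp/... approach without needing pam_exec's log= option.
log_line() {
    printf '%s %s\n' "$(date '+%F %T')" "$1" >>"$LOG"
}

# Entry point when invoked by pam_exec (PAM_TYPE and PAM_USER are exported
# by it); nothing runs when the file is merely sourced.
if [ -n "${PAM_TYPE:-}" ]; then
    if ad_reachable; then reach=0; else reach=1; fi
    if decide_mount "$reach" "${PAM_USER:-}"; then
        log_line "$PAM_TYPE $PAM_USER: DC reachable, mount allowed"
        exit 0
    fi
    log_line "$PAM_TYPE $PAM_USER: DC unreachable or local user, mount skipped"
    exit 1
fi
```

To use it, install the script as /usr/local/sbin/ad-check.sh (mode 0755, owned by root) and replace each `pam_exec.so log=/var/tmp/script.log /bin/ping -c 1 ipaddress.to.AD.server` line in the answer with `pam_exec.so /usr/local/sbin/ad-check.sh`, keeping the same `[success=ok default=2]` control field so the jump over pam_mount.so is unchanged. Because the decision is made by winbindd rather than by ICMP, a cached-credentials login on a host whose DC is filtered or down skips the mount without waiting on a ping.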