Debian 6.0 AD integration
Although there are already several questions on this, for example Linux on a Windows AD domain, I would like to know how to integrate Debian 6.0 Squeeze with AD using open-source or otherwise free-for-commercial-use tools.
Edit: only tools that receive (security) updates through apt are acceptable.
So far I have been able to get the actual user authentication working via Kerberos, i.e. the logs show the username/password check succeeding, but the user cannot log in; see the log excerpt below.
Edit: updated log with pam debugging:
    May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: entry (0x0)
    May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): (user test.linux) attempting authentication as test.linux@AD.DOMAIN
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
    May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: entry (0x0)
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): (user test.linux) retrieving principal from cache
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
    May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
    May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: entry (0x0)
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
    May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: exit (failure)
    May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
    May 12 10:06:36 debian-6-master login[10601]: User not known to the underlying authentication module
    May 12 10:06:36 debian-6-master login[10601]: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=
My ldap.conf looks like this:

    base dc=ad,dc=domain
    uri ldap://10.10.10.10
    ldap_version 3
    binddn test.linux@ad.domain
    bindpw password
    scope sub
    pam_password ad
    nss_base_passwd dc=ad,dc=domain?sub
    nss_base_shadow dc=ad,dc=domain?sub
    nss_base_group dc=ad,dc=domain?sub?&(objectCategory=group)(gidnumber=*)
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute gecos cn
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute uniqueMember member
    pam_sasl_mech DIGEST-MD5
nsswitch.conf:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat
    group:          compat
    shadow:         compat

    hosts:          files dns ldap
    networks:       files ldap

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis ldap

    passwd_compat:  files ldap
    group_compat:   files ldap
    shadow_compat:  files ldap
All files in /etc/pam.d are as created by pam-auth-update, selecting all three authentication methods (Kerberos, Unix and LDAP).
ldapsearch: I can confirm from a packet capture that the LDAP search returns the correct user information, identical to the manual result below:

    dn: CN=Linux\, test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,OU=_Managed Areas,DC=ad,DC=domain
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Linux, test
    sn: Linux
    givenName: test
    distinguishedName: CN=Linux\, test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,OU=_Managed Areas,DC=ad,DC=domain
    instanceType: 4
    whenCreated: 20110407131914.0Z
    whenChanged: 20110511125854.0Z
    displayName: Linux, test
    uSNCreated: 4144737
    uSNChanged: 4638378
    name: Linux, test
    objectGUID:: wwZt/MX/K0S36BL4bS2w+g==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 129489044965699903
    lastLogoff: 0
    lastLogon: 129495915807176914
    pwdLastSet: 129466559550934238
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAzXxBZqg31mUH5TsrkisAAA==
    accountExpires: 9223372036854775807
    logonCount: 35
    sAMAccountName: test.linux
    sAMAccountType: 805306368
    userPrincipalName: test.linux@ad.domain
    lockoutTime: 0
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=domain
    dSCorePropagationData: 20110407131916.0Z
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 129488989872488561
    uid: test.linux
    msSFU30Name: test.linux
    msSFU30NisDomain: ad
    uidNumber: 10002
    gidNumber: 10000
    unixHomeDirectory: /home/test.linux
    loginShell: /bin/sh

    # refldap://DomainDnsZones.ad.domain/DC=DomainDnsZones,DC=ad,DC=domain
    # refldap://ForestDnsZones.ad.domain/DC=ForestDnsZones,DC=ad,DC=domain
    # refldap://ad.domain/CN=Configuration,DC=ad,DC=domain
    # pagedresultscookie=
- With the correct username and password, I get the MOTD and the message `User not known to the underlying authentication module`
- With a wrong username, I get `Login incorrect`
- With the correct username but a wrong password, I get `SASL/DIGEST-MD5 authentication started` followed by `Login incorrect`
The AD runs on Windows 2k8 (R2) servers, and all Debian packages are the ones you get from apt.
Any ideas are very welcome.
Edit 2: As suggested below, I tried sssd, with similar results; it now asks for the password twice, and the log shows:

    May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux
    May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): received for user test.linux: 10 (User not known to the underlying authentication module)
    May 12 14:53:14 debian-6-master login[11389]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
    May 12 14:53:14 debian-6-master login[11389]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
    May 12 14:53:15 debian-6-master login[11389]: pam_sss(login:account): Access denied for user test.linux: 10 (User not known to the underlying authentication module)
    May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
    May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
    May 12 14:53:15 debian-6-master login[11389]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
    May 12 14:53:15 debian-6-master login[11389]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
    May 12 14:53:15 debian-6-master login[11389]: User not known to the underlying authentication module
Edit 3: If I run sssd in the foreground with the debug level set to 5, the log shows:

    (Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
    (Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [test.linux] from [<ALL>]
    (Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): command: PAM_AUTHENTICATE
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): domain: (null)
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): user: test.linux
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): service: login
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): tty: /dev/tty3
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): ruser: (null)
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): rhost: (null)
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok type: 1
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok size: 8
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): priv: 1
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): cli_pid: 12507
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): pam_reply get called.
    (Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): blen: 8
    (Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
    (Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [test.linux] from [<ALL>]
    (Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
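Both PAM excerpts in the question show the same shape: the `auth` stage succeeds in pam_krb5, while every module that calls getpwnam() (pam_unix, pam_env, pam_krb5's session handler, pam_sss) fails to resolve the user. The script below is an added example, not part of the question or of pam_krb5, pam_sss or sssd; it parses login(1) PAM lines of the form `module(service:stage): message`, groups them by PAM stage and separates "credential rejected" from "user not resolvable through NSS". The log samples are constructed from the excerpts above; the single-line bad-password sample is a constructed counter-example.

```python
import re
from collections import OrderedDict

# Constructed samples modelled on the login(1) PAM excerpts in the question:
# the first with pam_krb5 + pam_unix, the second after pam_sss was added.
SAMPLE_KRB5 = """\
May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): (user test.linux) attempting authentication as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: exit (failure)
May 12 10:06:36 debian-6-master login[10601]: User not known to the underlying authentication module
"""

SAMPLE_SSSD = """\
May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux
May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): received for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:14 debian-6-master login[11389]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 14:53:14 debian-6-master login[11389]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 14:53:15 debian-6-master login[11389]: pam_sss(login:account): Access denied for user test.linux: 10 (User not known to the underlying authentication module)
"""

# Constructed counter-example (not from the question): a genuinely rejected password.
SAMPLE_BAD_PASSWORD = """\
May 12 10:07:01 debian-6-master login[10602]: pam_krb5(login:auth): pam_sm_authenticate: exit (failure)
"""

# syslog line: "<timestamp> <host> <service>[<pid>]: <module>(<service>:<stage>): <message>"
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<stage>auth|account|password|session)\): (?P<msg>.*)$"
)

# Messages that mean "the name service could not resolve the user", not "bad credential".
NSS_FAILURE_MARKERS = (
    "getpwnam",
    "No such user",
    "User not known to the underlying authentication module",
)


def parse_pam_lines(text):
    """Return one dict per line that carries a module(service:stage) tag; other lines are skipped."""
    return [m.groupdict() for m in map(PAM_RE.match, text.splitlines()) if m]


def classify_event(ev):
    """Map a PAM log message to success / nss_failure / failure / info."""
    msg = ev["msg"]
    if "authenticated as" in msg or "exit (success)" in msg:
        return "success"
    if any(marker in msg for marker in NSS_FAILURE_MARKERS):
        return "nss_failure"
    if "exit (failure)" in msg or "authentication failure" in msg or "Access denied" in msg:
        return "failure"
    return "info"


def triage(text):
    """Summarise one login attempt: per-stage outcomes plus a one-line diagnosis."""
    stages = OrderedDict()
    for ev in parse_pam_lines(text):
        outcome = stages.setdefault(ev["stage"], {"success": [], "nss_failure": [], "failure": []})
        kind = classify_event(ev)
        if kind != "info":
            outcome[kind].append(ev["module"])
    auth_ok = "pam_krb5" in stages.get("auth", {}).get("success", [])
    nss_failed = any(st["nss_failure"] for st in stages.values())
    if auth_ok and nss_failed:
        diagnosis = ("credentials accepted by Kerberos, but getpwnam() cannot resolve the user: "
                     "fix identity lookup (nsswitch.conf / nss_ldap / sssd), not PAM authentication")
    elif auth_ok:
        diagnosis = "credentials accepted and user resolvable: login should succeed"
    else:
        diagnosis = "credentials rejected or no successful auth stage seen: check the Kerberos/PAM auth setup"
    return {"stages": stages, "auth_ok": auth_ok, "nss_failed": nss_failed, "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, sample in (("krb5", SAMPLE_KRB5), ("sssd", SAMPLE_SSSD), ("bad-pw", SAMPLE_BAD_PASSWORD)):
        result = triage(sample)
        print(f"== {name}")
        for stage, outcome in result["stages"].items():
            print(f"  {stage:8s} ok={outcome['success']} nss_fail={outcome['nss_failure']} fail={outcome['failure']}")
        print("  " + result["diagnosis"])
```

Feed it the relevant lines from /var/log/auth.log for a single login attempt (filter on the PID in brackets). The distinction it draws is the one that matters here: a getpwnam() failure after a successful `auth` stage is an identity-resolution problem on the NSS side, and no amount of Kerberos or PAM tuning changes what getpwnam() returns.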
I'd suggest using sssd. It is a standard package in Debian squeeze and makes life much easier. When you install sssd it should ask you which authentication method to use. Make your choice there and nsswitch.conf and the pam.d scripts are updated automatically. You will need a few details about your AD domain to hand, but you should know those anyway (e.g. which DC to use and what the Kerberos realm name is, etc.).
Believe me, I've done a lot of research on this (and some of the questions on this site on the subject are mine), and sssd is the answer. It even works well for laptops, since credentials are cached and you can define the cache characteristics.
Here is our sssd.conf file, with some comments:
    # SSSD configuration generated using /usr/lib/sssd/generate-config
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = your.domain

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    debug_level = 8

    [pam]
    reconnection_retries = 3
    debug_level = 8

    [domain/<your.domain>]
    ; Using enumerate = true leads to high load and slow response
    enumerate = false
    cache_credentials = true
    #entry_cache_timeout = 60
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    #access_provider = ldap
    ldap_uri = ldap://your.domain.controller
    ldap_search_base = CN=Users,DC=your,DC=domain
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
    ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=your,dc=domain
    ldap_default_authtok_type = password
    ldap_default_authtok = <password for LDAPsearch>
    ldap_pwd_policy = none
    ldap_user_object_class = user
    ldap_group_object_class = group
    ldap_user_home_directory = unixHomeDirectory
    krb5_kdcip = your.domain.controller
    krb5_realm = <kerberos realm name>
    krb5_changepw_principle = kadmin/changepw
    krb5_auth_timeout = 15
This is based on using the UNIX Services in Windows Server 2008 (now an integral part of it; it used to be an add-on in 2k3 and earlier).
Unlike other LDAP systems, AD requires an authenticated session before any data can be retrieved. We created a special user called LDAPsearch to facilitate this, but it can also be done with an actual domain user.
When you configure users you have to set their UNIX Services details (home directory, user ID and primary group membership), but that is very straightforward.
Obviously you can use a different search base, and you can also add filters to ensure that users are members of a particular group, etc. Just read the sssd man pages.
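A file in the layout above is easy to get subtly wrong once the placeholders are filled in, and sssd will not always tell you. The checker below is an added example, not the answerer's code and not part of the sssd project; it reads sssd.conf with Python's configparser (sssd.conf is INI-style and, as the file above shows, uses both `#` and `;` comments) and reports three things a practitioner should look for with this layout: a `domains =` entry whose `[domain/...]` section name does not match (sssd only starts domains listed in `domains =`, so a mismatched section is never used), an `id_provider = ldap` domain on a plain `ldap://` URI without `ldap_id_use_start_tls` (the LDAPsearch bind password and every identity lookup then cross the network unencrypted; the Kerberos `auth_provider` is unaffected), and `ldap_tls_reqcert` set to `never` or `allow`. The two embedded configs are constructed placeholders modelled on the file above, one with those weaknesses and one without; `example.test`, `dc1.example.test` and `REPLACE-ME` are not real values.

```python
import configparser
import io

# Constructed placeholder configs modelled on the answer's sssd.conf; not a real deployment.
# WEAK_CONF: section name does not match domains=, no STARTTLS, certificate checking off.
WEAK_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[domain/<example.test>]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.test
ldap_search_base = CN=Users,DC=example,DC=test
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-ME
krb5_realm = EXAMPLE.TEST
"""

# HARDENED_CONF: same deployment with the section name matching, STARTTLS on, and the CA pinned.
HARDENED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[domain/example.test]
; enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc1.example.test
ldap_id_use_start_tls = true
ldap_search_base = CN=Users,DC=example,DC=test
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-ME
krb5_realm = EXAMPLE.TEST
"""


def load_sssd_conf(text):
    """Parse sssd.conf text; '#' and ';' both start comment lines, '=' separates key and value."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.read_file(io.StringIO(text))
    return cp


def check_sssd_conf(text):
    """Return a list of (severity, message); 'error' means a domain will not work as written."""
    cp = load_sssd_conf(text)
    if not cp.has_section("sssd"):
        return [("error", "missing [sssd] section")]
    findings = []
    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    sections = {s[len("domain/"):]: s for s in cp.sections() if s.startswith("domain/")}
    for name in declared:
        if name not in sections:
            findings.append(("error", f"domains= lists '{name}' but there is no [domain/{name}] section"))
    for name, sect in sections.items():
        if name not in declared:
            findings.append(("error", f"[{sect}] is not listed in domains= and will never be started"))
        if cp.get(sect, "id_provider", fallback="") != "ldap":
            continue
        uri = cp.get(sect, "ldap_uri", fallback="")
        start_tls = cp.getboolean(sect, "ldap_id_use_start_tls", fallback=False)
        has_bind_pw = cp.has_option(sect, "ldap_default_authtok")
        if uri.startswith("ldap://") and not start_tls:
            exposed = "bind password and identity data" if has_bind_pw else "identity data"
            findings.append(("warn", f"[{sect}] plain ldap:// without ldap_id_use_start_tls: {exposed} cross the wire unencrypted"))
        if cp.get(sect, "ldap_tls_reqcert", fallback="hard").lower() in ("never", "allow"):
            findings.append(("warn", f"[{sect}] ldap_tls_reqcert does not verify the server certificate"))
        if has_bind_pw:
            findings.append(("info", f"[{sect}] embeds a bind password (ldap_default_authtok): keep sssd.conf root-only, mode 0600"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}")
        for severity, message in check_sssd_conf(conf):
            print(f"  {severity:5s} {message}")
```

Run it against your own file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`. The hardened variant still produces the `info` line: with AD there is no anonymous bind, so a bind password is unavoidable, and the only mitigation is that the file stays readable by root alone.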