Ubuntu

PBIS Open AD authentication stopped working on Ubuntu with errors: "User account has expired" and "is your account locked?"

  • August 1, 2017

For six months we have been successfully authenticating Active Directory users from Ubuntu hosts with PowerBroker Identity Services Open.

Recently, after a user ran `apt-get upgrade` with more than 200 packages at once, AD authentication stopped working on several workstations. Authentication attempts give the errors "Invalid password", "User account has expired" or "is your account locked?"

I have not been able to correlate the problem with a specific package upgrade, but a workstation built from scratch with the same package versions does not experience the issue. I have tried reinstalling PBIS and verified all of the config files, but I am missing something... I am at a loss and would appreciate anyone's advice. Next time this happens I would rather not have to rebuild another box!

Authentication attempts

I first verified that the AD user account is enabled, not locked and not expired. Local user authentication works fine via lightdm and ssh.

  1. lightdm
  • Valid credentials

    • Error returned to the user: "Invalid password, please try again."
    • auth.log: nothing
    • syslog: nothing
  • Wrong password

    • Error returned to the user: "Invalid password, please try again."
    • auth.log:
    lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:username][error code:40022]
    
    syslog:
    
    ass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
    ass: [lsass] Failed to authenticate user (name = 'username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 17768
    
  2. SSH
  • Valid credentials

    • ssh disconnects with "Connection closed by IP_ADDRESS".
    • auth.log:
    sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME
    sshd[18237]: error: Received disconnect from IP_ADDRESS: 13: Unable to authenticate [preauth]
    
    syslog: nothing
    
  • Wrong password

    • ssh disconnects with "Connection closed by IP_ADDRESS".
    • auth.log:
    sshd[18276]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain\username][error code:40022]
    sshd[18272]: error: PAM: Authentication failure for domain\\username from hostname
    
    syslog:
    
    ass: [LwKrb5GetTgtImpl /builder/src-buildserver/Platform-8.0/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
    ass: [lsass] Failed to authenticate user (name = 'domain\username') -> error = 40022, symbol = LW_ERROR_PASSWORD_MISMATCH, client pid = 18276
    
  3. Just trying some crazy local stuff (no, the account is not locked in AD)
       root@hostname:~# su - domain\\username
       su: Authentication failure
       (Ignored)
       reenter password for pam_mount:
       DOMAIN\username@hostname:~$ sudo cat /etc/fstab
       [sudo] password for DOMAIN\username:
       sudo: account validation failure, is your account locked?
       DOMAIN\username@hostname:~$

Configuration

  • Ubuntu 14.04
  • PBIS Open 8.0.1.2029 (pbis-open-8.0.1.2029.linux.x86_64.deb.sh)
  • /opt/pbis/bin/config --dump
AllowDeleteTo ""  
AllowReadTo ""  
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%D/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "DOMAIN.COM"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "DOMAIN\\DOMAIN-GROUP"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
  • /opt/pbis/bin/get-status
LSA Server Status:

Compiled daemon version: 8.0.1.2029
Packaged product version: 8.0.2029.67662
Uptime:        1 days 1 hours 4 minutes 26 seconds

[Authentication provider: lsa-activedirectory-provider]

       Status:        Online
       Mode:          Un-provisioned
       Domain:        DOMAIN.COM
       Domain SID:    S-1-5-21-3537566271-1428921453-776812789
       Forest:        domain.com
       Site:          NYC
       Online check interval:  300 seconds
       [Trusted Domains: 1]


       [Domain: DOMAIN]

               DNS Domain:       domain.com
               Netbios name:     DOMAIN
               Forest name:      domain.com
               Trustee DNS name:
               Client site name: NYC
               Domain SID:       S-1-5-21-3537566271-1428921453-776812789
               Domain GUID:      0b6b6d88-ea48-314a-8bad-a997a57bc1f4
               Trust Flags:      [0x001d]
                                 [0x0001 - In forest]
                                 [0x0004 - Tree root]
                                 [0x0008 - Primary]
                                 [0x0010 - Native]
               Trust type:       Up Level
               Trust Attributes: [0x0000]
               Trust Direction:  Primary Domain
               Trust Mode:       In my forest Trust (MFT)
               Domain flags:     [0x0001]
                                 [0x0001 - Primary]

               [Domain Controller (DC) Information]

                       DC Name:              dc2.nyc.domain.com
                       DC Address:           10.x.x.50
                       DC Site:              NYC
                       DC Flags:             [0x0000f1fc]
                       DC Is PDC:            no
                       DC is time server:    yes
                       DC has writeable DS:  yes
                       DC is Global Catalog: yes
                       DC is running KDC:    yes

               [Global Catalog (GC) Information]

                       GC Name:              dc1.nyc.domain.com
                       GC Address:           10.x.x.50
                       GC Site:              NYC
                       GC Flags:             [0x0000f3fd]
                       GC Is PDC:            yes
                       GC is time server:    yes
                       GC has writeable DS:  yes
                       GC is running KDC:    yes
  • /opt/pbis/bin/find-objects --user username
User object [1 of 1] (S-1-5-21-3537566271-1428921453-776812789-1107)
============
Enabled: yes
Distinguished name: CN=USERNAME,OU=User,OU=User Accounts,DC=domain,DC=com
SAM account name: username
NetBIOS domain name: DOMAIN
UPN: username@DOMAIN.COM
Display Name: First Last
Alias: <null>
UNIX name: DOMAIN\username
GECOS: First LAst
Shell: /bin/bash
Home directory: /home/DOMAIN/username
Windows home directory: \\domain.com\dfs\NYC\Users\username
Local windows home directory:
UID: 1023411283
Primary group SID: S-1-5-21-3537566271-1428921453-776812789-513
Primary GID: 1023410689
Password expired: no
Password never expires: yes
Change password on next logon: no
User can change password: yes
Account disabled: no
Account expired: no
Account locked: no    
  • /etc/pbis/pbis-krb5-ad.conf
[libdefaults]
   default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
   default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
   preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
   dns_lookup_kdc = true
   pkinit_kdc_hostname = <DNS>
   pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
   pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
   pkinit_eku_checking = kpServerAuth
   pkinit_win2k_require_binding = false
   pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
  • /etc/pam.d/common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required                        pam_unix.so
session optional                        pam_mount.so
session [success=ok default=ignore]     pam_lsass.so
session optional                        pam_systemd.so
  • /etc/pam.d/common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_lsass.so try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
auth    optional                        pam_mount.so
  • /opt/pbis/share/pbis.pam-auth-update
Name: Likewise
Default: yes
Priority: 250
Conflicts: winbind
Auth-Type: Primary
Auth:
       [success=end default=ignore]    pam_lsass.so try_first_pass
Auth-Initial:
       [success=end default=ignore]    pam_lsass.so
Account-Type: Primary
Account:
       [success=ok new_authtok_reqd=ok default=ignore]         pam_lsass.so unknown_ok
       [success=end new_authtok_reqd=done default=ignore]      pam_lsass.so
Session-Type: Additional
Session:
       sufficient      pam_lsass.so
Password-Type: Primary
Password:
       [success=end default=ignore]    pam_lsass.so use_authtok try_first_pass
Password-Initial:
       [success=end default=ignore]    pam_lsass.so
  • /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
[SeatDefaults]
user-session=ubuntu
greeter-show-manual-login=true
  • /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
[SeatDefaults]
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
greeter-session=unity-greeter

The key is this:

sshd[18237]: error: PAM: User account has expired for DOMAIN\\USER from HOSTNAME

This indicates that a PAM module thinks the account has expired. I would focus less on auth/session and more on account, which is the facility concerned with account attributes unrelated to authentication. Your first task is to identify which module is causing the problem. Once you know that, it should be easier to work out why the module thinks the user should be blocked.

Go through the applicable account modules one by one, and if you need more hints try adding the debug flag to the individual entries to expand the log output. If you are really stuck and it would not violate the security of a critical environment, you can also try commenting out account lines one at a time until you find the culprit.

As for what changed, most likely your PAM configuration was modified when those packages were installed. The user in question may have always been in this state, but the database associated with the misbehaving account module was being bypassed (skipped, commented out, not present at all, etc.).
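
An added example, not code from the question, the answer or PBIS, that turns the answer's advice into a repeatable check against the log lines quoted in the question. It parses a PAM stack file, lists the `account` modules, renders the stack with `debug` appended to the modules that accept that option (pam_unix and pam_lsass do; pam_permit and pam_deny take no options and are skipped), and, instead of commenting lines out, swaps one account module at a time for pam_permit.so while keeping its control field, so the `[success=N]` jump counts that pam-auth-update generates still line up. The common-account contents are a constructed sample in the shape of the Likewise profile shown above; the asker did not post that file. The log classifier relies on sshd and sudo logging pam_strerror() of the PAM call that failed: "User account has expired" is PAM_ACCT_EXPIRED, the return code of a failed pam_acct_mgmt(), while "Authentication failure" is PAM_AUTH_ERR from pam_authenticate(), and sudo's "account validation failure, is your account locked?" is its message for a failed pam_acct_mgmt().

```python
"""Triage helpers for a PAM 'account' phase rejection (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample of an Ubuntu 14.04 /etc/pam.d/common-account with the PBIS
# "Likewise" pam-auth-update profile applied. Not the asker's file (they did not
# post it); the pam_lsass lines follow the Account block of the profile above.
SAMPLE_COMMON_ACCOUNT = """\
# /etc/pam.d/common-account - constructed sample
account [success=1 new_authtok_reqd=done default=ignore]   pam_unix.so
account requisite                                          pam_deny.so
account required                                           pam_permit.so
account [success=ok new_authtok_reqd=ok default=ignore]    pam_lsass.so unknown_ok
account [success=end new_authtok_reqd=done default=ignore] pam_lsass.so
"""

# Log lines as quoted in the question (names and addresses redacted there).
SAMPLE_LOG = [
    "sshd[18237]: error: PAM: User account has expired for DOMAIN\\\\USER from HOSTNAME",
    "sshd[18276]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain\\username][error code:40022]",
    "sshd[18272]: error: PAM: Authentication failure for domain\\\\username from hostname",
    "sudo: account validation failure, is your account locked?",
    "sshd[18237]: error: Received disconnect from IP_ADDRESS: 13: Unable to authenticate [preauth]",
]


@dataclass
class PamEntry:
    phase: str        # auth | account | session | password
    control: str      # "required" or a bracketed "[success=1 default=ignore]"
    module: str       # e.g. "pam_lsass.so"
    args: List[str]
    lineno: int


# type   control (one word or [bracketed])   module   optional args
_PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
_NO_OPTIONS = {"pam_permit.so", "pam_deny.so"}   # take no module arguments


def parse_pam_stack(text: str) -> List[PamEntry]:
    """Parse a pam.d file; comments and blank lines are dropped, '-type' is accepted."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a PAM stack entry: {raw!r}")
        phase, control, module, rest = m.groups()
        entries.append(PamEntry(phase.lower(), control, module, rest.split(), lineno))
    return entries


def _render(e: PamEntry, module: Optional[str] = None, args: Optional[List[str]] = None) -> str:
    module = e.module if module is None else module
    args = e.args if args is None else args
    return f"{e.phase}\t{e.control}\t{module} {' '.join(args)}".rstrip()


def account_modules(entries: List[PamEntry]) -> List[str]:
    """Modules consulted by pam_acct_mgmt(), in stack order."""
    return [e.module for e in entries if e.phase == "account"]


def with_debug(entries: List[PamEntry], phase: str = "account") -> str:
    """Render the stack with 'debug' added to every `phase` module that takes options."""
    out = []
    for e in entries:
        args = list(e.args)
        if e.phase == phase and e.module not in _NO_OPTIONS and "debug" not in args:
            args.append("debug")
        out.append(_render(e, args=args))
    return "\n".join(out) + "\n"


def neutralize_variants(entries: List[PamEntry], phase: str = "account") -> Iterator[Tuple[int, str, str]]:
    """For each real `phase` module yield (lineno, module, stack) with that one module
    replaced by pam_permit.so. The control field is kept, so the [success=N] jumps
    of the surrounding lines still land where pam-auth-update intended."""
    for target in entries:
        if target.phase != phase or target.module in _NO_OPTIONS:
            continue
        lines = [_render(e, module="pam_permit.so", args=[]) if e is target else _render(e)
                 for e in entries]
        yield target.lineno, target.module, "\n".join(lines) + "\n"


# sshd and sudo log pam_strerror() of the PAM call that failed, so the wording
# identifies the phase that rejected the user.
_PHASE_PATTERNS = [
    ("account", re.compile(r"PAM: User account has expired")),     # PAM_ACCT_EXPIRED <- pam_acct_mgmt()
    ("account", re.compile(r"account validation failure", re.I)),  # sudo after pam_acct_mgmt() failed
    ("auth",    re.compile(r"PAM: Authentication failure")),       # PAM_AUTH_ERR <- pam_authenticate()
    ("auth",    re.compile(r"pam_sm_authenticate error")),         # pam_lsass's own auth hook
]


def pam_phase_of(line: str) -> Optional[str]:
    for phase, pat in _PHASE_PATTERNS:
        if pat.search(line):
            return phase
    return None


def triage(log_lines: List[str]) -> Dict[str, int]:
    """Count rejections per phase. An 'account' hit for an attempt with no 'auth'
    hit means the password was accepted and the account stack said no."""
    counts = {"auth": 0, "account": 0, "other": 0}
    for line in log_lines:
        counts[pam_phase_of(line) or "other"] += 1
    return counts


if __name__ == "__main__":
    stack = parse_pam_stack(SAMPLE_COMMON_ACCOUNT)
    print("account modules:", account_modules(stack))
    print("log triage:", triage(SAMPLE_LOG))
    for lineno, module, variant in neutralize_variants(stack):
        print(f"--- variant: line {lineno} ({module}) replaced by pam_permit.so ---\n{variant}")
```

To use the variants, copy one at a time into /etc/pam.d/common-account on a test box and retry the valid-password `ssh` login; the first variant that lets the login through names the module that is rejecting the account, and the `debug` rendering then shows in auth.log why it did so. Replacing an account module with pam_permit.so grants access regardless of whatever that module would have checked, so, as the answer also warns, do it only on a host where that is acceptable and revert afterwards.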

Source: https://serverfault.com/questions/630746