Windows-Server-2008-R2
AD accounts not shown on CentOS 6.4 although wbinfo -u succeeds
I have a CentOS 6.4 box with Samba 3.6.9 that I have joined to an MS Server 2008 R2. That part seems to work fine, since I can see my AD users and groups with wbinfo -u and wbinfo -g. What does not work is using the AD users on the CentOS box. I have enabled "Identity Management for UNIX" on the AD, so the users have a UID, GID, home directory and shell. Unfortunately, there are still only local users on CentOS.

id mytestuser

gives me "No such user". Further:

myhost someone:~ $ wbinfo -i mytestuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user mytestuser
myhost someone:~ $ wbinfo -a mytestuser
Enter mytestuser's password:
plaintext password authentication succeeded
Enter mytestuser's password:
challenge/response password authentication failed
Could not authenticate user mytestuser with challenge/response
There seems to be a bug similar to my problem, but as far as I can tell I have already incorporated the syntax change into my Samba config.
Here is my config:
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ACME.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 ACME.ORG= {
  kdc = myadserver.acme.org
  admin_server = myadserver.acme.org
  default_domain = acme.org
 }

[domain_realm]
 .acme.org = ACME.ORG
 acme.org = ACME.ORG

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
klist

lists a valid ticket-granting ticket. My /etc/samba/smb.conf:
[global]
 workgroup = ACME
 server string = my super suerver
 log level = 3
 log file = /var/log/samba/log.%m
 max log size = 50
 security = ADS
 encrypt passwords = yes
 passdb backend = tdbsam
 realm = ACME.ORG
 preferred master = no
 load printers = yes
 cups options = raw
 printcap name = cups
 printing = cups
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nested groups = Yes
 winbind separator = +
 template shell = /bin/bash
 winbind nss info = rfc2307
 kerberos method = system keytab
 dedicated keytab file = /etc/krb5.keytab
 idmap config ACME:backend = rid
 idmap config ACME:base_rid = 10036
 idmap config ACME:range = 10036-1000000

[homes]
 comment = Home Directories
 browseable = no
 writable = yes
 valid users = %S
 valid users = ACME\%S
Part of my /etc/nsswitch.conf:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
And my /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_krb5.so
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_krb5.so
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so
session     required      pam_krb5.so
session     required      pam_winbind.so use_first_pass
To me it looks a bit like this bug. How can I prove that it is this one? Any hints?
Thanks to sssd, I finally got it working. It does not use winbind (which may be the reason it works :)). This blog post describes the whole setup well.