Windows-Server-2008-R2

AD accounts not shown on centos 6.4 even though wbinfo -u succeeds

  • June 21, 2013

I have a centos 6.4 box with samba 3.6.9 that I have joined to MS server 2008 R2. That part seems to work fine, since I can see my AD users and groups with wbinfo -u and wbinfo -g. What does not work is using the AD users on the centos box. I have enabled "Identity Management for UNIX" on the AD so that the users have a UID, GID, homedir and shell. Unfortunately, there are still only local users on centos.

id mytestuser gives me "no such user". Further:

   myhost someone:~ $ wbinfo -i mytestuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user mytestuser

   myhost someone:~ $ wbinfo -a mytestuser
   Enter mytestuser's password:
   plaintext password authentication succeeded
   Enter mytestuser's password:
   challenge/response password authentication failed
   Could not authenticate user mytestuser with challenge/response

There seems to be a bug similar to my problem, but as far as I can tell I have already incorporated the syntax change into my samba config.

Here is my configuration:

/etc/krb5.conf

   [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

   [libdefaults]
    default_realm = ACME.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    default_keytab_name = FILE:/etc/krb5.keytab

   [realms]
    ACME.ORG = {
     kdc = myadserver.acme.org
     admin_server = myadserver.acme.org
     default_domain = acme.org
    }

   [domain_realm]
    .acme.org = ACME.ORG
    acme.org = ACME.ORG

   [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }

klist lists a valid ticket-granting ticket.

My /etc/samba/smb.conf

  [global]
           workgroup = ACME
           server string = my super suerver
           log level = 3
           log file = /var/log/samba/log.%m
           max log size = 50
           security = ADS
           encrypt passwords = yes
           passdb backend = tdbsam
           realm = ACME.ORG
           preferred master = no
           load printers = yes
           cups options = raw
           printcap name = cups
           printing = cups
           winbind enum users = Yes
           winbind enum groups = Yes
           winbind use default domain = Yes
           winbind nested groups = Yes
           winbind separator = +
           template shell = /bin/bash
           winbind nss info = rfc2307
           kerberos method = system keytab
           dedicated keytab file = /etc/krb5.keytab
           idmap config ACME:backend = rid
           idmap config ACME:base_rid = 10036
           idmap config ACME:range = 10036-1000000
   [homes]
           comment = Home Directories
           browseable = no
           writable = yes
           valid users = %S
           valid users = ACME\%S

Part of my /etc/nsswitch.conf

   passwd:     files winbind
   shadow:     files winbind
   group:      files winbind

And my /etc/pam.d/system-auth

   auth        required      pam_env.so
   auth        sufficient    pam_unix.so nullok try_first_pass
   auth        requisite     pam_succeed_if.so uid >= 500 quiet
   auth        required      pam_krb5.so
   auth        sufficient    pam_winbind.so use_first_pass
   auth        required      pam_deny.so

   account     required      pam_unix.so
   account     sufficient    pam_succeed_if.so uid < 500 quiet
   account     sufficient    pam_winbind.so use_first_pass
   account     required      pam_permit.so

   password    requisite     pam_cracklib.so try_first_pass retry=3
   password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
   password    sufficient    pam_winbind.so use_first_pass
   password    required      pam_krb5.so
   password    required      pam_deny.so

   session     optional      pam_keyinit.so revoke
   session     required      pam_limits.so
   session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session     required      pam_unix.so
   session     required      pam_mkhomedir.so
   session     required      pam_krb5.so
   session     required      pam_winbind.so use_first_pass

To me it looks a bit like this bug. How could I prove that it is this one? Any hints?
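Before reading through a winbind setup like the one above by hand, it helps to see the configuration the way Samba actually reads it: parameter names are case-insensitive and ignore whitespace, and when a parameter is repeated in a section the last value wins, so the two `valid users` lines in `[homes]` silently collapse into one. The script below is an added example, not code from the question or from Samba; it flattens a constructed copy of the relevant smb.conf lines, reports repeated parameters, and checks that the workgroup named in `[global]` has both an `idmap config <DOMAIN>:backend` and `:range` (the `smb_*` function names and the sample are assumptions for this illustration).

```shell
#!/bin/sh
# Added example: lint a Samba smb.conf for repeated parameters and idmap coverage.
# Assumption: parameter names are normalised like Samba does (lower-case, no spaces),
# and a repeated parameter in one section takes its LAST value.

# Constructed sample reproducing the relevant lines of the posted configuration.
SAMPLE_SMB_CONF='[global]
   workgroup = ACME
   security = ADS
   winbind use default domain = Yes
   idmap config ACME:backend = rid
   idmap config ACME:range = 10036-1000000
[homes]
   valid users = %S
   valid users = ACME\%S
'

# Emit "section|key|value" per parameter, key normalised, comments skipped.
smb_flatten() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ { gsub(/\[|\]|[[:space:]]/, ""); sec = tolower($0); next }
    /=/ {
      key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/[[:space:]]/, "", key)
      sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
      print sec "|" tolower(key) "|" val
    }'
}

# List "section|key" pairs that occur more than once (later value overrides).
smb_duplicates() {
  smb_flatten "$1" | awk -F'|' '{ n[$1 "|" $2]++ } END { for (k in n) if (n[k] > 1) print k }'
}

# Effective value of a parameter: smb_get <section> <parameter> <config-text>.
smb_get() {
  k=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
  smb_flatten "$3" | awk -F'|' -v s="$1" -v k="$k" '$1 == s && $2 == k { v = $3 } END { print v }'
}

# "ok" when the workgroup has an idmap backend and range, otherwise "missing".
smb_check_idmap() {
  wg=$(smb_get global workgroup "$1" | tr 'A-Z' 'a-z')
  be=$(smb_get global "idmap config $wg:backend" "$1")
  rg=$(smb_get global "idmap config $wg:range" "$1")
  { [ -n "$be" ] && [ -n "$rg" ] && echo ok; } || echo missing
}

echo "repeated parameters:"; smb_duplicates "$SAMPLE_SMB_CONF"
echo "effective [homes] valid users: $(smb_get homes 'valid users' "$SAMPLE_SMB_CONF")"
echo "idmap for workgroup: $(smb_check_idmap "$SAMPLE_SMB_CONF")"
```

Point `SAMPLE_SMB_CONF` at `$(cat /etc/samba/smb.conf)` to run the same checks against a live file.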

Thanks to sssd I finally got it working. It does not use winbind (which is probably why it works :)). This blog post describes the whole setup nicely.

Quoted from: https://serverfault.com/questions/515572