Я хочу входить с учетной записью AD на виртуальную машину Linux, которая является членом домена. С этой проблемой я никак не могу справиться. Я установил новый контроллер домена 2019 без каких-либо изменений. Развернул свежий Ubuntu 18.04; также проверял CentOS 7 — проблема та же.
Вход с учетной записью AD не работает ни через ssh, ни через консоль.
Я установил следующие пакеты:
apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli
ntp
Из auth.log:
Jan 21 13:26:12 iitkorbi sshd[22085]: fatal: initgroups: hans: Invalid argument
Jan 21 13:38:05 iitkorbi sshd[30751]: fatal: initgroups: hans: Invalid argument
nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd sss
group: files systemd sss
shadow: files sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
cat /etc/realmd.conf
root@iitkorbi:/var/log#
[users]
default-home = /home/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Server Linux
os-version = 18.04
[service]
automatic-install = no
[narf.lokal]
fully-qualified-names = no
automatic-id-mapping = no
user-principal = yes
manage-system = no
cat /etc/krb5.conf
root@iitkorbi:/var/log#
[libdefaults]
default_realm = NARF.LOKAL
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_kdc = true
dns_lookup_realm = true
klist -ke
root@iitkorbi:/var/log#
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 IITKORBI$@NARF.LOKAL (aes256-cts-hmac-sha1-96)
2 IITKORBI$@NARF.LOKAL (aes128-cts-hmac-sha1-96)
2 IITKORBI$@NARF.LOKAL (des3-cbc-sha1)
2 IITKORBI$@NARF.LOKAL (arcfour-hmac)
2 IITKORBI$@NARF.LOKAL (des-cbc-md5)
2 IITKORBI$@NARF.LOKAL (des-cbc-crc)
2 host/iitkorbi@NARF.LOKAL (aes256-cts-hmac-sha1-96)
2 host/iitkorbi@NARF.LOKAL (aes128-cts-hmac-sha1-96)
2 host/iitkorbi@NARF.LOKAL (des3-cbc-sha1)
2 host/iitkorbi@NARF.LOKAL (arcfour-hmac)
2 host/iitkorbi@NARF.LOKAL (des-cbc-md5)
2 host/iitkorbi@NARF.LOKAL (des-cbc-crc)
2 host/IITKORBI@NARF.LOKAL (aes256-cts-hmac-sha1-96)
2 host/IITKORBI@NARF.LOKAL (aes128-cts-hmac-sha1-96)
2 host/IITKORBI@NARF.LOKAL (des3-cbc-sha1)
2 host/IITKORBI@NARF.LOKAL (arcfour-hmac)
2 host/IITKORBI@NARF.LOKAL (des-cbc-md5)
2 host/IITKORBI@NARF.LOKAL (des-cbc-crc)
2 RestrictedKrbHost/IITKORBI@NARF.LOKAL (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/IITKORBI@NARF.LOKAL (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/IITKORBI@NARF.LOKAL (des3-cbc-sha1)
2 RestrictedKrbHost/IITKORBI@NARF.LOKAL (arcfour-hmac)
2 RestrictedKrbHost/IITKORBI@NARF.LOKAL (des-cbc-md5)
2 RestrictedKrbHost/IITKORBI@NARF.LOKAL (des-cbc-crc)
2 RestrictedKrbHost/iitkorbi@NARF.LOKAL (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/iitkorbi@NARF.LOKAL (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/iitkorbi@NARF.LOKAL (des3-cbc-sha1)
2 RestrictedKrbHost/iitkorbi@NARF.LOKAL (arcfour-hmac)
2 RestrictedKrbHost/iitkorbi@NARF.LOKAL (des-cbc-md5)
2 RestrictedKrbHost/iitkorbi@NARF.LOKAL (des-cbc-crc)
Запросы через id и getent работают без проблем.
root@iitkorbi:/var/log# id hans@narf.lokal
uid=649201106(hans) gid=649200513(domain users) groups=649200513(domain users)
root@iitkorbi:/var/log# getent passwd hans
hans:*:649201106:649200513:hans:/home/hans:/bin/bash
realm discover также работает без проблем:
root@iitkorbi:/var/log# realm -v discover narf.lokal
* Resolving: _ldap._tcp.narf.lokal
* Performing LDAP DSE lookup on: 10.10.100.59
* Successfully discovered: narf.lokal
narf.lokal
type: kerberos
realm-name: NARF.LOKAL
domain-name: narf.lokal
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
Мои файлы конфигурации PAM:
cat common-account
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
cat common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
cat common-password
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
cat common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
# end of pam-auth-update config