Назад | Перейти на главную страницу

PowerBroker (PBIS) Ограниченный список входа в систему - не удалось разрешить srv \ DomainUsers [40071]

Я хочу присоединиться к домену с машиной Ubuntu 16.04. Сервер - Windows Server 2012 R2. Я установил PowerBroker Identity Services (PBIS) 8.5.2.265

Я получаю эту ошибку в / var / log / syslog:

Restricted login list - couldn't resolve srv\DomainUsers [40071]

Вот пара ошибок: / var / log / auth:

Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure

/ opt / pbis / bin / config --dump:

 root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC

корень @ srv3: ~ # / opt / pbis / bin / get-status

LSA Server Status:

Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime:        0 days 0 hours 14 minutes 5 seconds

[Authentication provider: lsa-activedirectory-provider]

        Status:        Online
        Mode:          Un-provisioned
        Domain:        SRV.LOCAL
        Domain SID:    S-1-5-21-2727847642-148432537-1030246457
        Forest:        srv.local
        Site:          Default-First-Site-Name
        Online check interval:  300 seconds
        [Trusted Domains: 1]


        [Domain: SRV]

                DNS Domain:       srv.local
                Netbios name:     SRV
                Forest name:      srv.local
                Trustee DNS name:
                Client site name: Default-First-Site-Name
                Domain SID:       S-1-5-21-2727847642-148432537-1030246457
                Domain GUID:      8ac2ba85-7313-6746-abfe-d44f9856708e
                Trust Flags:      [0x001d]
                                  [0x0001 - In forest]
                                  [0x0004 - Tree root]
                                  [0x0008 - Primary]
                                  [0x0010 - Native]
                Trust type:       Up Level
                Trust Attributes: [0x0000]
                Trust Direction:  Primary Domain
                Trust Mode:       In my forest Trust (MFT)
                Domain flags:     [0x0001]
                                  [0x0001 - Primary]

                [Domain Controller (DC) Information]

                        DC Name:              dc1.srv.local
                        DC Address:           192.168.253.200
                        DC Site:              Default-First-Site-Name
                        DC Flags:             [0x0000f1fd]
                        DC Is PDC:            yes
                        DC is time server:    yes
                        DC has writeable DS:  yes
                        DC is Global Catalog: yes
                        DC is running KDC:    yes

                [Global Catalog (GC) Information]

                        GC Name:              dc1.srv.local
                        GC Address:           192.168.253.200
                        GC Site:              Default-First-Site-Name
                        GC Flags:             [0x0000f1fd]
                        GC Is PDC:            yes
                        GC is time server:    yes
                        GC has writeable DS:  yes
                        GC is running KDC:    yes

/opt/pbis/share/pbis.pam-auth-update

Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_lsass.so try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_lsass.so
Account-Type: Primary
Account:
        [success=ok new_authtok_reqd=ok default=ignore]         pam_lsass.so unknown_ok
        [success=end new_authtok_reqd=done default=ignore]      pam_lsass.so
Session-Type: Additional
Session:
        optional        pam_lsass.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_lsass.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_lsass.so

/etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore]     pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore]    pam_lsass.so 
account [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so 
# here's the fallback if no module succeeds
account requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient          pam_localuser.so 
account [default=bad success=ok user_unknown=ignore]    pam_sss.so 
# end of pam-auth-update config

/etc/pam.d/common-session:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional            pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session    optional    pam_lsass.so 
sessions [success=ok default=ignore] pam_lsass.so
session required    pam_unix.so 
session optional            pam_sss.so 
session optional    pam_systemd.so 
# end of pam-auth-update config
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

/etc/pam.d/common-auth:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_lsass.so
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
~
~

/etc/pbis/pbis-krb5-ad.conf:

[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    dns_lookup_kdc = true
    pkinit_kdc_hostname = <DNS>
    pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
    pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
    pkinit_eku_checking = kpServerAuth
    pkinit_win2k_require_binding = false
    pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so

Список пользователей с ограниченным доступом - не удалось разрешить srv \ DomainUsers [40071]

Вы должны проверить, что название группы Пользователи домена в настройках PBIS соответствует тому, как видит PBIS. Для этого выполните следующую команду:

/opt/pbis/bin/enum-groups | grep -i Domain

Найти тебя Пользователи домена имя группы, как оно отображается, и введите имя группы в конфигурацию в той же форме.