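CIFS: Required key not available

I have joined a Zentyal domain (AD domain) using PowerBroker IS, and I want it to mount my remote home directory when a remote user logs in. This is the PBIS configuration: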

    AllowDeleteTo ""
    AllowReadTo ""
    AllowWriteTo ""
    MaxDiskUsage 104857600
    MaxEventLifespan 90
    MaxNumEvents 100000
    DomainSeparator "\\"
    SpaceReplacement "^"
    EnableEventlog false
    Providers "ActiveDirectory"
    DisplayMotd false
    PAMLogLevel "error"
    UserNotAllowedError "Access denied"
    AssumeDefaultDomain true
    CreateHomeDir true
    CreateK5Login true
    SyncSystemTime true
    TrimUserMembership true
    LdapSignAndSeal false
    LogADNetworkConnectionEvents true
    NssEnumerationEnabled true
    NssGroupMembersQueryCacheOnly true
    NssUserMembershipQueryCacheOnly false
    RefreshUserCredentials true
    CacheEntryExpiry 14400
    DomainManagerCheckDomainOnlineInterval 300
    DomainManagerUnknownDomainCacheTimeout 3600
    MachinePasswordLifespan 2592000
    MemoryCacheSizeCap 0
    HomeDirPrefix "/home"
    HomeDirTemplate "%H/%U"
    RemoteHomeDirTemplate "%H/%U"
    HomeDirUmask "022"
    LoginShellTemplate "/bin/bash"
    SkeletonDirs "/etc/skel"
    UserDomainPrefix "mosek.zentyal"
    DomainManagerIgnoreAllTrusts false
    DomainManagerIncludeTrustsList
    DomainManagerExcludeTrustsList
    RequireMembershipOf
    Local_AcceptNTLMv1 true
    Local_HomeDirTemplate "%H/%U"
    Local_HomeDirUmask "022"
    Local_LoginShellTemplate "/bin/sh"
    Local_SkeletonDirs "/etc/skel"
    UserMonitorCheckInterval 1800
    LsassAutostart true
    EventlogAutostart true

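As far as I understand, as long as RemoteHomeDirTemplate is set, it should mount it, but the problem is that it does not.

So I thought of looking up a user to see how the home directory path is shown, if at all: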

    # /opt/pbis/bin/find-objects --user tomas
    User object [1 of 1] (S-1-5-21-755094111-53741902-1678977104-1108)
    ============
    Enabled: yes
    Distinguished name: CN=Tomas Nielsen,CN=Users,DC=mosek,DC=zentyal
    SAM account name: tomas
    NetBIOS domain name: MOSEK
    UPN: [email protected]
    Display Name: Tomas Nielsen
    Alias: <null>
    UNIX name: MOSEK\tomas
    GECOS: Tomas Nielsen
    Shell: /bin/bash
    Home directory: /home/tomas
    Windows home directory: \\nyborg.MOSEK.ZENTYAL\tomas
    Local windows home directory: /home/tomas
    UID: 1588593748
    Primary group SID: S-1-5-21-755094111-53741902-1678977104-513
    Primary GID: 1588593153
    Password expired: no
    Password never expires: no
    Change password on next logon: no
    User can change password: yes
    Account disabled: no
    Account expired: no
    Account locked: no

So it has a home directory path, both Unix and Windows, so I don't know what the problem could be.

In my /var/log/messages I found some errors:

    Dec 4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,[email protected],uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40188 (errno 126)
    Dec 4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 3690996880 (errno 40188)
    Dec 4 12:55:30 winbind lsass: [lsass] Failed to mount directory for user (tomas), actual error 40188
    Dec 4 12:55:30 winbind lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40188, symbol = LW_ERROR_UNKNOWN, client pid = 2329
    Dec 4 12:55:30 winbind kernel: CIFS VFS: Send error in SessSetup = -126
    Dec 4 12:55:30 winbind kernel: CIFS VFS: cifs_mount failed w/return code = -126

I tried running the command manually and got the proper error message for error 126:

    # mount -t cifs -o sec=krb5i,[email protected],uid=1588593748,gid=1588592152,cruid=1588593748,ip=172.16.0.5 //nyborg.MOSEK.ZENTYAL/tomas /home/tomas
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (eg man mount.cifs)

I checked that I have a krb ticket:

    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    12/09/2014 12:20:36  12/09/2014 22:20:36  krbtgt/[email protected]
            renew until 12/16/2014 12:20:33

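Okay, I found that if I get a ticket as the user, I can mount it manually. If I kinit [email protected] when the user logs in and kinit [email protected], PBIS gets cifs error 16.

So surely there is a way to solve this?

Edit:

I tried installing a newer version of PBIS (PBIS Open 8.2.1), and now the error I get is different: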

    [root@centosy tomas]# tail /var/log/messages
    Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,[email protected],uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
    Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 1879066032 (errno 40158)
    Jan 22 12:43:36 centosy lsass: [lsass] Failed to mount directory for user (tomas), actual error 40158
    Jan 22 12:43:36 centosy lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40158, symbol = LW_ERROR_ACCESS_DENIED, client pid = 2353
    Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5,[email protected],uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
    Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,[email protected],uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
    Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 1879066032 (errno 40158)
    Jan 22 12:43:36 centosy lsass: [lsass] Failed to mount directory for user (tomas), actual error 40158
    Jan 22 12:43:36 centosy lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40158, symbol = LW_ERROR_ACCESS_DENIED, client pid = 2353
    Jan 22 12:44:11 centosy su: (to root) tomas on pts/0

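I think I found the answer to your question; see my own question here:

Powerbroker Open: cannot automount CIFS share, where is the Kerberos ticket?

CentOS 7 uses systemd, and the PBIS service is configured to use a private "tmp" folder. Unfortunately, this causes the Kerberos ticket to be created in the wrong directory (it is generated in /tmp/systemd-private-xxx instead of /tmp). I edited the service configuration lwsmd.service and set PrivateTmp=no. Now everything works…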
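
The PrivateTmp change described in the answer above, as an added example that is not part of the original posts: it reports the effective PrivateTmp value of a unit (unit file plus drop-ins) and writes a drop-in override instead of editing the packaged unit. The sample unit contents, the temporary paths and the drop-in file name are assumptions; only lwsmd.service and PrivateTmp come from the page.

```shell
#!/bin/sh
# Added example, not from the original posts. Unit contents are constructed.

# effective_private_tmp FILE...
# Reads the unit file first, then drop-ins, in the order given. As in systemd,
# the last PrivateTmp= assignment inside [Service] wins; unset means "no".
effective_private_tmp() {
    awk '
        FNR == 1      { in_service = 0 }   # each file starts outside any section
        /^[ \t]*[#;]/ { next }             # skip comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t\r]*$/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            val = tolower(val)
        }
        END {
            if (val ~ /^(yes|true|on|1)$/) print "yes"
            else if (val == "" || val ~ /^(no|false|off|0)$/) print "no"
            else print val                 # non-boolean value, shown as-is
        }
    ' "$@"
}

# write_private_tmp_dropin DIR
# Writes DIR/10-private-tmp.conf (file name is this example's choice).
# On a real host DIR would be /etc/systemd/system/lwsmd.service.d, followed by
# "systemctl daemon-reload" and a restart of the service.
write_private_tmp_dropin() {
    mkdir -p "$1" || return 1
    printf '[Service]\nPrivateTmp=no\n' > "$1/10-private-tmp.conf"
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed stand-in for the packaged unit file.
    printf '[Unit]\nDescription=constructed sample\n\n[Service]\nPrivateTmp=yes\n' \
        > "$work/lwsmd.service"
    echo "before: PrivateTmp=$(effective_private_tmp "$work/lwsmd.service")"
    write_private_tmp_dropin "$work/lwsmd.service.d"
    echo "after:  PrivateTmp=$(effective_private_tmp "$work/lwsmd.service" \
        "$work"/lwsmd.service.d/*.conf)"
    rm -rf "$work"
}
demo
```

A drop-in keeps the override separate from the packaged unit file, so a package update that replaces the unit does not silently restore the private /tmp.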