I connected my Fedora 21 workstation to my AD domain and it worked for about a month; everything was fine, then I came in one morning and could not log in. My first reaction was to blame Win2013 and AD, but after digging around a bit in Event Viewer I could not find any errors, and since I can still log in successfully to all the other Linux AD members (Fedora 19/20, CentOS 6, Debian 6/7), that does not seem to be the source of the problem.
When I try to log in via su I get su: Authentication failure, and /var/log/audit/audit.log contains the message:
type=USER_AUTH msg=audit(1421174144.121:1306): pid=25524 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantor=? acct="gjohn" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=failed'
SELinux is enabled, but I have tried disabling it and get the same error/message.
Worth mentioning:
getent passwd shows the correct UID/GID for all domain users. I am using a Samba/Winbind setup because, as far as I can tell, you need the idmap range for file services. I tried sssd and realmd but was never able to control the UID and GID ranges, which is important to me.
I am now at a loss, because even with the log level increased there is very little useful information in /var/log/samba/*. I think this is PAM related, but I am still trying to figure out how to monitor its output.
Relevant configuration files:
/etc/samba/smb.conf:
[global]
    workgroup = DOMAIN
    realm = DOMAIN.NET
    security = ads
    server string = Workstation
    winbind use default domain = true
    winbind nested groups = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = true
    winbind refresh tickets = yes
    winbind cache time = 5
    template shell = /bin/bash
    template homedir = /home/%U
    idmap config * : backend = rid
    idmap config * : range = 10000-20000
    passdb backend = tdbsam
    encrypt passwords = yes
    # logging
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50
/etc/krb5.conf:
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
/etc/pam.d/password-auth & /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so cached_login
Edit: I did not see this at first because /var/log/messages is now journalctl; on every login attempt I get the error:
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): getting password (0x00000210)
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): pam_get_item returned a password
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): internal module error (retval = PAM_SERVICE_ERR(3), user = 'gjohn')
Jan 13 11:41:40 ws.domain.net su[27383]: FAILED SU (to gjohn) crdc on pts/11
It turns out it was the account used for the join. I was trying to join using:
net ads join -U administrator
I suspect this has to do with my DNS resolution, but never mind: I need to join using administrator@DOMAIN.NET as the account.
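The audit record and journal lines quoted in the post, run through a small triage script that pulls out the PAM return code pam_winbind logged and says which side to check next. This is an added example by the editor, not code from the post or from Samba; the sample lines are copied from the post (constructed input so it runs offline), and the mapping from pam_winbind's return code to the next command to run (`net ads testjoin`, `wbinfo -t`, `wbinfo -a`) is the editor's reading of how pam_winbind reports winbindd-side failures, not something the post establishes.

```python
import re

# Linux-PAM return codes (values from <security/_pam_types.h>); only the ones
# pam_winbind commonly surfaces are listed here.
PAM_CODES = {
    0: "PAM_SUCCESS",
    3: "PAM_SERVICE_ERR",
    4: "PAM_SYSTEM_ERR",
    5: "PAM_BUF_ERR",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# Constructed sample input: the audit record and journal lines quoted in the post.
AUDIT_LINE = (
    "type=USER_AUTH msg=audit(1421174144.121:1306): pid=25524 uid=1000 auid=1000 ses=2 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=PAM:authentication grantor=? acct=\"gjohn\" exe=\"/usr/bin/su\" "
    "hostname=? addr=? terminal=pts/1 res=failed'"
)
JOURNAL_LINES = [
    "Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): getting password (0x00000210)",
    "Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): pam_get_item returned a password",
    "Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): internal module error "
    "(retval = PAM_SERVICE_ERR(3), user = 'gjohn')",
    "Jan 13 11:41:40 ws.domain.net su[27383]: FAILED SU (to gjohn) crdc on pts/11",
]

# key=value tokens; values may be single-quoted, double-quoted, or bare.
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# pam_winbind's "internal module error" line, e.g. pam_winbind(su-l:auth): ... PAM_SERVICE_ERR(3)
_WB_ERR = re.compile(
    r"pam_winbind\((?P<service>[^:)]+):(?P<stage>\w+)\): internal module error "
    r"\(retval = (?P<name>\w+)\((?P<code>\d+)\), user = '(?P<user>[^']*)'\)"
)


def parse_audit_record(line):
    """Flatten an auditd record into a dict. The nested msg='...' payload
    (op, grantor, acct, exe, res) is parsed into the same dict; the outer
    msg=audit(...) token is kept under 'msg'."""
    fields = {}
    for key, raw in _KV.findall(line):
        value = raw.strip("'\"")
        if key == "msg" and raw.startswith("'"):
            for inner_key, inner_raw in _KV.findall(value):
                fields[inner_key] = inner_raw.strip("'\"")
        else:
            fields[key] = value
    return fields


def parse_winbind_errors(lines):
    """Return one dict (service, stage, name, code, user) per pam_winbind
    'internal module error' line; other journal lines are ignored."""
    errors = []
    for line in lines:
        m = _WB_ERR.search(line)
        if m:
            d = m.groupdict()
            d["code"] = int(d["code"])
            errors.append(d)
    return errors


def triage(audit_line, journal_lines):
    """Combine the audit verdict with pam_winbind's return code and name the
    next check. Which command follows which retval is the editor's reading of
    pam_winbind's error reporting (assumption, not from the post)."""
    rec = parse_audit_record(audit_line)
    errors = parse_winbind_errors(journal_lines)
    user = rec.get("acct")
    result = {"user": user, "audit_result": rec.get("res"), "grantor": rec.get("grantor"),
              "pam_retval": None, "verdict": None, "next_checks": []}
    if rec.get("res") == "success":
        result["verdict"] = "ok"
        return result
    if not errors:
        # PAM denied the login but pam_winbind reported no error: another module
        # (pam_unix, pam_succeed_if, pam_deny) produced the failure.
        result["verdict"] = "failed_without_winbind_error"
        result["next_checks"] = ["journalctl -u winbind", "check which PAM module denied the login"]
        return result
    err = errors[-1]
    result["pam_retval"] = err["name"]
    if err["code"] == 7:        # PAM_AUTH_ERR: winbindd rejected the credentials
        result["verdict"] = "bad_credentials"
        result["next_checks"] = ["wbinfo -a %s%%<password>" % user]
    elif err["code"] == 9:      # PAM_AUTHINFO_UNAVAIL: winbindd or the DC is not reachable
        result["verdict"] = "winbindd_unreachable"
        result["next_checks"] = ["wbinfo -p", "wbinfo --ping-dc", "systemctl status winbind"]
    elif err["code"] == 10:     # PAM_USER_UNKNOWN: winbindd cannot resolve the account
        result["verdict"] = "user_unknown_to_winbind"
        result["next_checks"] = ["wbinfo -n %s" % user, "getent passwd %s" % user]
    else:
        # PAM_SERVICE_ERR and other generic codes: winbindd answered, but with a
        # failure rather than an auth verdict. Check the machine account trust
        # before suspecting the user's password.
        result["verdict"] = "winbindd_error"
        result["next_checks"] = ["net ads testjoin", "wbinfo -t", "wbinfo -a %s%%<password>" % user]
    return result


if __name__ == "__main__":
    for key, value in triage(AUDIT_LINE, JOURNAL_LINES).items():
        print("%-13s %s" % (key, value))
```

For the post's lines the script lands on winbindd_error with PAM_SERVICE_ERR, which is why the machine account trust (net ads testjoin, wbinfo -t) is the first thing to verify, and it matches the outcome the poster reports: the join itself was the problem, not the user's credentials.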