我们在我们的部门有一个小networking
我的预先设法试图将networking服务器添加到我们的域名,以便从我们的域名用户帐户login(主要用于文件传输到networking服务器上)。 我工作了一段时间,但自从一个不明的时间点,它不再工作了。
所以我读过一些关于samba的教程,并查看了configuration文件,但是找不到问题。 现在我正在寻求你的帮助。
尝试使用“域用户”login后的auth.log :
Mar 13 17:04:33 linuxwebserver login[22754]: pam_winbind(login:auth): getting password (0x00000000) Mar 13 17:04:35 linuxwebserver login[22754]: pam_winbind(login:auth): user '<domain-username>' granted access Mar 13 17:04:35 linuxwebserver login[22754]: pam_unix(login:account): could not identify user (from getpwnam(<domain-username>)) Mar 13 17:04:35 linuxwebserver login[22754]: User not known to the underlying authentication module
尝试使用“域名”\“域用户”login后的auth.log :
Mar 13 17:06:29 linuxwebserver login[22762]: pam_winbind(login:auth): getting password (0x00000000) Mar 13 17:06:32 linuxwebserver login[22762]: pam_winbind(login:auth): request failed: No such user, PAM error was Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt (10), NT error was NT_STATUS_NO_SUCH_USER Mar 13 17:06:32 linuxwebserver login[22762]: pam_unix(login:auth): check pass; user unknown Mar 13 17:06:32 linuxwebserver login[22762]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/3 ruser= rhost= Mar 13 17:06:34 linuxwebserver login[22762]: FAILED LOGIN (1) on 'pts/3' FOR `UNKNOWN', User not known to the underlying authentication module
在我看来,networking服务器在域中是正确的,但是linux如何检查帐户的有效性还是有一些问题。
smb.conf : http : //pastebin.com/nXdZUEbn
nsswitch.conf :
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat winbind hosts: files dns wins networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
wbinfo -u给了我一个我们域中所有帐户的正确列表(没有名称前的“DOMAIN”)
wbinfo -g为我提供了一个正确的我们域中的组列表(在名称前没有“DOMAIN”)
getent passwd给我一个我们web服务器上的本地(unix)帐户列表(没有域用户)
getent group给我列出了我们web服务器上的本地(unix-)组(没有域用户)
# wbinfo -p Ping to winbindd succeeded
我的想法是:Linux使用passwd中的信息来检查帐户是否有效,但是它不检查wbinfo的信息。 我想我解决了这个问题,增加了winbind到nsswitch.conf但问题依然存在。
编辑:
将/etc/pam.d/common-auth
auth sufficient pam_winbind.so auth required pam_unix.so nullok_secure use_first_pass
将/etc/pam.d/common-account
account sufficient pam_winbind.so account required pam_unix.so
/etc/pam.d/common-password
password required pam_unix.so nullok obscure md5
编辑2: /etc/krb5.conf
[libdefaults] default_realm = <DOMAIN>.LOCAL # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # Thie only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] <DOMAIN>.LOCAL = { kdc = <WIN DOMAIN CONTROLLER>.<DOMAIN>.local admin_server = <WIN DOMAIN CONTROLLER>.<DOMAIN>.local } [domain_realm] .<DOMAIN>.local = <DOMAIN>.LOCAL [login] krb4_convert = true krb4_get_tickets = false
尝试改变你的smb.conf:
idmap backend = ad
对于:
idmap backend = rid
并重新启动您的桑巴服务(主要是winbind)。 如果还是不行,试试这个:
你使用哪个版本的samba?
我没有足够的评级发表评论,但我似乎记得在login到Windows域时需要使用两个斜线。 我相信那是BeyondTrust,我知道在追求中我不需要使用两个斜线…
DOMAIN\\user