服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 无法使用passwd更改Kerberos密码
Intereting Posts
Linux的 – 如何列出特定types的分区? 创build子域的logging; DNS不更新/传播? 通过计算机redirectSSH 什么杀毒软件,你推荐开发盒 Apache正在响应一个空白的白页 我所有的硬盘都是10MB / s左右的读/写 我想买一些IP 可以使用HTTP头来判断页面是否通过代理? 128GB内存的页面错误 使用FTP删除文件夹 OCS 2007 R2 A / V NAT – 尝试内部IP的外部客户端 无法通过SSHlogin到GCE实例,而gcloud计算完美 如果最初的完整使用robocopy完成,rsync可以执行增量备份吗? 在Linux上绘制数据包大小分布的工具? 加载balacing场景 – 我是对的吗?

无法使用passwd更改Kerberos密码

我为我的域名build立了一个通用的Kerberosauthentication。 之后,它工作正常,没有任何问题。 但是用户不能使用Linux命令更改密码。 在这个分析上,我在/var/log/auth.log得到了下面的错误:

bharathi passwd [3715]:pam_unix(passwd:chauthtok):authentication失败; logname = test uid = 1000 euid = 0 tty = ruser = rhost = user = test

来自Kerberospipe理服务器的响应。 

 May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required May 11 16:44:48 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270888, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected] May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required May 11 16:45:07 bharathi krb5kdc[28795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.27.50: ISSUE: authtime 1368270907, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]

来自kerberospipe理服务器的响应似乎没问题。 我怀疑这个问题可能在pam.dconfiguration中。

共AUTH 

 # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (eg, /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. auth sufficient pam_krb5.so minimum_uid=1000 # here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_lsass.so try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config

共同账户 

  # # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # account required pam_krb5.so minimum_uid=1000 # here are the per-package modules (the "Primary" block) account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok account [success=1 new_authtok_reqd=done default=ignore] pam_lsass.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config

常见的密码 

  # # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) password requisite pam_krb5.so minimum_uid=1000 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_lsass.so use_authtok try_first_pass # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) password optional pam_gnome_keyring.so # end of pam-auth-update config

我在这里做错了什么?

您的auth.log包含以下提示:

bharathi passwd [3715]: pam_unix (passwd:chauthtok):authentication失败; logname = test uid = 1000 euid = 0 tty = ruser = rhost = user = test

查看通用密码的相关行是:

密码必需 pam_krb5.so minimum_uid = 1000

Kerberos-PAM模块只能处理uid> = 1000的用户,即使在networking出现故障的情况下,也可以保持root这样的本地帐户正常工作。

必要条件是这个模块总是被要求的,所以在这种情况下成功被存储为结果,但是下面的模块仍然被执行。

密码[成功= 2默认= 忽略 ] pam_unix.so obscure use_authtok try_first_pass sha512

下一个模块是失败的unix模块,现在尝试更改/etc/shadow的密码。 但是由于这是一个Kerberos用户,因此/etc/shadow可能没有条目。 由于忽略,这个失败将被忽略:错误仍然被logging下来,但是PAM堆栈的结果没有改变。

但接下来的模块如下:

密码必需pam_deny.so

这将最终用deny覆盖以前的结果代码,从而拒绝更改密码的请求。

如果仅更改Kerbers密码就足够了,则将Kerberos的必要条件更改为[success = 3 default = ignore] ,这将在成功时跳过接下来的3个模块(unix,lsass,deny),从而继续执行pam_permit.so ,这迫使堆栈最终返回成功。

另一方面,如果您的用户在/ etc / shadow和Kerberos中都有这两个条目,并且您希望保持这两个密码同步,那么获得正确的结果会变得复杂得多。 下面的东西应该工作:

  1. 首先尝试更改Kerberos密码。
  2. 如果成功,请尝试在/etc/shadow更改本地Unix密码。

  3. 否则require Unix密码更改成功。 

     password [success=3 user_unknown=ignore default=ignore] pam_krb5.so minimum_uid=1000 password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=2 default=ignore] pam_lsass.so use_authtok try_first_pass password requisite pam_deny.so password [success=ok default=ignore] pam_unix.so obscure use_authtok use_first_pass sha512 password required pam_permit.so