LINUX.ORG.RU

После добавления Linux машины в домен, команда id не показывает доменных пользователей

 , ,


0

1

Добрый день Настраивал для нескольких на RHEL6.0 аутентификацию в домене Windows 2008 R2. Для всех серверов кроме одного все нормально работает. А вот на одном - как бабка приворожила:). Не могу понять, в чем дело и куда смотреть. В домен добавил, wbinfo -a domainuser, wbinfo -g, wbinfo -t - все работает. А id domainuser работает на всех серверах, кроме того, о котором я пишу. Соответсвенно pam_winbind не находит такого пользователя и пишет отбой.

Куда можно смотреть? (даже уже просто копировал конфиги с рабочих серверов, чтобы исключить ошибки)

Для всех серверов пользовался этим мануалом

Getting started When making this work the biggest hurdle I had to overcome is described in this bug report. Basically the standard samba version in CentOS 5.x and RHEL 5.x does not work with Windows 2008 R2. To work around this you have to install the samba3x packages which of this writing are version 3.5.4 that does support Windows 2008 R2. Installation of the samba3x-swat is not necessary but is helpful for those who prefer a GUI interface (web-based) to configure Linux. I won’t go into how to configure SWAT as there is already plenty of documentation for that. Below we install the necessary items for Samba. $ yum install samba3x samba3x-client samba3x-common samba3x-swat samba3x-winbind Now install the following to give you the necessary Kerberos libraries and tools $ yum install krb5-libs krb5-workstation

Now let’s move on to the configuration of necessary services. Configure Kerberos In order to do authentication with AD you must have a working Kerberos with that AD’s domain. Below is the /etc/krb5.conf file I used with hostnames taken out for security reasons. Note the highlighted lines. Those encryption types are required to successfully communicate with Windows 2008 R2. [libdefaults] default_realm = DOMAIN.COM

default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1

default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1

clockskew = 300

[realms]

DOMAIN.COM = { kdc = kdc1.domain.com kdc = kdc2.domain.com kdc = kdc3.domain.com default_domain = domain.com }

[domain_realm] domain.com = DOMAIN.COM .domain.com = DOMAIN.COM [appdefaults] pam = { debug = false ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 500 try_first_pass = true } Once this file is in place you can begin testing this portion of your configuration. Below I outline the method for testing. (in next command type domain with CAPITAL letters!) $ kinit domainuser@DOMAIN.COM Now we verify the created ticket. Run klist and you should see something similar as the output below

$ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: domainuser@DOMAIN.COM

Valid starting Expires Service principal 05/25/11 09:52:57 05/25/11 19:53:00 krbtgt/DOMAIN.COM@DOMAIN.COM renew until 05/26/11 09:52:57

Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached If these tests succeed then move on to configuration of Samba. Configure Samba ¶ Below is the exact /etc/samba/smb.conf file I used minus sensative information. See the smb.conf man page for details on available options.

#======================= Global Settings =====================================

[global]

workgroup = DOMAIN server string = Samba Server Version %v

netbios name = CLIENTHOSTNAME

# --------------------------- Logging Options -----------------------------

log level = 3 # logs split per machine log file = /var/log/samba/%m.log # max 50KB per log file, then rotate max log size = 50

# ----------------------- Domain Members Options ------------------------ #

security = ADS realm = DOMAIN.COM encrypt passwords = yes

winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 600-20000 idmap gid = 600-20000 template primary group = «Domain Users» template shell = /sbin/nologin

allow trusted domains = Yes server signing = mandatory client signing = mandatory client use spnego = Yes ntlm auth = Yes lanman auth = No

# ----------------------- Browser Control Options ---------------------------- preferred master = no

# --------------------------- Printing Options -----------------------------

load printers = no

printcap name = /etc/printcap

#============================ Share Definitions ==============================

[homes] comment = Home Directories browseable = no writable = yes

;[test] ; available = yes ; comment = Test Share ; path = /var/www/test ; writeable = yes ; browseable = yes ; invalid users = root ; create mask = 0660 ; directory mask = 0770 ; valid users = @DOMAIN+Group-Name Configure nsswitch.conf ¶ Below is the /etc/nsswitch.conf file I used. It’s important that the file directive be infront of winbind so the system doesn’t have to check with AD to verify and lookup local system accounts.

passwd: files winbind shadow: files winbind group: files winbind

hosts: files dns wins

bootparams: nisplus [NOTFOUND=return] files

ethers: files netmasks: files networks: files protocols: files rpc: files services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus aliases: files nisplus Configure PAM ¶ Below is the /etc/pam.d/system-auth-ac file for my system. This is the default provided in CentOS 5.6 with the addition of the pam_krb5 and pam_winbind lines. For AD authentication you only need to add the pam_winbind lines.

auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_winbind.so use_first_pass auth required pam_deny.so

account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account sufficient pam_winbind.so use_first_pass account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password sufficient pam_winbind.so use_first_pass password required pam_deny.so

session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so session optional pam_winbind.so use_first_pass Join Samba to Active Directory ¶ Now we actually join the Linux client to the Windows 2008 R2 domain. The following command will do the join. Depending on your AD you may need to create this Linux client’s computer record in AD before running this command. Be sure to replace domainadminuser with the actual username of an account with the ability to add computers to the AD. $ net ads join -U domainadminuser Enter domainadminuser's password: Using short domain name — DOMAIN Joined 'CLIENTHOSTNAME' to realm 'domain.com' DNS update failed! Notice the last line “DNS update failed!”. I have yet to get rid of this error, but so far has seemed not to effect things. From what I’ve read it has something to do with Dynamic DNS. Next restart both the smb and winbind services and set them to run at boot.

$ /etc/init.d/smb start $ /etc/init.d/winbind start $ chkconfig smb on $ chkconfig winbind on Once we are joined to AD we need to create our keytab file for use with Kerberos. Below is the command to create the keytab followed by the command to verify the keytab.

$ net ads keytab create -U domainadminuser

$ klist -ke

$ /etc/init.d/smb restart $ /etc/init.d/winbind restart Testing the domain join ¶ The next few commands are ways to verify you successfully joined the AD. The output below the commands is an example of what you should see.

$ net ads info LDAP server: 10.1.0.1 LDAP server name: kdc1.domain.com Realm: DOMAIN.COM Bind Path: dc=DOMAIN,dc=COM LDAP port: 389 Server time: Wed, 25 May 2011 12:05:17 CDT KDC server: 10.1.0.1 Server time offset: 0

$ net ads testjoin Join is OK Some additional tests to run. Comments above the command describe its purpose.

# Check the secret between client and AD $ wbinfo -t checking the trust secret for domain DOMAIN via RPC calls succeeded

# This is like kinit but testing that winbind authentication is working # You will be prompted for password twice # Replace domainuser with a valid domain user's account name $ wbinfo -a domainuser Enter domainuser's password: plaintext password authentication succeeded Enter domainuser's password: challenge/response password authentication succeeded

# An additional test to verify user accounts function # Replace domainuser with a valid domain user's name $ id domainuser If the above goes without incident then you have successfully joined your Linux Samba client to a Windows 2008 R2 domain. If you refer to the provided smb.conf you’ll notice I setup a test share. For shares that will be hosting content for Windows AD users I have enabled ACL permissions for the filesystem. The ACL option has to be specified at mount of the filesystem, and can be made permanent by adding the entry to your /etc/fstab. See below for an example.

# An example line from my /etc/fstab file /dev/VolGroup00/LogVol00 / ext3 defaults,acl 1 1 Additionally you need to install acl package, and set the ACL to a domain group by running the following.

# Replace group-name with the name of a valid domain user group setfacl -m g:group-name:rwx /var/www/test Now from any machine with a smb client you should be able to connect to the test share as a user who is a member of the AD group group-name.

Restrict login by groupname Add to file /etc/pam.d/system-auth-ac in appropriate section: account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_succeed_if.so user ingroup UNIXAdmins account [default=bad success=ok user_unknown=ignore] pam_krb5.so account sufficient pam_winbind.so use_first_pass account required pam_permit.so

for RHEL6 /etc/pam.d/password-auth

Заранее спасибо за ответ

[root@uatstifobsdb01 ~]# id A10014 id: A10014: No such user [root@uatstifobsdb01 ~]# wbinfo -a A10014 Enter A10014's password: plaintext password authentication succeeded Enter A10014's password: challenge/response password authentication succeeded

[root@uatstifobsdb01 ~]# wbinfo -u|grep a10014 a10014

[root@uatstifobsdb01 ~]# tail /var/log/secure Sep 6 09:17:53 uatstifobsdb01 sshd[26178]: pam_unix(sshd:auth): check pass; user unknown Sep 6 09:17:53 uatstifobsdb01 sshd[26178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.64.40 Sep 6 09:17:53 uatstifobsdb01 sshd[26178]: pam_succeed_if(sshd:auth): error retrieving information about user A10014 Sep 6 09:17:54 uatstifobsdb01 sshd[26178]: Failed password for invalid user A10014 from 10.5.64.40 port 3997 ssh2

Т.е. до pam_winbind даже не доходит, хотя

[root@uatstifobsdb01 ~]# cat /etc/pam.d/password-auth-ac #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_winbind.so cached_login use_first_pass auth required pam_deny.so

account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so

password requisite pam_cracklib.so retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_winbind.so cached_login use_authtok password required pam_deny.so

session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so

и на других серверах та же конфигурация нормально работает.

[root@uatstifobsdb01 ~]# cat /etc/nsswitch.conf

passwd: files winbind shadow: files winbind group: files winbind

#hosts: db files nisplus nis dns hosts: files dns wins ....

Kievsash ()
Ответ на: комментарий от fbiagent

Поробовал, не помагает

Вообщем, в кратце - почему не происходит образения к pam_winbind ? Логин проверяется только в локальной базе. Хотя и pam и nsswitch.conf настроены, чтобы проверять пользователя и среди локальных и среди доменных.

Вот лог. pam_winbind вообще не фигурирует, а должен.

Sep 6 14:51:22 uatstifobsdb01 sshd[2468]: Address 10.5.64.40 maps to ceb-uan089.ms.fbhua, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! Sep 6 14:51:22 uatstifobsdb01 sshd[2468]: Invalid user A10014 from 10.5.64.40 Sep 6 14:51:22 uatstifobsdb01 sshd[2469]: input_userauth_request: invalid user A10014 Sep 6 14:51:24 uatstifobsdb01 sshd[2468]: pam_unix(sshd:auth): check pass; user unknown Sep 6 14:51:24 uatstifobsdb01 sshd[2468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.64.40 Sep 6 14:51:24 uatstifobsdb01 sshd[2468]: pam_succeed_if(sshd:auth): error retrieving information about user A10014 Sep 6 14:51:26 uatstifobsdb01 sshd[2468]: Failed password for invalid user A10014 from 10.5.64.40 port 1573 ssh2

Kievsash ()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.