Binding Linux to Active Directory using Kerberos
We are trying to bind a Linux machine (Debian 4.0) to W2k3 AD. We have configured Kerberos properly so that we can get TGTs, and users authenticate properly. However, PAM seems to be the sticky wicket. For example, when we try to SSH to the Linux machine as one of the AD users, the authentication succeeds (as per the auth.log) but I never get a shell. The default environment is configured properly and PAM even creates the home directory properly. As a reference we were loosely following:
Comments (4)
A simple solution: the pam_krb5+ldap project
A fork of the pam_krb5 PAM module that provides a very easy-to-use configuration for utilizing Linux client authentication against an existing Active Directory domain and/or OpenLDAP server.
If you're confident everything but PAM works correctly, I suggest passing the debug option to pam_krb5.so to see if that gives a clue to what's happening.
I'd also suggest verifying that nss-ldap is set up correctly using
I have used Likewise to do something similar on our servers. Here is the process we use to configure it:
Install Likewise:
Join the domain (assuming the domain "domain.local"):
Assuming you are using sudo AND want AD users to be able to have sudoer powers, you need to edit the sudoers file. This can be done with the following command:
then add the following to the end of the file (this assumes the domain "DOMAIN" and that all the users who should have sudo are in a group called "linux_admin" in Active Directory):
POSIX accounts demand that you have a valid shell set in the user account. When using LDAP, this is referenced by the attribute loginShell. You need to use PAM and map an appropriate attribute to loginShell in your configuration, or activate MS Services for UNIX on the DC, which will extend the AD schema to include the needed POSIX attributes.
See http://www.ietf.org/rfc/rfc2307.txt as a reference to RFC2307, which defines this for LDAP.
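The two answers above (verify nss-ldap, and make sure each AD account resolves to a valid loginShell) can be checked with the following script, which is an added example and not code from any of the posters. It audits `getent passwd` style lines against `/etc/shells`; the sample passwd and shells text and the user names are constructed here for illustration.

```python
"""Audit NSS-resolved accounts for the 'auth succeeds but no shell' symptom.

sshd lets PAM authenticate the Kerberos user and then execs the shell from the
passwd entry that NSS returns. If nss-ldap does not resolve the user at all, or
maps no loginShell / an unusable one, the login dies after a successful auth.
"""
import os
from typing import Callable, Dict, List


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse `getent passwd` output (name:pw:uid:gid:gecos:home:shell)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return entries


def parse_shells(text: str) -> set:
    """Parse /etc/shells (consulted by pam_shells and chsh); skip comments."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def check_user(name: str, entries: dict, shells: set,
               is_exec: Callable[[str], bool]) -> List[str]:
    """Return a list of findings for one account; empty list means it looks fine."""
    entry = entries.get(name)
    if entry is None:
        return ["not resolved by NSS (check nss-ldap and 'passwd: files ldap' in nsswitch.conf)"]
    shell = entry["shell"]
    if not shell:
        return ["empty shell field: no loginShell attribute mapped"]
    problems = []
    if shell not in shells:
        problems.append(f"shell {shell} not listed in /etc/shells")
    if not is_exec(shell):
        problems.append(f"shell {shell} is not an executable file on this host")
    return problems


def audit(users, passwd_text: str, shells_text: str,
          is_exec: Callable[[str], bool] = lambda p: os.access(p, os.X_OK)) -> Dict[str, List[str]]:
    entries, shells = parse_passwd(passwd_text), parse_shells(shells_text)
    return {u: check_user(u, entries, shells, is_exec) for u in users}


# Constructed sample data standing in for `getent passwd` and /etc/shells.
SAMPLE_PASSWD = ("jdoe:x:10001:10001:Jane Doe (AD):/home/DOMAIN/jdoe:/bin/bash\n"
                 "bsmith:x:10002:10001:Bob Smith (AD):/home/DOMAIN/bsmith:\n"
                 "tjones:x:10003:10001:Tom Jones (AD):/home/DOMAIN/tjones:/bin/false\n")
SAMPLE_SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n"
```

On a real host, feed it the output of `getent passwd` and the contents of `/etc/shells` with the default `is_exec`; the constructed data above shows one healthy account, one with no loginShell, and one with a non-login shell.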