Windows AD 자격 증명을 사용하여 Ubuntu 16.04 시스템에 로그인하고 싶습니다. 저는 PBIS(PowerBroker Identity Services) AD-bridge의 Beyondtrust 버전 8.5.2.265를 사용합니다. Windows 버전은 Windows Server 2012 R2입니다.
이러한 오류는 /var/log/auth.log에 나타납니다.
Jan 16 08:34:51 [HOSTNAME] lightdm: PAM adding faulty module: pam_kwallet5.so
Jan 16 08:34:59 [HOSTNAME] lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "[email protected]"
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session closed for user root
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]User [email protected] is denied access because they are not in the 'require membership of' list
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:[email protected]][error code:40158]
Jan 16 08:35:07 [HOSTNAME] systemd-logind[1050]: Removed session c2.
/opt/pbis/bin/enum-groups에서 복사한 보안 그룹 "domain^users"와 일치하도록 구성 옵션 RequireMembershipOf를 변경했습니다.
/opt/pbis/bin/config --dump의 옵션:
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "winsrv.local"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "domain^users"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
/etc/pam.d/common-session 파일:
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional pam_lsass.so
session required pam_unix.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
/etc/pam.d/common-auth 파일:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_lsass.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
/etc/pam.d/common-account 파일:
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
답변1
나는 같은 문제를 해결했습니다. 나는 가지고있다
pam_succeed_if(lightdm:auth): 사용자 "xxxxxxx"는 "사용자 그룹 내 nopasswdlogin" 요구 사항을 충족하지 않습니다.
환경은 AD 인증, Windows 2016, Ubuntu 16.04입니다.
해결책
다음 줄을 편집 /etc/pam.d/lightdm
하고 nopasswdlogin
제거하세요.
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin