加入新服务器后,加入Linux服务器的AD上的PAM身份验证间歇性地起作用

1

我们正在使用Winbind将RHEL 7.3服务器加入Windows Active Directory服务器(Windows 2012 R2 DC)。我们能够100%地成功将Linux服务器加入域。服务器显示在Windows活动目录中,我们可以查询该目录。

问题是大多数情况下域凭据不会立即生效,SSH会向我们显示“访问被拒绝”错误。我们必须等待10分钟到4-5个小时,然后域凭据才能起作用。在某些情况下,我们将重新启动winbind,这将立即解决问题,但这并不能始终解决身份验证问题。我们还尝试了完全重启。

为安全起见,混淆了域值。

[root@acmeprodweb01 ~]# realm list
domain.com
  type: kerberos
  realm-name: DOMAIN.COM
  domain-name: domain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: DOMAIN+%U
  login-policy: allow-any-login

域用户:

[root@acmeprodweb01 ~]# id DOMAIN+user
uid=201604(DOMAIN+user) gid=200513(DOMAIN+domain users) groups=200513(DOMAIN+domain users),201604(DOMAIN+user),214118(DOMAIN+linux-sysadmin-tools),214138(DOMAIN+usr_localadmin)

值得的是,在以本地帐户登录后,我可以使用域控制器制作票证:

Default principal: user@DOMAIN.COM

Valid starting       Expires              Service principal
02/17/2017 21:35:25  02/18/2017 07:35:25  krbtgt/DOMAIN.COM@DOMAIN.COM
    renew until 02/23/2017 21:35:25

这是我们在尝试登录拒绝域凭据的服务器时收到的错误:

Feb 17 20:47:55 acmeprodweb01 sshd[2218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.46.129.254  user=DOMAIN+user
Feb 17 20:47:55 acmeprodweb01 sshd[2218]: pam_winbind(sshd:auth): getting password (0x00000390)
Feb 17 20:47:55 acmeprodweb01 sshd[2218]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 17 20:47:55 acmeprodweb01 sshd[2218]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_ACCESS_DENIED, Error message was: Access denied
Feb 17 20:47:55 acmeprodweb01 sshd[2218]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'DOMAIN+user')

这是我们的配置文件:

[global]
workgroup = DOMAIN
security = ads

    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
kerberos method = system keytab
template homedir = /home/%D/%U
template shell = /bin/bash
realm = DOMAIN.COM
#idmap backend = tdb
#idmap gid = 10000-2000000
#idmap uid = 10000-2000000
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
winbind separator = +
idmap config * : backend = rid
idmap config * : range = 200000-299999
idmap config * : rangesize = 10000
idmap config INTMGMT : backend = rid
idmap config INTMGMT : range = 100000-199999
idmap config INTMGMT : rangesize = 10000
password server = domain.com
allow trusted domains = yes
log level = 10
debug pid = true
max log size = 0

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = root
    create mask = 0664
    directory mask = 0775

还有我们的pam.d system-auth配置:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth required pam_faillock.so preauth audit silent deny=3 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=900
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

# implements CIS 5.3.1, GISOD-PR Retry Rule
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

# implement CIS 5.3.3, GISOD-PR History Rule, CIS 5.3.4
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok remember=24 sha512
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so cached_login warn_pwd_expire=7

希望这是足够的信息,否则请随时询问。

linux  ssh  domain  authentication 
阿瓦隆
source

Answers:

0

事实证明,问题出在域控制器本身,而不是我们的Winbind配置上。

我们的辅助域控制器没有共享netlogon或sysvol。因此,当请求命中主域控制器时,身份验证成功,但是如果请求命中辅助域控制器,则没有响应。

一旦我们在辅助DC上启用了netlogon和sysvol域共享,此问题就解决了。

阿瓦隆
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.