SDB:Gnyers/InteropDemo/SambaAsMemeberServer
Integrating Active Directory as the source of authentication and authorization is a common use case in mixed Linux and Windows environments. Winbind is the Samba component that provides the functionality needed for this integration and, in addition, a PAM module (pam_winbind) for authenticating and authorizing Linux users against AD.
This HOWTO uses Samba 3.6.
Work in progress
This article is not yet finished.
Authentication with Active Directory and Winbind
Configuring Winbind on SLES
Restricting shell access to specific groups
The *Windows Domain Membership* module of YaST cannot yet configure shell access restrictions based on Active Directory groups. To get them, the ``require_membership_of`` parameter has to be set by hand in ``/etc/security/pam_winbind.conf``. It takes a comma-separated list of group names or SIDs. A SID keeps matching after the group is renamed, whereas a name has to be resolved by winbind at every login (the ``no sid given, looking up:`` line in the debug output below). The check is made in pam_winbind's auth stage, so it only covers logins that go through pam_winbind; accounts that another PAM module authenticates, such as local users via pam_unix, are not affected by it.
To allow only members of the "SLES Shell Users" group:
# egrep -v "^[;#]|^$" /etc/security/pam_winbind.conf
[global]
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
debug = yes
cached_login = yes
require_membership_of = "SLES Shell Users"
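As an added example (not part of this HOWTO or of Samba; the pwb_* function names are this example's own), the following POSIX shell script audits a pam_winbind.conf for the settings above: it prints the effective [global] keys, flags keys that are set more than once (the listing above contains ``cached_login`` twice), extracts ``require_membership_of``, and reports whether each entry is a SID or a group name that winbind has to resolve at login. The sample file is constructed to mirror the listing above; the SID used in the usage line is made up.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: audit /etc/security/pam_winbind.conf
# for the shell-restriction settings. All pwb_* names are this example's own.

# Effective "key = value" pairs of the [global] section, comment and blank
# lines dropped (the same view as the egrep command in the HOWTO).
pwb_global_settings() {
    awk '
        /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { sect = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sect); next }
        sect == "global" && index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print key " = " val
        }' "$1"
}

# Keys assigned more than once: only one of the values can take effect, so
# flag them instead of guessing which one pam_winbind ends up using.
pwb_duplicate_keys() {
    pwb_global_settings "$1" |
        awk -F' = ' '{ seen[$1]++ } END { for (k in seen) if (seen[k] > 1) print k }' |
        sort
}

# The require_membership_of value; the last assignment wins and surrounding
# double quotes are dropped (the debug log shows the value without them).
pwb_require_membership_of() {
    pwb_global_settings "$1" | awk -F' = ' '
        $1 == "require_membership_of" { v = $2 }
        END {
            if (v ~ /^".*"$/) v = substr(v, 2, length(v) - 2)
            print v
        }'
}

# Split a comma-separated require_membership_of list and classify each entry:
# a SID survives a group rename, a name must be looked up by winbind at every
# login ("no sid given, looking up:" in the debug log). Output: kind<TAB>entry.
pwb_classify_members() {
    printf '%s\n' "$1" | awk -F',' '{
        for (i = 1; i <= NF; i++) {
            e = $i
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", e)
            if (e == "") continue
            kind = (e ~ /^S-1-[0-9]+(-[0-9]+)+$/) ? "sid" : "name"
            print kind "\t" e
        }
    }'
}

# Audit one file. Exit status 1 means no group restriction is configured,
# i.e. every domain account with a valid password would get a shell.
pwb_audit() {
    _rc=0
    for k in $(pwb_duplicate_keys "$1"); do
        echo "WARN: '$k' is set more than once"
    done
    _members=$(pwb_require_membership_of "$1")
    if [ -z "$_members" ]; then
        echo "FAIL: require_membership_of is unset or empty"
        _rc=1
    else
        pwb_classify_members "$_members" | while IFS="$(printf '\t')" read -r kind entry; do
            if [ "$kind" = name ]; then
                echo "INFO: '$entry' is a group name, not a SID; it stops matching if the group is renamed"
            fi
        done
    fi
    return $_rc
}

# Constructed sample mirroring the HOWTO's file, repeated cached_login included.
pwb_sample_conf() {
    cat <<'EOF'
# pam_winbind configuration file (constructed sample)
[global]
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
debug = yes
cached_login = yes
require_membership_of = "SLES Shell Users"
EOF
}

# Usage: audit the constructed sample; point pwb_audit at
# /etc/security/pam_winbind.conf on a real host. The SID below is made up.
_pwb_tmp=$(mktemp)
pwb_sample_conf > "$_pwb_tmp"
pwb_audit "$_pwb_tmp"
pwb_classify_members 'S-1-5-21-1004336348-1177238915-682003330-1105, SLES Shell Users'
rm -f "$_pwb_tmp"
```

The audit treats an unset or empty ``require_membership_of`` as a failure, because that is the state in which every domain account with a valid password gets a shell; a name-based entry is only reported, since it works as long as the group keeps its name.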
Testing pam_winbind authentication
With ``debug = yes`` set, pam_winbind logs every step to syslog. Without the shell access restriction:
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): getting password (0x00000390)
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): pam_get_item returned a password
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): user 'interop\demo' granted access
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:account): user 'demo' granted access
After activating the restriction so that only members of the "SLES Shell Users" AD group may get a shell, the same login as demo, who is not a member of that group, is refused. Note that pam_winbind reports the membership failure as NT_STATUS_LOGON_FAILURE, the same status a wrong password produces, so the log line alone does not say which of the two happened:
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): [pamh: 0x60b020] ENTER: pam_sm_authenticate (flags: 0x0000)
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): getting password (0x000003d1)
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): pam_get_item returned a password
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): Verify user 'interop\demo'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): CONFIG file: require_membership_of 'SLES Shell Users'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): enabling krb5 login flag
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): enabling cached login flag
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): enabling request for a FILE krb5 ccache
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): no sid given, looking up: SLES Shell Users
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): user 'interop\demo' denied access (incorrect password or invalid membership)
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): [pamh: 0x60b020] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
Confirming that the restriction lets members through: logging in as a member of the "SLES Shell Users" AD group:
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): [pamh: 0x60b020] ENTER: pam_sm_authenticate (flags: 0x0000)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): getting password (0x000003d1)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): pam_get_item returned a password
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): Verify user 'interop\administrator'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): CONFIG file: require_membership_of 'SLES Shell Users'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): enabling krb5 login flag
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): enabling cached login flag
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): enabling request for a FILE krb5 ccache
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): no sid given, looking up: SLES Shell Users
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): request wbcLogonUser succeeded
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): user 'interop\administrator' granted access
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10001
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): Returned user was 'administrator'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): [pamh: 0x60b020] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): [pamh: 0x60b020] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): user 'administrator' granted access
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): [pamh: 0x60b020] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:setcred): [pamh: 0x60b020] ENTER: pam_sm_setcred (flags: 0x0002)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:setcred): PAM_ESTABLISH_CRED not implemented
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:setcred): [pamh: 0x60b020] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:session): [pamh: 0x60b020] ENTER: pam_sm_open_session (flags: 0x0000)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:session): [pamh: 0x60b020] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
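As an added example (not part of this HOWTO; the pwb_* names are this example's own), the following POSIX shell script condenses pam_winbind syslog lines like the ones above into one row per login attempt: PID, user, auth result, the NTSTATUS on failure, and the ``require_membership_of`` value that was in force. The sample log is constructed from the three attempts shown above (PIDs 7814, 7887 and 7905).

```shell
#!/bin/sh
# Added example, not part of the HOWTO: summarise pam_winbind login attempts
# from syslog lines. All pwb_* names are this example's own.

# Constructed sample: the three attempts from the HOWTO's log excerpts,
# reduced to the lines that carry the outcome.
pwb_sample_log() {
    cat <<'EOF'
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): getting password (0x00000390)
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): user 'interop\demo' granted access
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:account): user 'demo' granted access
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): Verify user 'interop\demo'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): CONFIG file: require_membership_of 'SLES Shell Users'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): no sid given, looking up: SLES Shell Users
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): user 'interop\demo' denied access (incorrect password or invalid membership)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): Verify user 'interop\administrator'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): CONFIG file: require_membership_of 'SLES Shell Users'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): request wbcLogonUser succeeded
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): user 'interop\administrator' granted access
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): user 'administrator' granted access
EOF
}

# Read syslog lines on stdin and print one tab-separated row per login PID:
# pid, user, auth result, NTSTATUS on failure, require_membership_of in force.
# "-" marks a field that was not logged for that attempt. Only the auth-stage
# "granted/denied access" line sets the user, so the account-stage line with
# the bare user name does not overwrite the DOMAIN\user form.
pwb_login_summary() {
    awk -v q="'" '
        { pid = "" }
        match($0, /login\[[0-9]+\]/) { pid = substr($0, RSTART + 6, RLENGTH - 7) }
        pid == "" { next }
        !(pid in seen) { seen[pid] = ++n; order[n] = pid }
        /CONFIG file: require_membership_of/ {
            s = $0; sub(".*require_membership_of " q, "", s); sub(q ".*", "", s)
            restr[pid] = s
        }
        /pam_winbind\(login:auth\): user / && /(granted|denied) access/ {
            u = $0; sub(".*user " q, "", u); sub(q ".*", "", u)
            user[pid] = u
            result[pid] = ($0 ~ /granted access/) ? "granted" : "denied"
        }
        /NTSTATUS: / {
            s = $0; sub(/.*NTSTATUS: /, "", s); sub(/,.*/, "", s)
            status[pid] = s
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                u = (p in user) ? user[p] : "-"
                r = (p in result) ? result[p] : "-"
                st = (p in status) ? status[p] : "-"
                m = (p in restr) ? restr[p] : "-"
                printf "%s\t%s\t%s\t%s\t%s\n", p, u, r, st, m
            }
        }'
}

# Usage: on a real host feed the syslog file instead of the sample, e.g.
# grep pam_winbind /var/log/messages | pwb_login_summary
pwb_sample_log | pwb_login_summary
```

A ``denied`` row with a restriction in force cannot be told apart from a plain wrong password using this log alone: pam_winbind reports NT_STATUS_LOGON_FAILURE and "incorrect password or invalid membership" in both cases, so confirm the account's group membership on the AD side before concluding that the restriction did its job.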
General Winbind tests
The following commands exercise winbindd directly, not the pam_winbind module, so the ``require_membership_of`` restriction from above is not applied to them. Find the domain controller for the INTEROP domain:
# wbinfo --getdcname=interop
WIN200864
Test that the domain controller is reachable:
# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded
A successful logon attempt. The ``user%password`` form used here puts the password into the process list and the shell history, so use a dedicated test account rather than the domain Administrator for this and remove the line from the history afterwards:
# wbinfo --pam-logon=Administrator%Suse123.
plaintext password authentication succeeded
A logon attempt with an unknown user:
# wbinfo --pam-logon=gnyers%asdfsadf
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
pam_logon failed for gnyers%asdfsadf
A logon attempt with a wrong password:
# wbinfo --pam-logon=Administrator%asdfsadf
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
pam_logon failed for Administrator%asdfsadf