I'm trying to set up a Linux box (specifically CentOS 6) to authenticate users against our Windows AD. Authentication works fine. The problem is this: our password lockout policy is three strikes and you're locked out. If a user logging in to the Linux host enters a wrong password just once, their account gets locked.
Here is my /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
# only allow login if user is in group serveradmins
account [default=bad success=ignore] pam_succeed_if.so user ingroup serveradmins quiet
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
Here are the log entries captured in /var/log/secure when a user tries to log in and enters the wrong password on the first attempt. For brevity I've stripped the date/time and hostname from the start of each entry:
sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
What in this configuration causes the authentication modules to try multiple times, and how do we change it so they don't?
Thanks.
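As an added example (not part of the question or the answer, and not from any project), the following Python script groups the pam_krb5 and pam_winbind failures in /var/log/secure by sshd session PID and by the "Failed password" line that closes each attempt, so you can measure how many AD-side failures one mistyped password actually produces. The sample log is constructed from the excerpt above (same placeholder IP, hostname and user); the module and NTSTATUS strings it matches are the ones in that excerpt, and grouping by sshd PID up to the next "Failed password" line is an assumption about how sshd logs a single session.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt in the question
# (date/host prefix stripped, as in the question). IP, host and user are placeholders.
SAMPLE_LOG = """\
sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
"""

RE_LINE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_unix only consults the local shadow file: no traffic to the DC.
RE_UNIX = re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*\buser=(?P<user>\S+)")
# pam_krb5 preauthentication failure: one bad-password attempt seen by the KDC on the DC.
RE_KRB5 = re.compile(r"^pam_krb5\[\d+\]: authentication fails for '(?P<user>[^']+)'")
# pam_winbind logon failure, with the NTSTATUS the DC returned.
RE_WINBIND = re.compile(r"^pam_winbind\(sshd:auth\): request wbcLogonUser failed: .*NTSTATUS: (?P<nt>\w+)")
# sshd's own summary line; it closes one password attempt.
RE_SSHFAIL = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def _new_attempt():
    return {"user": None, "ip": None, "port": None, "local_failures": 0,
            "dc_failures": 0, "modules": Counter(), "ntstatus": [], "locked_out": False}


def parse_attempts(log_text):
    """Attach every PAM module failure to the sshd password attempt that caused it.

    Lines are keyed by sshd PID; an attempt ends at that PID's next
    'Failed password' line (assumption: one sshd PID = one session)."""
    pending = defaultdict(_new_attempt)
    attempts = []
    for raw in log_text.splitlines():
        m = RE_LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        cur = pending[pid]
        mu, mk, mw, mf = (RE_UNIX.match(msg), RE_KRB5.match(msg),
                          RE_WINBIND.match(msg), RE_SSHFAIL.match(msg))
        if mu:
            cur["local_failures"] += 1
            cur["user"] = cur["user"] or mu.group("user")
        elif mk:
            cur["dc_failures"] += 1
            cur["modules"]["pam_krb5"] += 1
            cur["user"] = cur["user"] or mk.group("user")
        elif mw:
            nt = mw.group("nt")
            cur["dc_failures"] += 1
            cur["modules"]["pam_winbind"] += 1
            cur["ntstatus"].append(nt)
            if nt == "NT_STATUS_ACCOUNT_LOCKED_OUT":
                cur["locked_out"] = True
        elif mf:
            cur["user"], cur["ip"], cur["port"] = mf.group("user"), mf.group("ip"), mf.group("port")
            attempts.append(cur)
            del pending[pid]
    return attempts


def amplification_report(attempts):
    """Per user: how many DC-side failures each sshd password failure produced.

    A ratio above 1 means one mistyped password consumes more than one strike
    of the domain lockout threshold, which is exactly what the question observes."""
    report = {}
    for a in attempts:
        r = report.setdefault(a["user"], {"ssh_failures": 0, "dc_failures": 0,
                                          "locked_out": False, "modules": Counter()})
        r["ssh_failures"] += 1
        r["dc_failures"] += a["dc_failures"]
        r["locked_out"] = r["locked_out"] or a["locked_out"]
        r["modules"].update(a["modules"])
    for r in report.values():
        r["ratio"] = r["dc_failures"] / r["ssh_failures"]
    return report


if __name__ == "__main__":
    for user, r in amplification_report(parse_attempts(SAMPLE_LOG)).items():
        print(f"{user}: {r['ssh_failures']} ssh failure(s) -> {r['dc_failures']} DC failure(s) "
              f"(x{r['ratio']:.0f}) via {dict(r['modules'])}; locked out: {r['locked_out']}")
```

Run against the excerpt it reports four DC-side failures per sshd password failure for gumby (two from pam_krb5 and two from pam_winbind per attempt) and that the second attempt already came back NT_STATUS_ACCOUNT_LOCKED_OUT. With a three-strike domain policy, that ratio is the number to get down to one; the per-user counters also give you something concrete to alert on, such as a ratio above 1, or a lockout status appearing before the user has reached the threshold in sshd's own "Failed password" count.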
Best answer
So this is an old post, but it might save some people a few days of troubleshooting.
While sometimes the simplest answer is usually the right one, in the case of a migration you should always check that routes, firewall and DNS entries are the same and that ntp is in sync.
Short background: the problem started when it was decided to migrate the old DC to a newer version (Windows Server 2008 -> Windows Server 2016). Our Linux environment consists of RHEL 5, 6 and 7 systems joined to AD via Samba/Winbind.
By default, Windows Server 2016 has SMBv1 disabled, which means none of the RHEL 5 and 6 systems could talk to the new DC; FYI: https://access.redhat.com/articles/3164551
This can be fixed by enabling this role on the DC (and you understand the consequences of enabling a 30-year-old protocol):
If the picture is no longer available (done on the DC): Add Roles and Features -> Features -> SMB 1.0/CIFS File Sharing Support -> check.
Note: a reboot is required after enabling this feature.
After this change everything ran smoothly, or at least it seemed to.
I also stumbled on this particular error in the server (RHEL 5) logs:
Oct 27 09:06:58 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): getting password (0x00000050)
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): user 'some_user' denied access (incorrect password or invalid membership)
Oct 27 09:07:09 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
And I also couldn't authenticate with my own account, so I migrated to samba3x, reference (I didn't perform all of the steps): https://access.redhat.com/solutions/42635
For those who might not have an account, these are the steps I took:
Back up the original config files (you'll need smb.conf):
tar cf /root/backup_samba_migration.tar /etc/samba /var/cache/samba /var/lib/samba
Stop the services:
service smb stop; service winbind stop
Remove samba and install samba3x:
yum remove samba samba-common -y
yum install samba3x* -y
This is where you put your old smb.conf:
vim /etc/samba/smb.conf
You should also copy back pam_winbind.conf (e.g. we use the required_membership parameter):
\cp /etc/security/pam_winbind.conf.rpmsave /etc/security/pam_winbind.conf
In my case I needed to rejoin the domain (you may not need createcomputer):
net ads join -U youradminaccount createcomputer="Linux system"
Restart the services:
service smb restart; service winbind restart
Test (before this, authentication would fail straight away with a failed password):
wbinfo -t
wbinfo -a youradminaccount
Hope this helps, good luck!
Regarding Linux authentication against AD causing a lockout on a single failure, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/20707663/