Eu quero usar minhas credenciais do Windows AD para acessar a máquina Ubuntu 16.04. Eu uso ponte AD PBIS (PowerBroker Identity Services) da Beyondtrust versão 8.5.2.265. A versão do Windows é o Windows Server 2012 R2.
Estes erros aparecem em /var/log/auth.log:
Jan 16 08:34:51 [HOSTNAME] lightdm: PAM adding faulty module: pam_kwallet5.so
Jan 16 08:34:59 [HOSTNAME] lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "[email protected]"
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session closed for user root
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]User [email protected] is denied access because they are not in the 'require membership of' list
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:[email protected]][error code:40158]
Jan 16 08:35:07 [HOSTNAME] systemd-logind[1050]: Removed session c2.
Alterei a opção de configuração RequireMembershipOf para corresponder ao grupo de segurança "domain ^ users" que copiei de / opt / pbis / bin / enum-groups
As opções de / opt / pbis / bin / config --dump:
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "winsrv.local"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "domain^users"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
/etc/pam.d/common-session file:
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional pam_lsass.so
session required pam_unix.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
Arquivo /etc/pam.d/common-auth:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_lsass.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
/etc/pam.d/common-account file:
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Eu resolvi o mesmo problema. Eu tive
pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "xxxxxxx"
em um ambiente com Autenticação AD, Windows 2016, ubuntu 16.04.
Edite /etc/pam.d/lightdm e remova nopasswdlogin desta linha:
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin