A user ticket has to be obtained manually with `kinit` before PAM is able to mount the SMB home directory at login

Ubuntu 14.04 file server

Ubuntu 14 server running Active Directory (AD)

Samba 4

Ubuntu 18 client (fresh install)

I have set up Ubuntu user home directories to be mounted via PAM and SMB/CIFS.

A test directory mounts via CIFS manually, but not when invoked by PAM at login. Error -13 seems to indicate a permission error, but adding some permissions to the file does not help. Besides, the permissions should be obtained from the AD user who logged in (hence no password is requested).

APT

libmount1/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
libpam-mount/bionic-updates,now 2.16-3ubuntu0.1 amd64 [installed]
mount/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
cifs-utils/bionic,now 2:6.8-1 amd64 [installed]
libsmbclient/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]
python-samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-common/bionic-updates,bionic-updates,bionic-security,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all [installed,automatic]
samba-common-bin/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-dsdb-modules/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-libs/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0"></debug>
<!-- Volume definitions -->
<volume fstype="cifs" gid="1234" mountpoint="/mnt/AD-User" options="user=AD-User,domain=SAMBA-AD,exec,vers=3.0" path="//SMB-Server.SAMBA-AD.de/testshare"></volume>
<!-- pam_mount parameters: General tunables -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"></mntoptions>
<mntoptions require="nosuid,nodev"></mntoptions>
<!-- requires ofl from hxtools to be present -->
<logout hup="no" kill="no" term="no" wait="0"></logout>
<mkmountpoint enable="1" remove="true"></mkmountpoint>
</pam_mount>

/etc/pam.d/common-auth

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
auth optional pam_mount.so
# end of pam-auth-update config

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mount.so
# end of pam-auth-update config

Manual mount

root@logToComputerName:/#mount -t cifs -o rw,user=AD-User,domain=SAMBA-AD  \\\\SMB-Server\\testshare /mnt/AD-User
Password for AD-User@\SMB-Server\testshare: ********

root@logToComputerName:/# df -h
Filesystem Size Used Avail Use% Mounted on
udev 7,9G 0 7,9G 0% /dev
tmpfs 1,6G 2,9M 1,6G 1% /run
/dev/sda1 458G 29G 406G 7% /
(...snip...)
\\SMB-Server\testshare 23T 0 23T 0% /mnt/AD-User

PAM mount

AD-User@localTerm:~$ ssh AD-User@logToComputerName
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-20-generic x86_64)
(...snip...)
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Tue May 28 14:42:45 2019 from xxx.xxx.x8.149
AD-User@logToComputerName:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 7,9G 0 7,9G 0% /dev
tmpfs 1,6G 2,9M 1,6G 1% /run
/dev/sda1 458G 29G 406G 7% /
(...snip...)
(No mount)

/var/log/syslog (for the failed mount at PAM login)

May 28 14:51:56 logToComputerName kernel: [14958.849509] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:56 logToComputerName kernel: [14958.849518] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:56 logToComputerName kernel: [14958.849527] CIFS VFS: cifs_mount failed w/return code = -13
May 28 14:51:56 logToComputerName systemd[1]: Created slice User Slice of AD-User.
May 28 14:51:56 logToComputerName systemd[1]: Starting User Manager for UID 123456...
May 28 14:51:56 logToComputerName systemd[1]: Started Session 59 of user AD-User.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG network certificate management daemon.
May 28 14:51:57 logToComputerName systemd[16601]: Started Pending report trigger for Ubuntu Report.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Paths.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Timers.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache.
May 28 14:51:57 logToComputerName systemd[16601]: Starting D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Sockets.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Basic System.
May 28 14:51:57 logToComputerName systemd[1]: Started User Manager for UID 123456.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Default.
May 28 14:51:57 logToComputerName systemd[16601]: Startup finished in 504ms.
May 28 14:51:57 logToComputerName kernel: [14959.422369] FS-Cache: Duplicate cookie detected
May 28 14:51:57 logToComputerName kernel: [14959.422376] FS-Cache: O-cookie c=00000000439a062a [p=00000000aec79842 fl=222 nc=1 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422378] FS-Cache: O-cookie d=00000000ddea9b97 n=000000000ee78c37
May 28 14:51:57 logToComputerName kernel: [14959.422381] FS-Cache: O-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.422389] FS-Cache: N-cookie c=000000005644be78 [p=00000000aec79842 fl=2 nc=0 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422392] FS-Cache: N-cookie d=00000000ddea9b97 n=00000000c3c538f7
May 28 14:51:57 logToComputerName kernel: [14959.422393] FS-Cache: N-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.485780] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:57 logToComputerName kernel: [14959.485788] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:57 logToComputerName kernel: [14959.485798] CIFS VFS: cifs_mount failed w/return code = -13

==============

=== Update ===

==============

I changed the volume in pam_mount.conf.xml to ...

<volume fstype="cifs" mountpoint="/mnt/AD-User" options="credentials=/etc/creds,exec" path="testshare" server="SMB-Server.SAMBA-AD.de" user="*"></volume>

... with the file /etc/creds storing ...

username=AD-User
domain=SAMBA-AD
password=*********

... and it gets mounted as needed for the user AD-User. However, if I change it to ...

<volume fstype="cifs" mountpoint="/mnt/AD-User" options="sec=krb5,exec" path="testshare" server="SMB-Server.SAMBA-AD.de" user="*"></volume>

... to try to mount it using the existing Active Directory account credentials, it fails with the following error.

I cannot find a solution to this problem.

Jun  3 14:08:07 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun 3 14:08:07 logToComputerName cifs.upcall: get_tgt_time: unable to get principal
Jun 3 14:08:07 logToComputerName cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun 3 14:08:07 logToComputerName cifs.upcall: Exit status 1
Jun 3 14:08:07 logToComputerName kernel: [39762.177414] CIFS VFS: Send error in SessSetup = -126
Jun 3 14:08:07 logToComputerName kernel: [39762.177429] CIFS VFS: cifs_mount failed w/return code = -126

However, if I manually run kinit as root on the client machine and then log in to the client as AD-User in another window, it works.

root@logToComputerName:/etc/pam.d# kinit -l 10h -r 5d AD-User
Password for AD-User@SAMBA-AD.de: *********

root@logToComputerName:/etc/pam.d# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AD-User@SAMBA-AD.de

Valid starting Expires Service principal
03.06.2019 14:41:45 04.06.2019 00:41:40 krbtgt/SAMBA-AD.de@SAMBA-AD.de
renew until 08.06.2019 14:41:40

From the system log

  Jun  3 15:07:17 logToComputerName cifs.upcall: get_cachename_from_process_env: pid == 0
Jun 3 15:07:17 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun 3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: getting service ticket for SMB-Server.SAMBA-AD.de
Jun 3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: obtained service ticket
Jun 3 15:07:17 logToComputerName cifs.upcall: Exit status 0

Do I need to do something to set up the cache properly on the client before users can use it?
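An added example, not part of the original post: a Python triage of the syslog excerpts above that ties each failed `cifs_mount` to the `cifs.upcall` and NT status lines logged before it, and flags when the credential cache consulted (`krb5cc_<uid>`) belongs to a different uid than the user logging in. `triage` and `login_uid` are hypothetical names; UID 123456 is the one the syslog excerpt shows for AD-User.

```python
import re

# Log lines taken from the syslog excerpts in the post above.
SAMPLE = """\
Jun  3 14:08:07 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun 3 14:08:07 logToComputerName cifs.upcall: get_tgt_time: unable to get principal
Jun 3 14:08:07 logToComputerName cifs.upcall: Exit status 1
Jun 3 14:08:07 logToComputerName kernel: [39762.177429] CIFS VFS: cifs_mount failed w/return code = -126
May 28 14:51:56 logToComputerName kernel: [14958.849509] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:56 logToComputerName kernel: [14958.849527] CIFS VFS: cifs_mount failed w/return code = -13
"""

# Linux errno names for the two return codes that appear in those excerpts.
ERRNO = {13: "EACCES", 126: "ENOKEY"}

CCACHE = re.compile(r"cifs\.upcall: get_existing_cc: default ccache is (\S+)")
UPCALL_EXIT = re.compile(r"cifs\.upcall: Exit status (\d+)")
NTSTATUS = re.compile(r"Status code returned 0x[0-9a-f]+ (\w+)")
MOUNT_RC = re.compile(r"cifs_mount failed w/return code = -(\d+)")
CC_UID = re.compile(r"krb5cc_(\d+)")


def triage(log_text, login_uid):
    """Return one finding per failed cifs_mount, built from the lines before it."""
    findings, ctx = [], {}
    for line in log_text.splitlines():
        if m := CCACHE.search(line):
            ctx["ccache"] = m.group(1)
        elif m := UPCALL_EXIT.search(line):
            ctx["upcall_exit"] = int(m.group(1))
        elif m := NTSTATUS.search(line):
            ctx["ntstatus"] = m.group(1)
        elif m := MOUNT_RC.search(line):
            rc = int(m.group(1))
            finding = {"errno": ERRNO.get(rc, str(rc)), **ctx}
            uid = CC_UID.search(ctx.get("ccache", ""))
            # krb5cc_<uid> naming: flag a cache that belongs to another uid
            # than the user who is logging in (here uid 0, i.e. root's cache).
            finding["ccache_uid_mismatch"] = bool(uid) and int(uid.group(1)) != login_uid
            findings.append(finding)
            ctx = {}  # start fresh for the next mount attempt
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, login_uid=123456):
        print(finding)
```
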