it-swarm-ja.com

PBIS auth.log要件「user ingroup nopasswdlogin」がユーザー「[email protected]」によって満たされていません

Windows AD資格情報を使用してUbuntu 16.04マシンにログインしたいのですが。 Beyondtrustバージョン8.5.2.265のPBIS(PowerBroker Identity Services)ADブリッジを使用しています。 Windows版はWindows Server 2012 R2です。

これらのエラーは、/ var/log/auth.logにポップアップ表示されます。

Jan 16 08:34:51 [HOSTNAME] lightdm: PAM adding faulty module: pam_kwallet5.so
Jan 16 08:34:59 [HOSTNAME] lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "[email protected]"
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session closed for user root
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]User [email protected] is denied access because they are not in the 'require membership of' list
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:[email protected]][error code:40158]
Jan 16 08:35:07 [HOSTNAME] systemd-logind[1050]: Removed session c2.

/ opt/pbis/bin/enum-groupsからコピーしたセキュリティグループ "domain ^ users"と一致するように構成オプションRequireMembershipOfを変更しました

/ opt/pbis/bin/config --dumpのオプション:

AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "winsrv.local"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "domain^users"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC

/etc/pam.d/common-sessionファイル:

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_lsass.so
session required        pam_unix.so
session optional        pam_systemd.so
session optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

/etc/pam.d/common-authファイル:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_lsass.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

/etc/pam.d/common-accountファイル:

# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore]         pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore]        pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
2
Xenioz

同じ問題を解決しました。持っていた

pam_succeed_if(lightdm:auth):要件「user ingroup nopasswdlogin」がユーザー「xxxxxxx」で満たされていません

aD認証のある環境では、Windows 2016、ubuntu 16.04。

ソリューション

編集/etc/pam.d/lightdmおよびnopasswdloginをこの行から削除します。

auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
2
Hugo