Active-Directory
AD users cannot log in through GDM/LightDM
I set up Winbind & Kerberos on my CentOS 7 server to allow network users to log in. Network users can log in fine over SSH, but not through the display manager. I have hit the same problem with both LightDM and GDM.
Local users can log in normally. For network users, when they log in it accepts their password but kicks them back to the login screen.
I have been poking at this all day, tweaking PAM settings to see if I could get it to work. I also disabled SELinux and rebooted the server to rule that out. Does anyone know what might be going wrong here?
Here are the logs from a network user logging in:
System log:
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mmoyles
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_krb5[10471]: TGT verified using key for 'host/iisfyblabetl001.incite.local@INCITE.LOCAL'
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_krb5[10471]: authentication succeeds for 'mmoyles' (mmoyles@INCITE.LOCAL)
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_winbind(lightdm:account): user 'mmoyles' granted access
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[9639]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: New session 29 of user mmoyles.
-- Subject: A new session 29 has been created for user mmoyles
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID 29 has been created for the user mmoyles.
--
-- The leading process of the session is 10471.
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd[1]: Started Session 29 of user mmoyles.
-- Subject: Unit session-29.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-29.scope has finished starting up.
--
-- The start-up result is done.
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd[1]: Starting Session 29 of user mmoyles.
-- Subject: Unit session-29.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-29.scope has begun starting up.
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:session): session opened for user mmoyles by (uid=0)
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10471]: pam_unix(lightdm:session): session closed for user mmoyles
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: Removed session 29.
-- Subject: Session 29 has been terminated
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A session with the ID 29 has been terminated.
Jul 03 16:15:01 iisfyblabetl001.incite.local lightdm[10517]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jul 03 16:15:01 iisfyblabetl001.incite.local systemd-logind[679]: New session c19 of user lightdm.
-- Subject: A new session c19 has been created for user lightdm
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID c19 has been created for the user lightdm.
lightdm.log:
[+1215.10s] DEBUG: Seat: Greeter stopped, running session
[+1215.10s] DEBUG: Registering session with bus path /org/freedesktop/DisplayManager/Session6
[+1215.10s] DEBUG: Session pid=10471: Running command /etc/X11/xinit/Xsession mate-session
[+1215.10s] DEBUG: Creating shared data directory /var/lib/lightdm-data/mmoyles
[+1215.10s] DEBUG: Session pid=10471: Logging to .xsession-errors
[+1215.14s] DEBUG: Activating VT 1
[+1215.14s] DEBUG: Activating login1 session 29
[+1215.17s] DEBUG: Session pid=10471: Exited with return value 0
[+1215.17s] DEBUG: Seat: Session stopped
[+1215.17s] DEBUG: Seat: Stopping display server, no sessions require it
[+1215.17s] DEBUG: Sending signal 15 to process 9627
[+1215.24s] DEBUG: Process 9627 exited with return value 0
[+1215.24s] DEBUG: DisplayServer x-0: X server stopped
[+1215.24s] DEBUG: Releasing VT 1
[+1215.24s] DEBUG: DisplayServer x-0: Removing X server authority /var/run/lightdm/root/:0
[+1215.24s] DEBUG: Seat: Display server stopped
[+1215.24s] DEBUG: Seat: Active display server stopped, starting greeter
[+1215.24s] DEBUG: Seat: Creating greeter session
[+1215.24s] DEBUG: Seat: Creating display server of type x
[+1215.24s] DEBUG: Using VT 1
[+1215.24s] DEBUG: Seat: Starting local X display on VT 1
[+1215.24s] DEBUG: DisplayServer x-0: Logging to /var/log/lightdm/x-0.log
[+1215.24s] DEBUG: DisplayServer x-0: Writing X server authority to /var/run/lightdm/root/:0
[+1215.24s] DEBUG: DisplayServer x-0: Launching X Server
[+1215.24s] DEBUG: Launching process 10509: /usr/bin/X -background none :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt1 -novtswitch
[+1215.24s] DEBUG: DisplayServer x-0: Waiting for ready signal from X server :0
[+1215.42s] DEBUG: Got signal 10 from process 10509
[+1215.43s] DEBUG: DisplayServer x-0: Got signal from X server :0
[+1215.43s] DEBUG: DisplayServer x-0: Connecting to XServer :0
[+1215.43s] DEBUG: Seat: Display server ready, starting session authentication
[+1215.43s] DEBUG: Session pid=10517: Started with service 'lightdm-greeter', username 'lightdm'
[+1215.44s] DEBUG: Session pid=10517: Authentication complete with return value 0: Success
[+1215.44s] DEBUG: Seat: Session authenticated, running command
[+1215.44s] DEBUG: Session pid=10517: Running command /usr/sbin/lightdm-gtk-greeter
[+1215.44s] DEBUG: Creating shared data directory /var/lib/lightdm-data/lightdm
[+1215.44s] DEBUG: Session pid=10517: Logging to /var/log/lightdm/x-0-greeter.log
[+1215.44s] DEBUG: Activating VT 1
[+1215.44s] DEBUG: Activating login1 session c19
[+1215.46s] DEBUG: Session pid=10517: Greeter connected version=1.10.6
[+1215.69s] DEBUG: Session pid=10517: Greeter start authentication
[+1215.69s] DEBUG: Session pid=10535: Started with service 'lightdm', username '(null)'
[+1215.70s] DEBUG: Session pid=10535: Got 1 message(s) from PAM
[+1215.70s] DEBUG: Session pid=10517: Prompt greeter with 1 message(s)
[+1215.73s] DEBUG: User /org/freedesktop/Accounts/User1000 changed
[+1215.74s] DEBUG: User /org/freedesktop/Accounts/User11092 changed
[+1215.74s] DEBUG: User /org/freedesktop/Accounts/User1001 changed
pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
#auth       requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
#account    sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
pam.d/lightdm
#%PAM-1.0
auth        [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        required      pam_env.so
auth        substack      system-auth
-auth       optional      pam_gnome_keyring.so
-auth       optional      pam_kwallet5.so
-auth       optional      pam_kwallet.so
auth        include       postlogin

account     required      pam_nologin.so
account     include       system-auth

password    include       system-auth

session     optional      pam_selinux.so close
session     optional      pam_loginuid.so
session     optional      pam_console.so
-session    optional      pam_ck_connector.so
session     optional      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     optional      pam_namespace.so
-session    optional      pam_gnome_keyring.so auto_start
-session    optional      pam_kwallet5.so
-session    optional      pam_kwallet.so
session     include       system-auth
session     optional      pam_lastlog.so silent
session     include       postlogin
The .xsession-errors file in the network user's home directory is empty, and it does seem to create a .Xauthority file in the home directory.
Well, I feel stupid... After fighting this for 3 days, the cause was that I had a .profile in /etc/skel that set SHELL=/bin/bash, so pam_mkhomedir was adding this file for new domain users, but it was not on my local accounts.
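The logs above already point away from PAM and at the session command: pam_krb5 and pam_winbind both succeed, the session is opened and closed within the same second, and lightdm reports /etc/X11/xinit/Xsession "Exited with return value 0". What remained was a difference between the homes that pam_mkhomedir populated from /etc/skel and the older local homes. The script below is an added example, not code from the original post, that checks for this class of problem: it scans the startup files a display-manager session or login shell sources for lines that reassign SHELL, DISPLAY, XAUTHORITY or HOME or exec/exit the session shell (going beyond the single SHELL= line in the post), and lists skeleton files a given home never received. The dotfile list, the pattern and the constructed sample directories are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the startup files that
# /etc/X11/xinit/Xsession or a login shell sources for lines that can end a
# display-manager session as soon as it starts, and reports skeleton files a
# given home never received. The file list, the pattern and the constructed
# sample directories are assumptions made for illustration.

# Startup files a session or login shell may source (assumed list).
DOTFILES=".profile .bash_profile .bashrc .xprofile .xsession .xsessionrc .Xclients"

# Suspicious in a session-sourced file: reassigning SHELL, DISPLAY, XAUTHORITY
# or HOME, or an exec/exit/logout that replaces or ends the session's shell.
PATTERN='^[[:space:]]*(export[[:space:]]+)?(SHELL|DISPLAY|XAUTHORITY|HOME)=|^[[:space:]]*(exec|exit|logout)([[:space:]]|$)'

# audit_dir DIR: print "path:line:text" for each suspicious line in DIR's dotfiles.
audit_dir() {
    d=$1
    for f in $DOTFILES; do
        [ -f "$d/$f" ] || continue
        # grep exits 1 on no match; the pipeline's status is sed's, so this
        # stays safe under 'set -e'. sed prefixes the path (portable, no grep -H).
        grep -nE "$PATTERN" "$d/$f" 2>/dev/null | sed "s|^|$d/$f:|"
    done
    return 0
}

# count_hits DIR: number of suspicious lines (0 means the directory is clean).
count_hits() {
    audit_dir "$1" | wc -l | tr -d ' '
}

# missing_in HOME SKEL: dotfiles present in SKEL but absent from HOME. This is
# the asymmetry in the post: the mkhomedir module copied /etc/skel into new
# domain users' homes, while accounts created earlier never got the file.
missing_in() {
    h=$1
    s=$2
    for f in $DOTFILES; do
        [ -f "$s/$f" ] && [ ! -e "$h/$f" ] && echo "$f"
    done
    return 0
}

# make_sample DIR: constructed sample data (not taken from the post's server):
# a skeleton with a .profile that sets SHELL, and a local home without it.
make_sample() {
    mkdir -p "$1/skel" "$1/localuser"
    printf 'SHELL=/bin/bash\nexport SHELL\n' > "$1/skel/.profile"
    printf '# harmless\nalias ll="ls -l"\n' > "$1/skel/.bashrc"
    cp "$1/skel/.bashrc" "$1/localuser/.bashrc"
}

# Stand-alone run against the constructed sample. On a real host you would
# call audit_dir /etc/skel and audit_dir /home/<user> instead.
sample=$(mktemp -d)
make_sample "$sample"
echo "suspicious lines in $sample/skel ($(count_hits "$sample/skel") found):"
audit_dir "$sample/skel"
echo "skeleton files missing from $sample/localuser:"
missing_in "$sample/localuser" "$sample/skel"
rm -rf "$sample"
```

Run it against /etc/skel and against one working and one failing home; a hit that appears only in the failing home, or a skeleton file that the working home lacks, is the first thing to remove and retest. The pattern is deliberately narrow so it does not flag ordinary PATH or alias lines.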