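Why did PAM break after installing nis?

I am a software engineer with some sysadmin experience, currently trying to set up some Linux infrastructure at a new workplace that previously had only Windows infrastructure. For political reasons, I cannot simply integrate with the current Active Directory setup and must start from scratch. I am using Debian.

I am currently trying to set up Kerberos, LDAP, NFS and NIS. I believe I have the servers set up correctly and everything working, since I have tested logging in with Kerberos and the NIS client has been talking to the server, and I can also mount NFS drives.

Since installing nis on the client, I cannot log in, even with the root account, unless I boot into recovery mode.

I have been trying to solve this for a day and a half now, and I am out of ideas.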
Here is what I believe to be the problem, as PAM is outputting this to `/var/log/auth.log`:

```
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
systemd-logind[667]: New session c1 of user lightdm.
systemd: PAM (other) illegal module type: passwd:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: group:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: shadow:
systemd: PAM pam_parse: expecting return value; [...compat]
systemd: PAM (other) illegal module type: gshadow:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: PAM (other) no module name supplied
systemd: PAM (other) illegal module type: hosts:
systemd: PAM pam_parse: expecting return value; [...files]
systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: pam_krb5(lightdm:auth): user billy authenticated as billy@PROPACK
lightdm: PAM (lightdm) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (lightdm) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (lightdm) no module name supplied
lightdm: PAM (lightdm) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) illegal module type: passwd:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: group:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: shadow:
lightdm: PAM pam_parse: expecting return value; [...compat]
lightdm: PAM (other) illegal module type: gshadow:
lightdm: PAM pam_parse: expecting return value; [...files]
lightdm: PAM (other) no module name supplied
lightdm: PAM (other) illegal module type: hosts:
lightdm: PAM pam_parse: expecting return value; [...files]
```
I'm not quite sure why this is. This all started after installing the nis package on the client, but I don't think nis is the problem, since it is talking to the server, judging from the output of `systemctl status nis`:

```
systemd[1]: Starting LSB: Start NIS client and server daemons....
nis[1348]: Setting NIS domainname to: domain.
nis[1348]: Starting NIS services: ypbind.
systemd[1]: Started LSB: Start NIS client and server daemons..
```
I have also uninstalled nis (since installing nis is when this started) and rebooted, and the problem persists.
I have checked the dependencies of nis, but I can't see why any of them would cause this to happen. I believe PAM is parsing my `/etc/nsswitch.conf` file, which you can see below if needed.

```
passwd:         compat files systemd nis
group:          compat files systemd nis
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
If you need any other information to help debug this, please let me know.

Edit:
`/etc/pam.d/other` contents:

```
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session
```
`/etc/pam.d/lightdm` contents:

```
#%PAM-1.0

# Block login if they are globally disabled
auth      requisite pam_nologin.so

# Load environment from /etc/environment and ~/.pam_environment
session   required  pam_env.so readenv=1
session   required  pam_env.so readenv=1 envfile=/etc/default/locale

@include common-auth

-auth     optional  pam_gnome_keyring.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session   required  pam_limits.so
session   required  pam_loginuid.so
@include common-session

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

-session  optional  pam_gnome_keyring.so auto_start

@include common-password
```
`/etc/pam.d/common-session`, as requested:

```
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session optional        pam_sss.so
session optional        pam_ldap.so
session optional        pam_systemd.so
# end of pam-auth-update config
passwd: compat systemd nis
group: compat systemd nis
shadow: compat nis
gshadow: files

hosts: files dns nis
```
Update: I have switched to sssd as suggested by @Michael Ströder, but this has not changed anything.
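At the end of your `/etc/pam.d/common-session`, there seems to be a (partial?) copy of `/etc/nsswitch.conf`:

```
# end of pam-auth-update config
passwd: compat systemd nis    <--
group: compat systemd nis     <-- These lines definitely
shadow: compat nis            <-- don't belong here!
gshadow: files                <--
                              <--
hosts: files dns nis          <--
```

This could be a simple copy/paste accident, or an error in the documentation you have been following.

`pam-auth-update`, the tool Debian uses to update the PAM configuration when packages are installed or removed, uses templates located in `/usr/share/pam-configs`, but since the erroneous lines are located after the `# end of pam-auth-update config` comment line, my bet is on a manual editing mistake.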
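
The check the answer does by eye, as an added example that is not part of the original answer: a shell function that flags lines in a PAM service file whose first field is not a module type, which is the condition behind the "illegal module type" messages in the log above. The function name `pam_lint` is made up for this example, and the sample file is constructed from the tail of the `common-session` shown in the question.

```shell
#!/bin/sh
# Added example (not from the original post): report lines in a PAM service
# file whose first field is not a PAM module type.

pam_lint() {
    # $1: file in /etc/pam.d format (type control module [args])
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # blank lines and comments
        $1 == "@include"     { next }    # include directive used by Debian
        {
            type = tolower($1)           # Linux-PAM matches types case-insensitively
            sub(/^-/, "", type)          # leading "-": stay quiet if the module is missing
            if (type !~ /^(auth|account|password|session)$/)
                printf "%s:%d: illegal module type: %s\n", FILENAME, FNR, $1
            else if (NF < 3)
                printf "%s:%d: incomplete rule: %s\n", FILENAME, FNR, $0
        }
    ' "$1"
}

# Constructed sample: the tail of the common-session file shown in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
session optional        pam_systemd.so
# end of pam-auth-update config
passwd: compat systemd nis
group: compat systemd nis
shadow: compat nis
gshadow: files

hosts: files dns nis
EOF

pam_lint "$sample"    # five findings: passwd:, group:, shadow:, gshadow:, hosts:
rm -f "$sample"

# On a live system: for f in /etc/pam.d/*; do pam_lint "$f"; done
```

Because PAM only logs these parse errors and carries on with whatever rules remain, running a check like this after any manual edit under `/etc/pam.d` catches the mistake before the next login attempt does.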