Configure the computer name, IP address and search domain (kylinipa.com).
ping kylinipa.com gets a reply from the domain server.
apt-get install realmd sssd sssd-tools libnss-sss libpam-sss adcli
root@client1:~# realm discover kylinipa.com
kylinipa.com
  type: kerberos
  realm-name: KYLINIPA.COM
  domain-name: kylinipa.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
Configure the login screen to allow typing a username:
vi /usr/share/lightdm/lightdm.conf.d/95-ukui-greeter.conf
Append greeter-show-manual-login=true at the end of the file.
Set the user's home directory to be created automatically at login:
pam-auth-update --add mkhomedir
In the dialog that pops up, tick "Create home directory on login".
Join the domain:
adcli join kylinipa.com -U administrator
vi /etc/nsswitch.conf and append sss to the following two lines:
passwd: files kim sss
group: files kim sss
vi /etc/sssd/sssd.conf
[sssd]
domains = kylinipa.com
config_file_version = 2
services = nss, pam
[domain/kylinipa.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
ad_domain = KYLINIPA.COM
krb5_realm = KYLINIPA.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True
ldap_min_id = 10000
ldap_max_id = 100000
ldap_idmap_range_min = 10000
ldap_idmap_range_max = 100000
ldap_idmap_range_size = 1000
access_provider = ad
After saving, change the file permissions to 600: chmod 600 /etc/sssd/sssd.conf
Restart the sssd service: systemctl restart sssd
Querying the AD domain information again now shows a change:
root@client1:~# realm list
KYLINIPA.COM
  type: kerberos
  realm-name: KYLINIPA.COM
  domain-name: kylinipa.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
root@client1:~# id user
uid=45105(user) gid=27513(domain users) 组=27513(domain users),121(lpadmin)
root@client1:~# getent passwd user
user:*:45105
The user account on the domain controller can now be looked up.
root@client1:~# kinit user
Password for user@KYLINIPA.COM:
root@client1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@KYLINIPA.COM
But logging in as user fails in the end:
root@client1:~# su user
拒绝访问。
su: 拒绝权限
After clearing /var/log/auth.log and running su user again, the log contains:
Apr 21 15:33:09 client1 su: FAILED SU (to user) lyh on pts/1
I am a beginner, please advise!
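As an added example that is not part of the original post, the POSIX shell script below sanity-checks an sssd.conf and nsswitch.conf pair like the ones configured above: the 600 mode sssd insists on, the consistency of the ID-mapping ranges, and the presence of sss on the passwd and group lines. It assumes GNU stat and sed; both file paths are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# sssd.conf / nsswitch.conf pair configured above. Paths are passed as arguments
# so the checks can run against copies. Assumes GNU stat and sed.
# Print the value of "key = value" from a config file (first match, empty if absent).
conf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }
# sssd rejects an sssd.conf readable by other users: require mode 600, as the post does.
check_sssd_perms() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = "600" ] || { echo "sssd.conf mode is $mode, expected 600"; return 1; }
}
# The idmap range must lie inside [ldap_min_id, ldap_max_id] and be at least one
# ldap_idmap_range_size wide, otherwise sssd cannot allocate a slice for the domain.
check_idmap_ranges() {
    min=$(conf_get "$1" ldap_min_id); max=$(conf_get "$1" ldap_max_id)
    rmin=$(conf_get "$1" ldap_idmap_range_min); rmax=$(conf_get "$1" ldap_idmap_range_max)
    size=$(conf_get "$1" ldap_idmap_range_size)
    for v in "$min" "$max" "$rmin" "$rmax" "$size"; do
        case $v in ''|*[!0-9]*) echo "missing or non-numeric idmap setting"; return 1;; esac
    done
    [ "$rmin" -ge "$min" ] && [ "$rmax" -le "$max" ] ||
        { echo "idmap range $rmin-$rmax outside ldap id range $min-$max"; return 1; }
    [ $((rmax - rmin)) -ge "$size" ] ||
        { echo "idmap range narrower than ldap_idmap_range_size=$size"; return 1; }
}
# A UID that sssd hands out (45105 for "user" in the post) must fall inside the range.
uid_in_idmap_range() {
    rmin=$(conf_get "$1" ldap_idmap_range_min); rmax=$(conf_get "$1" ldap_idmap_range_max)
    [ "$2" -ge "$rmin" ] && [ "$2" -le "$rmax" ]
}
# Without "sss" on the passwd and group lines, id/getent never consult sssd.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$1" ||
            { echo "nsswitch: $db line lacks sss"; return 1; }
    done
}
# Run every check; the exit status is non-zero if any of them fails.
check_all() {
    rc=0
    check_sssd_perms "$1" || rc=1
    check_idmap_ranges "$1" || rc=1
    check_nsswitch "$2" || rc=1
    return $rc
}
# Usage: sh check_sssd.sh /etc/sssd/sssd.conf /etc/nsswitch.conf
if [ "$#" -ge 2 ]; then check_all "$1" "$2"; fi
```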