У нас есть самба AD (4.3.11-Ubuntu), подключенная как к клиентам Windows, так и к Linux (Ubuntu 14 и Ubuntu 18)
Если я запрашиваю LDAP для этого пользователя, его параметр loginShell равен /bin/zsh. Это работало на Ubuntu 14, но при чистой установке Ubuntu 18 при входе он пытается использовать bash.
Я подтвердил, что zsh
установлен на компьютерах Ubuntu 18.
Если я добавлю запись в /etc/passwd для этого пользователя на локальном компьютере Ubuntu 18, zsh используется правильно.
Как я могу определить источник проблемы?
ПРАВКА:
Активный каталог Samba был настроен на клиентах, использующих Puppet для загрузки файлов конфигурации и выполнения любых необходимых команд. Это был процесс:
puppet init.pp
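# Joins an Ubuntu client to the Samba AD domain: installs the site package
# and ships the resolver, NSS, Kerberos, NetworkManager and Samba configs.
# Config sources are looked up per host, then per role, then a default.
class samba {
  package {'mycustompackage-samba':
    ensure  => present,
    require => Exec['apt-get-update'],
  }

  # /etc/resolv.conf becomes a symlink to a static, Puppet-shipped file;
  # systemd-resolved is stopped and disabled so it does not take the resolver over.
  file {"/etc/resolv.conf.local":
    ensure => file,
    source => "puppet:///modules/samba/resolv.conf",
    before => File['/etc/resolv.conf'],
  }
  file {"/etc/resolv.conf":
    ensure => link,
    target => "/etc/resolv.conf.local",
  }
  service {"systemd-resolved":
    ensure => stopped,
    enable => false,
  }

  file {'/etc/nsswitch.conf':
    ensure => present,
    source => [
      "puppet:///modules/samba/nsswitch.conf.${hostname}",
      "puppet:///modules/samba/nsswitch.conf.${role}",
      "puppet:///modules/samba/nsswitch.conf",
    ],
    owner  => root,
    group  => root,
    mode   => "0644",
  }

  # Mode was "644"; the four-digit form matches the other resources here.
  file {'/etc/NetworkManager/NetworkManager.conf':
    ensure => present,
    source => "puppet:///modules/samba/NetworkManager.conf",
    owner  => root,
    group  => root,
    mode   => "0644",
    before => File['/etc/resolv.conf'],
  }

  # NOTE(review): krb5.conf is normally world-readable; with 0600 only root
  # can read it, so Kerberos clients run by ordinary users (e.g. kinit) may
  # fail while root-owned daemons such as winbindd still work. Confirm intended.
  file {'/etc/krb5.conf':
    ensure => present,
    source => [
      "puppet:///modules/samba/krb5.conf.${hostname}",
      "puppet:///modules/samba/krb5.conf.${role}",
      "puppet:///modules/samba/krb5.conf",
    ],
    owner  => root,
    group  => root,
    mode   => "0600",
  }

  # The require referenced Package['h2t-samba'], which is not declared in
  # this class; it now points at the package declared above.
  file {'/etc/samba/smb.conf':
    ensure  => present,
    source  => [
      "puppet:///modules/samba/smb.conf.${hostname}",
      "puppet:///modules/samba/smb.conf.${role}",
      "puppet:///modules/samba/smb.conf",
    ],
    owner   => root,
    group   => root,
    mode    => "0644",
    require => Package['mycustompackage-samba'],
  }

  # Static hosts entry for the domain controller (also the first nameserver
  # in resolv.conf), so the DC resolves even if DNS is down.
  host {'Servername.redacted.de':
    ip           => 'xxx.yyy.zzz.9',
    host_aliases => ["Servername"],
  }
}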
smb.conf
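[global]
; Domain member configuration: this host authenticates to the AD domain
; (security = ads) and uses both secrets.tdb and the machine keytab.
workgroup = RedactedDomainName
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = RedactedDomainName.redacted.de
security = ads
preferred master = no
encrypt passwords = true
; Level 3 is verbose for a production client; one log per connecting machine (%m).
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups
; Enumeration makes getent list every domain user/group; cheap on a small
; domain, expensive on a large one.
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = Yes
; NOTE(review): loginShell/unixHomeDirectory from AD are only used when
; winbind honours rfc2307 for the domain's idmap backend. With the rid
; backend below, older Samba releases ignore them and fall back to
; "template shell"/"template homedir", which would explain bash being
; chosen. Confirm against the Samba version on the Ubuntu 18 clients.
winbind nss info = rfc2307
; NOTE(review): the default (*) range and the domain range are identical.
; idmap ranges are expected not to overlap; check with testparm. Moving a
; range changes the UIDs/GIDs already assigned, so do not change it blindly.
idmap config * : backend = tdb
idmap config * : range = 1000-999999
idmap config RedactedDomainName : backend = rid
idmap config RedactedDomainName : range = 1000-999999
idmap config RedactedDomainName : base_rid = 0
;template primary group = "redactedPrimaryGroup"
winbind rpc only = no
; Fallbacks used when no per-user values are obtained from AD.
template homedir = /share/homes/all/%U
template shell = /bin/bash
; A duplicate "client use spnego = yes" (already set above) was removed.
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = IPTOS_LOWDELAY TCP_NODELAY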
NetworkManager.conf
[main]
plugins=ifupdown,keyfile
# "none": NetworkManager never writes /etc/resolv.conf, which Puppet
# ships as a static file on these hosts.
dns=none
[ifupdown]
# Interfaces declared in /etc/network/interfaces stay under ifupdown.
managed=false
[device]
# Use the real hardware MAC while scanning for Wi-Fi networks
# (randomisation disabled). Presumably needed for MAC-based network
# admission; it does expose the hardware address to nearby APs -- confirm.
wifi.scan-rand-mac-address=no
krb5.conf
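[libdefaults]
default_realm = RedactedDomainName.redacted.de
# Ticket lifetimes. krb5.conf only treats whole lines starting with "#" as
# comments, so the stray "#" that followed 24h was part of the value; it
# has been removed.
ticket_lifetime = 24h
renew_lifetime = 7d
# The following krb5.conf variables are only for MIT Kerberos.
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
RedactedDomainName.redacted.de = {
    # KDC and admin server are the same host, matching the Puppet host
    # entry. kdc previously read "Servrname", which does not match the
    # name used everywhere else.
    kdc = Servername.redacted.de
    admin_server = Servername.redacted.de
    default_domain = RedactedDomainName.redacted.de
}
[domain_realm]
.RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
RedactedDomainName.redacted.de = RedactedDomainName.redacted.de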
nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# Users and groups: local files first (compat), then systemd's dynamic
# users, then AD through winbindd. "sss" is not listed, so the shipped
# /etc/sssd/sssd.conf is never consulted for passwd/group lookups.
passwd: compat systemd winbind
group: compat systemd winbind
# Local shadow entries only; domain users have none here (presumably they
# authenticate through pam_winbind -- confirm the PAM stack).
shadow: compat
gshadow: files
# mdns4_minimal answers only .local names, so [NOTFOUND=return] stops
# there and AD names under redacted.de still reach DNS.
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# NOTE(review): none of the managed files set up NIS; this looks like the
# Ubuntu default and is probably inert.
netgroup: nis
resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# NOTE(review): despite the header above, this copy is shipped by Puppet as
# /etc/resolv.conf.local and symlinked to /etc/resolv.conf with
# systemd-resolved disabled; the header is misleading and could be dropped.
# First entry is the domain controller (same address as the Puppet host
# entry); the other two are presumably additional resolvers -- confirm.
nameserver xxx.yyy.zzz.9
nameserver xxx.yyy.zzz.90
nameserver xxx.yyy.zzz.91
# Single-label names are completed with the AD domain.
search redacted.de
sssd.conf
[sssd]
# sssd expects this file to be root-owned and mode 0600; it refuses to
# start otherwise. The Puppet class shown does not ship this file.
# Only the NSS and PAM responders are started.
services = nss, pam
config_file_version = 2
domains = RedactedDomainName.redacted.de
# NOTE(review): the shipped nsswitch.conf lists "winbind" and not "sss"
# for passwd/group, so this domain is not consulted for lookups unless
# nsswitch.conf is changed.
[domain/RedactedDomainName.redacted.de]
id_provider = ad
# "ad" access control: sssd checks the account state on the DC -- confirm
# this is the intended policy source rather than GPO/host filters.
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
# NOTE(review): the comment above describes /home/<domain>/<user>, for
# which sssd documents %d; %g is not an expansion I can confirm here. This
# layout also differs from "template homedir" in smb.conf. Check which is
# intended.
override_homedir = /home/%g/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
# NOTE(review): the value below contradicts the comment above; with
# enumerate = true sssd downloads every user and group in the domain.
enumerate = true
Не могли бы вы воспроизвести шаги, предпринятые для интеграции клиентов Ubuntu в AD?
Если вы используете sssd
, вы можете проверить, что значение sss
установлено для passwd в вашем nsswitch.conf
, например passwd: files sss
Правка: я вижу два возможных момента:
замените template shell = /bin/bash на template shell = /bin/zsh внутри smb.conf, чтобы установить его глобально
измените запись passwd
в nsswitch.conf на passwd: compat systemd winbind sss
, чтобы sssd разрешал атрибуты passwd
Похоже, что winbind не сопоставляет атрибут LDAP с локальной базой passwd через nsswitch. nsswitch, winbind и sssd — это области, которые стоит изучить дальше.