Ubuntu 18 игнорирует атрибут loginShell пользователя Samba AD (установлен в ZSH, но пользователь получает BASH после входа в систему)

У нас есть самба AD (4.3.11-Ubuntu), подключенная как к клиентам Windows, так и к Linux (Ubuntu 14 и Ubuntu 18)

Если я запрашиваю LDAP для этого пользователя, его параметр loginShell равен /bin/zsh. Это работало на Ubuntu 14, но при чистой установке Ubuntu 18 при входе используется bash.

Я подтвердил, что zsh установлен на компьютерах Ubuntu 18.

Если я добавлю запись в /etc/passwd для этого пользователя на локальной машине с Ubuntu 18, zsh используется корректно.

Как я могу определить источник проблемы?

РЕДАКТИРОВАТЬ:

Интеграция с Samba Active Directory настраивалась на клиентах через Puppet, который загружает файлы конфигурации и выполняет необходимые команды. Процесс был таким:

puppet init.pp

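# Joins an Ubuntu client to the Samba AD domain: installs the site Samba
# package, pins a static resolver configuration (systemd-resolved is stopped),
# and ships the nsswitch/krb5/smb/NetworkManager files, picking the most
# specific source that exists on the Puppet server (per-host, then per-role,
# then the module default).
class samba {
    # Exec['apt-get-update'] is declared elsewhere in the manifest set.
    package {'mycustompackage-samba':
        ensure  => present,
        require => Exec['apt-get-update'],
    }
    # The real resolver file lives here; /etc/resolv.conf becomes a symlink to
    # it, so it must exist before the link is created.
    file {"/etc/resolv.conf.local":
        ensure => file,
        source => "puppet:///modules/samba/resolv.conf",
        before => File['/etc/resolv.conf'],
    }
    file {"/etc/resolv.conf":
        ensure => link,
        target => "/etc/resolv.conf.local",
    }
    # systemd-resolved would otherwise rewrite /etc/resolv.conf at boot.
    service {"systemd-resolved":
        ensure => false,
        enable => false,
    }
    file {'/etc/nsswitch.conf':
        source => [
                "puppet:///modules/samba/nsswitch.conf.${hostname}",
                "puppet:///modules/samba/nsswitch.conf.${role}",
                "puppet:///modules/samba/nsswitch.conf",
            ],
        owner  => root,
        group  => root,
        mode   => "0644",
        ensure => present,
    }
    # dns=none in this file keeps NetworkManager from touching resolv.conf,
    # so it has to be in place before the symlink is made.
    file {'/etc/NetworkManager/NetworkManager.conf':
        source => "puppet:///modules/samba/NetworkManager.conf",
        owner  => root,
        group  => root,
        mode   => "0644",
        ensure => present,
        before => File['/etc/resolv.conf'],
    }
    file {'/etc/krb5.conf':
        source => [
                "puppet:///modules/samba/krb5.conf.${hostname}",
                "puppet:///modules/samba/krb5.conf.${role}",
                "puppet:///modules/samba/krb5.conf",
            ],
        owner  => root,
        group  => root,
        # NOTE(review): 0600 makes krb5.conf unreadable to non-root processes
        # (the packaged default is world-readable); confirm this is intended,
        # since user-level Kerberos tools cannot read realm settings otherwise.
        mode   => "0600",
        ensure => present,
    }
    file {'/etc/samba/smb.conf':
        source => [
                "puppet:///modules/samba/smb.conf.${hostname}",
                "puppet:///modules/samba/smb.conf.${role}",
                "puppet:///modules/samba/smb.conf",
            ],
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => "0644",
        # Was Package['h2t-samba'], which is not declared in this class; the
        # package resource above is 'mycustompackage-samba', so the catalog
        # would fail on an unknown dependency.
        require => Package['mycustompackage-samba'],
    }
    # Static entry for the server that krb5.conf names as kdc/admin_server, so
    # it resolves even before DNS is in place.
    host {'Servername.redacted.de':
        ip           => 'xxx.yyy.zzz.9',
        host_aliases => ["Servername"],
    }
}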

smb.conf

# Samba domain-member configuration pushed to the Ubuntu clients by Puppet.
[global]
    workgroup = RedactedDomainName
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = RedactedDomainName.redacted.de
    security = ads
    preferred master = no
    encrypt passwords = true
    # Level 3 is verbose for production use; log.%m gives one file per client.
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50
    printcap name = cups
    printing = cups
    # Enumeration makes getent passwd/group pull the whole directory from the DC.
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    winbind refresh tickets = Yes
    # rfc2307 asks winbind to read loginShell/unixHomeDirectory from AD. Per the
    # Samba idmap documentation this is only honoured with the "ad" idmap
    # backend; with the "rid" backend configured below winbind uses
    # "template shell"/"template homedir" instead. That matches the symptom
    # of every user getting /bin/bash -- confirm against the installed version.
    winbind nss info = rfc2307
    # NOTE(review): the "*" range and the domain range are identical; Samba
    # expects the ranges of different idmap backends not to overlap.
    idmap config * : backend = tdb
    idmap config * : range = 1000-999999
    idmap config RedactedDomainName : backend = rid
    idmap config RedactedDomainName : range=1000-999999
    idmap config RedactedDomainName : base_rid = 0
    ;template primary group = "redactedPrimaryGroup"
    winbind rpc only = no
    # Applied to every domain user while the rid backend is in effect.
    template homedir = /share/homes/all/%U
    template shell = /bin/bash
    # Duplicate of the setting near the top of this section (same value).
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2
    socket options = IPTOS_LOWDELAY TCP_NODELAY

NetworkManager.conf

# NetworkManager settings shipped by Puppet together with the static resolv.conf.
[main]
plugins=ifupdown,keyfile
# Do not manage /etc/resolv.conf; it is a Puppet-managed symlink to resolv.conf.local.
dns=none
[ifupdown]
# Interfaces configured via ifupdown are left alone by NetworkManager.
managed=false
[device]
# NOTE(review): disables MAC address randomisation during Wi-Fi scans, so the
# hardware address is visible while scanning; confirm this is required here.
wifi.scan-rand-mac-address=no

krb5.conf

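# Kerberos client configuration for the Samba AD realm (deployed by Puppet).
[libdefaults]
    default_realm = RedactedDomainName.redacted.de
    ticket_lifetime = 24h
    renew_lifetime = 7d
# The following krb5.conf variables are only for MIT Kerberos.
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
    RedactedDomainName.redacted.de = {
        # Fixed: was "Servrname", which matches neither admin_server below nor
        # the host{} entry in the Puppet manifest and is unlikely to resolve.
        kdc = Servername.redacted.de
        admin_server = Servername.redacted.de
        default_domain = RedactedDomainName.redacted.de
        }
[domain_realm]
    .RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
    RedactedDomainName.redacted.de = RedactedDomainName.redacted.de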

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#
# passwd/group: local files first, then systemd's dynamic users, then winbind.
# There is no "sss" module here, so the sssd.conf deployed alongside is not
# consulted for these lookups; the shell and home directory a login receives
# are whatever winbind returns.
passwd:         compat systemd winbind
group:          compat systemd winbind
# shadow stays local; domain password checks presumably go through PAM,
# not through this database.
shadow:         compat
gshadow:        files
# mdns4_minimal is asked before dns, and a .local name it does not find stops
# the lookup ([NOTFOUND=return]) instead of reaching the AD DNS servers.
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
# netgroups come from NIS only; neither winbind nor sss is listed.
netgroup:       nis

resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
# NOTE: the header above is inherited from a resolvconf-generated file. This
# copy is installed by Puppet as /etc/resolv.conf.local, with /etc/resolv.conf
# symlinked to it and systemd-resolved disabled, so it is static and is not
# regenerated on the host; changes belong in the Puppet module.
# The first nameserver is the server the manifest's host{} entry and krb5.conf
# point at (KDC/admin_server).
nameserver xxx.yyy.zzz.9
nameserver xxx.yyy.zzz.90
nameserver xxx.yyy.zzz.91
search redacted.de

sssd.conf

# sssd configuration for the AD domain. The nsswitch.conf shipped with it lists
# no "sss" module for passwd/group, so the id_provider settings below currently
# have no effect on NSS lookups (winbind answers them); whether PAM uses
# pam_sss is not visible from these files.
# NOTE(review): sssd expects this file to be root-owned with mode 0600; it is
# not managed by the Puppet class shown, so confirm how it is deployed.
[sssd]
services = nss, pam
config_file_version = 2
domains = RedactedDomainName.redacted.de
[domain/RedactedDomainName.redacted.de]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
# NOTE: differs from smb.conf's "template homedir = /share/homes/all/%U"; the
# provider that answers the lookup decides which home directory a user gets.
override_homedir = /home/%g/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
# NOTE(review): enumeration is nevertheless switched on here, contradicting the
# line above; confirm it is needed, as it pulls the whole domain on getent.
enumerate = true
задан 8 May 2019 в 17:58
1 ответ

Не могли бы вы привести шаги, которые выполнялись для интеграции клиентов Ubuntu в AD? Если вы используете sssd, проверьте, что для passwd в вашем nsswitch.conf указан модуль sss, например passwd: files sss

редактировать: Я вижу два возможных момента:

  • замените template shell = /bin/bash на template shell = /bin/zsh в smb.conf, чтобы задать оболочку глобально

  • измените запись passwd в nsswitch.conf на passwd: compat systemd winbind sss , чтобы sssd разрешал атрибуты passwd

Похоже, что winbind не сопоставляет атрибут LDAP с записью passwd, которую отдаёт nsswitch. Nsswitch, winbind и sssd — те области, которые стоит изучить дальше.

ответ дан 4 December 2019 в 03:03
