ユーザー「[email protected]」は、PBIS auth.log 要件「user ingroup nopasswdlogin」を満たしていません。

ユーザー「[email protected]」は、PBIS auth.log 要件「user ingroup nopasswdlogin」を満たしていません。

Windows AD資格情報を使用してUbuntu 16.04システムにログインしたいと思います。私はPowerBroker Identity Services(PBIS)AD-bridgeのBeyondtrustバージョン8.5.2.265を使用しています。 WindowsのバージョンはWindows Server 2012 R2です。

これらのエラーは/var/log/auth.logに表示されます。

Jan 16 08:34:51 [HOSTNAME] lightdm: PAM adding faulty module: pam_kwallet5.so
Jan 16 08:34:59 [HOSTNAME] lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "[email protected]"
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 08:35:01 [HOSTNAME] CRON[12249]: pam_unix(cron:session): session closed for user root
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]User [email protected] is denied access because they are not in the 'require membership of' list
Jan 16 08:35:03 [HOSTNAME] lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:[email protected]][error code:40158]
Jan 16 08:35:07 [HOSTNAME] systemd-logind[1050]: Removed session c2.

/opt/pbis/bin/enum-groupsからコピーしたセキュリティグループ "domain^users"と一致するように設定オプションRequireMembershipOfを変更しました。

/opt/pbis/bin/config --dumpのオプション:

AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "winsrv.local"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "domain^users"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC

/etc/pam.d/common-session ファイル:

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_lsass.so
session required        pam_unix.so
session optional        pam_systemd.so
session optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

/etc/pam.d/common-auth ファイル:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_lsass.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

/etc/pam.d/common-account ファイル:

# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore]         pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore]        pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

ベストアンサー1

私は同じ問題を解決しました。私は持っています

pam_succeed_if(lightdm:auth): ユーザー「xxxxxxx」は、「ユーザー・グループ内の nopasswdlogin」の要件を満たしていません。

環境はAD認証、Windows 2016、Ubuntu 16.04です。

解決策

次の行を編集し/etc/pam.d/lightdmnopasswdlogin削除します。

auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin

おすすめ記事