4

我一直致力于为我们的开发人员构建一个连接到我们的 Active Directory 服务器的 linux 服务器。使用 Realm 和 SSSD 的组合,我可以让所有用户都能正常使用 SSH,但是尝试将远程桌面连接到 xrdp 却失败了

Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:account): Access denied for user ricktbaker: 6 (Permission denied)

我的 /etc/sssd/sssd.conf

[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad

我尝试将 access_provider 切换为简单,但我也无法 ssh。不太确定我缺少什么,但会提供任何可能有帮助的日志或信息。

- - 编辑 - - -

将以下行添加到 sssd.conf 的域部分似乎可以修复它,但我不确定这是否是正确的修复:

ad_gpo_access_control = permissive
4

3 回答 3

3

男人,我只是爱你。我与这个问题斗争了一天,没有解决办法。

作为补充,当我使用您的配置时,我仍然遇到 X11 不允许连接的问题。只需将 /etc/X11/Xwrapper.config 编辑为 allowed_users=anybody

现在,它起作用了!

非常感谢您的更新!

于 2017-11-08T08:31:32.033 回答
0

在运行此设置一年多之后,我在原始问题中提到的修复肯定有效。因此添加为官方答案。在我的 /etc/sssd/sssd.conf 中只需要以下内容

ad_gpo_access_control = permissive

还有一篇关于它的博客文章:

http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/

于 2019-07-25T13:26:50.707 回答
0

从 sssd-ad 手册页:

       ad_gpo_map_interactive (string)
       A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the InteractiveLogonRight and DenyInteractiveLogonRight policy settings.

       Note: Using the Group Policy Management Editor this value is called "Allow log on locally" and "Deny log on locally".

       It is possible to add another PAM service name to the default set by using “+service_name” or to explicitly remove a PAM service name from the default set by using “-service_name”. For example,
       in order to replace a default PAM service name for this logon right (e.g.  “login”) with a custom pam service name (e.g.  “my_pam_service”), you would use the following configuration:

           ad_gpo_map_interactive = +my_pam_service, -login

      ....

因此,您只需添加:

           ad_gpo_map_interactive = +xrdp-sesman

到您的 sssd.conf 文件。

于 2019-12-11T06:12:36.353 回答