
Dessa Simpson's questions

Dessa Simpson
Asked: 2018-10-06 10:15:31 +0800 CST

Changing a username in Jira and Confluence

  • 0

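We're about to move over to using Active Directory to authenticate our users to Jira and Confluence. Currently, Confluence uses the Jira user directory. I can only see one problem. One user's username doesn't match: on Jira, they're firstname.l, where l is the last initial. On AD, they're just firstname. What's the easiest way to change their username to (or transfer all their stuff to a new user named) firstname?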

jira
  • 1 answer
  • 452 Views
Dessa Simpson
Asked: 2018-03-20 10:14:48 +0800 CST

MSCHAPv2 authentication not working

  • 3

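I've been fighting with this for about a week. I'm trying to get a RADIUS server to authenticate against our Samba-based Active Directory, but I can't get it to work. Because of our infrastructure, PAP won't work. Because AD doesn't provide a known-good cleartext password, CHAP won't work. So that leaves MSCHAP.

The RADIUS server is on its own VM. Said VM is linked to the domain via Winbind. I have the following in /etc/raddb/mods-available/mschap: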

$ cat /etc/raddb/mods-available/mschap|grep -Ev '^\s*(#|$)'
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "[domain]"
    winbind_retry_with_normalised_username = yes
    pool {
            start = ${thread[pool].start_servers}
            min = ${thread[pool].min_spare_servers}
            max = ${thread[pool].max_servers}
            spare = ${thread[pool].max_spare_servers}
            uses = 0
            retry_delay = 30
            lifetime = 86400
            cleanup_interval = 300
            idle_timeout = 600
    }
}

When I have a client try to authenticate, the relevant radiusd -X output is:

Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 22 from 192.168.6.179:43922 to 192.168.6.192:1812 length 180
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port = 15728668
(0)   NAS-Port-Type = Virtual
(0)   User-Name = "duncan"
(0)   Calling-Station-Id = "192.168.6.100"
(0)   Called-Station-Id = "192.168.6.179"
(0)   MS-CHAP-Challenge = 0x7fd91ada13b38b1800f2f5c1b9a107e4
(0)   MS-CHAP2-Response = 0x01000ff84b43a7f4d54b20da108b5f6a76480000000000000000b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0)   NAS-Identifier = "MikroTik"
(0)   NAS-IP-Address = 192.168.6.179
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=duncan
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=6c2a06548de859d5
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> --nt-response=b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> duncan
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 22 from 192.168.6.192:1812 to 192.168.6.179:43922 length 103
(0)   MS-CHAP-Error = "\001E=691 R=1 C=06f7ce6fa5be464d72e8def2f9634910 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 22 with timestamp +8
Ready to process requests

And the samba log level 5 output:

[2018/03/19 11:13:13.166062,  3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/GS-RADIUS
[2018/03/19 11:13:13.166160,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166171,  5] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
  map_user_info_cracknames: Mapping user [AD]\[duncan] from workstation [\\GS-RADIUS]
  auth_check_password_send: mapped user is: [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166994,  5] ../source4/auth/ntlm/auth.c:67(auth_get_challenge)
  auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2018/03/19 11:13:13.167006,  5] ../lib/util/util.c:555(dump_data)
  [0000] 2D F2 C3 E3 15 05 ED 58                             -......X
[2018/03/19 11:13:13.167502,  2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user duncan
[2018/03/19 11:13:13.167518,  3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user duncan
[2018/03/19 11:13:13.167630,  5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
  Not updating badPwdCount on CN=duncan,CN=Users,DC=ad,DC=goldblattsystems,DC=com after wrong password
[2018/03/19 11:13:13.167656,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [AD\duncan] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/03/19 11:13:13.348906,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/19 11:13:13.348929,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

What is causing this? How do I fix it?

active-directory
  • 2 answers
  • 6474 Views
Dessa Simpson
Asked: 2018-03-13 18:13:41 +0800 CST

Unable to authenticate RADIUS against Active Directory

  • 1

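I'm trying to authenticate RADIUS clients against Active Directory using the LDAP module, so I need to get it to actually use LDAP as the authenticator. However, the user password doesn't seem to be getting set. First of all, should the user password be sent by the client or by the backend server? My main question is, what am I doing wrong?

Yes, I know the log is screaming "don't do this" at me, and reading the README generally seems like good advice, but AD requires this.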

active-directory
  • 1 answer
  • 1401 Views
Dessa Simpson
Asked: 2018-03-13 16:33:06 +0800 CST

"Transport encryption required" when using transport encryption

  • 1

I'm trying to set up a RADIUS server to authenticate against LDAP, but I've run into a strange problem:

rlm_ldap (ldap): Bind with radiusd@[domain] to ldaps://localhost:636 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..

As you can see from ldaps://, it is using transport security. What's going on here? How can I fix this?

Edit: I figured I'd try using starttls. Didn't fix anything:

rlm_ldap (ldap): Bind with radiusd@[domain] to ldap://localhost:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..

Edit 2: What the heck? It even does it when I pipe it through a tunnel.

rlm_ldap (ldap): Bind with radiusd@[domain] to ldap://localhost:3636 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
ldap
  • 1 answer
  • 1467 Views
Dessa Simpson
Asked: 2017-12-30 07:42:38 +0800 CST

PAM accepts any password for valid users

  • 9

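I just connected my Arch Linux workstation to the Samba AD I set up for our company. I tested it, and it worked, or so I thought. It accepted my password, created my homedir and everything, and logged me in. What I forgot to test was what it wouldn't accept. As it turns out, it will accept any password, as long as the username is valid (AD or local, doesn't matter). Can someone point out what I did wrong?

I'm using SSSD to manage the AD connection. Here is my /etc/pam.d/system-auth: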

#%PAM-1.0

auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_env.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
active-directory
  • 1 answer
  • 3976 Views
Dessa Simpson
Asked: 2016-12-31 10:59:15 +0800 CST

Character set error on replication

  • 0

I'm trying to set up replication between two MariaDB databases, but I get the following error in phpMyAdmin:

Error 'Character set '#610' is not a compiled character set and is not specified in the '/usr/share/mysql/charsets/Index.xml' file' 

I checked with mysqld --verbose --help, and both have UTF-8 as the default character set.

mysql-replication mariadb
  • 1 answer
  • 60 Views
Dessa Simpson
Asked: 2016-05-09 18:58:50 +0800 CST

Separate TFTP and DHCP servers for PXE boot

  • 4

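This seems like it should be simple, but I can't find any actual information on it: is it possible to have two separate servers, one running dnsmasq doing DHCP, with the TFTP (or HTTP) server running on another machine?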

pxe-boot dnsmasq tftp
  • 1 answer
  • 7380 Views
