Ubuntu 16 - Active Directory - Can ssh - cannot rdp

I have been working on building a Linux server for our developers that is joined to our Active Directory server. Using a combination of realm and SSSD, SSH works fine for all users, but trying to remote desktop in through xrdp fails with

Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:account): Access denied for user ricktbaker: 6 (Permission denied)

My /etc/sssd/sssd.conf

[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad

I have tried switching access_provider to simple, but then I cannot ssh either. Not too sure what I'm missing, but I will provide any logs or information that might help.

---- EDIT -----

Adding the following line to the domain section of sssd.conf seems to fix the problem, but I'm not sure whether this is the right fix:

ad_gpo_access_control = permissive
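The three log lines in the question already carry the diagnosis: pam_unix fails (expected for a domain user who has no local password), pam_sss accepts the password in the auth phase, and then the account phase denies access. So the credential is correct and an access-control decision (in this thread, the GPO logon-right evaluation) is what blocks the RDP login. As an added example, not code from the question or its answers, here is a small Python triage script that groups xrdp-sesman PAM lines by service and user and separates that "auth success, account denied" pattern from ordinary bad-credential failures. The sample log is constructed from the question's lines plus an invented failed attempt for a second user for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the three xrdp-sesman lines from the question, followed
# by an invented bad-password attempt for a second user, for contrast.
SAMPLE_LOG = """\
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:account): Access denied for user ricktbaker: 6 (Permission denied)
Nov  7 04:58:02 ip-10-10-100-177 xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=otheruser
Nov  7 04:58:02 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=otheruser
"""

# syslog prefix, then "pam_module(service:phase): message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>\S+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>auth|account|session|password)\): "
    r"(?P<msg>.*)$"
)
# matches both the "user=name" and the "for user name:" forms
USER_RE = re.compile(r"user[= ]([^\s:]+)")


def parse_pam_lines(text):
    """Yield (service, user, phase, module, outcome) for every PAM line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        u = USER_RE.search(msg)
        user = u.group(1) if u else "?"
        if msg.startswith("authentication success"):
            outcome = "success"
        elif msg.startswith(("authentication failure", "Access denied")):
            outcome = "failure"
        else:
            outcome = "other"
        yield m.group("service"), user, m.group("phase"), m.group("module"), outcome


def triage(text):
    """Classify each (service, user) pair seen in the log.

    account_denied: a credential was accepted in the auth phase but the
                    account phase refused the login (access control, e.g.
                    the GPO logon-right check), so a password reset will
                    not help.
    auth_failed:    no PAM module accepted the credential.
    ok:             authenticated and not denied.
    """
    events = defaultdict(list)
    for service, user, phase, module, outcome in parse_pam_lines(text):
        events[(service, user)].append((phase, module, outcome))

    verdicts = {}
    for key, evs in events.items():
        auth_ok = any(p == "auth" and o == "success" for p, _, o in evs)
        acct_denied = any(p == "account" and o == "failure" for p, _, o in evs)
        if auth_ok and acct_denied:
            verdicts[key] = "account_denied"
        elif auth_ok:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "auth_failed"
    return verdicts


if __name__ == "__main__":
    for (service, user), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{service:12s} {user:12s} {verdict}")
```

On a real host the grouping key should also include the process id or a time window, since one user can produce several attempts in the same log; here the constructed sample has one attempt per user, so service and user suffice.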

Dude, I just love you. I have been wrestling with this problem for a day without solving it.

As an addition, when I used your config I still ran into the problem of X11 not allowing connections. Just edit /etc/X11/Xwrapper.config to allowed_users=anybody

Now it works!

Thanks a lot for the update!

After running this setup for over a year, the fix I mentioned in the original question definitely works, so I'm adding it as the official answer. All that was needed in my /etc/sssd/sssd.conf was the following:

ad_gpo_access_control = permissive

There is also a blog post about it:

http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/

From the sssd-ad man page:

       ad_gpo_map_interactive (string)
       A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the InteractiveLogonRight and DenyInteractiveLogonRight policy settings.

       Note: Using the Group Policy Management Editor this value is called "Allow log on locally" and "Deny log on locally".

       It is possible to add another PAM service name to the default set by using “+service_name” or to explicitly remove a PAM service name from the default set by using “-service_name”. For example,
       in order to replace a default PAM service name for this logon right (e.g.  “login”) with a custom pam service name (e.g.  “my_pam_service”), you would use the following configuration:

           ad_gpo_map_interactive = +my_pam_service, -login

      ....

So you just need to add:

           ad_gpo_map_interactive = +xrdp-sesman

to your sssd.conf file.
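To make the "+service_name" / "-service_name" semantics from the man page excerpt concrete, here is an added Python example (not part of this answer, and not SSSD's own code) that computes the effective interactive-logon service set from an ad_gpo_map_interactive value and then inspects a domain section of sssd.conf for the two GPO options this thread turns on. Two assumptions: the default service list is the one sssd-ad(5) gives for ad_gpo_map_interactive as reproduced from memory, so check it against your sssd version, and a list entry without a + or - prefix is treated as an error because the excerpt only defines those two forms. The point of preferring the mapping over ad_gpo_access_control = permissive is that mapping xrdp-sesman keeps the GPO logon-right check enforced for RDP logins, whereas permissive mode evaluates the policy but only logs denials.

```python
import configparser

# Default PAM services that sssd-ad(5) lists for ad_gpo_map_interactive
# (reproduced from memory here: an assumption, verify against your version).
DEFAULT_INTERACTIVE = [
    "login", "su", "su-l", "gdm-fingerprint", "gdm-password", "gdm-smartcard",
    "kdm", "lightdm", "lxdm", "sddm", "unity", "xdm",
]

# Constructed sssd.conf: the question's domain section plus the two GPO
# options discussed in the thread.
SAMPLE_CONF = """\
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
id_provider = ad
access_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_gpo_access_control = enforcing
ad_gpo_map_interactive = +xrdp-sesman
"""


def effective_services(option_value, defaults=DEFAULT_INTERACTIVE):
    """Apply the +name / -name list syntax from sssd-ad(5) to the default set.

    Returns the resulting service names, sorted. Names without a + or -
    prefix are rejected (assumption: the man page excerpt only defines
    those two forms).
    """
    result = list(defaults)
    if option_value is None:
        return sorted(result)
    for raw in option_value.split(","):
        item = raw.strip()
        if not item:
            continue
        name = item[1:].strip()
        if item.startswith("+"):
            if name not in result:
                result.append(name)
        elif item.startswith("-"):
            if name in result:          # removing an absent name is harmless
                result.remove(name)
        else:
            raise ValueError(f"expected '+name' or '-name', got {item!r}")
    return sorted(result)


def check_domain_section(conf_text, domain, service="xrdp-sesman"):
    """Report how one domain section treats a PAM service.

    'mode' is the raw ad_gpo_access_control value ('unset' when absent, in
    which case sssd's own default applies); 'mapped' says whether the
    service falls under the interactive logon right.
    """
    cp = configparser.ConfigParser(interpolation=None)  # '%u' must stay literal
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    services = effective_services(section.get("ad_gpo_map_interactive"))
    return {
        "mode": section.get("ad_gpo_access_control", "unset"),
        "mapped": service in services,
        "services": services,
    }


if __name__ == "__main__":
    print(effective_services("+my_pam_service, -login"))
    print(check_domain_section(SAMPLE_CONF, "my.domain.com"))
```

Run against a real /etc/sssd/sssd.conf (read the file instead of SAMPLE_CONF), a result of mapped=False with mode=permissive is the configuration from the accepted answer's first fix, and mapped=True with mode=enforcing is the configuration this answer recommends.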