linux – 使用sssd和Active Directory集成的麻烦

发布时间：2020-12-14 03:03:14 所属栏目：Linux 来源：网络整理

导读：我安装了Debian Squeeze和sssd.当我尝试通过ssh用户’alexwinner’登录服务器时,我在日志中看到： (Fri May 11 18:56:03 2012) [[sssd[krb5_child[26281]]]] [get_and_save_tgt] (1): 523: [-1765328360][Preauthentication failed] 但是当我执行kinit alexw

我安装了Debian Squeeze和sssd.当我尝试通过ssh用户’alexwinner’登录服务器时,我在日志中看到：

(Fri May 11 18:56:03 2012) [[sssd[krb5_child[26281]]]] [get_and_save_tgt] (1): 523: [-1765328360][Preauthentication failed]

但是当我执行kinit alexwinner一切都好的时候,我收到了罚单.
这是我的sssd.conf

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam

domains = MYDOMAIN.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3


[domain/MYDOMAIN.COM]
description = LDAP domain with AD server
enumerate = true

min_id = 1000
cache_credentials = false

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

krb5_realm = MYDOMAIN.COM
krb5_kdcip = 172.27.250.141
krb5_kpasswd = 172.27.250.141
ldap_pwd_policy = none

ldap_id_use_start_tls = false
ldap_tls_reqcert = never

ldap_uri = ldap://172.27.250.141:3268/
ldap_schema = rfc2307bis
ldap_default_bind_dn = ECAAuthUser@mydomain.com
ldap_default_authtok_type = password
ldap_default_authtok = veryhardpassword


ldap_user_search_base = ou=linux,ou=users,ou=pro,dc=mydomain,DC=com
ldap_user_object_class = user
ldap_user_uid_number = uidNumber
ldap_user_gid_number = GIDNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID

ldap_group_search_base = OU=Linux,OU=Roles,DC=mydomain,DC=com
ldap_group_object_class = group
ldap_group_name = Name
ldap_group_gid_number = GidNumber
ldap_force_upper_case_realm = True

这是我的krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.COM
    forwardable = true

[realms]
    MYDOMAIN.COM = {
        kdc = 172.27.250.141
        admin_server = 172.27.250.141
   }

我试图看到tcpdump用于kerberos包,并且看到padata与login和kinit不同.

我能做什么？

解决方法

尝试以下设置,它们在我的环境中运行良好.

对/etc/sssd/sssd.conf进行更改

[root@localhost ~]# cat /etc/sssd/sssd.conf  |grep -v ^# |grep -v ^$
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = dc=example,dc=com
chpass_provider = krb5
ldap_default_authtok = RedHat1!
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://10.65.208.43/
krb5_realm = EXAMPLE.COM
krb5_kpasswd = 10.65.208.43
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server = 10.65.208.43

>运行authconfig-tui工具.在“用户信息”部分下选择ldap,在“身份验证”部分下选择Kerberos.
>在ldap设置步骤中.保持使用未选中的TLS选项将AD服务器的完全限定域名和基本DN放入.
>在kerberos设置页面上,输入AD服务器域,还列出KDC和管理服务器的AD服务器完全限定域名.

这将导致重新启动sssd守护程序.

验证： –

[root@localhost ~]# id user1

确保您的AD盒上安装了IDMU.用户具有unix属性集.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!