openldap – AWS Simple AD: "KDC has no support for encryption type" for users created with adtool

Published: 2020-12-15 18:27:51 | Category: Security | Source: web compilation
Background

I am trying to log in (via SSH, to an Amazon Linux EC2 instance running sssd) as a user I created in AWS Directory Services Simple AD. I am using Kerberos for authentication and LDAP for identifying users (all through sssd).

Problem

I cannot log in as a user created with adtool, which means I am having trouble automating the addition of new users to Simple AD. When I try, the KDC says it has no support for the encryption type (I assume this refers to the user's password?). See the "Error message" section below.

However, I can log in as the built-in Administrator user, and as a user I created through the Microsoft Management Console on a domain-joined Windows Server 2008 EC2 instance. So my setup works, or at least partly works.

TL;DR of what I need

I need to know what I am doing wrong with adtool that prevents me from logging in as the users it creates. I don't know what I did wrong, and I think this would be generally useful to anyone trying to do something similar to what I am doing. Details follow.

Error message

When attempting to log in as the user created with adtool, this is sssd's output:

(Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [sss_child_krb5_trace_cb] (0x4000): [5459] 1451576135.446649: Response was from master KDC
(Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [sss_child_krb5_trace_cb] (0x4000): [5459] 1451576135.446788: Received error from KDC: -1765328370/KDC has no support for encryption type
(Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [get_and_save_tgt] (0x0020): 996: [-1765328370][KDC has no support for encryption type]
(Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [map_krb5_error] (0x0020): 1065: [-1765328370][KDC has no support for encryption type]
(Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [k5c_send_data] (0x0200): Received error code 1432158209

From the client side, it says Permission denied, please try again.

Architecture

Here is my architecture around Simple AD:

This setup lets me use LDAPS, even though AWS Simple AD does not support it.

The Route 53 record for the ELB is directory.myteam.mycompany.com, but the domain I use for Simple AD is myteam.mycompany.internal.

Configuration on the machine running sssd

/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = myteam

[nss]
default_shell = /bin/bash
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/myteam]
enumerate = true
cache_credentials = TRUE

id_provider = ldap

ldap_uri = ldaps://directory.myteam.mycompany.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_default_bind_dn = CN=test-user,CN=users,DC=myteam,DC=mycompany,DC=internal
ldap_default_authtok = REDACTED_PASSWORD
ldap_id_use_start_tls = true
ldap_schema = AD
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_search_base = CN=users,DC=internal

ldap_user_uuid = none
ldap_group_uuid = none

chpass_provider = krb5
auth_provider = krb5
krb5_server = directory.myteam.mycompany.com
krb5_realm = MYTEAM.MYCOMPANY.INTERNAL
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_canonicalize = True

/etc/sysconfig/authconfig:

IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=yes
USESHADOW=yes
USEWINBIND=no
PASSWDALGORITHM=sha512
FORCELEGACY=yes
USEFPRINTD=no
FORCESMARTCARD=no
USEDB=no
USELDAPAUTH=no
USEPASSWDQC=no
IPAV2NONTP=no
WINBINDKRB5=no
USELOCAUTHORIZE=yes
USEECRYPTFS=no
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=yes
USEPWQUALITY=yes
USEHESIOD=no

Besides these two files, I also made sure password authentication is enabled in sshd_config, and enabled sssd in the PAM modules with sudo authconfig --updateall --enablesssd --enablesssdauth.

/etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

Software versions

> uname -a: Linux ip-172-31-31-2 4.1.10-17.31.amzn1.x86_64 #1 SMP Sat Oct 24 01:31:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> sssd 1.12.2
> adtool 1.3.3
> openldap-clients 2.4.23-34.25.amzn1

Differences between the users

To show how these users differ in my directory, here is the output of querying them with ldapsearch from the instance running sssd.

User created with adtool (edit: you will see below that a pwdLastSet value is present; I believe it was not present before, and its presence is the key to my answer):

$ldapsearch -LLL  -H ldaps://directory.myteam.mycompany.com -D CN=Administrator,DC=internal -x -W '(cn=test-user)'
Enter LDAP Password:
dn: CN=test-user,CN=Users,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test-user
instanceType: 4
whenCreated: 20151230204358.0Z
displayName: Test user
uSNCreated: 3532
name: test-user
objectGUID:: ZhfGzcqLd06x2UBU3UNiZQ==
codePage: 0
countryCode: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHWfr9xoaXwKvEcuoUwQAAA==
accountExpires: 9223372036854775807
sAMAccountName: test-user
sAMAccountType: 805306368
userPrincipalName: test-user@myteam.mycompany.internal
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC
 =internal
userAccountControl: 512
lockoutTime: 0
whenChanged: 20151231150317.0Z
uSNChanged: 3619
pwdLastSet: 130960477970000000
distinguishedName: CN=test-user,DC=internal

User created via the Microsoft Management Console:

$ldapsearch -LLL  -H ldaps://directory.myteam.mycompany.com -D CN=Administrator,DC=internal -x -W '(sAMAccountName=test-windows-2008)'
Enter LDAP Password:
dn: CN=Test User,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test User
sn: User
givenName: Test
instanceType: 4
whenCreated: 20151230223533.0Z
whenChanged: 20151230223534.0Z
displayName: Test User
uSNCreated: 3563
uSNChanged: 3563
name: Test User
objectGUID:: 2cuynP3/9EeRIm1fCUJ9jA==
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130959885340000000
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHWfr9xoaXwKvEcuoVwQAAA==
accountExpires: 9223372036854775807
sAMAccountName: test-windows-2008
sAMAccountType: 805306368
userPrincipalName: test-windows-2008@myteam.mycompany.internal
objectCategory: CN=Person,DC
 =internal
distinguishedName: CN=Test User,DC=internal

The difference between how I used adtool and MMC is that MMC prompted me to set an initial password for the user, but I forgot to do the same for the user created with adtool. The following steps fixed the problem, and it is reproducible:

$ adtool userunlock -w REDACTED_PASSWORD 'test-user'
$ adtool setpass -w REDACTED_PASSWORD  test-user REDACTED_PASSWORD

In my original question I re-queried the original test user this morning, after a colleague had run the steps above to set the password, so the output shows the password as set; but it was not set last night when I tried to log in, hence the problem. When I tried to log in again today it worked fine, and after some investigation I found that this was the reason.

Right now I can only speculate as to why the "KDC has no support for encryption type" message appeared: since there was no password, there were no encryption types. If I am wrong, I would be glad to be corrected.

TL;DR: remember to unlock the user and set a password when using adtool rather than MMC.
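The answer above turns on one attribute: whether pwdLastSet is present and non-zero. The error code in the sssd log, -1765328370, is KRB5KDC_ERR_ETYPE_NOSUPP, which is the reply a KDC gives when it can find no key of any enctype for the client principal, consistent with the poster's reasoning that an account with no password has no encryption types. The following is an added example (not the poster's code and not an AWS or adtool tool) that audits ldapsearch LDIF output for exactly the conditions that would block a Kerberos login: no password ever set, account disabled, password expired, or lockout. It generalises slightly beyond the thread by also decoding userAccountControl bits and converting pwdLastSet from AD FILETIME to a readable UTC time. The sample LDIF, the function names (parse_ldif, audit_entry, audit_ldif, filetime_to_datetime) and the svc-disabled account are all constructed for the example.

```python
"""Audit ldapsearch (LDIF) output for AD/Samba accounts that cannot obtain a
Kerberos TGT. Added example; not part of the original post. Sample data and
function names below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (values from Microsoft's ADS_USER_FLAG docs)
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000
UAC_PASSWORD_EXPIRED = 0x800000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 9223372036854775807  # accountExpires "never"


def filetime_to_datetime(ft: int):
    """Convert an AD FILETIME (100ns ticks since 1601-01-01 UTC) to a datetime.
    0 means 'never set'; the int64 maximum means 'never expires'."""
    if ft <= 0 or ft == FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ldif(text: str):
    """Minimal LDIF reader: unfold RFC 2849 continuation lines (leading space),
    split entries on blank lines, keep every attribute as a list of values.
    Base64 values ('attr:: ...') are kept as their base64 text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key, []).append(value.lstrip(":").strip())
    return entries


def audit_entry(entry):
    """Return the reasons (possibly none) this account cannot log in via Kerberos."""
    problems = []
    pwd_last_set = int(entry.get("pwdLastSet", ["0"])[0])   # absent == 0
    uac = int(entry.get("userAccountControl", ["0"])[0])
    lockout = int(entry.get("lockoutTime", ["0"])[0])
    if pwd_last_set == 0:
        problems.append("no password has ever been set (pwdLastSet=0): "
                        "the KDC has no key for this principal")
    if uac & UAC_ACCOUNTDISABLE:
        problems.append("account disabled (userAccountControl ACCOUNTDISABLE)")
    if uac & UAC_PASSWORD_EXPIRED:
        problems.append("password expired (userAccountControl PASSWORD_EXPIRED)")
    if lockout != 0:
        problems.append("account locked out (lockoutTime != 0)")
    return problems


def audit_ldif(text: str):
    """Map sAMAccountName -> list of problems for every entry in the LDIF."""
    return {e["sAMAccountName"][0]: audit_entry(e)
            for e in parse_ldif(text) if "sAMAccountName" in e}


# Constructed sample: entry 1 mirrors the adtool-created user before setpass
# (no pwdLastSet at all), entry 2 the MMC-created user from the question,
# entry 3 a hypothetical disabled account (514 = NORMAL_ACCOUNT | ACCOUNTDISABLE).
SAMPLE_LDIF = """\
dn: CN=test-user,CN=Users,DC=myteam,DC=mycompany,DC=internal
objectClass: user
cn: test-user
userAccountControl: 512
lockoutTime: 0
sAMAccountName: test-user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=myteam,DC=mycompany,DC
 =internal

dn: CN=Test User,CN=Users,DC=myteam,DC=mycompany,DC=internal
objectClass: user
cn: Test User
userAccountControl: 512
pwdLastSet: 130959885340000000
sAMAccountName: test-windows-2008

dn: CN=svc-disabled,CN=Users,DC=myteam,DC=mycompany,DC=internal
objectClass: user
userAccountControl: 514
pwdLastSet: 130959885340000000
sAMAccountName: svc-disabled
"""

if __name__ == "__main__":
    for name, problems in audit_ldif(SAMPLE_LDIF).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

In practice, feed it the output of the same ldapsearch shown in the thread (for example `ldapsearch -LLL ... '(sAMAccountName=*)' sAMAccountName userAccountControl pwdLastSet lockoutTime`) right after creating users with adtool; any account the audit flags for pwdLastSet still needs `adtool setpass` (and `adtool userunlock` if lockoutTime is set) before a Kerberos login can succeed.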
