"User is not in sudoers" when using RealmD and SSSD

I recently started joining our Ubuntu servers to the domain for authentication. For the most part I have been successful, and I believe the configuration is identical on every system. Today, however, I ran into two cases where authentication is allowed but sudo access is not. I have verified and re-verified the sudoers configuration (at least confirmed that it is identical to the working systems), the realmd configuration and the SSSD configuration.

As you can see, this is the log of an SSH session followed by an attempt to sudo; it shows the user is not in the sudoers group. Further down you will find the sudoers file and several other relevant configuration snippets. Please advise on the next troubleshooting steps. Many thanks.

    Oct 22 16:04:58 server-1 sshd[8701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.15.25  user=MYDOMAIN\smithj
    Oct 22 16:04:58 server-1 sshd[8701]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.15.25 user=MYDOMAIN\smithj
    Oct 22 16:04:59 server-1 sshd[8701]: Accepted password for MYDOMAIN\\smithj from 192.168.15.25 port 7438 ssh2
    Oct 22 16:04:59 server-1 sshd[8701]: pam_unix(sshd:session): session opened for user MYDOMAIN\smithj by (uid=0)
    Oct 22 16:04:59 server-1 systemd-logind[1323]: New session 6 of user smithj.
    Oct 22 16:05:00 server-1 systemd: pam_unix(systemd-user:session): session opened for user smithj by (uid=0)
    Oct 22 16:05:06 server-1 sudo: pam_unix(sudo:auth): authentication failure; logname=smithj uid=535028654 euid=0 tty=/dev/pts/1 ruser=smithj rhost=  user=smithj
    Oct 22 16:05:06 server-1 sudo: pam_sss(sudo:auth): authentication success; logname=smithj uid=535028654 euid=0 tty=/dev/pts/1 ruser=smithj rhost= user=smithj
    Oct 22 16:05:07 server-1 sudo: smithj : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/MYDOMAIN/smithj ; USER=root ; COMMAND=/bin/su

Sudoers file:

    # As file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root    ALL=(ALL:ALL) ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL

    # See sudoers(5) for more information on "#include" directives:

    #includedir /etc/sudoers.di

    #AD Domain Groups and Users
    %domain\ admins ALL=(ALL) NOPASSWD:ALL

Output of "id smithj":

    uid=535028654(smithj) gid=535000513(domain users) groups=535000513(domain users),535000512(domain admins)

Output of "getent group 'domain admins'":

    domain admins:*:535000512:smithj

Output of "getent passwd smithj":

    smithj:*:535028654:535000513:Smith, John:/home/MYDOMAIN/smithj:/bin/bash

sssd.conf:

    [sssd]
    domains = mydomain.com
    config_file_version = 2
    services = nss, pam

    [domain/mydomain.com]
    ad_domain = mydomain.com
    krb5_realm = MYDOMAIN.COM
    realmd_tags = joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/MYDOMAIN/%u
    access_provider = simple
    simple_allow_groups = Domain Admins

Realmd configuration file:

    [users]
    default-home = /home/MYDOMAIN/%U
    default-shell = /bin/bash
    [active-directory]
    default-client = sssd
    os-name = Ubuntu Server
    os-version = 16.04
    [service]
    automatic-install = no
    [mydomain.com]
    fully-qualified-names = no
    automatic-id-mapping = yes
    user-principal = yes
    manage-system = no
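As an added illustration (not code from the question, from sudo or from SSSD), a small Python matcher that evaluates the User_List of each rule in the sudoers file above against the `id smithj` output, showing which rule should cover the user and which `#includedir` paths need to exist on the host. The sample data is copied from the question; the helper functions are hypothetical and handle only plain user names, `%group` and `%#gid` entries.

```python
import re

# Sample data copied from the question: the sudoers User_Specs and the `id smithj` output.
SUDOERS = r"""
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.di
%domain\ admins ALL=(ALL) NOPASSWD:ALL
"""
ID_OUTPUT = ("uid=535028654(smithj) gid=535000513(domain users) "
             "groups=535000513(domain users),535000512(domain admins)")

def parse_id(line):
    """Return (user, set of group names, set of gids) from one line of `id` output."""
    user = re.search(r"uid=\d+\((.*?)\)", line).group(1)
    groups = re.findall(r"(\d+)\((.*?)\)", re.search(r"groups=(.*)$", line).group(1))
    return user, {name for _, name in groups}, {int(gid) for gid, _ in groups}

def user_specs(text):
    """Yield (User_List entry, rest of rule) per User_Spec line; comments, Defaults and
    alias lines are skipped and an escaped space (as in '%domain\\ admins') is unescaped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = re.match(r"((?:\\.|\S)+)\s+(.*)", line)  # split at the first unescaped blank
        if m:
            yield m.group(1).replace("\\ ", " "), m.group(2)

def user_list_matches(who, user, names, gids):
    """Exact-name compare of one User_List entry: plain user, %group or %#gid.
    Hypothetical helper: aliases, netgroups, '!' negation, Host and Runas are ignored."""
    if who.startswith("%#"):
        return int(who[2:]) in gids
    if who.startswith("%"):
        return who[1:] in names
    return who == user

def matching_rules(sudoers_text, id_line):
    """Rules whose User_List covers the user; an empty list is what 'user NOT in sudoers' means."""
    user, names, gids = parse_id(id_line)
    return [(who, rest) for who, rest in user_specs(sudoers_text)
            if user_list_matches(who, user, names, gids)]

def include_dirs(sudoers_text):
    """Paths named by #includedir lines, to be checked for existence on the host
    (the question's file names /etc/sudoers.di)."""
    return re.findall(r"^\s*#includedir\s+(\S+)", sudoers_text, re.M)
```

Run against the question's data, `matching_rules` returns the `%domain\ admins` rule, so the posted file does name the group smithj belongs to; the real sudo evaluation also applies the Host and Runas parts and reads the files on disk, which this matcher does not.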
