使用 SSSD 将 Ubuntu 22.04 加入 Active Directory 后找不到域

使用 SSSD 将 Ubuntu 22.04 加入 Active Directory 后找不到域

从 Ubuntu 20.04 开始,我们使用 SSSD 和 realmd 将这些服务器加入到我们的一个 Active Directory 域中。这几乎是开箱即用的。

然而,对于 Ubuntu 22.04,我们遇到了问题。而且我没有可行的解决方案,因此我提出了这个问题。

我们的组织有 1 个 AD 林。在这个林中,我们有一个名为“例子.local“。此域有几个子域,”产品.示例.本地“,”用户.示例.本地“,”acc.示例.local“。”用户.示例.本地“ 有一个名为 的子域 ”dev.users.示例.local“。此域具有对”的快捷信任产品.示例.本地“(记住这一点很重要)。

当服务器加入域时“dev.users.示例.local“,用户(来自林中的任何域)都应该能够登录到服务器。

这在 Ubuntu 20.04(使用 SSSD 版本 2.2.3)上按预期工作。在 Ubuntu 22.04 上,只有来自加入域(dev.users.example.local)和具有快捷方式信任的域的用户才会被找到并能够登录到服务器。

我们尝试使用 sssctl 调试这个问题。

跑步sssctl domain-list

返回结果

  • dev.users.示例.local
  • 产品.示例.本地

预期结果:

  • dev.users.示例.local
  • 用户.示例.本地
  • 例子.local
  • 产品.示例.本地
  • acc.示例.local

SSSD 版本:

  • Ubuntu 22.04:2.6.3
  • Ubuntu 20.04:2.2.3

这是我们对 SSSD 的配置(在 Ubuntu 20.04 上按预期运行):

[sssd]
domains = dev.users.example.local
config_file_version = 2
services = nss, pam

debug_level = 9

[domain/dev.users.example.local]
# Offline logins
# cache_credentials = true

# Providers
id_provider = ad
auth_provider = ad
access_provider = simple

# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
# ldap_id_mapping = False

# Uncomment if the trusted domains are not reachable
# ad_enabled_domains = ad.example.com

# Set default shell and override AD Home directory
default_shell = /bin/bash
override_homedir = /home/%d/%u

# Comment out if you prefer to use shortnames.
use_fully_qualified_names = True

# AD Specific settings
# ad_use_ldaps = True

debug_level = 9

[nss]
debug_level = 9

[pam]
debug_level = 9

PAM 配置:/etc/pam.d/sshd

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# add to the end (create Home Dir automatically when initial login)
session optional        pam_mkhomedir.so skel=/etc/skel umask=077

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

使用 realmd 我们允许某些 AD 组登录到服务器。

我尝试在 Ubuntu 22.04 上安装新版本(和旧版本 2.2.3)的 SSSD,但无法做到这一点。

我们如何才能在不更改 Active Directory 的情况下实现此功能?我们的配置有什么问题?

相关内容