- I have set up a Kerberos server on Linux and it works well. The realm name is EXAMPLE.COM.
- I do not have an LDAP server at the moment!
- On an Ubuntu 22.04 desktop I installed the "krb5-user" and "sssd-krb5" packages.
- I tested "kinit user01"; the password was accepted and a TGT ticket was created (I can see it with klist).
- Now I want to configure the Ubuntu Desktop 22.04 login process to authenticate against the KDC server, but to take user and group information from the local system users (because I have no LDAP server).
- There is an official Ubuntu tutorial, https://ubuntu.com/server/docs/service-kerberos-workstation-auth, but it is written for Ubuntu 20.04 Desktop. I was able to follow the instructions without any problem. But when I log in to Ubuntu 22.04 Desktop and run klist, no TGT ticket is listed; it looks as if authentication fell back to local Linux authentication instead of authenticating with Kerberos.
- I deleted all log files from the /var/log/sssd/ directory.
- Just in case, I rebooted Ubuntu.
- I logged in as user01 from the KDC server, [email protected]. On the Ubuntu desktop the username is: user01
- I ran klist and no TGT ticket had been created.
- Below is the log from /var/log/sssd/sssd.log
(2023-06-05 15:03:20): [be[example.com]] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2023-06-05 15:03:20): [be[example.com]] [proxy_resolver_conf] (0x0020): No resolver library name given
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* [be[example.com]] [become_user] (0x0200): Trying to become user [0][0].
* [be[example.com]] [become_user] (0x0200): Already user [0].
* [be[example.com]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
* (2023-06-05 15:03:20): [be[example.com]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 3
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_resolver_server_timeout has value 1000
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_discovery_domain has no value
* (2023-06-05 15:03:20): [be[example.com]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
* (2023-06-05 15:03:20): [be[example.com]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
* (2023-06-05 15:03:20): [be[example.com]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
* (2023-06-05 15:03:20): [be[example.com]] [confdb_get_domain_internal] (0x0400): No enumeration for [example.com]!
* (2023-06-05 15:03:20): [be[example.com]] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
* (2023-06-05 15:03:20): [be[example.com]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
* (2023-06-05 15:03:20): [be[example.com]] [sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb
* (2023-06-05 15:03:20): [be[example.com]] [sysdb_domain_init_internal] (0x0200): Timestamp file for example.com: /var/lib/sss/db/timestamps_example.com.ldb
* (2023-06-05 15:03:20): [be[example.com]] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
* (2023-06-05 15:03:20): [be[example.com]] [ldb] (0x0400): asq: Unable to register control with rootdse!
* (2023-06-05 15:03:20): [be[example.com]] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
* (2023-06-05 15:03:20): [be[example.com]] [sss_domain_get_state] (0x1000): Domain example.com is Active
* (2023-06-05 15:03:20): [be[example.com]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
* (2023-06-05 15:03:20): [be[example.com]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
* (2023-06-05 15:03:20): [be[example.com]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558ece6264a0]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [id]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [krb5] provider for [auth]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [krb5] provider for [chpass]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [sudo]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [autofs]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [selinux]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [hostid]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [subdomains]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [session]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [resolver]
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [id] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): About to load module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_module_open_lib] (0x1000): Loading module [proxy] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_proxy.so]
* (2023-06-05 15:03:20): [be[example.com]] [dp_module_run_constructor] (0x0400): Executing module [proxy] constructor.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [id] constructor
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [auth] with module [krb5]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): About to load module [krb5].
* (2023-06-05 15:03:20): [be[example.com]] [dp_module_open_lib] (0x1000): Loading module [krb5] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_krb5.so]
* (2023-06-05 15:03:20): [be[example.com]] [dp_module_run_constructor] (0x0400): Executing module [krb5] constructor.
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_server has value kerberos.example.com
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_realm has value EXAMPLE.COM
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_ccachedir has value /tmp
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_ccname_template has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_auth_timeout has value 6
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_keytab has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_validate is FALSE
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_kpasswd has value kerberos.example.com
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_backup_kpasswd has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_store_password_if_offline is FALSE
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_renewable_lifetime has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_lifetime has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_renew_interval has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_fast has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_fast_principal has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_enterprise_principal is FALSE
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_kdcinfo_lookahead has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_map_user has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_subdomain_realm is FALSE
* (2023-06-05 15:03:20): [be[example.com]] [krb5_service_new] (0x0100): write_kdcinfo for realm EXAMPLE.COM set to true
* (2023-06-05 15:03:20): [be[example.com]] [fo_new_service] (0x0400): Creating new service 'KERBEROS'
* (2023-06-05 15:03:20): [be[example.com]] [fo_add_server_to_list] (0x0400): Inserted primary server 'kerberos.example.com:0' to service 'KERBEROS'
* (2023-06-05 15:03:20): [be[example.com]] [_krb5_servers_init] (0x0400): Added Server kerberos.example.com
* (2023-06-05 15:03:20): [be[example.com]] [krb5_service_new] (0x0100): write_kdcinfo for realm EXAMPLE.COM set to true
* (2023-06-05 15:03:20): [be[example.com]] [fo_new_service] (0x0400): Creating new service 'KPASSWD'
* (2023-06-05 15:03:20): [be[example.com]] [fo_add_server_to_list] (0x0400): Inserted primary server 'kerberos.example.com:0' to service 'KPASSWD'
* (2023-06-05 15:03:20): [be[example.com]] [_krb5_servers_init] (0x0400): Added Server kerberos.example.com
* (2023-06-05 15:03:20): [be[example.com]] [check_lifetime] (0x0200): No lifetime configured.
* (2023-06-05 15:03:20): [be[example.com]] [check_lifetime] (0x0200): No lifetime configured.
* (2023-06-05 15:03:20): [be[example.com]] [parse_krb5_map_user] (0x0100): krb5_map_user is empty!
* (2023-06-05 15:03:20): [be[example.com]] [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup plugin to DNS
* (2023-06-05 15:03:20): [be[example.com]] [be_fo_set_srv_lookup_plugin] (0x0400): SRV lookup plugin is now DNS
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [auth] constructor
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [access] with module [permit]
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [chpass] with module [krb5]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [krb5] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [chpass] constructor
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [sudo] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [sudo] is not supported by module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [autofs] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [autofs] is not supported by module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [selinux] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [hostid] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [hostid] is not supported by module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [subdomains] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [session] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [session] is not supported by module [proxy].
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [resolver] with module [proxy]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [resolver] constructor
* (2023-06-05 15:03:20): [be[example.com]] [proxy_resolver_conf] (0x0020): No resolver library name given
********************** BACKTRACE DUMP ENDS HERE *********************************
(2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0010): Target [resolver] constructor failed [95]: Operation not supported
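An added example, not part of the question or of sssd itself: a small Python triage script for sssd debug logs like the one above. It parses the `(timestamp): [component] [function] (0xLEVEL): message` format, separates real failures (the fatal/critical/serious/minor level bits documented under debug_level in sssd.conf(5)) from the trace noise, collects the provider map and the krb5_* option values, and flags the `krb5_validate is FALSE` / `krb5_keytab has no value` combination that appears in this log. The sample lines are copied from the question's log; the function names and the report layout are my own.

```python
import re

# Debug level bits as documented under "debug_level" in sssd.conf(5).
LEVELS = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function-data", 0x0400: "trace-functions",
    0x1000: "trace-internal", 0x2000: "trace-libs", 0x4000: "trace-all",
}
FAILURE_MASK = 0x00F0  # fatal | critical | serious | minor

# One sssd log line, with or without the leading "* " of a backtrace dump.
LINE_RE = re.compile(
    r"^(?:\* )?\(?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\): "
    r"\[(?P<comp>[^\[\]]+(?:\[[^\]]*\])?)\] "      # e.g. be[example.com]
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PROVIDER_RE = re.compile(r"Using \[(\w+)\] provider for \[(\w+)\]")
OPTION_RE = re.compile(r"Option (\w+) (?:has value (.+)|is (TRUE|FALSE)|has no value)$")

# Constructed sample: lines copied from the log in the question.
SAMPLE_LOG = """\
(2023-06-05 15:03:20): [be[example.com]] [proxy_resolver_conf] (0x0020): No resolver library name given
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [id]
* (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [krb5] provider for [auth]
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_server has value kerberos.example.com
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_keytab has no value
* (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_validate is FALSE
* (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [sudo] is not supported by module [proxy].
(2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0010): Target [resolver] constructor failed [95]: Operation not supported
"""


def parse_line(line):
    """Return a dict for a well-formed sssd log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    return entry


def triage(lines):
    """Summarise failures, provider mapping and option values from sssd log lines."""
    report = {"failures": [], "providers": {}, "options": {}, "unparsed": 0, "hints": []}
    for line in lines:
        e = parse_line(line)
        if e is None:
            report["unparsed"] += 1
            continue
        if e["level"] & FAILURE_MASK:
            report["failures"].append(
                (LEVELS.get(e["level"], hex(e["level"])), e["func"], e["msg"]))
        pm = PROVIDER_RE.search(e["msg"])
        if pm:
            report["providers"][pm.group(2)] = pm.group(1)   # target -> provider
        om = OPTION_RE.match(e["msg"])
        if om:
            # "has value X" -> X, "is TRUE/FALSE" -> that word, "has no value" -> None
            report["options"][om.group(1)] = om.group(2) if om.group(2) is not None else om.group(3)
    opts = report["options"]
    if report["providers"].get("auth") == "krb5" and opts.get("krb5_validate") == "FALSE":
        keytab_note = " and krb5_keytab is unset" if "krb5_keytab" in opts and opts["krb5_keytab"] is None else ""
        report["hints"].append(
            "krb5_validate is FALSE" + keytab_note
            + ": the TGT obtained at login is not verified against a host key, so the client "
              "cannot tell a genuine KDC reply from a spoofed one; set krb5_validate = True "
              "and provision a host keytab.")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    for level, func, msg in r["failures"]:
        print(f"{level:8} {func}: {msg}")
    print("providers:", r["providers"])
    for hint in r["hints"]:
        print("hint:", hint)
```

Run on a real file with `triage(open("/var/log/sssd/sssd_example.com.log").readlines())`; the trace lines (0x0400 and above) are skipped from the failure list, so only the two messages that actually explain the backtrace are left to read.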
Answer 1
I found the solution. The problem I had was that the password of "user01" was the same for both:
- the local Linux user, and
- Kerberos.
It looks like, in this configuration, the Ubuntu login process first tries to log in with the local Linux user, so if the two passwords are identical it never gets to the Kerberos login.
In my case the solution was to change the local Linux password:
sudo passwd user01
Now, at the Ubuntu desktop login:
- Enter the Kerberos password, and Ubuntu authenticates with Kerberos. I can confirm with the
klist
command that the Kerberos login succeeded and see that a new TGT ticket has been created.
- Enter the local Linux password, and Ubuntu authenticates with local Linux authentication (i.e. /etc/shadow).