使用 sssd 在 Microsoft Active Directory 上进行 Linux 身份验证

使用 sssd 在 Microsoft Active Directory 上进行 Linux 身份验证

我目前正在尝试使用 Linux 服务器 (Red Hat Enterprise 7.6) 基于 Microsoft Active Directory 对用户进行身份验证。这个想法是允许用户通过 SSH 连接将文档上传到他们的个人网站,而无需授予他们访问 shell 的权限。

简而言之,我们是一所学校,我们希望为我们的学生提供个人专用文件夹的访问权限。

我正在尝试使用 SSSD,这听起来很有希望。我能够加入域,当我增加日志级别时,我会看到用户被缓存在我的 Linux 服务器上。我一丝不苟地遵循了 Red Hat 文档和大多数讨论 SSSD 用法的帖子,但我可能在某些地方遗漏了一些东西。我想逐步进步,在涉及 SSH 之前,我想首先尝试在控制台上本地验证用户(而不是通过 SSH)。用户未配置为本地用户。它仅在 Active Directory 中定义。

但是它失败了,并在 /var/log/secure 中显示以下消息:

Dec 10 09:42:05 svx-pub-01 login: pam_unix(login:auth): check pass; user unknown
Dec 10 09:42:05 svx-pub-01 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Dec 10 09:42:07 svx-pub-01 login: FAILED LOGIN 1 FROM tty1 FOR (unknown), User not known to the underlying authentication module

据我所知,sssd 不参与这里的身份验证,我想了解原因。

我知道我未来的目标是通过 SSH 对用户进行身份验证,但我首先想做一个非常简单的本地测试...所以我在 sssd.conf 文件中定义了一个默认 shell。出于保密目的,我修改的唯一值是“mydomain.com”,这不是真实值 :)

[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
debug_level = 7

[domain/mydomain.com]
ad_server = svw-dc-00.mydomain.com
ad_domain = mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 7
[pam]
debug_level = 7

[ssh]

这是 /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
 }

[domain_realm]

 mydomain.com = MYDOMAIN.COM
 .mydomain.com = MYDOMAIN.COM

这是 /etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss
initgroups: files sss

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

并且 /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
session     required      pam_unix.so

提前非常感谢您宝贵的意见。

答案1

在 sssd.conf 中更改use_fully_qualified_domain_names = TrueFalse

您必须重新启动 sssd 服务,并可能清除缓存/var/lib/sss/db/才能使此设置生效

您可能还想更改fallback_homedir = /home/%u@%d为,fallback_homedir = /home/%u除非您希望每个人的主目录末尾都有@[domain]

相关内容