sssd.conf:
[sssd]
domains = corp.com
config_file_version = 2
services = nss, pam
[domain/corp.com]
ad_domain = corp.lecapam.com
krb5_realm = CORP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = RootUser,NonRootUser
问题是,NonRootUser AD 组的成员无法建立 SSH 连接,而 RootUser 的成员可以,我最近将 NonRootUser AD 组添加到配置中并重新启动了 sshd 和 sssd 服务。
错误:
sshd[29077]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ad01.corp.com user=corp\test
sshd[29077]: pam_sss(sshd:account): Access denied for user corp\test: 6 (Permission denied)
sshd[29077]: Failed password for corp\\test from 1.1.1.1 port 60235 ssh2
sshd[29077]: fatal: Access denied for user corp\\\\test by PAM account configuration [preauth]
答案1
是corp\test
在 RootUser/NonRootUser 组中吗?我猜不是。