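I have a problem with one of my servers.
I use a key to authenticate with an AD account on my server, and it works most of the time. The SSSD module is used to authenticate AD users.
Sometimes I cannot authenticate the AD user; it seems the server tries to authenticate a local user.
Here is a working authentication: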
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: userauth-request for user sagex3 service ssh-connection method gssapi-with-mic
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: attempt 1 failures 0
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: PAM: setting PAM_RHOST to "blueway-prod.XXXXXXXXXX.fr"
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: PAM: setting PAM_TTY to "ssh"
Sep 17 15:06:02 x3v6prod sshd[6762]: Postponed gssapi-with-mic for sagex3 from 192.168.60.184 port 49310 ssh2
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: userauth-request for user sagex3 service ssh-connection method publickey
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: attempt 2 failures 0
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: test whether pkalg/pkblob are acceptable
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: trying public key file /home/XXXXXXXXXX.FR/sagex3/.ssh/authorized_keys
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: fd 8 clearing O_NONBLOCK
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: matching key found: file /home/XXXXXXXXXX/sagex3/.ssh/authorized_keys, line 1
Sep 17 15:06:02 x3v6prod sshd[6759]: Found matching RSA key: ca:38:16:a0:d0:ca:60:6b:28:63:09:5b:01:b2:90:d1
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: restore_uid: 0/0
Sep 17 15:06:02 x3v6prod sshd[6762]: Postponed publickey for sagex3 from 192.168.60.184 port 49310 ssh2
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: userauth-request for user sagex3 service ssh-connection method publickey
Sep 17 15:06:02 x3v6prod sshd[6762]: debug1: attempt 3 failures 0
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: trying public key file /home/XXXXXXXXXX/sagex3/.ssh/authorized_keys
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: fd 8 clearing O_NONBLOCK
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: matching key found: file /home/XXXXXXXXXX/sagex3/.ssh/authorized_keys, line 1
Sep 17 15:06:02 x3v6prod sshd[6759]: Found matching RSA key: ca:38:16:a0:d0:ca:60:6b:28:63:09:5b:01:b2:90:d1
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: restore_uid: 0/0
Sep 17 15:06:02 x3v6prod sshd[6759]: debug1: ssh_rsa_verify: signature correct
Here is a non-working authentication:
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1:userauth-request for user sagex3 service ssh-connection method none
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: attempt 0 failures 0
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: SSH2_MSG_KEXINIT received
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: kex: client->server aes128-ctr hmac-md5 none
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: kex: server->client aes128-ctr hmac-md5 none
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: expecting SSH2_MSG_KEXDH_INIT
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: PAM: initializing for "sagex3"
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: userauth-request for user sagex3 service ssh-connection method gssapi-with-mic
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: attempt 1 failures 0
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: PAM: setting PAM_RHOST to "blueway-prod.XXXXXXXXXX.fr"
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: PAM: setting PAM_TTY to "ssh"
Sep 17 15:06:06 x3v6prod sshd[6795]: Postponed gssapi-with-mic for sagex3 from 192.168.60.184 port 49314 ssh2
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: userauth-request for user sagex3 service ssh-connection method publickey
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: attempt 2 failures 0
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: test whether pkalg/pkblob are acceptable
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: SSH2_MSG_NEWKEYS sent
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: expecting SSH2_MSG_NEWKEYS
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: trying public key file /home/SAGEX3/.ssh/authorized_keys
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: SSH2_MSG_NEWKEYS received
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: KEX done
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: Could not open authorized keys '/home/SAGEX3/.ssh/authorized_keys': No such file or directory
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: restore_uid: 0/0
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: trying public key file /home/SAGEX3/.ssh/authorized_keys2
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: Could not open authorized keys '/home/SAGEX3/.ssh/authorized_keys2': No such file or directory
Sep 17 15:06:06 x3v6prod sshd[6792]: debug1: restore_uid: 0/0
Sep 17 15:06:06 x3v6prod sshd[6792]: Failed publickey for sagex3 from 192.168.60.184 port 49314 ssh2
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: userauth-request for user sagex3 service ssh-connection method none
Sep 17 15:06:06 x3v6prod sshd[6799]: debug1: attempt 0 failures 0
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: userauth-request for user sagex3 service ssh-connection method password
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: attempt 3 failures 1
Sep 17 15:06:06 x3v6prod sshd[6792]: Failed none for sagex3 from 192.168.60.184 port 49314 ssh2
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: userauth-request for user sagex3 service ssh-connection method password
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: attempt 4 failures 2
Sep 17 15:06:06 x3v6prod sshd[6792]: Failed password for sagex3 from 192.168.60.184 port 49314 ssh2
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: userauth-request for user sagex3 service ssh-connection method password
Sep 17 15:06:06 x3v6prod sshd[6795]: debug1: attempt 5
And the SSSD logs:
Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status.
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [child_sig_handler] (0x0020): child [6688] failed with status [1].
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [child_sig_handler] (0x0020): child [6700] failed with status [1].
(Tue Sep 17 15:06:01 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [child_sig_handler] (0x0020): child [6743] failed with status [1].
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
(Tue Sep 17 15:06:02 2019) [sssd[be[XXXXXXXX]]] [child_sig_handler] (0x0020): child [6763] failed with status [1].
(Tue Sep 17 15:16:18 2019) [sssd[be[XXXXXXXX]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-374409226-1497903906-623647154-2705
(Tue Sep 17 15:16:18 2019) [sssd[be[XXXXXXXX]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-374409226-1497903906-623647154-2663
(Tue Sep 17 15:16:18 2019) [sssd[be[XXXXXXXX]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-374409226-1497903906-623647154-1560
(Tue Sep 17 15:18:45 2019) [sssd[be[XXXXXXXX]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Sep 17 15:20:45 2019) [sssd[be[XXXXXXXX]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Sep 17 15:32:28 2019) [sssd[be[XXXXXXXX]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Using the lowest-common compatibility level
(Tue Sep 17 15:47:22 2019) [sssd[be[XXXXXXXX]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Sep 17 15:48:28 2019) [sssd[be[XXXXXXXX]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Using the lowest-common compatibility level
(Tue Sep 17 16:00:01 2019) [sssd[be[XXXXXXXX]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Using the lowest-common compatibility level
(Tue Sep 17 16:00:01 2019) [sssd[be[XXXXXXXX]]] [sysdb_get_real_name] (0x0040): Cannot find user [postfix] in cache
(Tue Sep 17 16:00:01 2019) [sssd[be[XXXXXXXX]]] [sysdb_get_real_name] (0x0040): Cannot find user [postfix] in cache
(Tue Sep 17 16:03:22 2019) [sssd[be[XXXXXXXX]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Sep 17 16:03:30 2019) [sssd[be[XXXXXXXX]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Using the lowest-common compatibility level
(Tue Sep 17 16:03:33 2019) [sssd[be[XXXXXXXX]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Sep 17 16:03:33 2019) [sssd[be[XXXXXXXX]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Sep 17 16:03:33 2019) [sssd[be[XXXXXXXX]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [be_process_init] (0x0080): No SUDO module provided for [XXXXXXXX] !!
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [be_process_init] (0x0020): No selinux module provided for [XXXXXXXX] !!
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [be_process_init] (0x0020): No host info module provided for [XXXXXXXX] !!
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Using the lowest-common compatibility level
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [be_ptask_enable] (0x0080): Task [AD machine account password renewal]: already enabled
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5]: [Input/output error]
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of current addresses [5]: Input/output error
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
(Tue Sep 17 16:03:34 2019) [sssd[be[XXXXXXXX]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [be_process_init] (0x0080): No SUDO module provided for [XXXXXXXX] !!
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [be_process_init] (0x0020): No selinux module provided for [XXXXXXXX] !!
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [be_process_init] (0x0020): No host info module provided for [XXXXXXXX] !!
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Using the lowest-common compatibility level
(Tue Sep 17 16:06:22 2019) [sssd[be[XXXXXXXX]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Sep 17 16:06:23 2019) [sssd[be[XXXXXXXX]]] [be_ptask_enable] (0x0080): Task [AD machine account password renewal]: already enabled
(Tue Sep 17 16:06:23 2019) [sssd[be[XXXXXXXX]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 17 16:06:23 2019) [sssd[be[XXXXXXXX]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Sep 17 16:06:23 2019) [sssd[be[XXXXXXXX]]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5
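In the two sshd traces above, the same uid (285005224) is sent to two different `authorized_keys` locations. The following is an added example, not part of the original post, that scans sshd `debug1` output for a uid whose home directory changes between attempts. The function names and the sample log (domain replaced by the placeholder `EXAMPLE.FR`) are constructed, and it assumes keys live under `~/.ssh/authorized_keys` or `authorized_keys2`.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the sshd debug1 lines in the post
# (hostname shortened, AD domain replaced by the placeholder EXAMPLE.FR).
SAMPLE_LOG = """\
Sep 17 15:06:02 host sshd[6759]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:02 host sshd[6759]: debug1: trying public key file /home/EXAMPLE.FR/sagex3/.ssh/authorized_keys
Sep 17 15:06:02 host sshd[6759]: debug1: restore_uid: 0/0
Sep 17 15:06:06 host sshd[6792]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:06 host sshd[6799]: debug1: SSH2_MSG_NEWKEYS sent
Sep 17 15:06:06 host sshd[6792]: debug1: trying public key file /home/SAGEX3/.ssh/authorized_keys
Sep 17 15:06:06 host sshd[6792]: debug1: restore_uid: 0/0
Sep 17 15:06:06 host sshd[6792]: debug1: temporarily_use_uid: 285005224/285000513 (e=0/0)
Sep 17 15:06:06 host sshd[6792]: debug1: trying public key file /home/SAGEX3/.ssh/authorized_keys2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: debug1: (?P<msg>.*)$")
USE_UID = re.compile(r"temporarily_use_uid: (\d+)/(\d+)")
KEYFILE = re.compile(r"trying public key file (.+)/\.ssh/authorized_keys2?$")

def homes_by_uid(log_text):
    """Map each uid to the set of home directories sshd tried for it."""
    current_uid = {}  # sshd pid -> uid that process last switched to
    homes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (u := USE_UID.match(msg)):
            current_uid[pid] = u.group(1)
        elif msg.startswith("restore_uid"):
            current_uid.pop(pid, None)
        elif (k := KEYFILE.match(msg)) and pid in current_uid:
            # Lines from concurrent connections interleave, so key on pid.
            homes[current_uid[pid]].add(k.group(1))
    return dict(homes)

def inconsistent_uids(log_text):
    """Return only the uids that were resolved to more than one home directory."""
    return {uid: sorted(h) for uid, h in homes_by_uid(log_text).items() if len(h) > 1}

if __name__ == "__main__":
    for uid, dirs in inconsistent_uids(SAMPLE_LOG).items():
        print(f"uid {uid} resolved to {len(dirs)} home directories: {dirs}")
```

A uid reported here means the passwd entry that sshd received was not stable between connections, which narrows the search to the name-service lookup rather than the key itself.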