Joining a Linux (Ubuntu 18.04) instance to AWS Directory Service (directory type: Microsoft AD)

I followed the documentation at https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html

Everything was working fine, but then it suddenly started failing.

I decided to wipe everything and start over.

root@cthulhu:~# cat /etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        rdns = false
root@cthulhu:~# cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
root@cthulhu:~# realm join -U Admin example.com --verbose
.
.
.

 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm

The instance is now joined to AD. The clocks of both machines are in sync.

Let's try it!!!

We can reach AD...

root@cthulhu:~# id [email protected]
uid=863401142([email protected]) gid=863400513(domain [email protected]) groups=863400513(domain [email protected]),863401137(aws delegated add workstations to domain [email protected])

But we cannot log in.

root@cthulhu:~# kinit -V [email protected]
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Password for [email protected]:
kinit: Password incorrect while getting initial credentials
$ ssh example3
[email protected]@54.54.54.54's password:
Permission denied, please try again.

The logs show this...

/var/log/syslog

Nov 11 16:33:31 cthulhu [sssd[krb5_child[2818]: Preauthentication failed

/var/log/auth.log

Nov 11 16:38:44 cthulhu sshd[3063]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.28.150.160  [email protected]
Nov 11 16:38:44 cthulhu sshd[3063]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.28.150.160 [email protected]
Nov 11 16:38:44 cthulhu sshd[3063]: pam_sss(sshd:auth): received for user [email protected]: 17 (Failure setting user credentials)
Nov 11 16:38:44 cthulhu sshd[3062]: Received disconnect from 112.85.42.71 port 31633:11:  [preauth]
Nov 11 16:38:44 cthulhu sshd[3062]: Disconnected from 112.85.42.71 port 31633 [preauth]
Nov 11 16:38:47 cthulhu sshd[3063]: Failed password for [email protected] from 80.80.80.80 port 60620 ssh2

Sometimes a single attempt succeeds. This is really strange.

I restart sssd, and the restart logs show...

Nov 11 16:50:24 cthulhu systemd[1]: Stopping System Security Services Daemon...
Nov 11 16:50:24 cthulhu sssd[3396]: Shutting down
Nov 11 16:50:24 cthulhu sssd[3395]: Shutting down
Nov 11 16:50:24 cthulhu sssd[be[3384]: Shutting down
Nov 11 16:50:24 cthulhu systemd[1]: Stopped System Security Services Daemon.
Nov 11 16:50:24 cthulhu systemd[1]: Starting System Security Services Daemon...
Nov 11 16:50:24 cthulhu kernel: kauditd_printk_skb: 625 callbacks suppressed
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.178:2226): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/" pid=3437 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.178:2227): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/sssd/cfg_rules.ini" pid=3437 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu sssd[3437]: Starting up
Nov 11 16:50:24 cthulhu sssd[be[3455]: Starting up
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.210:2228): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/gss/mech.d/" pid=3455 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu sssd[3464]: Starting up
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.234:2229): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/passwd" pid=3464 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.238:2230): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/passwd" pid=3464 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu sssd[3465]: Starting up
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.250:2231): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/group" pid=3464 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.250:2232): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/group" pid=3464 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.258:2233): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/initgroups" pid=3464 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.258:2234): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/initgroups" pid=3464 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Nov 11 16:50:24 cthulhu systemd[1]: Started System Security Services Daemon.
Nov 11 16:50:24 cthulhu kernel: audit: type=1400 audit(1605113424.266:2235): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=3437 comm="sssd" capability=12  capname="net_admin"
Nov 11 16:50:24 cthulhu systemd-resolved[785]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Nov 11 16:50:24 cthulhu sssd[3437]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 11 16:50:24 cthulhu systemd-resolved[785]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Nov 11 16:50:24 cthulhu sssd[3437]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 11 16:50:24 cthulhu systemd-resolved[785]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Nov 11 16:50:24 cthulhu sssd[3437]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 11 16:50:24 cthulhu systemd-resolved[785]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Nov 11 16:50:24 cthulhu sssd[3437]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 11 16:50:24 cthulhu sssd[3437]: response to SOA query was unsuccessful
Nov 11 16:50:24 cthulhu sssd[3437]: ; TSIG error with server: tsig verify failure
Nov 11 16:50:24 cthulhu sssd[3437]: update failed: REFUSED
Nov 11 16:50:24 cthulhu sssd[3437]: ; TSIG error with server: tsig verify failure
Nov 11 16:50:24 cthulhu sssd[3437]: update failed: REFUSED

It seems the only thing that does not work is authentication.

I can work with the user normally, like this...

root@cthulhu:~# su - [email protected]
[email protected]@cthulhu:~$
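A triage helper for the kind of log excerpts shown in this question, added here as an example (it is not part of the question or of the AWS documentation): it groups auth.log/syslog lines by program[pid] so that one ssh session reads as a unit and classifies each line, separating the user's own failed attempt (the pam_sss code 17 and the krb5_child pre-authentication failure) from the unrelated [preauth] disconnects of a different client and from the GSS-TSIG DNS update errors, which concern the host record rather than user login. The sample log is constructed from the question's lines with documentation IPs and a placeholder user.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the question's auth.log/syslog excerpts (documentation IPs, placeholder realm).
SAMPLE_LOG = """\
Nov 11 16:33:31 cthulhu [sssd[krb5_child[2818]: Preauthentication failed
Nov 11 16:38:44 cthulhu sshd[3063]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin@example.com
Nov 11 16:38:44 cthulhu sshd[3063]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin@example.com
Nov 11 16:38:44 cthulhu sshd[3063]: pam_sss(sshd:auth): received for user admin@example.com: 17 (Failure setting user credentials)
Nov 11 16:38:44 cthulhu sshd[3062]: Received disconnect from 198.51.100.7 port 31633:11:  [preauth]
Nov 11 16:38:44 cthulhu sshd[3062]: Disconnected from 198.51.100.7 port 31633 [preauth]
Nov 11 16:38:47 cthulhu sshd[3063]: Failed password for admin@example.com from 192.0.2.10 port 60620 ssh2
Nov 11 16:50:24 cthulhu sssd[3437]: ; TSIG error with server: tsig verify failure
Nov 11 16:50:24 cthulhu sssd[3437]: update failed: REFUSED
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (\S+?)\[(\d+)\]: (.*)$")  # syslog: prog[pid]: msg
HOST_RE = re.compile(r"rhost=(\S+)|from (\S+) port")  # remote address, PAM or sshd form
# First matching pattern wins; the text says what that line means for an AD login failure.
RULES = [
    ("Preauthentication failed", "krb_preauth", "KDC rejected pre-auth: bad password, clock skew or account state"),
    (r"pam_sss\(sshd:auth\)", "pam_sss_failure", "SSSD could not get a TGT (17 = Failure setting user credentials)"),
    (r"pam_unix\(sshd:auth\): authentication failure", "pam_unix_expected", "AD user has no local shadow entry; harmless alone"),
    ("Failed password for", "ssh_verdict", "sshd's final result for that session"),
    (r"\[preauth\]$", "ssh_preauth_drop", "client left before authenticating; usually unrelated scanner noise"),
    ("tsig verify failure|update failed: REFUSED", "dns_update_failed", "GSS-TSIG dynamic DNS update failed; host record, not login"),
    ('apparmor="ALLOWED"', "apparmor_complain", "profile in complain mode: access logged, not blocked"),
]

def classify(msg):
    """Return (category, meaning) for one log message."""
    for pattern, cat, why in RULES:
        if re.search(pattern, msg):
            return cat, why
    return "other", "not a known AD/Kerberos/SSSD indicator"

def triage(text):
    """Group events by program[pid] so each ssh session reads as one unit; also count categories."""
    sessions, counts = defaultdict(list), Counter()
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        prog, pid, msg = m.groups()
        cat, _ = classify(msg)
        counts[cat] += 1
        host = HOST_RE.search(msg)
        sessions[(prog, int(pid))].append((cat, (host.group(1) or host.group(2)) if host else None))
    return dict(sessions), counts

if __name__ == "__main__":
    for (prog, pid), events in sorted(triage(SAMPLE_LOG)[0].items()):
        print(f"{prog}[{pid}]:", events)
```

Run against the real /var/log/auth.log, the sshd[3063] group is the session to focus on; the sshd[3062] group and the sssd DNS-update lines can be set aside when debugging the password failure.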
