Webmin LDAP authentication: passwd returns "Authentication token manipulation error"


Update, 25 Jan 2023: I believe my sssd and nslcd are working correctly, and I have also adjusted the PAM modules in Webmin. I also added db to nsswitch.conf, so I check there first. As of now I can successfully query the database full of users with ldapsearch -x -D cn=bindadmin,ou=People,dc=xxx,dc=com -W, and I can also successfully passwd $USER and use the new password with su -l $USER. The only remaining problem is allowing users to log in to Webmin. I had hoped that, since the client is working and password changes work, it would let me log in, but when I try to change the converted Webmin user ACL used for the Webmin login I get the following error in /var/webmin/miniserv.error. It seems to be the only logged error message, and it is what stops my Webmin users from logging in. Any ideas?

Argument "" isn't numeric in numeric ne (!=) at /usr/libexec/webmin/acl/save_unix.cgi line 80. [25/Jan/2023:11:01:59 -0500] Reloading configuration

I am trying to set up LDAP authentication for Unix user logins but I get a token error. I have LDAP users and groups working, and I have converted all Unix users to Webmin users, but I cannot get users to log in or to change their password with passwd. I have configured and enabled sssd.conf, but I believe the problem may be with the PAM files. My experience is limited and I would appreciate any help; I am adding some of the PAM configs and sssd.conf below. If you need anything else to help solve this, please let me know. Thanks.

I also cannot use things like ldapmodify or ldapsearch. Is that because a misconfigured ldap-client is not reaching the server, as I suspect? When I configure the LDAP client in Webmin with the nslcd.conf file and use the validate button, it returns the following, but it does not give me the option to run/start the client as it did before; it only offers the option to validate the configuration and to start the ldap-client together with it. Could that be why it is not connecting correctly?

Error message when I try an ldapsearch:

SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

Finding LDAP base for users ..
.. found base dc=xxxx,dc=com.
Connecting to LDAP server ..
.. connected to ldap-primary.ue1.-prod.com

Searching for users ..
.. found 507 users.

Checking Unix users service ..
.. service is setup to query LDAP.

Looking for Unix user bjones ..
.. user found successfully.

Your system has been successfully configured as an LDAP client!

Expectations:

  • LDAP users and groups are working [complete]
  • Converted Unix Webmin users can log in [not working]

The following commands work:

$ id tuser
uid=6469(tuser) gid=6250(gwtest) groups=6250(gwtest),9003(git),9001(softeng)

$ getent passwd tuser
tuser:*:6469:6250:test user:/home/tuser:/bin/bash

Log messages when I try passwd tuser:

passwd: pam_unix(passwd:chauthtok): user "tuser" does not exist in /etc/passwd
passwd: pam_sss(passwd:chauthtok): Authentication failed for user tuser: 4 (System error)

Log messages when a converted Webmin user tries to log in:

pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=xxx user=xxx
webmin[8072]: Invalid login as xxxx from xxxx

password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
password sufficient pam_sss.so
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so
password substack postlogin

webmin
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so nullok
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so

system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, ssh
reconnection_retries = 3
domains = xxxx

[nss]
filter_groups = root
filter_users = root,named,nscd

[

[domain/xxx]
access_provider = ldap
auth_provider = ldap
cache_credentials = true
chpass_provider = none
debug_level = 3
entry_cache_timeout = 300
enum_cache_timeout = 300
enumerate = true
id_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = shadow
ldap_default_authtok_type = password
ldap_default_authtok = xxxx

ldap_default_bind_dn = cn=bindadmin-sssd,ou=People,dc=xxxx,dc=com
ldap_enumeration_refresh_timeout = 300
ldap_group_member = memberUid
ldap_group_name = cn
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Groups,dc=xxxx,dc=com
ldap_id_use_start_tls = false
ldap_network_timeout = 3
ldap_pwd_policy = shadow
ldap_schema = rfc2307
ldap_search_base = dc=xxx,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
ldap_uri = ldaps://ldap-01.ue1-prod.com
ldap_user_name = uid
ldap_user_object_class = posixAccount
ldap_user_search_base = ou=People,dc=xxxx,dc=com
ldap_user_shadow_expire = shadowExpire
shell_fallback = /bin/bash
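Added example for the sssd.conf above (this is not code from the original post or from the sssd project): a small linter that reads the file with Python's configparser and reports the settings in the posted domain section that decide whether password changes and transport security work. With chpass_provider = none, sssd will not perform a password change at all, so pam_sss's chauthtok step cannot succeed for an LDAP user; with ldap_tls_reqcert = never, the ldaps:// connection is encrypted but the server's certificate is never verified, so anyone who can redirect traffic to ldap-01 can present any certificate and collect the bind password and every user password that sssd forwards. Both sample configs are constructed for this example from settings visible on this page, with a placeholder domain name and no real secret.

```python
"""Lint an sssd.conf for the settings that govern password changes and TLS.

Added example for this page; not code from the original post or from sssd.
Both samples are constructed from the settings posted above.
"""
import configparser

# Constructed: the posted domain section reduced to the relevant keys.
SAMPLE_WEAK = """
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = none
ldap_uri = ldaps://ldap-01.ue1-prod.com
ldap_default_bind_dn = cn=bindadmin-sssd,ou=People,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
"""

# Constructed: the same section with the weak settings corrected.  The bind
# secret stays (the bind DN needs one); file permissions are its protection.
SAMPLE_FIXED = """
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-01.ue1-prod.com
ldap_default_bind_dn = cn=bindadmin-sssd,ou=People,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
"""


def lint_sssd(text, file_mode=None):
    """Return [(key, message)] for every [domain/...] section in `text`.

    `file_mode` is the permission bits of the file (os.stat(p).st_mode & 0o777);
    None skips that check, which matters because the file holds a bind password.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("chpass_provider", "").strip().lower() == "none":
            findings.append(("chpass_provider", f"{section}: chpass_provider = none disables "
                             "password changes through sssd, so pam_sss chauthtok fails for "
                             "LDAP users; use chpass_provider = ldap."))
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append(("ldap_tls_reqcert", f"{section}: ldap_tls_reqcert = {reqcert} "
                             "does not verify the server certificate; a MITM can harvest the "
                             "bind password and user passwords. Use demand or hard."))
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        starttls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if any(u.startswith("ldap://") for u in uris) and not starttls:
            findings.append(("cleartext", f"{section}: ldap:// without "
                             "ldap_id_use_start_tls = true sends directory lookups in the clear."))
        if d.get("ldap_auth_disable_tls_never_use_in_production", "false").strip().lower() == "true":
            findings.append(("cleartext", f"{section}: TLS disabled for authentication; "
                             "user passwords would travel unencrypted."))
        if file_mode is not None and "ldap_default_authtok" in d and file_mode & 0o077:
            findings.append(("permissions", f"{section}: mode {file_mode:04o} lets non-root "
                             "users read ldap_default_authtok; the file should be 0600 root:root."))
    return findings
```

Run it as `lint_sssd(open("/etc/sssd/sssd.conf").read(), os.stat("/etc/sssd/sssd.conf").st_mode & 0o777)` on a real host. Note that switching to chpass_provider = ldap makes sssd perform the change as the user after re-binding with the old password, and sssd refuses to send that over a non-TLS connection, which is another reason the certificate check needs to be real rather than switched off.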

Answer 1

I solved this by installing the perl-Authen-PAM module (yum install perl-Authen-PAM) and updating my webmin PAM config:

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so
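Added example for the PAM stacks on this page (not code from the original post, from Webmin or from Linux-PAM): a simplified model of how libpam walks an auth stack, following the control-flag rules in pam.conf(5), including the `[default=1 ...]` "jump over the next N modules" form that the authconfig-generated system-auth above uses. It lets you check on paper what each of the three posted webmin/system-auth stacks decides for an LDAP-only user like tuser and for root. Module results are constructed input (no real PAM module runs); the model assumes a module with no supplied result fails with PAM_PERM_DENIED, and it leaves out the reset action and the "only module in the stack" special case for optional.

```python
"""Simplified model of how Linux-PAM walks a module stack (pam.conf(5) rules).

Added example for this page, not code from the original post, Webmin or
Linux-PAM.  Module results are constructed input; no real module runs.
Assumptions: an unlisted module fails with PAM_PERM_DENIED; the reset action
and the "only module in the stack" case for optional are not modelled.
"""
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_IGNORE = 0, 6, 7, 10, 25
RET_NAME = {0: "success", 6: "perm_denied", 7: "auth_err", 10: "user_unknown", 25: "ignore"}
# Keyword controls expanded to the [..] form pam.conf(5) defines for them.
KEYWORD = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(config_text, module_type="auth"):
    """Return [(module, {value: action})] for the lines of one module type."""
    stack = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        # "-session ..." only quiets the log if the module is missing; same type.
        if not parts or parts[0].lstrip("-") != module_type:
            continue
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            spec = " ".join(parts[1:end + 1]).strip("[]")
            control, module = dict(kv.split("=", 1) for kv in spec.split()), parts[end + 1]
        else:
            control, module = KEYWORD[parts[1]], parts[2]
        stack.append((module, control))
    return stack

def evaluate(stack, outcomes):
    """Return the overall status, mirroring libpam's impression/status bookkeeping.
    `outcomes` maps module file name -> the return code it would produce."""
    impression = None          # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED   # libpam's PAM_MUST_FAIL_CODE
    i = 0
    while i < len(stack):
        module, control = stack[i]
        i += 1
        retval = outcomes.get(module, PAM_PERM_DENIED)
        action = control.get(RET_NAME.get(retval, ""), control.get("default", "ignore"))
        undecided = impression is None or (impression and status == PAM_SUCCESS)
        if action in ("ok", "done"):
            if undecided and (retval != PAM_IGNORE or impression is None):
                impression, status = True, retval
            if action == "done" and impression and status == PAM_SUCCESS:
                break                  # sufficient: a success ends the stack
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # the first failure is kept
            if action == "die":
                break                  # requisite: stop immediately
        elif action.isdigit():
            i += int(action)           # jump: skip N modules, retval not recorded
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r} on {module}")
    return status if impression is not None else PAM_PERM_DENIED

# Auth sections as posted on this page.
SYSTEM_AUTH = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
WEBMIN_ORIGINAL = "auth sufficient pam_ldap.so\nauth required pam_unix.so nullok\n"
WEBMIN_ANSWER = """
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
"""
# Constructed outcomes.  pam_env and pam_faildelay return PAM_IGNORE for auth.
BASE = {"pam_env.so": PAM_IGNORE, "pam_faildelay.so": PAM_IGNORE, "pam_deny.so": PAM_AUTH_ERR}

def ldap_user(password_ok):
    """tuser-like account: uid 6469, absent from /etc/passwd, so pam_localuser rejects
    it and pam_unix sees the '*' hash from NSS and fails the password check."""
    code = PAM_SUCCESS if password_ok else PAM_AUTH_ERR
    return {**BASE, "pam_succeed_if.so": PAM_SUCCESS, "pam_localuser.so": PAM_USER_UNKNOWN,
            "pam_unix.so": PAM_AUTH_ERR, "pam_sss.so": code, "pam_ldap.so": code}

def local_root(password_ok):
    """uid 0 in /etc/passwd: the uid >= 1000 test fails and jumps over pam_localuser."""
    code = PAM_SUCCESS if password_ok else PAM_AUTH_ERR
    return {**BASE, "pam_succeed_if.so": PAM_AUTH_ERR, "pam_localuser.so": PAM_SUCCESS,
            "pam_unix.so": code, "pam_sss.so": PAM_USER_UNKNOWN, "pam_ldap.so": PAM_USER_UNKNOWN}

def decide(stack_text, outcomes):
    return evaluate(parse_stack(stack_text), outcomes)
```

Two things the model makes visible. First, in system-auth an LDAP user is decided by pam_sss and root by pam_unix, because the failed `uid >= 1000` test jumps over pam_localuser and the failed pam_localuser jumps over pam_unix; that is why passwd and su work in the update above. Second, neither of the two webmin files includes system-auth, so for the webmin service the decision for an LDAP user rests entirely on pam_ldap.so: if it does not return success, the original file falls through to `required pam_unix.so`, which can only fail for an account whose NSS entry carries `*` as its hash, and that is the "pam_unix(webmin:auth): authentication failure" line in the posted log.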
