我安装了 Debian Squeeze 和 sssd。当我尝试通过 ssh 以用户“alexwinner”身份登录服务器时,我在日志中看到:
(Fri May 11 18:56:03 2012) [[sssd[krb5_child[26281]]]] [get_and_save_tgt] (1): 523: [-1765328360][Preauthentication failed]
但是当我执行kinit alexwinner一切正常时,我收到了票。这是我的 sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = MYDOMAIN.COM
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300
[pam]
reconnection_retries = 3
[domain/MYDOMAIN.COM]
description = LDAP domain with AD server
enumerate = true
min_id = 1000
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MYDOMAIN.COM
krb5_kdcip = 172.27.250.141
krb5_kpasswd = 172.27.250.141
ldap_pwd_policy = none
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_uri = ldap://172.27.250.141:3268/
ldap_schema = rfc2307bis
ldap_default_bind_dn = [email protected]
ldap_default_authtok_type = password
ldap_default_authtok = veryhardpassword
ldap_user_search_base = ou=linux,ou=users,ou=pro,dc=mydomain,DC=com
ldap_user_object_class = user
ldap_user_uid_number = uidNumber
ldap_user_gid_number = GIDNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID
ldap_group_search_base = OU=Linux,OU=Roles,DC=mydomain,DC=com
ldap_group_object_class = group
ldap_group_name = Name
ldap_group_gid_number = GidNumber
ldap_force_upper_case_realm = True
这是我的 krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
forwardable = true
[realms]
MYDOMAIN.COM = {
kdc = 172.27.250.141
admin_server = 172.27.250.141
}
我尝试查看 kerberos 包的 tcpdump,并发现 padata 对于 login 和 kinit 是不同的。
我能做些什么?
答案1
尝试以下设置,它们在我的环境中运行得很好。
更改 /etc/sssd/sssd.conf
[root@localhost ~]# cat /etc/sssd/sssd.conf |grep -v ^# |grep -v ^$
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = dc=example,dc=com
chpass_provider = krb5
ldap_default_authtok = RedHat1!
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://10.65.208.43/
krb5_realm = EXAMPLE.COM
krb5_kpasswd = 10.65.208.43
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server = 10.65.208.43
- 运行 authconfig-tui 工具。在“用户信息”部分下选择 ldap,在“身份验证”部分下选择 Kerberos。
- 在 ldap 设置步骤中。不要选择使用 TLS 选项,而是输入 AD 服务器的完全限定域名和基本 DN。
- 在 kerberos 设置页面上输入 AD 服务器领域,还列出 KDC 和管理服务器的 AD 服务器完全限定域名。
这将导致重新启动 sssd 守护进程。
核实 :-
[root@localhost ~]# id user1
确保您的 AD 盒上安装了 IDMU 并且用户已设置 unix 属性。