您好,我正在尝试设置 SSSD 以在 RHEL 上对 AD 进行身份验证。
当我运行 时,我能够使用我的 AD 用户和密码登录并查看我的组id
。但是当我尝试使用 sudo 时,它只是不断提示我输入密码 ( Sorry, please try again
)。有什么想法吗?我知道这不是 sudoers 文件,因为当我运行 sudo -U myUser -l
I时see (root) ALL
,但我可以su
毫无问题地 root,并且不会提示我输入密码。
我的假设是它与 PAM 有关。
pam.d/系统身份验证-ac
auth required pam_env.so
auth sufficient pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
pam.d/密码验证-ac
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
sssd.conf
[sssd]
config_file_version = 2
domains = myDomain
services = nss, pam, pac
[domain/myDomain]
id_provider = ad
access_provider = ad
ad_server = adSer2.ca,adSer1.ca
ad_access_filter = memberOf=CN=IT - Shared Services,OU=Infrastructure,OU=CompanyGrps,DC=company,DC=ca
default_shell = /bin/bash
fallback_homedir = /home/%u
ignore_group_members = true
debug_level = 1
[nss]
[pam]
debug_level = 1
pam_verbosity = 3
[pac]
nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss ldap
publickey: nisplus
automount: files sss ldap
aliases: files nisplus
sudoers
root ALL=(ALL) ALL
%it\ -\ shared\ services ALL = (root) ALL
更新
我通过从 PAM 配置中删除 kerberos 来使其工作,但我不确定这样做是否会引入安全风险。
答案1
根据我的经验,我必须限定该组的域/etc/sudoers
因此我的 sudoers 声明看起来更像这样:
%[email protected] ALL = (root) ALL
由于组名中有空格,因此如下所示:
%it\ -\ shared\ [email protected] ALL = (root) ALL