sudo keeps prompting for a password when using SSSD with AD

Hi, I am trying to set up SSSD to authenticate against AD on RHEL.

When I run , I am able to log in with my AD user and password and see my group IDs. But when I try to use sudo, it just keeps prompting me for a password (Sorry, please try again). Any ideas? I know it is not the sudoers file, because when I run sudo -U myUser -l I see (root) ALL, but I can su to root without any problem, and I am not prompted for a password.

My assumption is that it has something to do with PAM.

pam.d/system-auth-ac

auth        required      pam_env.so
auth        sufficient    pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so

pam.d/password-auth-ac

auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

sssd.conf

[sssd]
config_file_version = 2
domains = myDomain
services = nss, pam, pac

[domain/myDomain]
id_provider = ad
access_provider = ad
ad_server = adSer2.ca,adSer1.ca
ad_access_filter = memberOf=CN=IT - Shared Services,OU=Infrastructure,OU=CompanyGrps,DC=company,DC=ca
default_shell = /bin/bash
fallback_homedir = /home/%u
ignore_group_members = true
debug_level = 1

[nss]

[pam]
debug_level = 1
pam_verbosity = 3

[pac]

nsswitch.conf

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss ldap

publickey:  nisplus

automount:  files sss ldap
aliases:    files nisplus

sudoers

root  ALL=(ALL)   ALL

%it\ -\ shared\ services ALL = (root) ALL

Update

I got it working by removing Kerberos from the PAM configuration, but I am not sure whether doing so introduces a security risk.

Answer 1

In my experience, I had to qualify the group with the domain in /etc/sudoers.

So my sudoers statement looked more like this:

%group@company.ca ALL = (root) ALL

Since the group name contains spaces, it looks like this:

%it\ -\ shared\ services@company.ca ALL = (root) ALL
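The following is an added example, not code from the question or the answer above. It builds the domain-qualified sudoers rule the answer describes for a group name containing spaces (backslash-escaping each space, then appending @domain), syntax-checks the result with visudo -c -f when visudo is installed, and offers a getent check for confirming that the exact name written into sudoers is one NSS actually resolves. The group name "it - shared services" is taken from the question's sudoers file; the domain company.ca is assumed from the DC=company,DC=ca base in sssd.conf, and the helper function names are my own.

```shell
#!/bin/sh
# Added example: build and validate a domain-qualified sudoers group rule for
# an AD group whose name contains spaces. Group name is from the question;
# the domain company.ca is an assumption derived from DC=company,DC=ca.

# sudoers requires every space in a group name to be escaped with a backslash.
escape_sudoers_name() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# Emit one rule of the form: %<escaped group>@<domain> ALL = (root) ALL
sudoers_group_rule() {
    group="$1"
    domain="$2"
    printf '%%%s@%s ALL = (root) ALL\n' "$(escape_sudoers_name "$group")" "$domain"
}

# Write the rule to a temporary file and syntax-check it with visudo.
# With -f pointing at our file, visudo -c only parses it (no owner/mode check).
# Returns 0 if the rule parses, 1 on a syntax error, 2 if visudo is not
# installed and the check had to be skipped.
check_sudoers_rule() {
    tmp=$(mktemp) || return 1
    sudoers_group_rule "$1" "$2" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if visudo -c -q -f "$tmp"; then rc=0; else rc=1; fi
    else
        rc=2
    fi
    rm -f "$tmp"
    return $rc
}

# sudo can only match a %group entry if NSS resolves that exact name, so the
# unescaped name (with the @domain suffix) should appear in getent output on
# the SSSD-joined host. This needs a live sssd, so it is a helper, not run here.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Print the rule for the group from the question, ready to paste into sudoers.
sudoers_group_rule 'it - shared services' 'company.ca'
```

Drop the printed line into /etc/sudoers.d/ (mode 0440) rather than editing /etc/sudoers directly, and run group_resolves 'it - shared services@company.ca' on the host to confirm the suffix form is what SSSD is actually returning; if getent shows the group without the @domain suffix (use_fully_qualified_names = False), the sudoers entry must match that form instead.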
