CentOS 7 sssd authentication with AuthLite in a subdomain

The CentOS 7 server is joined to abc.com, and authentication is working with AuthLite two-factor authentication against abc.com. A subdomain a.abc.com was created, but authentication does not work on that subdomain. Can the server be joined to both domains?

[root@server01 sssd]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam

[domain/abc.com]
id_provider = ad
access_provider = simple
realmd_tags = manages-system joined-with-samba
ad_domain = abc.com
ad_server = serverdc01.abc.com,serverdc02.abc.com,_srv_
!adding in subdomain line below - SG 1-20-2017
subdomain_enumerate = all
krb5_realm = ABC.COM
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
simple_allow_groups = TDI Remote Access [email protected]
debug_level = 0x07F0

[domain/a.abc.com]
ad_server = aserverdc01.a.abc.com,aserver02.a.abc.com,_srv_

The user account can be confirmed to be visible in the subdomain:

[root@server01 bin]# id [email protected]
uid=1915601610([email protected]) gid=1915601610([email protected])       groups=1915601610([email protected]),1213401243(tdi remote access users),1915601332(authlite 1f [email protected]),1915601331(authlite [email protected]),1915601110([email protected]),1915601606([email protected]),1915600513(domain [email protected])

Realms:

[root@server01 bin]# realm list
abc.com
  type: kerberos
  realm-name: ABC.COM
  domain-name: abc.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: TDI Remote Access [email protected]

From the secure log:

Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [email protected]
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): received for user [email protected]: 4 (System error)

From krb5_child.log:

(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601610] gid [1915601610] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1915601610] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [become_user] (0x0200): Trying to become user [1915601610][1915601610].
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): Will perform online auth
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): krb5_child completed successfully

From sssd_abc.com.log:

(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=user]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=a,dc=a,dc=hawaiian,dc=aero]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=a,dc=a].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Save user
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_primary_name] (0x0400): Processing object [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Storing info for user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
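
One way to triage the two things this post shows, a `[domain/a.abc.com]` section that SSSD is never told to run and the `KDC policy rejects request` failure in krb5_child.log, is a small check script. This is an added example, not code from the poster or from SSSD; its config excerpt and log lines are constructed from the post, and the "not a valid ini line" check assumes SSSD's `#`/`;` comment syntax.

```python
import configparser, re
# Constructed excerpt of the post's sssd.conf (trimmed to the relevant keys).
SSSD_CONF = """\
[sssd]
domains = abc.com

[domain/abc.com]
id_provider = ad
!adding in subdomain line below - SG 1-20-2017
subdomain_enumerate = all
krb5_realm = ABC.COM

[domain/a.abc.com]
ad_server = aserverdc01.a.abc.com,aserver02.a.abc.com,_srv_
"""
# Blank line, '#'/';' comment, [section] header, or key = value; anything else is suspect.
VALID_LINE = re.compile(r"^\s*($|[#;]|\[.*\]\s*$|[^=]+=)")

def check_domains(conf_text):
    """Findings: non-ini lines, and [domain/X] sections SSSD will not serve."""
    findings, clean = [], []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if VALID_LINE.match(line):
            clean.append(line)
        else:  # e.g. the '!' line above: '!' is not an ini comment character
            findings.append(f"line {n}: not a valid ini line: {line.strip()!r}")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(clean))
    active = {d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()}
    for sect in cp.sections():
        if not sect.startswith("domain/") or sect.count("/") > 1:
            continue  # skip non-domain sections and [domain/parent/sub] override blocks
        if sect.split("/", 1)[1] not in active:
            findings.append(f"[{sect}]: not named in [sssd] domains=, so SSSD never starts it")
        if "id_provider" not in cp[sect]:
            findings.append(f"[{sect}]: no id_provider, so it cannot run as a domain of its own")
    return findings

# Constructed lines modelled on the krb5_child.log excerpt in the post.
KRB5_CHILD_LOG = [
    "(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]",
    "(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]",
]
# Debug level 0x0020 is SSSD's critical-failure level; the bracketed pair is the krb5 code and message.
KRB5_ERR = re.compile(r"\((0x[0-9a-f]{4})\): \d+: \[(-?\d+)\]\[([^\]]+)\]")

def krb5_child_errors(lines):
    """Distinct (krb5 error code, message) pairs from critical-failure lines, sorted."""
    hits = (KRB5_ERR.search(line) for line in lines)
    return sorted({(int(m.group(2)), m.group(3)) for m in hits if m and m.group(1) == "0x0020"})
```

SSSD only starts the domains named in `domains =`; sssd.conf(5) documents per-trusted-subdomain overrides such as `ad_server` under a `[domain/abc.com/a.abc.com]` section rather than a standalone `[domain/a.abc.com]` one.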