无法使用 sssd ldap 进行 ssh 和 pwauth

tag-icon tag-icon ldap sssd
无法使用 sssd ldap 进行 ssh 和 pwauth

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss,pam,sudo,ssh
domains = local,ldap
debug_level = 9
sbus_timeout = 2
reconnection_retries = 3

[nss]
#filter_groups = root
#filter_users = root
#enum_cache_timeout = 30

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/local]
id_provider = local
auth_provider = local
access_provider = permit
debug_level = 9

[domain/ldap]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://10.24.83.198:10389/
ldap_search_base = ou=users,dc=sprint,dc=com
ldap_user_search_base = ou=users,dc=sprint,dc=com
ldap_sudo_search_base = ou=users,dc=sprint,dc=com
ldap_group_search_base = ou=users,dc=sprint,dc=com
ldap_tls_reqcert = never
#ldap_tls_reqcert = allow
#ldap_tls_cacertdir = /etc/cacerts

cache_credentials = false
ldap_schema = rfc2307bis
debug_level = 9
# Enumeration is discouraged for performance reasons.
enumerate = true
ldap_default_bind_dn = uid=admin,ou=system
ldap_default_authtok_type = password
ldap_default_authtok = secret
ldap_id_use_start_tls = false

/etc/pam.d/ 中的 grep -ri ‘pam_sss.so’

[root@lab pam.d]# grep -ri 'pam_sss.so'
smartcard-auth-ac:account     [default=bad success=ok     user_unknown=ignore] pam_sss.so
smartcard-auth-ac:session     optional      pam_sss.so
password-auth-ac:auth        sufficient    pam_sss.so use_first_pass
password-auth-ac:account     [default=bad success=ok     user_unknown=ignore] pam_sss.so
password-auth-ac:password    sufficient    pam_sss.so use_authtok
password-auth-ac:session     optional      pam_sss.so
sshd:auth        sufficient    pam_sss.so
fingerprint-auth-ac:account     [default=bad success=ok     user_unknown=ignore] pam_sss.so
fingerprint-auth-ac:session     optional      pam_sss.so
system-auth-ac:auth        sufficient    pam_sss.so
system-auth-ac:account     [default=bad success=ok user_unknown=ignore]     pam_sss.so
system-auth-ac:password    sufficient    pam_sss.so use_authtok
system-auth-ac:session     optional      pam_sss.so
[root@lab pam.d]#

LDAP 搜索结果

[root@lab ~]# ldapsearch -H ldap://10.24.83.198:10389 -x -D "uid=admin,ou=system" -W -b "ou=users,dc=sprint,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=sprint,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass 
#

# labusr52, users, sprint.com
dn: uid=labusr52,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# labusr50, users, sprint.com
dn: uid=labusr50,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# labusr50_pb, users, sprint.com
dn: uid=labusr50_pb,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# sssd_2, users, sprint.com
dn: uid=sssd_2,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# labusr50_root, users, sprint.com
dn: uid=labusr50_root,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# sssd_3, users, sprint.com
dn: uid=sssd_3,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_4, users, sprint.com
dn: uid=sssd_4,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_5, users, sprint.com
dn: uid=sssd_5,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_root, users, sprint.com
dn: uid=sssd_root,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# labusr50_cc, users, sprint.com
dn: uid=labusr50_cc,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# labusr51, users, sprint.com
dn: uid=labusr51,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# sssd_root_0, users, sprint.com
dn: uid=sssd_root_0,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_ldap_group_1, users, sprint.com
dn: uid=sssd_ldap_group_1,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: posixGroup

# search result
search: 2
result: 0 Success

# numResponses: 14
# numEntries: 13
[root@lab ~]#

问题 1:不确定为什么 'getent passwd' 没有返回 root 用户

[root@lab ~]# getent passwd
labusr50_cc:*:500:500:Lab User50:/:/bin/bash
labusr50_pb:*:491:491:Lab User50:/:/bin/bash
labusr50:*:29990:29990:Lab User50:/home/labusr50:/bin/bash
labusr51:*:29991:29991:Lab User51:/home/labusr51:/bin/bash
labusr52:*:29992:29992:Lab User52:/home/labusr52:/bin/bash
sssd_2:*:2:3:cn_sssd_2:/:
sssd_3:*:3:3:cn_sssd_3:/:
sssd_4:*:4:4:cn_sssd_4:/:

问题 2:即使“id”和“su”命令有效,pwauth 也会失败并出现以下错误

[root@lab ~]# id sssd_5
uid=5(sync) gid=5(tty) groups=0(root)
[root@lab ~]# su - sssd_5
-sh-4.1$ ls
bin  boot  cgroup  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  qsb_config  root  run  sbin  selinux  srv  sys  tmp  usr  var
-sh-4.1$ pwd
/
-sh-4.1$ exit
logout
[root@lab ~]# pwauth
sssd_5
sprint123
[root@lab ~]# echo $?
1
[root@lab ~]#

[root@lab ~]# tailf /var/log/message

2017-06-24T19:32:25.823061+00:00 lab sssd[be[ldap]]: Could not start TLS encryption. TLS error -12156:The server certificate included a public key that was too weak.

[root@lab ~]# tailf /var/log/sssd/sssd_ldap.log

(Sat Jun 24 19:32:25 2017) [sssd[be[ldap]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -12156:The server certificate included a public key that was too weak.]

以上 2 个错误是否意味着我必须使用 ldaps 而不是 ldap?

[root@lab ~]# tailf /var/log/secure

2017-06-24T19:32:25.824275+00:00 lab pwauth: pam_sss(pwauth:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=sssd_5
2017-06-24T19:32:25.824312+00:00 lab pwauth: pam_sss(pwauth:auth): received for user sssd_5: 9 (Authentication service cannot retrieve authentication info)
2017-06-24T19:32:25.824769+00:00 lab pwauth: pam_unix(pwauth:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=  user=sssd_5

[root@lab ~]# tailf /var/log/audit/audit.log

type=USER_AUTH msg=audit(1498332641.906:164744): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:authentication acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1498332641.906:164745): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:accounting acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1498332641.906:164745): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:accounting acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1498332643.479:164746): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:session_open acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1498332643.479:164747): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:setcred acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=CRED_DISP msg=audit(1498332666.596:164748): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:setcred acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_END msg=audit(1498332668.366:164749): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:session_close acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1498332747.664:164750): user pid=21823 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:authentication acct="sssd_5" exe="/usr/sbin/pwauth" hostname=? addr=? terminal=pts/0 res=failed'

我对 SSSD、LDAP 还很陌生,因此对上述 2 个问题的任何指示都会很有帮助。

答案1

使用以下方法修复问题 2目录服务以及相应的 LDAP 服务器证书。

对于问题 1,我尝试在部分中添加filter_users = bin条目,但仍然被过滤掉[NSS]root users (gid=uid=0)固态存储系统

相关内容