We have set up a working SSSD+Samba+Krb5 bundle for authorizing domain users on Linux machines. Authorization works, but getent group, for example, does not return the full list of users in a group, while the id command does show the specific groups the user belongs to.
Example of the id mshepelev command (the pam_nas_admins group is present):
~$ id mshepelev
uid=578290105(mshepelev) gid=1145492938(linuxadm) группы=128(vboxusers),132(libvirtd),
6990039486(exchange_terminal),45633573(domain admins),6753567(domain users),4563345(it dept base),1019817232(printer_it),
5673883(linuxadm),4356383822(buh),25472572456(pam_nas_admins)....
Example of getent group pam_nas_admins (mshepelev is not in this group):
~$ getent group pam_nas_admins
pam_nas_admins:*:6969932058:nhramchihin,apyataev,
vshuykov,isaidashev,admin,nrosnovskiy,itugunov,
malfereva,mdimitraki,izinoviev,gkulakov,mcherenkov,kfomchenko,mkotov,aromanovskiy
Update
The same thing happens on another computer, but the other way round for user isaidashev. The id command returns the full list, and getent group pam_nas_admins returns everyone except the user himself (the output contains the mshepelev user but not the isaidashev user).
Here are the config files: /etc/krb5.conf
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = example.com
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
#add
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 2d
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
example.com = {
kdc = dc2012.example.com
kdc = echo.example.com
kdc = artemis.example.com
admin_server = dc2012.example.com
default_domain = example.com
}
[domain_realm]
.example.com = example.com
example.com = example.com
[login]
krb4_convert = false
krb4_get_tickets = false
/etc/samba/smb.conf
cat /etc/samba/smb.conf
[global]
workgroup = example
security = ADS
## Full domain name
realm = example.com
security = user
kerberos method = system keytab
log file = /var/log/samba/log.%m
log level = 10
max log size = 50
load printers = no
cups options = raw
printcap name = /dev/null
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config example.com : backend = rid
idmap config example.com : range = 300000-499999
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
# Printer settings (support disabled)
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
/etc/sssd/sssd.conf
cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
debug_level = 7
[nss]
#allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash
debug_level = 7
entry_cache_timeout = 2
enum_cache_timeout = 5
[domain/example.com]
enumerate = true
debug_level = 7
ad_domain = example.com
krb5_realm = example.com
krb5_store_password_if_offline = True
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
access_provider = ad
#ldap_id_mapping = True
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u
krb5_validate = false
/etc/nsswitch.conf
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
/etc/realmd.conf
cat /etc/realmd.conf
[active-directory]
os-name = exampleBuntu
os-version = 16.04
[service]
automatic-install = no
[users]
default-home = /home/%u
default-shell = /bin/bash
[example.com]
user-principal = yes
fully-qualified-names = no
Below are the log files. For some reason sssd_domain.log reports that port 389 is not available, but in fact it is open
~$ nslookup -type=srv _ldap._tcp.example.com
Server: 10.20.20.1
Address: 10.20.20.1#53
_ldap._tcp.example.com service = 0 100 389 echo.example.com.
_ldap._tcp.example.com service = 0 100 389 artemis.example.com.
_ldap._tcp.example.com service = 0 100 389 dc2012.example.com.
Checking the ports separately
~$ nc -zv example.com 389
Connection to example.com 389 port [tcp/ldap] succeeded!
mshepelev@example480:~$ nc -zv dc2012 389
Connection to dc2012 389 port [tcp/ldap] succeeded!
mshepelev@example480:~$ nc -zv artemis 389
Connection to artemis 389 port [tcp/ldap] succeeded!
/etc/var/log/sssd/sssd_example.com.log
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server artemis.example.com: [10.30.0.3] TTL 3600
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_primary_server_timeout_activate] (0x0400): The primary server reconnection is already scheduled
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 31
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158218](Authentication Failed)
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'artemis.example.com' as 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'artemis.example.com' as 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server 'dc2012.example.com' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.example.com' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server 'echo.example.com' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'echo.example.com' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server 'artemis.example.com' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'artemis.example.com' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [child_sig_handler] (0x1000): Waiting for child [1814].
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [child_sig_handler] (0x0100): child [1814] finished successfully.
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1499163660]
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_dyndns_get_addrs_done] (0x0080): No LDAP server is available, dynamic DNS update is skipped in offline mode.
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul 4 13:19:58 2017) [sssd[be[example.com]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul 4 13:19:59 2017) [sssd[be[example.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.example.com], [2][No such file or directory]
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [be_primary_server_timeout] (0x0400): Looking for primary server!
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server 'dc2012.example.com' is 'name resolved'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.example.com' is 'not working'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [get_port_status] (0x0100): Reseting the status of port 389 for server 'dc2012.example.com'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server 'dc2012.example.com' is 'name resolved'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server dc2012.example.com: [10.20.20.1] TTL 3600
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc2012.example.com'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc2012.example.com'
(Tue Jul 4 13:20:29 2017) [sssd[be[example.com]]] [be_run_reconnect_cb] (0x0400): Reconnecting. Running callbacks.
/var/log/sssd/krb5_child.log
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child started.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x1000): total buffer size: [126]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019815042] gid [1019817477] validate [false] enterprise principal [true] offline [false] UPN [[email protected]]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019815042_n1SyC3] keytab: [/etc/krb5.keytab]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_setup] (0x0100): Not using FAST.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): Will perform online auth
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [example.com]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0100): TGT validation is disabled.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child completed successfully
/var/log/sssd/ldap_child.log
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0400): ldap_child completed successfully
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child started.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): total buffer size: 31
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): realm_str size: 8
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got realm_str: example.com
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): princ_str size: 7
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got princ_str: example480$
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child completed successfully
/var/log/sssd/sssd_nss.log
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!