We have several EC2 instances in an IPA domain that has a trust relationship with our Active Directory domain. On the older instances, ssh does not require the Windows domain suffix. On the newer instances, however, the username is invalid and only works when the domain is added manually, or if the username was cached by logging in to one of the older instances via SSH. The problem is that sssd.conf and sshd_config are identical on both instances, as is the sssd version. The same IPA master server is used as well. The sssd logs contain nothing about the domain suffix either, even at log level 9. The secure log only contains the following:
sshd[20356]: Invalid user jgrosse from ip port 1593
sshd[20356]: input_userauth_request: invalid user jgrosse [preauth]
sshd[20356]: Postponed keyboard-interactive for invalid user jgrosse from ip port 1593 ssh2 [preauth]
sshd[20366]: pam_unix(sshd:auth): check pass; user unknown
sshd[20366]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host-ip
sshd[20356]: error: PAM: User not known to the underlying authentication module for illegal user jgrosse from host-ip
sshd[20356]: Failed keyboard-interactive/pam for invalid user jgrosse from ip port 1593 ssh2
sshd[20356]: Postponed keyboard-interactive for invalid user jgrosse from ip port 1593 ssh2 [preauth]
sshd[20356]: Connection closed by ip port 1593 [preauth]
sssd config file:
[domain/ipa-domain]
krb5_auth_timeout = 60
debug_level = 3
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa-domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = host.ipa-domain
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipamaster1.ipa-domain
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
realmd_tags = manages-system
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
[sssd]
default_domain_suffix = ad-domain
debug_level = 9
services = nss, sudo, pam, ssh
domains = ipa-domain
[nss]
filter_users = ec2-user,adm,postdrop,postfix,avahi,bin,daemon,dbus,haldaemon,halt,ldap,mail,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,radiusd,root,rpc,rpcuser,saslauth,shutdown,smmsp,sshd,sync,tcpdump,vcsa
filter_groups = ec2-user,slocate,adm,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,floppy,fuse,kmem,ldap,lock,lp,mail,man,mem,nfsnobody,nobody,nscd,ntp,root,rpc,rpcuser,saslauth,smmsp,sshd,sys,tape,tcpdump,tty,users,utempter,utmp,vcsa,video
homedir_substring = /home
[pam]
pam_id_timeout=60
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
I have run out of places to look for a difference in configuration.
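One way to see what sssd will actually try to resolve for a bare login name with the config above, as an added example that is not part of the original post: it parses a constructed excerpt of the posted sssd.conf and applies the documented semantics of default_domain_suffix and use_fully_qualified_names. Whether the suffix domain is then reachable depends on runtime trusted-subdomain discovery on each client, not on sssd.conf, which is the difference this check points you to.

```python
import configparser

# Constructed excerpt of the sssd.conf quoted in the post (values as posted).
SSSD_CONF = """\
[sssd]
default_domain_suffix = ad-domain
domains = ipa-domain

[domain/ipa-domain]
id_provider = ipa
ipa_domain = ipa-domain
use_fully_qualified_names = True
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off so values like %u@%d are safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def qualify_login(cp, login):
    """Return the name sssd will try to resolve for an ssh login name.

    A name that already carries '@domain' is used as-is; an unqualified name
    gets default_domain_suffix appended when that option is set."""
    if "@" in login:
        return login
    suffix = cp.get("sssd", "default_domain_suffix", fallback="").strip()
    return f"{login}@{suffix}" if suffix else login


def configured_domains(cp):
    """Domains listed in [sssd] domains = ..., in order."""
    return [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]


def check_name_resolution(cp):
    """Return findings describing how unqualified logins will resolve with this config."""
    findings = []
    domains = configured_domains(cp)
    suffix = cp.get("sssd", "default_domain_suffix", fallback="").strip()
    if suffix and suffix not in domains:
        # The suffix is not a configured domain, so it must be a trusted subdomain the
        # client has discovered at runtime; compare `sssctl domain-list` on both hosts.
        findings.append(f"suffix {suffix!r} is not in domains={domains}; bare logins resolve "
                        f"only if the client has discovered it as a trusted subdomain")
    for d in domains:
        sec = f"domain/{d}"
        if cp.getboolean(sec, "use_fully_qualified_names", fallback=False) and not suffix:
            findings.append(f"{d}: use_fully_qualified_names=True with no default_domain_suffix; "
                            f"bare logins will be rejected")
    return findings
```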