Enabling Windows Active Directory groups in the sudoers file

We recently started enabling access to our Linux machines for Windows Active Directory users. The chosen method is kerberos+samba+sssd, and it works well.

Our next step is to allow certain AD groups to have sudo rights, and we have to do this without adding Unix attributes to our Active Directory (this restriction comes from above the department; nothing can be done about it).

Before I started enabling it on every machine, I did some tests on a new machine and everything worked, but after replicating the configuration on the rest of the machines, no user has sudo rights.

These are the files:

/etc/krb5.conf

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 default_realm = DOMAIN.COM

[realms]
 DOMAIN.COM = {
  kdc = 172.20.10.12
  default_domain = DOMAIN.COM
 }

[kdc]
profile = /etc/krb5kdc/kdc.conf

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

/etc/samba/smb.conf (there is more in the file, but it is not relevant)

[global]
        workgroup = DOMAINWORKGROUP
        security = ads
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        realm = DOMAIN.COM
        idmap config * : range = 3000-9999
        idmap config * : backend = tdb
        idmap config DOMAIN : range = 10000-19999
        idmap config DOMAIN : backend = nss

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss,pam
domains = DOMAIN.COM

[nss]

[pam]

[domain/domain.com]
id_provider = ad
auth_provider = ad
access_provider = simple

default_shell = /bin/bash
fallback_homedir = /home/%u

ldap_id_mapping = true
simple_allow_groups = produ

/etc/nsswitch.conf (mostly default configuration)

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers: files

/etc/sudoers (only the group permission is set here; the rest of the file is default)

%produ ALL=(ALL) ALL

This is the content of /var/log/secure on the test machine, where sudo works:

Apr  1 12:16:58 testlinuxauth sshd[795]: Authorized to pgarcia, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
Apr  1 12:16:58 testlinuxauth sshd[795]: Accepted gssapi-with-mic for pgarcia from 172.19.20.35 port 53139 ssh2
Apr  1 12:16:58 testlinuxauth sshd[795]: pam_unix(sshd:session): session opened for user pgarcia by (uid=0)
Apr  1 12:17:03 testlinuxauth sudo: pam_sss(sudo:auth): authentication success; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr  1 12:17:03 testlinuxauth sudo: pgarcia : TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Apr  1 12:17:03 testlinuxauth sudo: pam_unix(sudo:session): session opened for user root by pgarcia(uid=0)
Apr  1 12:17:03 testlinuxauth sudo: pam_unix(sudo:session): session closed for user root

This is the content of the same file on another machine, where sudo does not work:

Apr  1 12:09:34 em13 sshd[30061]: Authorized to pgarcia, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
Apr  1 12:09:34 em13 sshd[30061]: Accepted gssapi-with-mic for pgarcia from 172.19.20.35 port 53031 ssh2
Apr  1 12:09:34 em13 sshd[30061]: pam_unix(sshd:session): session opened for user pgarcia by (uid=0)
Apr  1 12:09:49 em13 sudo: pam_unix(sudo:auth): authentication failure; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost=  user=pgarcia
Apr  1 12:09:49 em13 sudo: pam_ldap(sudo:auth): error reading from nslcd: Connection restarted by the remote machine <- I had to translate this, so it may not be accurate at all
Apr  1 12:09:53 em13 sudo: pam_unix(sudo:auth): conversation failed
Apr  1 12:09:53 em13 sudo: pam_unix(sudo:auth): auth could not identify password for [pgarcia]
Apr  1 12:09:53 em13 sudo: pam_ldap(sudo:auth): failed to get password: Authentication token tampering error <- I had to translate this one too
Apr  1 12:09:53 em13 sudo: pgarcia : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd

Note: pgarcia is my user and a member of the produ group.

The configuration files on both machines are identical. So clearly I am missing something I did on the test machine, but I cannot find what or where. I have read many questions here and solutions on other sites (including the Red Hat documentation), with no luck at all. I am not sure why pam_sss is the one handling sudo on the first machine, but I guess that is what I need in order to succeed?

Thank you all
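Reading the two excerpts side by side: on the failing host sudo logs `1 incorrect password attempt`, which it only does after a sudoers rule has matched and a password prompt has been issued (an unmatched user is logged as `user NOT in sudoers`), so the `%produ` rule is resolving fine there too. What differs is which PAM module answers the `sudo:auth` request: `pam_sss` on the working host, `pam_unix` followed by `pam_ldap` talking to nslcd on the broken one. The script below is an added example, not part of the original question, that triages `/var/log/secure`-style lines per host along exactly those two axes. The embedded log lines are constructed to mirror the excerpts above; the extra `em14` host with a `user NOT in sudoers` line is an assumed case added for illustration.

```shell
#!/bin/sh
# Added example (not from the original question): triage sudo failures from
# /var/log/secure-style lines, one verdict per host. It answers two things the
# question raises: did the %group sudoers rule match at all, and which PAM
# module answered the sudo:auth request.
#
# SAMPLE_LOG is constructed to mirror the two excerpts in the question; the
# em14 "user NOT in sudoers" line is an assumed extra case for illustration.
SAMPLE_LOG='Apr  1 12:17:03 testlinuxauth sudo: pam_sss(sudo:auth): authentication success; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr  1 12:17:03 testlinuxauth sudo: pgarcia : TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Apr  1 12:09:49 em13 sudo: pam_unix(sudo:auth): authentication failure; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost=  user=pgarcia
Apr  1 12:09:49 em13 sudo: pam_ldap(sudo:auth): error reading from nslcd: Connection restarted by the remote machine
Apr  1 12:09:53 em13 sudo: pam_ldap(sudo:auth): failed to get password: Authentication token tampering error
Apr  1 12:09:53 em13 sudo: pgarcia : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Apr  1 12:30:00 em14 sudo: pgarcia : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd'

# Log text to analyse. Set SUDO_LOG in the environment to use a real log:
#   SUDO_LOG=$(grep ' sudo: ' /var/log/secure) sh triage.sh
: "${SUDO_LOG:=$SAMPLE_LOG}"

# pam_modules HOST: PAM modules that logged a sudo:auth result on HOST,
# de-duplicated, in order of first appearance (e.g. "pam_unix pam_ldap").
# Syslog fields: $1 $2 $3 = timestamp, $4 = host, $5 = "sudo:", $6 = module.
pam_modules() {
    printf '%s\n' "$SUDO_LOG" |
        awk -v h="$1" '
            $4 == h && $5 == "sudo:" && $6 ~ /^pam_[a-z_]+\(sudo:auth\):$/ {
                m = $6; sub(/\(.*/, "", m)
                if (!(m in seen)) { seen[m] = 1; out = out (out ? " " : "") m }
            }
            END { print out }'
}

# sudo_outcome HOST: what sudo did with the logged command on HOST:
#   ok           a sudoers rule matched and the command ran
#   auth-failed  a rule matched (sudo prompted) but PAM rejected the password
#   no-rule      sudo matched no sudoers entry for the user
#   none         no sudo command line seen for HOST
sudo_outcome() {
    printf '%s\n' "$SUDO_LOG" |
        awk -v h="$1" '
            $4 == h && $5 == "sudo:" && / ; COMMAND=/ {
                if (/user NOT in sudoers/)             r = "no-rule"
                else if (/incorrect password attempt/) r = "auth-failed"
                else                                   r = "ok"
            }
            END { print (r ? r : "none") }'
}

# report: one line per host that has any sudo log entry.
report() {
    printf '%s\n' "$SUDO_LOG" | awk '$5 == "sudo:" { print $4 }' | sort -u |
        while read -r host; do
            printf '%-14s outcome=%-11s pam=%s\n' \
                "$host" "$(sudo_outcome "$host")" "$(pam_modules "$host")"
        done
}

report
```

A host that reports `auth-failed` with no `pam_sss` in its module list is using a different PAM stack for sudo than the working host, regardless of how identical `sssd.conf` looks; the modules in that list come from `/etc/pam.d/sudo` and whatever it includes, so that is the next file to diff between the two machines. A host reporting `no-rule` has the opposite problem: NSS is not returning the AD group for the user, so `getent group produ` is the check to run there.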