We recently started using Windows Active Directory users to enable access to our Linux machines. The method chosen is kerberos+samba+sssd, and it works well.
Our next step is to allow certain AD groups to have sudo rights, and we have to do this without adding unix attributes to our Active Directory (this restriction comes from above the department, nothing can be done about it).
Before I started enabling it on every machine, I did some tests on a new machine and everything worked fine, but after replicating the configuration on the remaining machines, no user has sudo rights.
These are the files:
/etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24h
renew_lifetime = 7d
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = 172.20.10.12
default_domain = DOMAIN.COM
}
[kdc]
profile = /etc/krb5kdc/kdc.conf
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
/etc/samba/smb.conf (there is more in the file, but it is not relevant)
[global]
workgroup = DOMAINWORKGROUP
security = ads
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = DOMAIN.COM
idmap config * : range = 3000-9999
idmap config * : backend = tdb
idmap config DOMAIN : range = 10000-19999
idmap config DOMAIN : backend = nss
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domains = DOMAIN.COM
[nss]
[pam]
[domain/domain.com]
id_provider = ad
auth_provider= ad
access_provider = simple
default_shell = /bin/bash
fallback_homedir = /home/%u
ldap_id_mapping = true
simple_allow_groups = produ
/etc/nsswitch.conf (mostly default configuration)
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
sudoers: files
/etc/sudoers (only the group permission is set here, the rest of the file is default)
%produ ALL=(ALL) ALL
This is the content of /var/log/secure on the test machine, where sudo works:
Apr 1 12:16:58 testlinuxauth sshd[795]: Authorized to pgarcia, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
Apr 1 12:16:58 testlinuxauth sshd[795]: Accepted gssapi-with-mic for pgarcia from 172.19.20.35 port 53139 ssh2
Apr 1 12:16:58 testlinuxauth sshd[795]: pam_unix(sshd:session): session opened for user pgarcia by (uid=0)
Apr 1 12:17:03 testlinuxauth sudo: pam_sss(sudo:auth): authentication success; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr 1 12:17:03 testlinuxauth sudo: pgarcia : TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Apr 1 12:17:03 testlinuxauth sudo: pam_unix(sudo:session): session opened for user root by pgarcia(uid=0)
Apr 1 12:17:03 testlinuxauth sudo: pam_unix(sudo:session): session closed for user root
This is the content of the same file on another machine where sudo does not work:
Apr 1 12:09:34 em13 sshd[30061]: Authorized to pgarcia, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
Apr 1 12:09:34 em13 sshd[30061]: Accepted gssapi-with-mic for pgarcia from 172.19.20.35 port 53031 ssh2
Apr 1 12:09:34 em13 sshd[30061]: pam_unix(sshd:session): session opened for user pgarcia by (uid=0)
Apr 1 12:09:49 em13 sudo: pam_unix(sudo:auth): authentication failure; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr 1 12:09:49 em13 sudo: pam_ldap(sudo:auth): error reading from nslcd: Connection restarted by the remote machine <- I had to translate this, so maybe it is not accurate at all?
Apr 1 12:09:53 em13 sudo: pam_unix(sudo:auth): conversation failed
Apr 1 12:09:53 em13 sudo: pam_unix(sudo:auth): auth could not identify password for [pgarcia]
Apr 1 12:09:53 em13 sudo: pam_ldap(sudo:auth): failed to get password: Authentication token tampering error <- I had to translate this too
Apr 1 12:09:53 em13 sudo: pgarcia : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Note: pgarcia is my user and a member of the produ group.
The configuration files are the same on both machines. So clearly I am missing something I did on the test machine, but I cannot find what or where. I have read many questions here and solutions on other sites (including the Red Hat documentation), with no luck at all. Not sure why pam_sss takes care of sudo on the first machine, but I guess that's what I need for it to succeed?
Thank you all
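An added diagnostic, not part of the original post: the two logs above differ in which PAM module answers sudo's auth request (pam_sss on the working host, pam_ldap talking to nslcd on the failing one), and that is decided by /etc/pam.d, which is not among the files listed. The script below reads a host's PAM "auth" stack for the sudo service (following one level of include/substack, as the RHEL system-auth layout does) and its nsswitch sudoers line, so two hosts can be compared side by side. Function names are hypothetical, and the two sample trees are constructed here to mirror the post's working and failing hosts; point the functions at / to inspect a real machine.

```shell
#!/bin/sh
# Constructed example: inspect which PAM modules sudo's auth stack reaches and
# which nsswitch sources serve "sudoers", under a given config root ("/" on a
# real host, or a copied/test tree). Helper names are hypothetical.

# Print the pam_*.so modules of <service>'s auth stack under <root>, in order,
# expanding one level of "auth include X" / "auth substack X".
pam_auth_modules() {
    root="$1"; service="${2:-sudo}"
    file="$root/etc/pam.d/$service"
    [ -r "$file" ] || return 1
    awk -v root="$root" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 != "auth" { next }
        $2 == "include" || $2 == "substack" {
            inc = root "/etc/pam.d/" $3
            while ((getline line < inc) > 0)
                if (line ~ /^auth/) print line
            close(inc); next
        }
        { print }
    ' "$file" | grep -oE 'pam_[A-Za-z0-9_]+\.so' | awk '!seen[$0]++'
}

# Print the sources listed for "sudoers:" in nsswitch.conf; sudo falls back to
# "files" when the line is absent, so report that in the same case.
sudoers_sources() {
    src=$(awk '$1 == "sudoers:" { $1 = ""; print; exit }' "$1/etc/nsswitch.conf" 2>/dev/null)
    printf '%s\n' "${src:-files}" | sed 's/^[ \t]*//'
}

# One-word verdict: which directory backend sudo's auth stack actually uses.
sudo_auth_backend() {
    mods=$(pam_auth_modules "$1" sudo) || { echo "no-pam-config"; return; }
    case "$mods" in
        *pam_sss.so*)  echo "sss" ;;
        *pam_ldap.so*) echo "ldap" ;;
        *)             echo "local-only" ;;
    esac
}

# Constructed sample trees: "working" has a system-auth generated for sssd,
# "failing" still carries a pam_ldap stack (the pattern the post's logs show).
make_sample_tree() {
    t=$(mktemp -d)
    for host in working failing; do
        mkdir -p "$t/$host/etc/pam.d"
        printf 'auth include system-auth\naccount include system-auth\n' > "$t/$host/etc/pam.d/sudo"
        printf 'passwd: files sss\ngroup: files sss\nsudoers: files\n' > "$t/$host/etc/nsswitch.conf"
    done
    cat > "$t/working/etc/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
    cat > "$t/failing/etc/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF
    echo "$t"
}

# Demo run over the constructed trees: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    for host in working failing; do
        printf '%s: auth backend=%s sudoers=%s modules=%s\n' "$host" \
            "$(sudo_auth_backend "$t/$host")" "$(sudoers_sources "$t/$host")" \
            "$(pam_auth_modules "$t/$host" sudo | tr '\n' ' ')"
    done
    rm -rf "$t"
fi
```

Run with --demo to see the constructed hosts side by side, or call `sudo_auth_backend /` on each real machine and diff the outputs; a host that answers "ldap" while sssd is the configured provider is relying on nslcd for sudo authentication regardless of what sssd.conf says.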