sssd 活动目录密码集成不起作用

我们正在设置 sssd 以便使用以下配置与活动目录一起使用。

我们不使用属性映射，因为我们想使用 AD ldap 对象中定义的属性，例如自定义 uid、unixHomeDirectory 和公钥等。

sssd.conf：

[sssd]
domains = company.domain
config_file_version = 2
services = nss, pam, sudo, ssh
debug_level = 6

[domain/sew.online]
ad_hostname = EXAMPLESERVER01 #This is templated using ansible
ad_domain = company.domain
krb5_realm = COMPANY.DOMAIN
krb5_store_password_if_offline = true
use_fully_qualified_names = false
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
lookup_family_order = ipv4_only
cache_credentials = true
dns_discovery_domain = {{ prod_domain_name }}
create_homedir = true
auto_private_groups = true
ad_gpo_access_control = permissive
ad_gpo_cache_timeout = 30
ad_site = SITENAME
case_sensitive = false
enumerate = false
default_shell = /bin/bash
ldap_schema = ad
ldap_id_mapping = False
ldap_user_shell = loginShell
ldap_user_principal = samAccountName
ldap_user_ssh_public_key = altSecurityIdentities
ldap_user_home_directory = unixHomeDirectory
fallback_homedir = /home/%u

ldap_force_upper_case_realm = true
ldap_purge_cache_timeout = 0
ldap_account_expire_policy = ad
ldap_group_search_base = DN=etc...
ldap_user_search_base = DN=etc...
debug_level = 6

[nss]
fallback_homedir = /home/%u
reconnection_retries = 3
debug_level = 6

[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 10
offline_failed_login_delay = 30
pam_verbosity = 3
pam_id_timeout = 10
pam_pwd_expiration_warning = 30
reconnection_retries = 3
debug_level = 6

krb5配置文件

[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = COMPANY.DOMAIN
ticket_lifetime = 1d
renew_lifetime = 7d
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
allow_weak_crypto = false
permitted_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
kdc_timesync = 1
kdc_timeout = 3000
forwardable = true
renewable = true
proxiable = true
udp_preference_limit = 1
rnds = false

这里是各种 sssd 日志文件的 pastebin： https://pastebin.com/2P58uybg

日志显示已经成功登录（通过 sshd 和公钥认证）的域用户尝试运行sudo bash

除密码外，广告集成可按预期运行：

• 用户可以使用其 sAMAccountName 登录
• 如果我运行 id username，您可以从活动目录中看到用户名的组及其 gid
• 计算机对象（使用 adcli 添加）显示在活动目录中
• 计算机 SPN 似乎有一个有效的 Kerberos 票证

作为故障排除步骤，我在域控制器上配置了 LDAPS，并将内部信任的证书添加到 ubuntu 的 ca 存储中。

我已经查看了 sudo 日志（非常详细），它显示该组成功匹配并允许用户 sudo。

任何帮助均感激不尽。

编辑：

主机操作系统：Ubuntu 18.04

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

为 ansible 角色安装的软件包：

• 安德克利
• krb5-用户
• ssd 的
• sssd 工具
• sssd-ad
• sssd-krb5
• python3-sss
• libpam-sss
• 库nss-ss
• libsss-sudo