安装 sssd

Question

抽象的

经过多次尝试和错误，我发现我需要一个用于 gssapi 的包和四个用于 sssd 的包。我希望将常规配置集中起来，因此我使用本地私有 DNS 服务器进行名称、服务器名称和服务名称解析。因此，我首先在客户端上检查这一点。如果 DNS 服务器上没有它，您可以在每个客户端上将其全部定义为本地。我已经对其进行了注释。为了避免安装不需要的附加包，我总是对 Debian **apt** 使用选项 `--no-install-recommends`。

准备 Kerberos 客户端

首先使用“sudo klist -ke”确保您拥有有效的“/etc/krb5.keytab”。如果没有，则创建一个：

rpi ~$ sudo kadmin -p user/admin
kadmin:  addprinc -policy host -randkey host/<hostname>.example.com
kadmin:  ktadd host/<hostname>.example.com
kadmin:  q

安装 GNOME 或 Xfce 等图形用户界面后，我遇到了名称解析问题。ssd 的无法使用example.com我的扩展 DNS 名称解析来解析 DNS 域，因此它找不到 Kerberos 和 LDAP 服务器，登录失败并显示错误消息Authentication failure。有时，由于缓存的登录数据，这可能会起作用，但1970-01-01显示的Kerberos 票证数据无效klist。根据Debian 主机名解析你应该有一个像这样的条目/etc/hosts：

127.0.1.1    <hostname>.example.com    <hostname>

如果你有神经胶质细胞正在为名称服务运行的缓存，然后卸载它。我们不能使用它，因为ssd 的也会这么做。

~$ sudo systemctl disable --now nscd.service
~$ sudo apt purge nscd
~$ sudo apt-mark hold nscd

安装针对 Kerberos 进行身份验证和测试所需的 SASL/GSSAPI 模块和帮助程序：

~$ sudo apt --no-install-recommends install libsasl2-modules-gssapi-mit dnsutils ldap-utils

# check DNS resolution; must resolve full qualified dns names
~$ dig +noall +answer $(hostname -f)
~$ dig +noall +answer -x $(hostname -I)

# Check Kerberos server and LDAP server
~$ dig +noall +answer ldap-primary.example.com
~$ dig +noall +answer kdc-master.example.com

# Query for kerberos service (response: kdc10-1.example.com on port 88)
~$ dig +noall +answer SRV _kerberos._udp.example.com
_kerberos._udp.example.com 38400 IN SRV   0 0 88 kdc10-1.example.com.
# Query for ldap service (response: kdc10-1.example.com on port 389)
~$ dig +noall +answer SRV _ldap._tcp.example.com
_ldap._tcp.example.com. 38400 IN SRV   0 0 389 kdc10-1.example.com.

# Check if the sssd.service can access the LDAP-server. It uses this principal
~$ sudo kinit -k host/<hostname>.example.com
~$ sudo ldapsearch -Y GSSAPI -LLL -H ldap://ldap-primary.example.com -b "ou=home,dc=example,dc=com" "(cn=ingo)" uid cn
SASL/GSSAPI authentication started
SASL username: host/<hostname>[email protected]
SASL SSF: 256
SASL data security layer installed.
dn: cn=ingo,ou=group,ou=home,dc=example,dc=com
cn: ingo

dn: uid=ingo,ou=people,ou=home,dc=example,dc=com
uid: ingo
cn: Ingo

安装 sssd

我们只需要四个包来提供 ldap、krb5、名称服务和 pam 所需的所有服务：

~$ sudo apt --no-install-recommends install sssd-ldap sssd-krb5 libnss-sss libpam-sss

剩下的就是配置/etc/sssd/sssd.conf。我用的是这个：

~$ sudo cat /etc/sssd/sssd.conf
[sssd]
# debug log files in /var/log/sssd/
#debug_level = 7
config_file_version = 2
domains = HOME
# don't set services on Debian Bullseye. It's managed there
# by sssd-nss.socket and sssd-pam-priv.socket
services = nss, pam

[nss]
#debug_level = 7

[pam]
#debug_level = 7

[domain/HOME]
#debug_level = 7
# Set enumerate only for debugging, never for production!
#enumerate = TRUE

id_provider = ldap
# If you haven't a SRV record in DNS for the server then set it here
#ldap_uri = ldap://ldap-primary.example.com
# SRV record for backup server isn't supported. We have to set it always.
ldap_backup_uri = ldap://ldap-secondary.example.com
ldap_search_base = ou=home,dc=example,dc=com
ldap_sasl_mech = gssapi

auth_provider = krb5
chpass_provider = krb5
# Maybe I want to use the .k5login file in the home directory of the user
access_provider = krb5

# If you haven't a SRV record in DNS for the server then set it here
#krb5_server = kdc-master.example.com
# SRV record for backup server isn't supported. We have to set it always.
krb5_backup_server = kdc-replica.example.com
# If the authid isn't the first entry in /etc/krb5.keytab then set it here
#ldap_sasl_authid = host/<hostname>[email protected]
# krb5_realm must always be set here. There is no look at `/etc/krb5.conf`
krb5_realm = EXAMPLE.COM
#krb5_renewable_lifetime = 3d
krb5_renew_interval = 1h

# I don't use this
sudo_provider = none
autofs_provider = none

cache_credentials = TRUE

不要忘记保护 sssd.conf，否则 sssd 将无法启动：

~$ sudo chmod 600 /etc/sssd/sssd.conf
~$ sudo systemctl restart sssd.service

检查操作系统是否从ldap目录获取账户信息，确保查询的用户账户只在ldap目录中，而不是在本地文件中。查询的来源由用户id后面的字符表示。

:x:   from local files (/etc/passwd and /etc/group)
:*:   from the ldap directory

确保你得到:*:。

~$ getent passwd ingo
ingo:*:1000:1000:Ingo:/home/ingo:/bin/bash
~$ getent group ingo
ingo:*:1000:

设置登录的 pam 认证：

~$ sudo pam-auth-update
[*] Unix authentication
[*] SSS authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

并检查新用户登录：

~$ ~$ su -l ingo
Password:
Creating directory '/home/ingo'.
ingo:~$ klist
ingo:~$ logout
~$

为了测试 sssd.conf 中的设置，您必须知道 sssd 正在缓存许多数据，因此更改不会立即生效。这非常令人困惑。因此，我/var/lib/sss/db/在修改 sssd.conf 后删除了包含缓存信息的文件。我以 root 身份使用了以下一行代码：

~# systemctl stop sssd.service && rm /var/lib/sss/db/* && systemctl start sssd.service

Answer 1

抽象的

经过多次尝试和错误，我发现我需要一个用于 gssapi 的包和四个用于 sssd 的包。我希望将常规配置集中起来，因此我使用本地私有 DNS 服务器进行名称、服务器名称和服务名称解析。因此，我首先在客户端上检查这一点。如果 DNS 服务器上没有它，您可以在每个客户端上将其全部定义为本地。我已经对其进行了注释。为了避免安装不需要的附加包，我总是对 Debian **apt** 使用选项 `--no-install-recommends`。

准备 Kerberos 客户端

首先使用“sudo klist -ke”确保您拥有有效的“/etc/krb5.keytab”。如果没有，则创建一个：

rpi ~$ sudo kadmin -p user/admin
kadmin:  addprinc -policy host -randkey host/<hostname>.example.com
kadmin:  ktadd host/<hostname>.example.com
kadmin:  q

安装 GNOME 或 Xfce 等图形用户界面后，我遇到了名称解析问题。ssd 的无法使用example.com我的扩展 DNS 名称解析来解析 DNS 域，因此它找不到 Kerberos 和 LDAP 服务器，登录失败并显示错误消息Authentication failure。有时，由于缓存的登录数据，这可能会起作用，但1970-01-01显示的Kerberos 票证数据无效klist。根据Debian 主机名解析你应该有一个像这样的条目/etc/hosts：

127.0.1.1    <hostname>.example.com    <hostname>

如果你有神经胶质细胞正在为名称服务运行的缓存，然后卸载它。我们不能使用它，因为ssd 的也会这么做。

~$ sudo systemctl disable --now nscd.service
~$ sudo apt purge nscd
~$ sudo apt-mark hold nscd

安装针对 Kerberos 进行身份验证和测试所需的 SASL/GSSAPI 模块和帮助程序：

~$ sudo apt --no-install-recommends install libsasl2-modules-gssapi-mit dnsutils ldap-utils

# check DNS resolution; must resolve full qualified dns names
~$ dig +noall +answer $(hostname -f)
~$ dig +noall +answer -x $(hostname -I)

# Check Kerberos server and LDAP server
~$ dig +noall +answer ldap-primary.example.com
~$ dig +noall +answer kdc-master.example.com

# Query for kerberos service (response: kdc10-1.example.com on port 88)
~$ dig +noall +answer SRV _kerberos._udp.example.com
_kerberos._udp.example.com 38400 IN SRV   0 0 88 kdc10-1.example.com.
# Query for ldap service (response: kdc10-1.example.com on port 389)
~$ dig +noall +answer SRV _ldap._tcp.example.com
_ldap._tcp.example.com. 38400 IN SRV   0 0 389 kdc10-1.example.com.

# Check if the sssd.service can access the LDAP-server. It uses this principal
~$ sudo kinit -k host/<hostname>.example.com
~$ sudo ldapsearch -Y GSSAPI -LLL -H ldap://ldap-primary.example.com -b "ou=home,dc=example,dc=com" "(cn=ingo)" uid cn
SASL/GSSAPI authentication started
SASL username: host/<hostname>[email protected]
SASL SSF: 256
SASL data security layer installed.
dn: cn=ingo,ou=group,ou=home,dc=example,dc=com
cn: ingo

dn: uid=ingo,ou=people,ou=home,dc=example,dc=com
uid: ingo
cn: Ingo

安装 sssd

我们只需要四个包来提供 ldap、krb5、名称服务和 pam 所需的所有服务：

~$ sudo apt --no-install-recommends install sssd-ldap sssd-krb5 libnss-sss libpam-sss

剩下的就是配置/etc/sssd/sssd.conf。我用的是这个：

~$ sudo cat /etc/sssd/sssd.conf
[sssd]
# debug log files in /var/log/sssd/
#debug_level = 7
config_file_version = 2
domains = HOME
# don't set services on Debian Bullseye. It's managed there
# by sssd-nss.socket and sssd-pam-priv.socket
services = nss, pam

[nss]
#debug_level = 7

[pam]
#debug_level = 7

[domain/HOME]
#debug_level = 7
# Set enumerate only for debugging, never for production!
#enumerate = TRUE

id_provider = ldap
# If you haven't a SRV record in DNS for the server then set it here
#ldap_uri = ldap://ldap-primary.example.com
# SRV record for backup server isn't supported. We have to set it always.
ldap_backup_uri = ldap://ldap-secondary.example.com
ldap_search_base = ou=home,dc=example,dc=com
ldap_sasl_mech = gssapi

auth_provider = krb5
chpass_provider = krb5
# Maybe I want to use the .k5login file in the home directory of the user
access_provider = krb5

# If you haven't a SRV record in DNS for the server then set it here
#krb5_server = kdc-master.example.com
# SRV record for backup server isn't supported. We have to set it always.
krb5_backup_server = kdc-replica.example.com
# If the authid isn't the first entry in /etc/krb5.keytab then set it here
#ldap_sasl_authid = host/<hostname>[email protected]
# krb5_realm must always be set here. There is no look at `/etc/krb5.conf`
krb5_realm = EXAMPLE.COM
#krb5_renewable_lifetime = 3d
krb5_renew_interval = 1h

# I don't use this
sudo_provider = none
autofs_provider = none

cache_credentials = TRUE

不要忘记保护 sssd.conf，否则 sssd 将无法启动：

~$ sudo chmod 600 /etc/sssd/sssd.conf
~$ sudo systemctl restart sssd.service

检查操作系统是否从ldap目录获取账户信息，确保查询的用户账户只在ldap目录中，而不是在本地文件中。查询的来源由用户id后面的字符表示。

:x:   from local files (/etc/passwd and /etc/group)
:*:   from the ldap directory

确保你得到:*:。

~$ getent passwd ingo
ingo:*:1000:1000:Ingo:/home/ingo:/bin/bash
~$ getent group ingo
ingo:*:1000:

设置登录的 pam 认证：

~$ sudo pam-auth-update
[*] Unix authentication
[*] SSS authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

并检查新用户登录：

~$ ~$ su -l ingo
Password:
Creating directory '/home/ingo'.
ingo:~$ klist
ingo:~$ logout
~$

为了测试 sssd.conf 中的设置，您必须知道 sssd 正在缓存许多数据，因此更改不会立即生效。这非常令人困惑。因此，我/var/lib/sss/db/在修改 sssd.conf 后删除了包含缓存信息的文件。我以 root 身份使用了以下一行代码：

~# systemctl stop sssd.service && rm /var/lib/sss/db/* && systemctl start sssd.service

安装 sssd

答案1

抽象的

准备 Kerberos 客户端

安装 sssd

相关内容