sssd credential caching does not work

I set up CentOS 7 with sssd as the authentication system. User identities are provided by files (passwd/group, managed by Ansible); authentication is done via krb5 (provided by Active Directory).

sssd.conf looks like this:

[sssd]
domains = OURADDOMAIN
services = nss, pam

[domain/OURADDOMAIN]
id_provider = files
auth_provider = krb5
krb5_server = our_domain_controller
krb5_realm = OURADDOMAIN
cache_credentials = true

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

This works fine while online, no problems, but when I disconnect the network, login fails. When a login succeeds, I see the following in /var/log/secure:

Apr 21 10:18:17 authtestel7 unix_chkpwd[11986]: password check failed for user (testuser)
Apr 21 10:18:17 authtestel7 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
Apr 21 10:18:17 authtestel7 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser
Apr 21 10:18:17 authtestel7 login: pam_unix(login:session): session opened for user testuser by LOGIN(uid=0)
Apr 21 10:18:17 authtestel7 login: LOGIN ON tty1 BY testuser

When a login fails, it looks like this:

Apr 21 10:18:52 authtestel7 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
Apr 21 10:18:52 authtestel7 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser
Apr 21 10:18:52 authtestel7 login: pam_sss(login:auth): received for user testuser: 6 (Permission denied)
Apr 21 10:18:54 authtestel7 login: FAILED LOGIN 1 FROM tty1 FOR testuser, Authentication failure

When I set the debug level to 4 in sssd.conf, I see the following line in sssd_pam.log:

(2021-04-21 10:18:52): [pam] [sysdb_cache_auth] (0x0100): Cached user entry is too old.

But the cache files are updated every time testuser logs in:

[root@authtestel7 ~]# ls -lrt /var/lib/sss/db/
insgesamt 8800
-rw-------. 1 root root 1286144  6. Apr 16:56 sssd.ldb
-rw-------. 1 root root 1609728  6. Apr 16:57 timestamps_files.ldb
-rw-------. 1 root root 1609728  6. Apr 16:57 cache_files.ldb
-rw-------. 1 root root 1286144 21. Apr 10:17 config.ldb
-rw-------. 1 root root 1609728 21. Apr 10:17 timestamps_OURDOMAIN.ldb
-rw-------. 1 root root 1609728 21. Apr 10:18 cache_OURDOMAIN.ldb

Any idea what is wrong here?

Answer 1

I don't know Kerberos, but for AD you need to structure your config file like this:

[sssd]
domains = foo.com,files
config_file_version = 2
services = nss, pam

[nss]
#debug_level = 9

[pam]
offline_credentials_expiration = 87

[domain/ad.uillinois.edu]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
account_cache_expiration = 90
krb5_realm = foo.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = foo.com
ldap_id_mapping = False
access_provider = ad
auth_provider = ad
chpass_provider = ad
use_fully_qualified_names = False
simple_allow_groups = mygroup, yourgroup
ad_gpo_access_control = Permissive

[domain/files]
id_provider = files

Note the list of two domains, AD and files, in [sssd]. You must have that if sssd is to know to use cached credentials.
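The two configurations above differ in several settings that matter for offline login, and the thread turns on three of them: whether each `[domain/...]` section is actually named in `[sssd] domains`, whether a domain with a network `auth_provider` has `cache_credentials = true`, and how `[pam] offline_credentials_expiration` (in days, 0 meaning never expire) relates to the per-domain `account_cache_expiration`, which sssd.conf(5) requires to be greater than or equal to it. The following is an added example, not code from the question, the answer or the SSSD project: a small static checker for those three points, run against constructed copies of the two posted configs (the answer's trimmed to the relevant settings). `check_offline_auth()` and `offline_expiration_days()` are hypothetical helpers written for this page.

```python
"""Static check of an sssd.conf for offline (cached-credential) login.

Added example for this page, not code from the original question or answer.
The embedded configs are constructed copies of the two posted above.
"""
import configparser
from typing import Dict, List

# Providers that authenticate against a network service; a domain using one
# of these needs cache_credentials = true for a login to succeed offline.
NETWORK_AUTH_PROVIDERS = {"krb5", "ad", "ipa", "ldap"}

QUESTION_CONF = """\
[sssd]
domains = OURADDOMAIN
services = nss, pam

[domain/OURADDOMAIN]
id_provider = files
auth_provider = krb5
krb5_server = our_domain_controller
krb5_realm = OURADDOMAIN
cache_credentials = true

[pam]
offline_credentials_expiration = 2
"""

ANSWER_CONF = """\
[sssd]
domains = foo.com,files
services = nss, pam

[pam]
offline_credentials_expiration = 87

[domain/ad.uillinois.edu]
id_provider = ad
auth_provider = ad
cache_credentials = True
account_cache_expiration = 90

[domain/files]
id_provider = files
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; option names are case-sensitive in SSSD, so
    disable configparser's lower-casing and its %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes"}


def offline_expiration_days(text: str) -> int:
    """[pam] offline_credentials_expiration in days; 0 means never expire."""
    cp = parse_sssd_conf(text)
    return int(cp.get("pam", "offline_credentials_expiration", fallback="0"))


def check_offline_auth(text: str) -> Dict[str, List[str]]:
    """Return {domain_name: [findings]} for every [domain/...] section."""
    cp = parse_sssd_conf(text)
    active = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    pam_expiry = offline_expiration_days(text)
    report: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        sec = cp[section]
        notes: List[str] = []
        if name not in active:
            notes.append(f"section [{section}] is not named in [sssd] domains = "
                         f"{', '.join(active) or '(empty)'}; SSSD does not start it")
        # auth_provider defaults to id_provider when it is not set explicitly.
        auth = sec.get("auth_provider", sec.get("id_provider", ""))
        if auth in NETWORK_AUTH_PROVIDERS and not _truthy(sec.get("cache_credentials", "false")):
            notes.append(f"auth_provider = {auth} without cache_credentials = true; "
                         "no offline login possible")
        acct = int(sec.get("account_cache_expiration", "0"))
        if acct and pam_expiry and acct < pam_expiry:
            notes.append(f"account_cache_expiration = {acct} is below [pam] "
                         f"offline_credentials_expiration = {pam_expiry}")
        report[name] = notes
    return report


if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        print(f"== {label}: offline_credentials_expiration = {offline_expiration_days(conf)} days")
        for domain, notes in check_offline_auth(conf).items():
            print(f"  {domain}: " + ("; ".join(notes) if notes else "ok"))
```

Against the question's config the checker reports nothing: `OURADDOMAIN` is listed in `domains`, `cache_credentials` is true and no `account_cache_expiration` is set, so whatever causes the "Cached user entry is too old" message is not one of these three settings. Against the answer's config as posted it flags one thing the prose does not mention: the section is named `[domain/ad.uillinois.edu]` while `domains = foo.com,files`, so that section name does not match any listed domain and would have to be reconciled before SSSD started it.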