FreeIPA and Kerberos

I hope this is the right forum for this question.

We run a cluster (CentOS 7) that uses FreeIPA for account management. On Sunday the IPA server rebooted unexpectedly, and since then users can no longer log in via ssh, nor can they successfully request Kerberos credentials:

$ KRB5_TRACE=/dev/stdout kinit
[29387] 1658843092.500360: Getting initial credentials for [email protected]
[29387] 1658843092.500362: Sending unauthenticated request
[29387] 1658843092.500363: Sending request (195 bytes) to ABC.UNI-XX.DE
[29387] 1658843092.500364: Resolving hostname ceg-ipa01.abc.uni-xx.de
[29387] 1658843092.500365: Initiating TCP connection to stream XXX.XXX.XXX.XXX:88
[29387] 1658843092.500366: Terminating TCP connection to stream XXX.XXX.XXX.XXX:88
[29387] 1658843092.500367: Sending initial UDP request to dgram XXX.XXX.XXX.XXX:88
kinit: Cannot contact any KDC for realm 'ABC.UNI-XX.DE' while getting initial credentials

Here ABC.UNI-XX.DE is the realm and ceg-ipa01 hosts the IPA server. Pinging ceg-ipa01 works fine. I have restarted the krb5kdc and kadmin services on ceg-ipa01, but without any success. However, I can access the cluster using local accounts such as root.

This is the krb5.conf file on the IPA server:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ABC.UNI-XX.DE
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ABC.UNI-XX.DE = {
  kdc = ceg-ipa01.abc.uni-xx.de:88
  master_kdc = ceg-ipa01.abc.uni-xx.de:88
  admin_server = ceg-ipa01.abc.uni-xx.de:749
  default_domain = abc.uni-xx.de
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .abc.uni-xx.de = ABC.UNI-XX.DE
 abc.uni-xx.de = ABC.UNI-XX.DE
 ceg-ipa01.abc.uni-xx.de = ABC.UNI-XX.DE

[dbmodules]
  ABC.UNI-XX.DE = {
    db_library = ipadb.so
  }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

This is the same file on the client:

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = ABC.UNI-XX.DE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
ticket_lifetime = 30d
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  ABC.UNI-XX.DE = {
    kdc = ceg-ipa01.abc.uni-xx.de:88
    master_kdc = ceg-ipa01.abc.uni-xx.de:88
    admin_server = ceg-ipa01.abc.uni-xx.de:749
    kpasswd_server = ceg-ipa01.abc.uni-xx.de:464
    default_domain = abc.uni-xx.de
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .abc.uni-xx.de = ABC.UNI-XX.DE
  abc.uni-xx.de = ABC.UNI-XX.DE
  ceg-octane.abc.uni-xx.de = ABC.UNI-XX.DE

As far as I can see, there are no obvious syntax errors (e.g. missing capitalization).

In case it helps, we also run LDAP on ceg-ipa01 with the following configuration:

$ cat /etc/openldap/ldap.conf
SASL_NOCANON    on
URI ldaps://ceg-ipa01.abc.uni-xx.de
BASE dc=abc,dc=uni-xx,dc=de
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI

and on the client:

$ cat /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
#URI ldaps://ceg-ipa01.abc.uni-xx.de # modified by IPA
URI ldap://ldap
#BASE dc=abc,dc=uni-xx,dc=de # modified by IPA
BASE dc=abc,dc=uni-xx,dc=de
TLS_CACERT /etc/ipa/ca.crt

I also see this error message in /var/messages:

failed to bind to LDAP server ldap://ceg-ipa01.abc.uni-xx.de: Can't contact LDAP server: Transport endpoint is not connected

Running ldapsearch on the client:

# ldapsearch -x -b "dc=abc,dc=uni-xx,dc=de" -d-1 -H ldap://ceg-ipa01.abc.uni-xx.de -v
ldap_url_parse_ext(ldap://ceg-ipa01.abc.uni-xx.de)
ldap_initialize( ldap://ceg-ipa01.abc.uni-xx.de:389/??base )
ldap_create
ldap_url_parse_ext(ldap://ceg-ipa01.abc.uni-xx.de:389/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ceg-ipa01.abc.uni-xx.de:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying XXX.XXX.XXX.XXX:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect errno: 113
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Ultimately, the client cannot connect properly to the server, so authentication fails. But since I am still new to FreeIPA, Kerberos and LDAP, I do not know what to do next. So I would greatly appreciate any help!

Answer 1

Problem solved: the firewall was misconfigured, i.e. the interface was in the public zone. Moving it to the trusted zone fixed the error.

The specific steps:

# firewall-cmd --zone=trusted --change-interface=<interface> --permanent
# firewall-cmd --reload
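A check worth running from the client before changing any zones, added here as an example that is not part of the question or the answer: it probes the FreeIPA TCP ports named in the configs above and tells a firewall REJECT (the `connect errno: 113` in the ldapsearch trace) apart from a dead service or a silent DROP. The server name and the port list are assumptions taken from the post's krb5.conf and ldap.conf.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: probe the TCP ports a FreeIPA client
# needs on the IPA server and classify each failure, so "Cannot contact any KDC" /
# "Can't contact LDAP server" can be attributed to a packet filter rather than a
# dead service. Ports follow the post's krb5.conf/ldap.conf; pass the server as $1.

# service:port pairs a FreeIPA client talks to (TCP only; UDP/88 is not probed)
IPA_PORTS="kerberos:88 kpasswd:464 kadmin:749 ldap:389 ldaps:636 http:80 https:443"

# classify_probe_error STDERR_TEXT EXIT_CODE -> one line whose first word is the verdict
classify_probe_error() {
    err="$1"; rc="$2"
    if [ "$rc" -eq 0 ]; then
        echo "open"
    elif [ "$rc" -eq 124 ]; then   # timeout(1): the SYN was never answered
        echo "filtered: no answer within the timeout (DROP rule or host down)"
    else
        case "$err" in
            # EHOSTUNREACH (errno 113, as in the ldapsearch trace above) is what a
            # firewalld REJECT with icmp-host-prohibited yields while ping still works
            *"No route to host"*)   echo "rejected: EHOSTUNREACH 113, typical of a firewalld REJECT rule";;
            *"Connection refused"*) echo "closed: ECONNREFUSED 111, host reachable, nothing listening";;
            *"not known"*)          echo "dns-failure: hostname did not resolve";;
            *)                      echo "error: $err";;
        esac
    fi
}

# probe_tcp HOST PORT -> verdict; uses bash's /dev/tcp plus coreutils timeout(1),
# so nothing has to be installed on a client that cannot authenticate anyway
probe_tcp() {
    host="$1"; port="$2"
    err=$(timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1 >/dev/null) && rc=0 || rc=$?
    classify_probe_error "$err" "$rc"
}

# check_ipa_ports HOST -> one report line per service
check_ipa_ports() {
    for entry in $IPA_PORTS; do
        name=${entry%%:*}; port=${entry##*:}
        printf '%-9s %5s/tcp  %s\n' "$name" "$port" "$(probe_tcp "$1" "$port")"
    done
}

if [ $# -gt 0 ]; then check_ipa_ports "$1"; fi
```

Run it as `./ipa-ports.sh ceg-ipa01.abc.uni-xx.de`; a column of "rejected" verdicts on a host that answers ping is the firewall signature seen in this thread. On firewalld, a narrower fix than moving the whole interface to the trusted zone is to add only the services the clients need (firewalld ships kerberos, kpasswd, ldap, ldaps, freeipa-ldap and freeipa-ldaps definitions) to the zone the interface already has.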
