For some reason my Linux machine will not let me change a user's Windows AD password with the passwd command. We can log into the machine with AD, run sudo with the AD password, run the id command and I can see my AD groups, etc. So everything looks fine, but the passwd command does not work.
Here is my sssd.conf:
[domain/domain.local]
ldap_schema = AD
ldap_search_base = dc=domain,dc=local
ldap_access_filter = (|(memberOf=CN=ops-linux-admin,OU=Linux,OU=Staff,DC=domain,DC=local)(memberOf=CN=all-linux,OU=Linux,OU=Staff,DC=domain,DC=local))
id_provider = ldap
ldap_uri = ldaps://secureldap.domain.local
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/ca-secureldap.crt
cache_credentials = True
enumerate = False
default_shell = /bin/bash
ldap_id_mapping = True
ldap_referrals = False
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_default_bind_dn = CN=linuxbind,OU=Service Accounts,DC=domain,DC=local
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = tX45ZPkNlisqw82lW18rFNnDr
ldap_user_ssh_public_key = sshpublickey
debug_level = 4
access_provider = ldap
sudo_provider = ldap
auth_provider = ldap
autofs_provider = ldap
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo, ssh
create_homedir = true
homedir_umask = 0077
skel_dir = /etc/skel
domains = domain.local
debug_level = 4
[nss]
filter_groups = root
filter_users = root
debug_level = 4
[pam]
reconnection_retries = 3
offline_credentials_expirations = 0
debug_level = 4
[ssh]
debug_level = 4
Here is what I see in sssd_pam.log:
(Wed Aug 31 13:11:43 2022) [pam] [pam_cmd_chauthtok_prelim] (0x0100): entering pam_cmd_chauthtok_prelim
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): domain: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): user: my_users
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:11:43 2022) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:11:43 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:11:43 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Aug 31 13:11:43 2022) [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Wed Aug 31 13:12:00 2022) [pam] [pam_cmd_chauthtok] (0x0100): entering pam_cmd_chauthtok
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): domain: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): user: my_user
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:12:00 2022) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): tty: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 1
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): cli_pid: 532549
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): logon name: my_user
(Wed Aug 31 13:12:00 2022) [pam] [pam_print_data] (0x0100): flags: 4
(Wed Aug 31 13:12:00 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Aug 31 13:12:00 2022) [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
Here is what I see in sssd_domain.local.log:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): tty:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): ruser:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): rhost:
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): cli_pid: 532539
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): logon name: not set
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [pam_print_data] (0x0100): flags: 0
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_pam_chpass_handler_send] (0x0040): starting password change request for user [my_user@domain.local].
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain,DC=local]
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [fo_set_port_status] (0x0100): Marking port 636 of server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [set_server_common_status] (0x0100): Marking server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:02 2022) [be[domain.local]] [simple_bind_send] (0x0100): Executing simple bind as: CN=My User,OU=Operations,OU=Staff,DC=domain,DC=local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): domain: domain.local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): user: my_user@domain.local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): service: passwd
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): tty:
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): ruser:
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): rhost:
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): authtok type: 1
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): newauthtok type: 1
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): priv: 0
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): cli_pid: 532539
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): logon name: not set
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [pam_print_data] (0x0100): flags: 0
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_pam_chpass_handler_send] (0x0040): starting password change request for user [my_user@domain.local].
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain,DC=local]
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [fo_set_port_status] (0x0100): Marking port 636 of server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [set_server_common_status] (0x0100): Marking server 'secureldap.domain.local' as 'working'
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [simple_bind_send] (0x0100): Executing simple bind as: CN=My User,OU=Operations,OU=Staff,DC=domain,DC=local
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_control_create] (0x0080): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
(Wed Aug 31 13:11:11 2022) [be[domain.local]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Protocol error(2), 0000203D: LdapErr: DSID-0C090FB2, comment: Unknown extended request OID, data 0, v2580
I am not sure what I am missing here. Our AD is Windows Server 2012 R2.
dpkg -l |grep -i sssd
iU sssd 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- metapackage
iU sssd-ad 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- Active Directory back end
iU sssd-ad-common 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- PAC responder
iF sssd-common 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- common files
iU sssd-ipa 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- IPA back end
iU sssd-krb5 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- Kerberos back end
iU sssd-krb5-common 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- Kerberos helpers
iU sssd-ldap 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- LDAP back end
iU sssd-proxy 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- proxy back end
iU sssd-tools 2.2.3-3ubuntu0.9 amd64 System Security Services Daemon -- tools
Any help is appreciated :) Thanks!
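Added example, not part of the original question and not SSSD code: the failing line in sssd_domain.local.log says AD answered the password change with LDAP resultCode 2 (protocolError) and the comment "Unknown extended request OID". The operation SSSD's LDAP provider sends there is the RFC 3062 Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1), which Active Directory does not implement; the control reported as unsupported just before it (1.3.6.1.4.1.42.2.27.8.5.1) is the LDAP Password Policy control, also absent from AD, but that one is only a warning. AD changes passwords over LDAP by modifying the unicodePwd attribute over a confidential connection instead. The block below parses that log line and builds the AD-style change as LDIF so the two mechanisms can be compared side by side. Everything in it is standard library; the log line is a constructed copy of the one in the post, the DN and passwords are placeholders, and nothing is sent to a directory.

```python
"""Added example (mine, not from the original post): the AD-native way to
change a user's password over LDAP, next to a parser for the SSSD log line
that shows why the posted setup fails.  Standard library only; nothing is
sent to a directory."""
import base64
import re

# RFC 3062 "Password Modify" extended operation.  This is what SSSD's LDAP
# provider sends for a password change, and AD does not implement it.
PASSWORD_MODIFY_EXOP_OID = "1.3.6.1.4.1.4203.1.11.1"
# Password Policy request control (draft-behera-ldap-password-policy); the
# control the posted log reports as unsupported right before the exop.
PASSWORD_POLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# LDAP resultCode values (RFC 4511, Appendix A) that matter here.
LDAP_RESULT_CODES = {
    0: "success",
    2: "protocolError",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}

# Constructed sample: a copy of the failing line from sssd_domain.local.log.
SAMPLE_SSSD_LOG_LINE = (
    "(Wed Aug 31 13:11:11 2022) [be[domain.local]] "
    "[sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: "
    "Protocol error(2), 0000203D: LdapErr: DSID-0C090FB2, "
    "comment: Unknown extended request OID, data 0, v2580"
)

_EXOP_RESULT_RE = re.compile(
    r"\[sdap_exop_modify_passwd_done\].*?ldap_extended_operation result: "
    r"(?P<name>[A-Za-z ]+)\((?P<code>\d+)\), "
    r"(?P<ad_code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>\d+)"
)


def parse_exop_failure(line):
    """Extract the LDAP result and AD's comment from an SSSD
    sdap_exop_modify_passwd_done line; None for any other line."""
    m = _EXOP_RESULT_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    comment = m.group("comment").strip()
    return {
        "ldap_result": code,
        "ldap_result_name": LDAP_RESULT_CODES.get(code, m.group("name").strip()),
        "ad_error_code": m.group("ad_code").upper(),
        "dsid": m.group("dsid"),
        "comment": comment,
        # AD's wording for "this server has no such extended operation".
        "exop_rejected": "unknown extended request" in comment.lower(),
    }


def encode_unicode_pwd(password):
    """AD's unicodePwd value is the password wrapped in double quotes and
    encoded as UTF-16-LE with no byte-order mark."""
    return ('"' + password + '"').encode("utf-16-le")


def ad_change_password_modlist(old_password, new_password):
    """A user-initiated change is ONE modify carrying two operations in this
    order: delete the old value, add the new one.  AD checks the old value
    itself, so the user needs no 'Reset Password' right on the object.  An
    administrative reset is a single 'replace' and does need that right."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def ad_change_password_ldif(dn, old_password, new_password, connection_is_confidential):
    """Render the change as LDIF (binary values, hence base64 and '::').
    AD refuses unicodePwd on a plaintext connection; LDAPS or a sealed SASL
    bind is required, so this refuses to build the change without one."""
    if not connection_is_confidential:
        raise RuntimeError(
            "unicodePwd may only be sent over LDAPS or a sealed SASL bind"
        )
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ad_change_password_modlist(old_password, new_password):
        lines.append(f"{op}: {attr}")
        for value in values:
            lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(parse_exop_failure(SAMPLE_SSSD_LOG_LINE))
    # Placeholder DN and passwords; no directory is contacted.
    print(ad_change_password_ldif(
        "CN=My User,OU=Operations,OU=Staff,DC=domain,DC=local",
        "OldPassw0rd!", "NewPassw0rd!", connection_is_confidential=True))
```

Two practical notes that follow from this. SSSD's LDAP provider does not drive unicodePwd itself, so the usual way to get passwd working against AD through SSSD is to change the password over Kerberos (chpass_provider = krb5 with krb5_realm and krb5_server set, or the ad provider, which does that for you) rather than through the ldap provider's extended operation; the exact settings for this environment are my assumption, not something the post establishes. Separately, the posted ldap_tls_reqcert = allow makes SSSD carry on even when the server certificate cannot be validated against /etc/pki/ca-secureldap.crt, so the LDAPS channel that the simple bind password, and any unicodePwd change, travels over is not actually authenticated; demand is the setting a password-carrying connection should use.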