Migrating from nslcd to sssd on Red Hat to work around the NSS MD5 problem

I ran into a problem with the latest version of Red Hat: nss/nscd no longer accepts MD5 certificates. As suggested, I am replacing nscd with sssd using this guide: http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

I ran this command to enable sssd:

authconfig --enablesssd --enablesssdauth --enablelocauthorize --update

I made sure the entries in /etc/nsswitch.conf are all set to "files sss":

passwd:     files sss
shadow:     files sss
group:      files sss

I raised debug_level to 5 to get more information:

[root@tst-02 sssd]# cat sssd_default.log
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sysdb_domain_init_internal] (0x0200): DB File for default: /var/lib/sss/db/cache_default.ldb
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection CF9220
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_default,1)
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sss_names_init] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap1.it.domain.nl', to service 'LDAP'
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap2.it.domain.nl', to service 'LDAP'
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [permit].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0080): No SUDO module provided for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=it,dc=domain,dc=nl
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): No selinux module provided for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): Subdomains are not supported for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xd05680.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection D05680
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xd04ad0]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xd05080.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection D05080
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xd09030]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0xd04ad0]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0xd09030]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [NSS]
[root@tst-02 sssd]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=it,dc=domain,dc=nl
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap1.it.domain.nl,ldap://ldap2.it.domain.nl
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 5

[sssd]
services = nss, pam
config_file_version = 2
debug_level = 5

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
[root@tst-02 sssd]#

LDAP worked fine with nss/nscd/nslcd on Red Hat 6.2. After upgrading to Red Hat 6.4, LDAP broke because of the nss upgrade: http://www.unixmen.com/rhel-centos-6-4-ldap-md5-certificate-error-caused-by-nss-3-14-update/ and https://access.redhat.com/site/solutions/323923

Because we use nslcd on the clients, which does not pick up external environment variables, we would either need new certificates signed with a stronger hash or have to downgrade nss and nss-tools to version 3.13.6-1.el6_3. That is why I want to switch to sssd instead.

How can I find out why LDAP does not work with sssd?

Answer 1

Even SSSD will have the same problem as NSLCD, because the problem is not in nss-pam-ldapd/nscd but in the nss package.

So either upgrade the nss package to the latest version, or do the following to add support for md5:

Add to the end of the kernel line in /etc/grub.conf:

systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5

or

Create /etc/profile.d/nss.sh containing:

export NSS_HASH_ALG_SUPPORT=+MD5
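An added diagnostic script (example code, not from the question or the answer above) that checks the two facts this thread turns on: whether the LDAP server's certificate is actually MD5-signed, and whether a running sssd process inherited NSS_HASH_ALG_SUPPORT. The host:port argument and the process names sssd_be/sssd are assumptions; the server check expects an LDAPS listener such as port 636.

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not from the question or the answer).
# They check the two facts this thread turns on: whether the LDAP server's
# certificate is MD5-signed (what nss 3.14 rejects), and whether a running
# sssd process actually inherited NSS_HASH_ALG_SUPPORT. A variable exported
# from /etc/profile.d reaches login shells, not a daemon started by init, so
# the second check catches the workaround silently not applying.

# Print the first "Signature Algorithm" from `openssl x509 -text` output on stdin.
x509_sig_alg() {
  sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if the algorithm name is MD5-based (e.g. md5WithRSAEncryption).
sig_alg_is_md5() {
  case "$1" in
    *md5*|*MD5*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed if a /proc/<pid>/environ-style (NUL-separated) file enables MD5.
environ_enables_md5() {
  tr '\000' '\n' < "$1" | grep -q '^NSS_HASH_ALG_SUPPORT=.*+MD5'
}

# Fetch the certificate from an LDAPS listener (host:port, assumed) and report.
check_ldap_server_cert() {
  alg=$(openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | x509_sig_alg)
  [ -n "$alg" ] || { echo "$1: could not fetch a certificate"; return 2; }
  if sig_alg_is_md5 "$alg"; then
    echo "$1: signed with $alg; nss >= 3.14 rejects it without NSS_HASH_ALG_SUPPORT=+MD5"
    return 1
  fi
  echo "$1: signed with $alg"
}

# Report whether each sssd process on this host carries the workaround variable.
check_sssd_env() {
  for pid in $(pidof sssd_be sssd 2>/dev/null); do
    if environ_enables_md5 "/proc/$pid/environ"; then
      echo "pid $pid: NSS_HASH_ALG_SUPPORT enables MD5"
    else
      echo "pid $pid: NSS_HASH_ALG_SUPPORT not set; restart sssd after exporting it"
    fi
  done
}
```

Source the file and run `check_ldap_server_cert ldap1.it.domain.nl:636` and `check_sssd_env` as root; a certificate reported as sha256-signed means the MD5 workaround is not the fix and the sssd log needs a closer look.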
