一些 AD 用户无法访问域中的 Ubuntu 机器,尝试通过 ssh 访问服务器后出现错误/var/log/auth.log:
Jun 14 11:50:36 SR sshd[1467842]: Invalid user UserName from 192.168.40.45 port 49378
Jun 14 11:50:37 SR sshd[1467842]: Connection reset by invalid user UserName 192.168.40.45 port 49378 [preauth]
Jun 14 11:50:45 SR sshd[1467955]: Invalid user UserName from 192.168.40.45 port 49379
Jun 14 11:50:50 SR sshd[1467955]: pam_unix(sshd:auth): check pass; user unknown
Jun 14 11:50:50 SR sshd[1467955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.40.45
Jun 14 11:50:50 SR sshd[1467955]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.40.45 user=UserName
Jun 14 11:50:50 SR sshd[1467955]: pam_sss(sshd:auth): received for user UserName: 10 (User not known to the underlying authentication module)
Jun 14 11:50:52 SR sshd[1467955]: Failed password for invalid user UserName from 192.168.40.45 port 49379 ssh2
它对其他用户有效,但这个特定用户最近加入,他无法访问机器。还更改了ldap_idmap_range(min/max and size),以检查问题是否与 ID 映射有关,但没有奏效。即使用户尝试通过 GUI 登录,他们也会收到以下错误:
我也尝试通过其他用户的 ssh 会话登录su - UserName,但仍然无法登录并返回错误:su: user UserName does not exist
下面是 sssd 配置文件:
[sssd]
domains = "dn"
config_file_version = 2
services = nss, pam
[domain/"dn"]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = "DN"
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = "dn"
# use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
这些是日志文件的内容/var/log/sssd
/var/log/sssd/sssd_Domain-Name.log.1:
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
和sssd.log:
(Date) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory
(Date) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory
(Date) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory
基本上没有其他内容,主日志文件是空的这是我得到的sssd状态:
sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-06-17 06:45:14 CEST; 3 days ago
Main PID: 3371613 (sssd)
Tasks: 4 (limit: 77003)
Memory: 45.5M
CGroup: /system.slice/sssd.service
├─3371613 /usr/sbin/sssd -i --logger=files
├─3371615 /usr/libexec/sssd/sssd_be --domain mydomain.com --uid 0 --gid 0 --logger=files
├─3371616 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─3371617 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Date MyServer sssd_be[3371615]: Backend is online
Date MyServer sssd[816515]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may>
Date MyServer sssd[816515]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may>
Date MyServer adcli[816513]: GSSAPI client step 1
Date MyServer adcli[816513]: GSSAPI client step 1
Date MyServer adcli[816513]: GSSAPI client step 1
Date MyServer sssd[816519]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may>
Date MyServer sssd[816519]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may>
Date MyServer sssd[816524]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may>
Date MyServer sssd_be[3371615]: Backend is offline
答案1
问题出在 sss 缓存上,我删除了缓存sss_cache -E并重新启动了机器,似乎一切都运行正常,我想即使我没有重新启动机器它也会开始工作,需要一些时间才能应用更改