但是,当我使用启用了IMU的Windows Server 2012 R2服务器时,我能够获取kerberos票证,加入域,搜索LDAP,但是当我尝试从控制台以AD用户身份登录时,我在/ var / log / messages中收到此错误消息:
Jun 6 11:12:30 test [sssd[krb5_child[4760]]]: Preauthentication Failed
Jun 6 11:12:15 test login: pam_sss(login:auth): received for user aduser@domain.local: 17 (Failure setting user credentials)
Jun 6 11:12:17 test login: Failed LOGIN 1 FROM (null) FOR aduser@domain.local,Authentication failure
使用getent passwd aduser或getent group linuxgroup成功返回.
我试过这个sssd.conf文件:
- [sssd]
- config_file_version = 2
- services = nss,pam
- domains = domain.local
- debug_level = 5
- [domain/domain.local]
- id_provider = ad
- auth_provider = ad
- ad_server = dc.domain.local
- default_shell = /bin/bash
- fallback_homedir = /home/%d/%u
- cache_credentials = false
- ldap_id_mapping = false
然后我读了this错误报告.所以,我将我的sssd.conf文件更改为:
- [sssd]
- config_file_version = 2
- reconnection_retries = 2
- services = nss,pam
- debug_level = 5
- domains = domain.local
- [nss]
- debug_level = 5
- [pam]
- debug_level = 5
- [domain/domain.local]
- id_provider = ldap
- auth_provider = krb5
- chpass_provider = krb5
- debug_level = 5
- ldap_uri = ldap://dc.domain.local/
- ldap_sasl_mech = GSSAPI
- ldap_schema = rfc2307bis
- ldap_user_search_base = dc=domain,dc=local
- ldap_user_object_class = user
- ldap_user_home_directory = unixHomeDirectory
- ldap_user_principal = userPrincipalName
- ldap_group_search_base = dc=domain,dc=local
- ldap_group_object_class = group
- ldap_access_order = expire
- ldap_account_expire_policy = ad
- ldap_force_upper_case_realm = true
- ldap_referrals = false
- krb5_server = dc.domain.local
- krb5_realm = DOMAIN.LOCAL
- krb5_canonicalize = false
- enumerate = false
- cache_credentials = false
我已经清除了我的SSSD缓存并重新启动了该服务.但我无法登录.
我现在在/ var / log / messages中收到此错误:
Jun 6 11:21:43 test [sssd[krb5_child[1546]]]: Permission denied
我在/var/log/sssd/krb5_child.log中看到了这个错误:
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match Failed: [-1765328243][Can’t find client principal aduser@DOMAIN.LOCAL in cache collection]
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [create_ccache] (0x0020): 575: [13][Permission denied]
现在,这就是它变得奇怪的地方.作为root用户,如果我对任何AD域用户说它实际上是有效的,并且主目录是自动创建的.我即将承认失败并坚持使用2k8 DC.
解决方法
您能够从root访问该帐户的原因是PAM堆栈通常包含pam_rootok.so模块,该模块绕过使用pam_sss的身份验证.鉴于来自root工程的auth,我们至少知道检索身份信息是有效的,但不是auth.
我建议在这里或在sssd-users列表中为这个问题添加更多信息.最重要的是,sssd使用来自domain部分和krb5_child.log的高debug_level调试日志.
请在SSSD维基上的troubleshooting document中找到更多信息.
