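However, when I use a Windows Server 2012 R2 server with IMU enabled, I am able to obtain Kerberos tickets, join the domain, and search LDAP, but when I try to log in from the console as an AD user, I get this error message in /var/log/messages: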
Jun 6 11:12:30 test [sssd[krb5_child[4760]]]: Preauthentication Failed
Jun 6 11:12:15 test login: pam_sss(login:auth): received for user aduser@domain.local: 17 (Failure setting user credentials)
Jun 6 11:12:17 test login: Failed LOGIN 1 FROM (null) FOR aduser@domain.local,Authentication failure
Using getent passwd aduser or getent group linuxgroup returns successfully.
I tried this sssd.conf file:
[sssd]
config_file_version = 2
services = nss,pam
domains = domain.local
debug_level = 5

[domain/domain.local]
id_provider = ad
auth_provider = ad
ad_server = dc.domain.local
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
cache_credentials = false
ldap_id_mapping = false
Then I read this bug report. So I changed my sssd.conf file to:
[sssd]
config_file_version = 2
reconnection_retries = 2
services = nss,pam
debug_level = 5
domains = domain.local

[nss]
debug_level = 5

[pam]
debug_level = 5

[domain/domain.local]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
debug_level = 5
ldap_uri = ldap://dc.domain.local/
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_user_search_base = dc=domain,dc=local
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=domain,dc=local
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
krb5_server = dc.domain.local
krb5_realm = DOMAIN.LOCAL
krb5_canonicalize = false
enumerate = false
cache_credentials = false
I have cleared my SSSD cache and restarted the service, but I cannot log in.
I now get this error in /var/log/messages:
Jun 6 11:21:43 test [sssd[krb5_child[1546]]]: Permission denied
I see this error in /var/log/sssd/krb5_child.log:
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match Failed: [-1765328243][Can’t find client principal aduser@DOMAIN.LOCAL in cache collection]
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [create_ccache] (0x0020): 575: [13][Permission denied]
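Now, this is where it gets weird. As root, if I su to any AD domain user, it actually works, and the home directory is created automatically. I am about to admit defeat and stick with a 2k8 DC.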
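Solution
The reason you are able to access the account from root is that the PAM stack usually includes the pam_rootok.so module, which bypasses authentication with pam_sss. Given that auth from root works, we at least know that retrieving identity information works, but auth does not.
I suggest adding more information about this problem here or on the sssd-users list. Most importantly, the sssd debug logs with a high debug_level from the domain section and krb5_child.log.
Please find more information in the troubleshooting document on the SSSD wiki.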
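The pam_rootok behaviour described in the answer above, as an added example that is not part of the original post: a simplified Python model of a PAM auth stack showing that pam_sss is never consulted when the caller is root. The sample stack is constructed (an assumption, not the poster's file), and only pam_rootok's outcome is modelled.

```python
"""Added example: which auth modules a PAM stack consults for root vs. non-root."""

# Constructed sample resembling an su-style PAM service file (an assumption,
# not taken from the poster's system).
SAMPLE_SU_STACK = """\
#%PAM-1.0
auth     sufficient   pam_rootok.so
auth     required     pam_env.so
auth     sufficient   pam_unix.so nullok try_first_pass
auth     sufficient   pam_sss.so use_first_pass
auth     required     pam_deny.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
session  optional     pam_mkhomedir.so
"""


def parse_auth_lines(pam_text):
    """Return (control, module) for every auth line, in stack order."""
    entries = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].lstrip("-") != "auth":
            continue
        if tokens[1].startswith("["):
            # A bracketed control such as [success=1 default=ignore] spans tokens.
            end = next(i for i, t in enumerate(tokens) if i >= 1 and t.endswith("]"))
            control, module = " ".join(tokens[1:end + 1]), tokens[end + 1]
        else:
            control, module = tokens[1], tokens[2]
        entries.append((control, module))
    return entries


def modules_consulted(pam_text, caller_is_root):
    """List the auth modules reached before the stack ends.

    Simplified model: a 'sufficient' pam_rootok.so succeeds for a root caller
    and ends the auth stack immediately (no earlier 'required' failure is
    assumed); every other module is recorded and the walk continues.
    """
    consulted = []
    for control, module in parse_auth_lines(pam_text):
        consulted.append(module)
        if module == "pam_rootok.so" and control == "sufficient" and caller_is_root:
            break
    return consulted
```

A successful su from root therefore says nothing about whether pam_sss authentication works; the console login, which starts without root's shortcut, is the path that exercises it.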