I installed Debian Squeeze and sssd. When I try to log in to the server over ssh as the user 'alexwinner', I see this in the log:
(Fri May 11 18:56:03 2012) [[sssd[krb5_child[26281]]]] [get_and_save_tgt] (1): 523: [-1765328360][Preauthentication Failed]
But when I run kinit alexwinner everything is fine and I get a ticket.
Here is my sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = MYDOMAIN.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

[domain/MYDOMAIN.COM]
description = LDAP domain with AD server
enumerate = true
min_id = 1000
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MYDOMAIN.COM
krb5_kdcip = 172.27.250.141
krb5_kpasswd = 172.27.250.141
ldap_pwd_policy = none
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_uri = ldap://172.27.250.141:3268/
ldap_schema = rfc2307bis
ldap_default_bind_dn = ECAAuthUser@mydomain.com
ldap_default_authtok_type = password
ldap_default_authtok = veryhardpassword
ldap_user_search_base = ou=linux,ou=users,ou=pro,dc=mydomain,DC=com
ldap_user_object_class = user
ldap_user_uid_number = uidNumber
ldap_user_gid_number = GIDNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID
ldap_group_search_base = OU=Linux,OU=Roles,DC=mydomain,DC=com
ldap_group_object_class = group
ldap_group_name = Name
ldap_group_gid_number = GidNumber
ldap_force_upper_case_realm = True
Here is my krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
forwardable = true

[realms]
MYDOMAIN.COM = {
    kdc = 172.27.250.141
    admin_server = 172.27.250.141
}
I tried looking at the Kerberos packets with tcpdump and saw that the padata differs between the ssh login and kinit.
What can I do?
Solution
Try the following settings; they work fine in my environment.
Make the changes to /etc/sssd/sssd.conf
[root@localhost ~]# cat /etc/sssd/sssd.conf |grep -v ^# |grep -v ^$
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = dc=example,dc=com
chpass_provider = krb5
ldap_default_authtok = RedHat1!
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://10.65.208.43/
krb5_realm = EXAMPLE.COM
krb5_kpasswd = 10.65.208.43
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server = 10.65.208.43
> Run the authconfig-tui tool. Under the "User Information" section select LDAP, and under the "Authentication" section select Kerberos.
> In the LDAP settings step, leave the "Use TLS" option unchecked and enter the fully qualified domain name of the AD server and the base DN.
> On the Kerberos settings page, enter the AD server domain and also list the AD server's fully qualified domain name as the KDC and admin server.
This will restart the sssd daemon.
Verification:
[root@localhost ~]# id user1
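As an added example (not code from the question or the answer), here is a small Python linter that parses an sssd.conf with the standard-library configparser and flags the settings in the question's [domain/...] section that a security reviewer would object to: the bind password in ldap_default_authtok sent over plain ldap:// without STARTTLS, ldap_tls_reqcert = never (the server certificate is never verified), and krb5_kdcip, which sssd documents as deprecated in favour of krb5_server. The sample configs are constructed from the options posted above; the hostnames and CA path in the hardened counterpart are assumptions.

```python
"""Lint an sssd.conf for weak LDAP/Kerberos settings.

Added example, not code from the original post. Runs offline on the
constructed samples below; point lint_sssd() at the contents of a real
/etc/sssd/sssd.conf to check a live system.
"""
import configparser

# Constructed sample: the question's domain section reduced to the options
# the checks below look at. Values are as posted.
QUESTION_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = MYDOMAIN.COM

[domain/MYDOMAIN.COM]
id_provider = ldap
auth_provider = krb5
krb5_realm = MYDOMAIN.COM
krb5_kdcip = 172.27.250.141
ldap_uri = ldap://172.27.250.141:3268/
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_default_bind_dn = ECAAuthUser@mydomain.com
ldap_default_authtok_type = password
ldap_default_authtok = veryhardpassword
cache_credentials = false
"""

# Constructed counterpart with the same options hardened. The hostname
# dc1.mydomain.com and the CA file path are assumptions for illustration.
HARDENED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = MYDOMAIN.COM

[domain/MYDOMAIN.COM]
id_provider = ldap
auth_provider = krb5
krb5_realm = MYDOMAIN.COM
krb5_server = dc1.mydomain.com
ldap_uri = ldaps://dc1.mydomain.com:3269/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/mydomain-root-ca.pem
ldap_default_bind_dn = ECAAuthUser@mydomain.com
ldap_default_authtok_type = password
ldap_default_authtok = veryhardpassword
cache_credentials = false
"""

TRUE_WORDS = {"true", "yes", "1", "on"}


def _is_true(value):
    """sssd booleans are case-insensitive: True/true/yes all mean on."""
    return value.strip().lower() in TRUE_WORDS


def lint_sssd(text):
    """Return a list of (section, code, message) findings for every domain section."""
    # sssd uses '=' only; restricting delimiters keeps URIs and DNs intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # ldap_uri may hold a comma-separated list; any plain ldap:// counts.
        uris = [u.strip().lower() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        plain_ldap = any(u.startswith("ldap://") for u in uris)
        starttls = _is_true(d.get("ldap_id_use_start_tls", "false"))  # off when absent
        if "ldap_default_authtok" in d and plain_ldap and not starttls:
            findings.append((section, "cleartext-bind",
                             "ldap_default_authtok is sent over ldap:// without STARTTLS; "
                             "use ldaps:// or ldap_id_use_start_tls = true"))
        if d.get("ldap_tls_reqcert", "").strip().lower() == "never":
            findings.append((section, "tls-reqcert-never",
                             "server certificate is never verified; use demand"))
        if "krb5_kdcip" in d:
            findings.append((section, "deprecated-krb5_kdcip",
                             "krb5_kdcip is deprecated; use krb5_server"))
    return findings


def conf_mode_ok(st_mode):
    """True when the mode grants nothing to group or other (e.g. 0600).

    Pass os.stat("/etc/sssd/sssd.conf").st_mode: the file carries the bind
    password, so it must be readable by root only.
    """
    return (st_mode & 0o077) == 0


if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for section, code, msg in lint_sssd(conf):
            print(f"  [{section}] {code}: {msg}")
```

On the question's config the linter reports all three findings; the hardened counterpart produces none. The `conf_mode_ok` check is separate because the file's permissions matter as much as its contents: both configs store the LDAP bind password in cleartext, so the file has to stay mode 0600 and owned by root.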