服务器 Gind.cn
  1. 服务器 Gind.cn
  3. Active Directory UPN更改后,SSSD AD同步失败
Intereting Posts
我应该如何创build一个debian包的本地分支? 通过RDP的Azure VM DDOS攻击 在Windows 7中如何实现与在Unix中将文件权限设置为0600相当的安全级别? 在vista / W7下将c:\ users移动到d:\ users的最佳方法是什么? 每次移除磁盘并重新插入raid5服务器时,是否必须格式化磁盘? Centos用户帐户nologin但可能考虑到 在Windows上通过JSR160RMI监视IBM Websphere 8.x JMX失败 iptables的被动FTPstream量统计? 使用Salt轻松安装txt文件中的软件包列表 是否可以在本地networking的不同服务器上build立一个公共IP点? VM和Docker网桥通信如何通过pfSense VM进行路由? 设置SQL复制有多难? 它可以由一个Semi SQL用户完成吗? 转发请求到多个服务器 是否有可能从SequelPro连接到一个非公开的RDS实例? ESXi上的VM的CPU分配

Active Directory UPN更改后,SSSD AD同步失败

我最近遇到了一个问题,就是我的AD集成在一些debian盒子上。 我使用SSSD和krb5来允许PAM根据Active Directory同步和validation用户。 这已经工作了一年多,直到ADpipe理员将AD用户的UPN从[email protected]更改为[email protected]

现在,同步和用户名识别仍然有效,但authentication突然失败,因为发送给krb5的名称似乎是“ [email protected] ”。 krb5不知道这个领域,所以无法authentication用户。

krb5.conf文件领域更改为ABCCOMPANY不起作用,因为领域实际上没有改变。

我可以kinit [email protected]使用kinit [email protected] ,它可以很好地logging我。 我不能,但是做kinit [email protected]因为它使krb5抱怨以下消息: 

 kinit: Cannot find KDC for realm "ABCCOMPANY.DK" while getting initial credentials

我觉得这是有道理的。 SSSD将UPN中的ABCCOMPANY.DK发送到krb5,但krb5不能识别该领域,因为它不存在。

所以,问题是:我如何configurationkrb5来识别领域不同于UPN? 而纯粹的好奇心是一个额外的问题:这种做法(将UPN设置为除域名之外的其他东西)是一种可以接受的做事方式吗? 有一个域组件并不匹配一个域,这似乎很奇怪。 

 (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'mnn' matched without domain, user is mnn (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Mon Jan 23 13:12:59 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [mnn] from [<ALL>] (Mon Jan 23 13:12:59 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]] (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'mnn' matched without domain, user is mnn (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): user: mnn (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.112.155 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 8724 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_get_account_info] (0x0100): Got request for [3][1][name=mnn] (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute] ... (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]] (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: company.dk (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): user: mnn (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.112.155 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 8724 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): domain: company.dk (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): user: mnn (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): service: sshd (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): tty: ssh (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): ruser: (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): rhost: 172.16.112.155 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): priv: 1 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): cli_pid: 8724 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [krb5_auth_send] (0x0100): Home directory for user [mnn] not known. (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_876027530_rTTlt3], because it doesn'texist. (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.company.dk' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ad2.company.dk' in files (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_server_common_status] (0x0100): Marking server 'ad2.company.dk' as 'resolving name' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ad2.company.dk' in files (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ad2.company.dk' in DNS (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_server_common_status] (0x0100): Marking server 'ad2.company.dk' as 'name resolved' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_resolve_server_process] (0x0200): Found address for server ad2.company.dk: [xxx.xx.x.xx] TTL 3600 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KPASSWD._udp.company.dk' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KPASSWD' as 'resolved' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_resolve_server_process] (0x0200): Found address for server ad2.company.dk: [xxx.xx.x.xx] TTL 3600 (Mon Jan 23 13:13:00 2017) [sssd] [service_send_ping] (0x0100): Pinging company.dk (Mon Jan 23 13:13:00 2017) [sssd] [service_send_ping] (0x0100): Pinging nss (Mon Jan 23 13:13:00 2017) [sssd] [service_send_ping] (0x0100): Pinging pam (Mon Jan 23 13:13:00 2017) [sssd] [ping_check] (0x0100): Service pam replied to ping (Mon Jan 23 13:13:00 2017) [sssd] [ping_check] (0x0100): Service nss replied to ping (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [become_user] (0x0200): Trying to become user [876027530][876000513]. (Mon Jan 23 13:13:00 2017) [sssd] [ping_check] (0x0100): Service company.dk replied to ping (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [unpack_buffer] (0x0100): cmd [241] uid [876027530] gid [876000513] validate [false] enterprise principal [false] offline [false] UPN [[email protected]] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_876027530_XXXXXX] keytab: [/etc/krb5.keytab] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [k5c_setup] (0x0100): Not using FAST. (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [get_and_save_tgt] (0x0020): 981: [-1765328230][Cannot find KDC for realm "ABCCOMPANY.DK"] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [map_krb5_error] (0x0020): 1043: [-1765328230][Cannot find KDC for realm "ABCCOMPANY.DK"] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [k5c_send_data] (0x0200): Received error code 1432158209 (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [child_sig_handler] (0x0100): child [8727] finished successfully. (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success] (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [be_pam_handler_callback] (0x0100): Sending result [4][company.dk] (Mon Jan 23 13:13:00 2017) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][company.dk] (Mon Jan 23 13:13:00 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]. (Mon Jan 23 13:13:00 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 29 (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [be_pam_handler_callback] (0x0100): Sent result [4][company.dk] (Mon Jan 23 13:13:02 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Mon Jan 23 13:13:02 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected! (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit_signal] (0x0040): Monitor received Interrupt: terminating children (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0040): Returned with: 0 (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Terminating [pam][8719] (Mon Jan 23 13:13:04 2017) [sssd[be[company.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching. (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Terminating [nss][8718] (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Terminating [company.dk][8717] (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Child [company.dk] terminated with a signal

请检查您的sssd版本。 根据这个线程 UPN查找function作品sssd-1.12以来。

PS但是在sssd-1.13.2修复了相关的bug ,所以试着将sssd更新到最新版本。

UPD。 根据这篇文章, SSSD 1.10和更高版本支持替代的Kerberos主体后缀(请参阅“支持企业login”一节)。 这个function在sssd-ad提供程序中实现。 你确定你使用SSSD ad提供商,但不是krb5吗?

检查领域,至less:

  • 的krb5.conf
  • smb.conf文件
  • sssd.conf

作为参考,这是我在Ubuntu上准备AD的脚本:

https://github.com/bviktor/ubuntu-ad/blob/master/ad.sh