CentOS 7 SSSD-based user access stops working after an AD password change

We use SSSD on CentOS 7.3 (build 1611) to provide AD authentication and Kerberos TGT acquisition.

This works for the vast majority (99%) of users, but we have hit a problem where, after a password change (done from a Windows PC), a single user can no longer log in to CentOS (but can still log in to Windows and to the other AD/LDAP-backed services, email etc.).

We have tried tracing, both SSH and SSSD, resetting the pam_faillock entries, and trying different servers (joined to the same AD domain via realmd), but we still see a message stating that the user's password is incorrect.

If we try kinit as the failing user, that also fails, with the usual message stating that the password is incorrect:

kinit: Preauthentication failed while getting initial credentials

I have checked what I can; to my untrained eye this does not look like a CentOS/SSSD problem but a problem on the central (AD) side. However, have you ever tried taking something this vague to the AD admins? 🙂

Just wondering whether anyone has seen anything like this, and whether there is anything we can do to fix it.

SSSD trace at debug_level 7, krb5_child.log:

(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [main] (0x0400): krb5_child started.
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [unpack_buffer] (0x1000): total buffer size: [133]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [unpack_buffer] (0x0100): cmd [241] uid [792856944] gid [792800513] validate [true] enterprise principal [true] offline [false] UPN [<USERNAME>@<DOMAIN>]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_792856944] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [become_user] (0x0200): Trying to become user [792856944][792800513].
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [main] (0x0400): Will perform online auth
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<KRB5REALM>]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328360][Preauthentication failed]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [map_krb5_error] (0x0020): 1365: [-1765328360][Preauthentication failed]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [main] (0x0400): krb5_child completed successfully

And the sshd log file (with DEBUG logging enabled):

Apr 21 10:01:25 <CENTOSHOST> sshd[21720]: debug1: Forked child 21779.
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: Set /proc/self/oom_score_adj to 0
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: inetd sockets after dupping: 3, 3
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: Connection from <USERIPADDRESS> port 54908 on <LINUXHOST> port 22
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.60
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: no match: PuTTY_Release_0.60
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: Enabling compatibility mode for protocol 2.0
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: SELinux support enabled [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: permanently_set_uid: 74/74 [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: kex: client->server aes256-ctr hmac-sha1 none [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: kex: server->client aes256-ctr hmac-sha1 none [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Apr 21 10:01:25 <CENTOSHOST> sshd[21779]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Apr 21 10:01:26 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Apr 21 10:01:26 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr 21 10:01:26 <CENTOSHOST> sshd[21779]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr 21 10:01:26 <CENTOSHOST> sshd[21779]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr 21 10:01:26 <CENTOSHOST> sshd[21779]: debug1: KEX done [preauth]
Apr 21 10:02:18 <CENTOSHOST> sshd[21779]: debug1: userauth-request for user <USERACCOUNT> service ssh-connection method none [preauth]
Apr 21 10:02:18 <CENTOSHOST> sshd[21779]: debug1: attempt 0 failures 0 [preauth]
Apr 21 10:02:18 <CENTOSHOST> sshd[21779]: debug1: PAM: initializing for "<USERACCOUNT>"
Apr 21 10:02:18 <CENTOSHOST> sshd[21779]: debug1: PAM: setting PAM_RHOST to "<USERPC>"
Apr 21 10:02:18 <CENTOSHOST> sshd[21779]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 21 10:02:18 <CENTOSHOST> sshd[21779]: debug1: userauth_send_banner: sent [preauth]
Apr 21 10:02:24 <CENTOSHOST> sshd[21779]: debug1: userauth-request for user <USERACCOUNT> service ssh-connection method password [preauth]
Apr 21 10:02:24 <CENTOSHOST> sshd[21779]: debug1: attempt 1 failures 0 [preauth]
Apr 21 10:02:24 <CENTOSHOST> sshd[21779]: pam_succeed_if(sshd:auth): requirement "user in <LOCALSUPERACCOUNT>" not met by user "<USERACCOUNT>"
Apr 21 10:02:27 <CENTOSHOST> sshd[21779]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<USERPC> user=<USERACCOUNT>
Apr 21 10:02:27 <CENTOSHOST> sshd[21779]: pam_sss(sshd:auth): received for user <USERACCOUNT>: 17 (Failure setting user credentials)
Apr 21 10:02:29 <CENTOSHOST> sshd[21779]: debug1: PAM: password authentication failed for <USERACCOUNT>: Authentication failure
Apr 21 10:02:29 <CENTOSHOST> sshd[21779]: Failed password for <USERACCOUNT> from <USERIPADDRESS> port 54908 ssh2
Apr 21 10:05:42 <CENTOSHOST> sshd[21779]: Connection closed by <USERIPADDRESS> [preauth]
Apr 21 10:05:42 <CENTOSHOST> sshd[21779]: debug1: do_cleanup [preauth]
Apr 21 10:05:42 <CENTOSHOST> sshd[21779]: debug1: monitor_read_log: child log fd closed
Apr 21 10:05:42 <CENTOSHOST> sshd[21779]: debug1: do_cleanup
Apr 21 10:05:42 <CENTOSHOST> sshd[21779]: debug1: PAM: cleanup
Apr 21 10:05:42 <CENTOSHOST> sshd[21779]: debug1: Killing privsep child 21780

Thanks. Any suggestions gratefully received.
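As an added example (not part of the original post, and not SSSD's own code), here is a small Python decoder for krb5_child.log lines of the kind pasted above. SSSD logs raw MIT krb5 com_err values; those are ERROR_TABLE_BASE_krb5 (-1765328384) plus the RFC 4120 error number, so the -1765328360 in the post is error 24, KDC_ERR_PREAUTH_FAILED: the KDC could not decrypt the encrypted-timestamp pre-authentication with the key it holds for the principal, which is exactly the verdict plain kinit reports as "Preauthentication failed". The decoder also recognises the neighbouring codes an operator would want to tell apart (clock skew, expired key, revoked client, unknown principal). The sample log, the principal jdoe@EXAMPLE.COM and the hint texts are constructed for this example; the trailing "krb5_child completed successfully" line only says the helper exited cleanly, so the script keys on the decoded code rather than on that line.

```python
"""Decode the Kerberos error codes in an SSSD krb5_child.log (debug_level 7).
Added example: not from the original post and not SSSD code. krb5_child prints MIT
krb5 com_err values such as [-1765328360][Preauthentication failed]; this maps them
back to RFC 4120 error names and summarises the AS-REQ attempt."""
import re
from collections import Counter

# MIT krb5 com_err codes are ERROR_TABLE_BASE_krb5 + the RFC 4120 error number.
KRB5_ERROR_TABLE_BASE = -1765328384

# RFC 4120 section 7.5.9 error numbers that matter for AS-REQ / password trouble.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

# Operator hints (wording is this example's, not SSSD's or MIT's).
HINTS = {
    "KDC_ERR_PREAUTH_FAILED": "KDC could not decrypt the pre-auth timestamp: the supplied "
                              "password does not match the key the answering KDC holds",
    "KRB_AP_ERR_SKEW": "client/KDC clock skew outside the permitted window; check NTP",
    "KDC_ERR_KEY_EXPIRED": "password expired on the KDC side; a change is required",
    "KDC_ERR_CLIENT_REVOKED": "account disabled or locked out on the KDC side",
    "KDC_ERR_C_PRINCIPAL_UNKNOWN": "KDC has no such principal; check UPN/realm mapping",
}

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# krb5 com_err values are negative; requiring '-' skips uid/gid pairs like [792856944][792800513].
CODE_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>[^\]]*)\]")

# Constructed sample modelled on the post's output (placeholder identities, not real ones).
SAMPLE_LOG = """\
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [main] (0x0400): krb5_child started.
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [unpack_buffer] (0x0100): cmd [241] uid [792856944] gid [792800513] validate [true] enterprise principal [true] offline [false] UPN [jdoe@EXAMPLE.COM]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [become_user] (0x0200): Trying to become user [792856944][792800513].
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [main] (0x0400): Will perform online auth
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [EXAMPLE.COM]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328360][Preauthentication failed]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [map_krb5_error] (0x0020): 1365: [-1765328360][Preauthentication failed]
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Fri Apr 21 12:40:17 2017) [[sssd[krb5_child[2488]]]] [main] (0x0400): krb5_child completed successfully
"""

def decode_krb5_code(code):
    """Map a negative MIT krb5 com_err value to its RFC 4120 name, else None."""
    n = code - KRB5_ERROR_TABLE_BASE
    if 0 <= n < 256:
        return RFC4120_ERRORS.get(n, "KRB5_ERROR_%d" % n)
    return None  # positive values (e.g. SSSD's own 1432158221) are not krb5 codes

def parse_krb5_child_log(text):
    """One dict per parsable line, with any embedded krb5 codes decoded."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not krb5_child debug records
        e = m.groupdict()
        e["pid"] = int(e["pid"])
        e["level"] = int(e["level"], 16)
        e["krb5_errors"] = [
            (int(c.group("code")), c.group("text"), decode_krb5_code(int(c.group("code"))))
            for c in CODE_RE.finditer(e["msg"])
        ]
        entries.append(e)
    return entries

def triage(entries):
    """Summarise the AS-REQ attempt and the KDC's verdict from parsed entries."""
    s = {"upn": None, "realm": None, "online": False, "fast": None,
         "kdc_errors": Counter(), "verdict": "no KDC error recorded", "hint": None}
    for e in entries:
        msg = e["msg"]
        if e["func"] == "unpack_buffer" and "UPN [" in msg:
            s["upn"] = msg.split("UPN [", 1)[1].rstrip("]")
        elif e["func"] == "get_and_save_tgt" and msg.startswith("Attempting kinit for realm ["):
            s["realm"] = msg.split("[", 1)[1].rstrip("]")
        elif e["func"] == "check_use_fast":
            s["fast"] = not msg.startswith("Not using FAST")
        elif e["func"] == "main" and msg == "Will perform online auth":
            s["online"] = True
        for code, text, name in e["krb5_errors"]:
            s["kdc_errors"][name or str(code)] += 1
    if s["kdc_errors"]:  # the verdict is the KDC's code, not the 'completed successfully' line
        worst = s["kdc_errors"].most_common(1)[0][0]
        s["verdict"] = worst
        s["hint"] = HINTS.get(worst, "see RFC 4120 section 7.5.9")
    return s

if __name__ == "__main__":
    for k, v in triage(parse_krb5_child_log(SAMPLE_LOG)).items():
        print("%-11s %s" % (k + ":", dict(v) if isinstance(v, Counter) else v))
```

The positive 1432158221 that k5c_send_data reports is SSSD's own internal error value, not a krb5 code, so the decoder returns None for it. On the post's log the verdict comes out as KDC_ERR_PREAUTH_FAILED, and because plain kinit fails with the same code, the rejection is the KDC's and not something pam_sss or the PAM stack added.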