A CentOS 7 server is joined to abc.com, and authentication uses AuthLite for two-factor authentication. A sub-domain a.abc.com was created, but authentication does not work for the sub-domain. Can the server connect to both domains?
[root@server01 sssd]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam

[domain/abc.com]
id_provider = ad
access_provider = simple
realmd_tags = manages-system joined-with-samba
ad_domain = abc.com
ad_server = serverdc01.abc.com,serverdc02.abc.com,_srv_
!adding in subdomain line below - SG 1-20-2017
subdomain_enumerate = all
krb5_realm = ABC.COM
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
simple_allow_groups = TDI Remote Access [email protected]
debug_level = 0x07F0

[domain/a.abc.com]
ad_server = aserverdc01.a.abc.com,aserver02.a.abc.com,_srv_
I can verify that user accounts in the sub-domain are visible:
[root@server01 bin]# id [email protected]
uid=1915601610([email protected]) gid=1915601610([email protected]) groups=1915601610([email protected]),1213401243(tdi remote access users),1915601332(authlite 1f [email protected]),1915601331(authlite [email protected]),1915601110([email protected]),1915601606([email protected]),1915600513(domain [email protected])
Realm:
[root@server01 bin]# realm list
abc.com
  type: kerberos
  realm-name: ABC.COM
  domain-name: abc.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: TDI Remote Access [email protected]
From the secure log:
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [email protected]
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): received for user [email protected]: 4 (System error)
From krb5_child.log:
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601610] gid [1915601610] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1915601610] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [become_user] (0x0200): Trying to become user [1915601610][1915601610].
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): Will perform online auth
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): krb5_child completed successfully
From sssd_abc.com.log:
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=user]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=a,dc=a,dc=hawaiian,dc=aero]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=a,dc=a].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Save user
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_primary_name] (0x0400): Processing object [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Storing info for user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
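As an added example (not part of the question, and not SSSD's own code), the following Python triages SSSD debug output of the kind quoted above: it splits each line into timestamp, component, function, debug level and message, keeps only the failure-level entries (debug_level bits 0x0010 to 0x0080), and decodes the signed libkrb5 code SSSD prints beside the message, so the -1765328372 in the krb5_child.log excerpt resolves to KRB5KDC_ERR_POLICY. The sample lines are constructed from the question's krb5_child.log excerpt; the function and constant names are my own.

```python
import re

# Constructed sample modelled on the krb5_child.log excerpt in the question.
SAMPLE = """\
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): krb5_child completed successfully
"""

# One SSSD debug line: (timestamp) [component] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# libkrb5 errors appear as "[code][text]"; code is the signed com_err value.
KRB5_ERR_RE = re.compile(r"\[(-?\d+)\]\[[^\]]+\]")
# krb5 error table: base -1765328384 plus the RFC 4120 error number.
KRB5_NAMES = {
    -1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # 6
    -1765328372: "KRB5KDC_ERR_POLICY",               # 12
    -1765328361: "KRB5KDC_ERR_KEY_EXP",              # 23
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",       # 24
}
FAILURE_MAX_LEVEL = 0x0080  # debug_level bits 0x0010 (fatal) .. 0x0080 (minor failure)

def parse_line(line):
    """Split one debug line into its fields; return None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["level"] = int(e["level"], 16)
    if e["comp"].startswith("["):  # krb5_child wraps its tag in an extra [] pair
        e["comp"] = e["comp"][1:-1]
    return e

def triage(text):
    """Keep only failure-level entries and decode any embedded krb5 error code."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None or e["level"] > FAILURE_MAX_LEVEL:
            continue
        k = KRB5_ERR_RE.search(e["msg"])
        if k:
            e["krb5_code"] = int(k.group(1))
            e["krb5_name"] = KRB5_NAMES.get(e["krb5_code"], "unknown")
        findings.append(e)
    return findings
```

Run `triage(open("/var/log/sssd/krb5_child.log").read())` on a real log to get just the failing steps with their Kerberos error names; the PAC responder warning at 0x0080 is reported alongside the 0x0020 KDC rejection so the two can be told apart.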