我有一个连接到我的LDAP服务器的CoreOS服务器。 使用id和ldapsearch命令后,我得到了正确的答案。 不过,我仍然无法使用SSHlogin。
我可以在sssd_LDAP.log文件上看到服务器已经收到用户(my_user)login的请求,但请求被拒绝。
tail -f /var/log/sssd/sssd_LDAP.log (Sun Nov 13 15:06:29 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Sun Nov 13 15:06:49 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd] (Sun Nov 13 15:06:49 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache (Sun Nov 13 15:06:49 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Sun Nov 13 15:07:10 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd] (Sun Nov 13 15:07:10 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache (Sun Nov 13 15:07:10 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Sun Nov 13 15:07:30 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd] (Sun Nov 13 15:07:30 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache (Sun Nov 13 15:07:30 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd] (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=my_user] (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [sdap_initgr_nested_send] (0x0100): User entry lacks original memberof ? (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: my_user (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: xxxx (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0 (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0 (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1 (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 21280 (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success (Authentication failure)] (Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP] 有谁知道这是什么问题?
更新 :我删除了/ etc下的configuration文件,因为/ usr下的默认PAMconfiguration启用了sssd。
以下是目前的错误:
Dec 12 09:33:07 localhost sshd[3298]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxx user=my_user Dec 12 09:33:07 localhost sshd[3298]: pam_sss(sshd:auth): received for user my_user: 7 (Authentication failure) Dec 12 09:33:11 localhost sshd[3298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxx user=my_user Dec 12 09:33:14 localhost sshd[3296]: PAM: Authentication failure for my_user from xxxx
这里是目前的configuration:
cat system-auth
auth required pam_env.so auth sufficient pam_sss.so use_first_pass auth sufficient pam_unix.so try_first_pass likeauth nullok auth required pam_deny.so account required pam_unix.so # Don't fail if the user is unknown to sssd or if sssd isn't running account required pam_sss.so ignore_unknown_user ignore_authinfo_unavail account optional pam_permit.so password sufficient pam_unix.so try_first_pass nullok sha512 shadow password sufficient pam_sss.so use_authtok password required pam_deny.so session required pam_limits.so session required pam_env.so session required pam_unix.so session optional pam_permit.so session optional pam_sss.so -session optional pam_systemd.so
cat sshd
auth include system-remote-login account include system-remote-login password include system-remote-login session include system-remote-login
根据这条线:
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
没有密码从PAM堆栈传递到SSSD(authtoktypes0表示没有密码,1是密码),所以没有严格的SSSD可以用来validationLDAP服务器。
我会build议检查PAMconfiguration(虽然我从来没有使用过coreos,所以我不知道PAM堆栈是怎么样的)
你没有提到你的LDAP主机是什么,假设(我知道)是Active Directory,这可能不是确切的修复,当你尝试用SSHlogin时,你需要指定主机和用户名,所以证书检查不是推定是违反当地的证书。 在AD的情况下,您的ssh用户名将是AD \ username。
您应该提供有关使用LDAP的主机的信息以查询来自这些系统的凭据,并检查这些系统上的日志以查看是否到达该主机,以及是否正在生成错误。