在Proxmox 4.4上我用FreeIPA服务器安装了Centos 7 VM:
ipa-server-install --idstart 10000 --setup-dns
我可以使用IPA用户并login到Proxmox上的其他虚拟机,但是当我尝试使用Centos 7 LXC容器时,出现错误:
May 6 13:15:50 aaaaaa sshd[424]: Authorized to user, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok) May 6 13:15:50 aaaaaa sshd[424]: pam_sss(sshd:account): Access denied for user user: 4 (System error) May 6 13:15:50 aaaaaa sshd[424]: fatal: Access denied for user user by PAM account configuration [preauth]
但:
[root@aaaaaa ~]# su - user Creating home directory for user. [user@aaaaaa ~]$
现在在这个服务器上有/etc/passwd这样的用户,所以它来自IPA。
[user@aaaaaa ~]$ id uid=10001(user) gid=10000(admins) groups=10000(admins) [user@aaaaaa ~]$ getent passwd user user:*:10001:10000:Name Surename:/home/user:/bin/bash
此外,我login到FreeIPA服务器后,无法以root用户身份login到此容器。
[root@aaaaaa ~]# kinit admin Password for [email protected]: [root@aaaaaa ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_rirBgUU Default principal: [email protected] Valid starting Expires Service principal 05/06/2017 14:56:21 05/07/2017 14:56:19 krbtgt/[email protected]
所以,Kerberos的工作,但唯一的问题是ssh。 我改变了Proxmox /etc/subgid和/etc/subuid (在这里build议)来获得更多的ID,但这是绝望的举动。 我的IPA ID范围不高,从10000开始,我可以做su - user所以它不是这样的情况。
我想我检查了一切,包括删除sssd数据库,但它并没有改变任何东西。
这是我的sssd.conf :
[domain/homelab.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = homelab.local id_provider = ipa auth_provider = ipa access_provider = permit ipa_hostname = aaaaaa.homelab.local chpass_provider = ipa dyndns_update = True ipa_server = _srv_, ipa.homelab.local dyndns_iface = eth0 ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh domains = homelab.local [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp]
而我的system-auth :
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
和我的sshd_config文件:
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTHPRIV AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication yes ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials no UsePAM yes X11Forwarding yes UsePrivilegeSeparation sandbox # Default for new installations. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS Subsystem sftp /usr/libexec/openssh/sftp-server
下面是从我可以连接到LXC容器的ssh输出:
ssh -vvv user@aaaaaa OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 60: Applying options for * debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 aaaaaa debug1: permanently_drop_suid: 10001 debug1: identity file /home/user/.ssh/id_rsa type -1 debug1: identity file /home/user/.ssh/id_rsa-cert type -1 debug1: identity file /home/user/.ssh/id_dsa type -1 debug1: identity file /home/user/.ssh/id_dsa-cert type -1 debug1: identity file /home/user/.ssh/id_ecdsa type -1 debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/user/.ssh/id_ed25519 type -1 debug1: identity file /home/user/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts" debug3: load_hostkeys: loaded 0 keys debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2 debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4 debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6 debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8 debug3: load_hostkeys: loaded 4 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss, debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: setup [email protected] debug1: kex: server->client aes128-ctr [email protected] none debug2: mac_setup: setup [email protected] debug1: kex: client->server aes128-ctr [email protected] none debug1: kex: [email protected] need=16 dh_need=16 debug1: kex: [email protected] need=16 dh_need=16 debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 4f:71:72:5c:46:e5:58:3b:cf:17:75:c9:52:35:38:e9 debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts" debug3: load_hostkeys: loaded 0 keys debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2 debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4 debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6 debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8 debug3: load_hostkeys: loaded 4 keys debug1: Host 'aaaaaa' is known and matches the ECDSA host key. debug1: Found key in /var/lib/sss/pubconf/known_hosts:2 debug1: ssh_ecdsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/user/.ssh/id_rsa ((nil)), debug2: key: /home/user/.ssh/id_dsa ((nil)), debug2: key: /home/user/.ssh/id_ecdsa ((nil)), debug2: key: /home/user/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply Connection closed by UNKNOWN
当然,在服务器上user不是我使用的真正的login。
更多的build议,我可以检查? 我从这几天开始苦苦挣扎,找不到任何线索如何解决这个问题。 我希望这里有人能帮助我。
更新:
我写了一个错误,我不能以root用户身份login。 我可以。 但是仍然不能通过ssh来loginIPA的其他用户。 另外,当我su - user我不能从这个用户做sudo ,但在其他虚拟机上,来自IPA的这个用户可以通过sudo运行任何命令。
UPDATE2:我发现在容器上,当我执行kinit user ,然后klist我得到:
Ticket cache: KEYRING:persistent:0:0
但在虚拟机上看起来像:
Ticket cache: KEYRING:persistent:10001:krb_ccache_K1JScvu
su - user通常会避免实际的身份validation,因为/etc/pam.d/su包含auth sufficient pam_rootok.so作为第一行,用于短路任何根身份validation。 所以SSSD根本不涉及。
请勿在容器内使用密钥环ccache存储,因为密钥环不是名称空间。 从容器中的/etc/krb5.conf中删除default_ccache_name = KEYRING:persistent:%{uid} 。 libkrb5将默认为FILE:... /tmp ccache。
最后,当SSSD报告“系统错误”时,您应该使用故障排除指南,将域部分的debugging级别提高到9,并分析容器中的日志。 有关详细信息,请参阅https://web.archive.org/web/20170102152322/https://fedorahosted.org/sssd/wiki/Troubleshooting 。 SSSD项目最近已经迁移到pagure.io并且在Fedora托pipe基础架构退役后还没有重新生成文档,因此链接到了一个后卫机器。
我想我部分解决了这个问题。 在@abbra注释之后,我开始检查/var/log/sssd/文件夹中的所有日志,并在检查selinux_child.log发现:
(Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [unpack_buffer] (0x2000): username: user (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0400): performing selinux operations (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [get_seuser] (0x0020): Cannot create SELinux handle (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [set_seuser] (0x0020): Cannot init SELinux management (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): Cannot set SELinux login context. (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): selinux_child failed!
首先,我完全禁用了Selinux,但是这并不能解决我的问题。 在那之后,我在/etc/sssd/sssd.conf里放入了: selinux_provider=none 。 重新启动容器后,我可以通过SSHlogin为IPA用户,我也可以使用sudo。 我没有menage如何使用SeLinux和通过SSHlogin到容器,但现在我认为它对我来说确定。
更新:
我也禁用了krb5.conf中的krb5.conf 。