Moving from nslcd to sssd on Red Hat to work around the NSS MD5 problem

I have a problem with the latest version of Red Hat: nss / nscd no longer accepts MD5 certificates. As suggested, I replaced nscd with sssd following this howto: http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

I ran this command to enable sssd:

authconfig --enablesssd --enablesssdauth --enablelocauthorize --update 

I made sure that the references in /etc/nsswitch.conf are all set to "files sss":

 passwd: files sss
 shadow: files sss
 group:  files sss

I raised debug_level to 5 to get more information:

 [root@tst-02 sssd]# cat sssd_default.log
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sysdb_domain_init_internal] (0x0200): DB File for default: /var/lib/sss/db/cache_default.ldb
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection CF9220
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_default,1)
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sss_names_init] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=it,dc=domain,dc=nl][SUBTREE][]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=it,dc=domain,dc=nl][SUBTREE][]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=it,dc=domain,dc=nl][SUBTREE][]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=it,dc=domain,dc=nl][SUBTREE][]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=it,dc=domain,dc=nl][SUBTREE][]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap1.it.domain.nl', to service 'LDAP'
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap2.it.domain.nl', to service 'LDAP'
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [permit].
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0080): No SUDO module provided for [default] !!
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=it,dc=domain,dc=nl
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=it,dc=domain,dc=nl][SUBTREE][]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): No selinux module provided for [default] !!
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): Subdomains are not supported for [default] !!
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xd05680.
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection D05680
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xd04ad0]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xd05080.
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection D05080
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xd09030]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0xd04ad0]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [PAM]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0xd09030]
 (Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [NSS]

 [root@tst-02 sssd]# cat /etc/sssd/sssd.conf
 [domain/default]
 ldap_id_use_start_tls = False
 cache_credentials = True
 ldap_search_base = dc=it,dc=domain,dc=nl
 krb5_realm = EXAMPLE.COM
 krb5_server = kerberos.example.com
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 ldap_uri = ldap://ldap1.it.domain.nl,ldap://ldap2.it.domain.nl
 ldap_tls_cacertdir = /etc/openldap/cacerts
 debug_level = 5

 [sssd]
 services = nss, pam
 config_file_version = 2
 debug_level = 5
 domains = default

 [nss]

 [pam]

 [sudo]

 [autofs]

 [ssh]

 [pac]
 [root@tst-02 sssd]#

LDAP worked fine with nss / nscd / nslcd on Red Hat 6.2. Upgrading to Red Hat 6.4 broke LDAP because of the nss upgrade: http://www.unixmen.com/rhel-centos-6-4-ldap-md5-certificate-error-caused-by-nss-3-14-update/ , https://access.redhat.com/site/solutions/323923 .

Because our clients use nslcd, which does not pick up the external environment variable, the options are either new certificates signed with a stronger hash or downgrading nss and nss-tools to version 3.13.6-1.el6_3. That is why I want to use sssd instead.

How can I find out why LDAP does not work with sssd?

Even SSSD runs into the same problem as NSLCD; the problem is not in nss-pam-ldapd or nscd but in the nss package.

So either upgrade to the latest nss package, or do the following to add MD5 support.

Add to the end of the kernel line in /etc/grub.conf:

 systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5 

or

Create /etc/profile.d/nss.sh with:

 export NSS_HASH_ALG_SUPPORT=+MD5
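Before re-enabling MD5 it is worth confirming which certificate actually trips NSS 3.14, because the same variable also makes NSS accept MD5 signatures on every other certificate it verifies, and chosen-prefix collisions against MD5-signed certificates are practical. The script below is an added example, not part of the question or the answer: it dumps each file in a certificate directory with the openssl CLI and flags MD2/MD4/MD5 signature algorithms. The script name, the directory argument and the constructed test input are assumptions; /etc/openldap/cacerts is only used because it is the ldap_tls_cacertdir in the posted sssd.conf.

```shell
#!/bin/sh
# Added example (not from the original question or answer): find CA or
# server certificates whose signature algorithm is MD5-based, which NSS
# 3.14 and later reject. Only the openssl CLI is required.

# weak_sigalg: read the text dump of `openssl x509 -noout -text` on stdin,
# print the first "Signature Algorithm:" value found, and return 0 when it
# is an MD2/MD4/MD5 signature, 1 otherwise (also 1 when no value is found).
weak_sigalg() {
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "$alg"
    case "$alg" in
        md2*|md4*|md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_certdir: run weak_sigalg over every file in a directory such as the
# ldap_tls_cacertdir from sssd.conf. Returns 0 when at least one weak
# certificate was found, so it can gate a re-issue or the MD5 workaround.
scan_certdir() {
    dir=$1
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if alg=$(openssl x509 -in "$f" -noout -text 2>/dev/null | weak_sigalg); then
            echo "WEAK  $f ($alg)"
            found=0
        else
            echo "ok    $f (${alg:-not a PEM certificate})"
        fi
    done
    return $found
}

# Usage (assumed script name): sh check_md5_certs.sh /etc/openldap/cacerts
# The scan only runs when a directory is given, so the functions above can
# also be sourced from another script.
if [ $# -gt 0 ]; then
    scan_certdir "$1"
fi
```

If a certificate is flagged, re-issuing it with a SHA-256 signature fixes every NSS-based client at once; the NSS_HASH_ALG_SUPPORT workaround should be treated as temporary, and if it is used it has to be in the environment of the daemon process itself (sssd_be or nslcd), which a /etc/profile.d entry only provides to interactive login shells. Note also that with ldap_id_use_start_tls = False and plain ldap:// URIs, as in the posted sssd.conf, identity lookups are not encrypted at all, so the certificate check only becomes relevant once ldaps:// or ldap_id_use_start_tls = True is turned on.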