We have set up a working SSSD + Samba + Krb5 bundle for authorizing domain users on Linux machines. Authorization works fine, but getent group EXAMPLE does not return the full list of users in the group. The id command shows the specific groups the user belongs to.
Example of the id mshepelev command (the pam_nas_admins group is present):
~$ id mshepelev
uid=1019815042(mshepelev) gid=1019817477(linuxadm) groups=128(vboxusers),132(libvirtd),1019817706(exchange_terminal),1019800512(domain admins),1019800513(domain users),1019817356(it dept base),1019817232(printer_it),1019817477(linuxadm),1019801141(buh),1019817834(pam_nas_admins)....
getent group pam_nas_admins sample (mshepelev is not here):
~$ getent group pam_nas_admins
pam_nas_admins:*:1019817834:nhramchihin,apyataev,vshuykov,isaidashev,admin,nrosnovskiy,itugunov,malfereva,mdimitraki,izinoviev,gkulakov,mcherenkov,kfomchenko,mkotov,aromanovskiy
UPDATE
The same situation occurs on another PC, but the other way round, with the user isaidashev. The id command returns the full list, and getent group pam_nas_admins returns everyone except the user himself (the output contains the user mshepelev but not isaidashev).
Here are the configuration files: /etc/krb5.conf
cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = BKCCO.RU
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 v4_instance_resolve = false
 #add
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 2d
 v4_name_convert = {
  host = {
   rcmd = host
   ftp = ftp
  }
  plain = {
   something = something-else
  }
 }
 fcc-mit-ticketflags = true
[realms]
 BKCCO.RU = {
  kdc = dc2012.bkcco.ru
  kdc = echo.bkcco.ru
  kdc = artemis.bkcco.ru
  admin_server = dc2012.bkcco.ru
  default_domain = BKCCO.RU
 }
[domain_realm]
 .bkcco.ru = BKCCO.RU
 bkcco.ru = BKCCO.RU
[login]
 krb4_convert = false
 krb4_get_tickets = false
/etc/samba/smb.conf
cat /etc/samba/smb.conf
[global]
 workgroup = BKC
 security = ADS
 ## Full domain name
 realm = BKCCO.RU
 # NOTE: a parameter set twice in the same section takes its last value, so this
 # line overrides "security = ADS" above
 security = user
 kerberos method = system keytab
 log file = /var/log/samba/log.%m
 log level = 10
 max log size = 50
 load printers = no
 cups options = raw
 printcap name = /dev/null
 idmap config * : backend = tdb
 idmap config * : range = 100000-299999
 idmap config BKCCO.RU : backend = rid
 idmap config BKCCO.RU : range = 300000-499999
 # If you do not want Samba to try, given the chance, to become the master of the domain or workgroup,
 # or even a domain controller, always set these five options exactly like this
 domain master = no
 local master = no
 preferred master = no
 os level = 0
 domain logons = no
 # Printer settings (support disabled)
 load printers = no
 show add printer wizard = no
 printcap name = /dev/null
 disable spoolss = yes
/etc/sssd/sssd.conf
cat /etc/sssd/sssd.conf
[sssd]
 services = nss, pam
 config_file_version = 2
 domains = bkcco.ru
 debug_level = 7
[nss]
 #allowed_shells = /bin/bash, /bin/hgcsh
 shell_fallback = /bin/bash
 default_shell = /bin/bash
 debug_level = 7
 entry_cache_timeout = 2
 enum_cache_timeout = 5
[domain/bkcco.ru]
 enumerate = true
 debug_level = 7
 ad_domain = bkcco.ru
 krb5_realm = BKCCO.RU
 krb5_store_password_if_offline = True
 realmd_tags = manages-system joined-with-adcli
 cache_credentials = True
 id_provider = ad
 access_provider = ad
 #ldap_id_mapping = True
 use_fully_qualified_names = False
 default_shell = /bin/bash
 fallback_homedir = /home/%u
 # false disables verifying the obtained TGT against the host key in
 # /etc/krb5.keytab, i.e. the KDC-spoofing check is switched off
 krb5_validate = false
/etc/nsswitch.conf
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
/etc/realmd.conf
cat /etc/realmd.conf
[active-directory]
os-name = BKCBuntu
os-version = 16.04

[service]
automatic-install = no

[users]
default-home = /home/%u
default-shell = /bin/bash

[bkcco.ru]
user-principal = yes
fully-qualified-names = no
Below are the log files. For some reason sssd_domain.log says that port 389 is unavailable, but it is open.
~$ nslookup -type=srv _ldap._tcp.bkcco.ru
Server:         192.168.20.1
Address:        192.168.20.1#53

_ldap._tcp.bkcco.ru     service = 0 100 389 echo.bkcco.ru.
_ldap._tcp.bkcco.ru     service = 0 100 389 artemis.bkcco.ru.
_ldap._tcp.bkcco.ru     service = 0 100 389 dc2012.bkcco.ru.
Checking the ports separately:
~$ nc -zv bkcco.ru 389
Connection to bkcco.ru 389 port [tcp/ldap] succeeded!
mshepelev@bkc480:~$ nc -zv dc2012 389
Connection to dc2012 389 port [tcp/ldap] succeeded!
mshepelev@bkc480:~$ nc -zv artemis 389
Connection to artemis 389 port [tcp/ldap] succeeded!
/etc/var/log/sssd/sssd_bkcco.ru.log
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x0200): Found address for server artemis.bkcco.ru: [172.16.0.3] TTL 3600
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_primary_server_timeout_activate] (0x0400): The primary server reconnection is already scheduled
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 31
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158218](Authentication Failed)
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'artemis.bkcco.ru' as 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'artemis.bkcco.ru' as 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.bkcco.ru' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'echo.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'echo.bkcco.ru' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'artemis.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'artemis.bkcco.ru' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [child_sig_handler] (0x1000): Waiting for child [1814].
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [child_sig_handler] (0x0100): child [1814] finished successfully.
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1499163660]
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_dyndns_get_addrs_done] (0x0080): No LDAP server is available, dynamic DNS update is skipped in offline mode.
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul 4 13:19:59 2017) [sssd[be[bkcco.ru]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.BKCCO.RU], [2][No such file or directory]
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_primary_server_timeout] (0x0400): Looking for primary server!
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.bkcco.ru' is 'not working'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x0100): Reseting the status of port 389 for server 'dc2012.bkcco.ru'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x0200): Found address for server dc2012.bkcco.ru: [192.168.20.1] TTL 3600
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc2012.bkcco.ru'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc2012.bkcco.ru'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_run_reconnect_cb] (0x0400): Reconnecting. Running callbacks.
/var/log/sssd/krb5_child.log
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child started.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x1000): total buffer size: [126]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019815042] gid [1019817477] validate [false] enterprise principal [true] offline [false] UPN [[email protected]]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019815042_n1SyC3] keytab: [/etc/krb5.keytab]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_setup] (0x0100): Not using FAST.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): Will perform online auth
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [BKCCO.RU]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0100): TGT validation is disabled.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child completed successfully
/var/log/sssd/ldap_child.log
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0400): ldap_child completed successfully
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child started.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): total buffer size: 31
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): realm_str size: 8
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got realm_str: BKCCO.RU
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): princ_str size: 7
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got princ_str: BKC480$
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [BKC480$@BKCCO.RU]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child completed successfully
/var/log/sssd/sssd_nss.log
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
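The post shows the two views of group membership disagreeing: id (which SSSD resolves from the user's own token) lists pam_nas_admins, while getent group (the group object's member list) omits the user. The script below, an added editorial example and not part of the original post, automates that comparison: it parses id output and getent group output and prints every supplementary group that id claims but whose getent member list lacks the user. The sample id and getent data embedded in it are constructed from the post's output (trimmed, with illustrative members) so the script runs offline; feed it live command output to check a real client. Group names containing spaces ("domain users") are handled, and the user's primary group is skipped because getent does not list primary-only members. Note also that the ldap_child log above shows the host principal BKC480$ failing with "Preauthentication failed" when it reads /etc/krb5.keytab, which is a keytab-versus-machine-account mismatch rather than a closed port; that is best checked directly with kinit -k -t /etc/krb5.keytab 'BKC480$@BKCCO.RU' and klist -ke (commands from MIT Kerberos, not from the post).

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the groups that
# `id` reports for a user against the member lists `getent group` returns.
# All sample data below is constructed for offline use.

# Constructed sample of `LANG=C id mshepelev` (trimmed from the post)
SAMPLE_ID='uid=1019815042(mshepelev) gid=1019817477(linuxadm) groups=128(vboxusers),132(libvirtd),1019817834(pam_nas_admins),1019817477(linuxadm),1019800513(domain users)'

# Constructed sample of `getent group` output for the groups above;
# pam_nas_admins deliberately lacks mshepelev, mirroring the post.
SAMPLE_GETENT='vboxusers:x:128:mshepelev
libvirtd:x:132:mshepelev
pam_nas_admins:*:1019817834:nhramchihin,apyataev,admin
linuxadm:*:1019817477:
domain users:*:1019800513:mshepelev,nhramchihin'

# id_primary_group ID_OUTPUT: print the name inside gid=NNN(name)
id_primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# id_supp_groups ID_OUTPUT: print the names from the groups= field, one
# per line (the "NNN(name)" entries may contain spaces, e.g. "domain users")
id_supp_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# getent_members GETENT_OUTPUT GROUP: print the comma-separated member
# field (4th colon field) of GROUP, or nothing if the group is unknown
getent_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# has_member MEMBERS USER: succeed if USER is in the comma-separated list
has_member() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# missing_memberships USER ID_OUTPUT GETENT_OUTPUT: print every
# supplementary group that `id` reports for USER but whose getent member
# list does not contain USER. The primary group is skipped: getent never
# lists members who belong only via their passwd gid.
missing_memberships() {
    user=$1; id_out=$2; getent_out=$3
    primary=$(id_primary_group "$id_out")
    id_supp_groups "$id_out" | while IFS= read -r grp; do
        [ "$grp" = "$primary" ] && continue
        members=$(getent_members "$getent_out" "$grp")
        has_member "$members" "$user" || printf '%s\n' "$grp"
    done
}

# Stand-alone demo against the constructed sample; prints: pam_nas_admins
missing_memberships mshepelev "$SAMPLE_ID" "$SAMPLE_GETENT"
```

Against a live client run it as missing_memberships "$USER" "$(LANG=C id "$USER")" "$(getent group)"; LANG=C matters because a localized id prints "группы=" instead of "groups=", as in the post. Passing the full getent group listing relies on enumerate = true, which the post's sssd.conf sets; without enumeration, call getent group for each name instead. Because SSSD caches both views independently, a discrepancy that persists after sss_cache -E (part of sssd-tools) points at the directory data or the lookup path rather than at stale cache.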