我已经安装了Debian Squeeze和sssd。 当我尝试通过SSH用户“alexwinner”login到服务器时,我在日志中看到:
(Fri May 11 18:56:03 2012) [[sssd[krb5_child[26281]]]] [get_and_save_tgt] (1): 523: [-1765328360][Preauthentication failed] 但是当我执行kinit alexwinner一切正常,我收到票。 这是我的sssd.conf
[sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = MYDOMAIN.COM [nss] filter_groups = root filter_users = root reconnection_retries = 3 ; entry_cache_timeout = 600 ; entry_cache_nowait_timeout = 300 [pam] reconnection_retries = 3 [domain/MYDOMAIN.COM] description = LDAP domain with AD server enumerate = true min_id = 1000 cache_credentials = false id_provider = ldap auth_provider = krb5 chpass_provider = krb5 krb5_realm = MYDOMAIN.COM krb5_kdcip = 172.27.250.141 krb5_kpasswd = 172.27.250.141 ldap_pwd_policy = none ldap_id_use_start_tls = false ldap_tls_reqcert = never ldap_uri = ldap://172.27.250.141:3268/ ldap_schema = rfc2307bis ldap_default_bind_dn = [email protected] ldap_default_authtok_type = password ldap_default_authtok = veryhardpassword ldap_user_search_base = ou=linux,ou=users,ou=pro,dc=mydomain,DC=com ldap_user_object_class = user ldap_user_uid_number = uidNumber ldap_user_gid_number = GIDNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_user_principal = userPrincipalName ldap_user_name = sAMAccountName ldap_user_gecos = displayName ldap_user_uuid = objectGUID ldap_group_search_base = OU=Linux,OU=Roles,DC=mydomain,DC=com ldap_group_object_class = group ldap_group_name = Name ldap_group_gid_number = GidNumber ldap_force_upper_case_realm = True
这是我的krb5.conf
[libdefaults] default_realm = MYDOMAIN.COM forwardable = true [realms] MYDOMAIN.COM = { kdc = 172.27.250.141 admin_server = 172.27.250.141 }
我试图看到tcpdump的kerberos包,看到padata是不同的login和kinit。
我能做什么?
尝试下面的设置,他们在我的环境中工作得很好。
对/etc/sssd/sssd.conf进行更改
[root@localhost ~]# cat /etc/sssd/sssd.conf |grep -v ^# |grep -v ^$ [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = default [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/default] ldap_default_authtok_type = password ldap_id_use_start_tls = False cache_credentials = True ldap_group_object_class = group ldap_search_base = dc=example,dc=com chpass_provider = krb5 ldap_default_authtok = RedHat1! id_provider = ldap auth_provider = krb5 ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_user_gecos = displayName debug_level = 0 ldap_uri = ldap://10.65.208.43/ krb5_realm = EXAMPLE.COM krb5_kpasswd = 10.65.208.43 ldap_schema = rfc2307bis ldap_force_upper_case_realm = True ldap_user_object_class = person ldap_tls_cacertdir = /etc/openldap/cacerts krb5_server = 10.65.208.43
这将导致重新启动sssd守护进程。
validation: –
[root@localhost ~]# id user1
确保你的AD框上安装了IDMU,并且用户已经设置了unix属性。