I have been trying to set up Active Directory integration on my Ubuntu 16.04 host using Realmd / SSSD (SSSD version 1.13.4). I can log in to the box as an AD user and enumerate groups with the command "getent group", but the setup does not correctly enumerate a user's group memberships with the command "id [email protected]".
I am attaching my configuration file and the relevant SSSD log file (debug level set to 9). From reading the log file, it looks like SSSD is unable to query tokenGroups for the user, claiming that the query returns no token groups.
I have verified that tokenGroups can be retrieved from the Windows Active Directory server by writing some basic .Net code that queries the tokenGroups attribute, and it correctly returns all of the groups. For some reason, however, SSSD seems to be running into problems. I believe my Active Directory uses the rfc2307bis schema; I have tried that setting both on and off, each with ldap_group_member = member / uniqueMember, but it did not change anything (besides, I don't think this would affect group lookups if SSSD is trying to use tokenGroups).
SSSD.conf:
[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam
debug_level = 9

[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/mydomain]
ad_domain = ad.utah.edu
krb5_realm = AD.UTAH.EDU
#Specifying the site is essential to avoid talking to firewalled DC servers
dns_discovery_domain = CAMPUS._sites.my.domain
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = AD-INTEGRATION-$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_users = user1, user2, user3
simple_allow_groups = $
debug_level = 9
SSSD Active Directory log file:
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=myDC=domain]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_print_server] (0x2000): Searching IP.IP.IP.IP
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=<myuserid>)(objectclass=user)(objectSID=*))][DC=myDC=domain].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_result] (0x2000): Trace: sh[0x1d21d50], connected[1], ops[0x1d3c540], ldap[0x1d55a80]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=<myuserid>,OU=People,DC=myDC=domain].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_result] (0x2000): Trace: sh[0x1d21d50], connected[1], ops[0x1d3c540], ldap[0x1d55a80]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_initgr_user] (0x4000): Storing the user
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x0400): Save user
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_primary_name] (0x0400): Processing object <myuserid>
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x0400): Processing user <myuserid>
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x1000): Mapping user [<myuserid>] objectSID [S-1-5-21-1599696121-1964574698-334091239-36222] to unix ID
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x2000): Adding originalDN [CN=<myuserid>,OU=People,DC=myDC=domain] to attributes of [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x0400): Original memberOf is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): original mod-Timestamp is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x0400): Original USN value is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x0400): Adding user principal [<myuserid>@my.domain] to attributes of [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [<myuserid>].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_save_user] (0x0400): Storing info for user <myuserid>
... ...
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_initgr_user] (0x4000): Process user's groups
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_print_server] (0x2000): Searching IP.IP.IP.IP
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=<myuserid>,OU=People,DC=myDC=domain].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_op_add] (0x2000): New operation 13 timeout 6
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_result] (0x2000): Trace: sh[0x1d21d50], connected[1], ops[(nil)], ldap[0x1d55a80]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_result] (0x2000): Trace: sh[0x1d22e00], connected[1], ops[0x1dcd720], ldap[0x1d23110]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=<myuserid>,OU=People,DC=myDC=domain].
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_parse_entry] (0x1000): Entry has no attributes [0(Success)]!?
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_result] (0x2000): Trace: sh[0x1d22e00], connected[1], ops[0x1dcd720], ldap[0x1d23110]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_op_destructor] (0x2000): Operation 13 finished
(Fri Nov 10 16:49:34 2017) [sssd[be[my.domain]]] [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [<myuserid>]
I am happy to provide more logs as well. I also tried taking a Wireshark dump, but the LDAP packets are SASL-encrypted and I had no luck giving the KRB5 keytab to Wireshark so it could decrypt them (maybe the keytab file is encrypted? or does Wireshark need the server's keytab file? I am having a hard time deciphering the Wireshark documentation on this).
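As an added diagnostic example (not code from the original post), the script below reproduces outside SSSD what the log shows failing: a base-scope read of tokenGroups on the user's own DN. It assumes the LDIF output of a search such as `ldapsearch -LLL -Y GSSAPI -s base -b "CN=<myuserid>,OU=People,DC=my,DC=domain" tokenGroups` has been saved to a file; it decodes the binary SIDs into the S-1-5-21-... form seen in the log and returns an empty list when the entry comes back without the attribute, which is the symptom above. The sample LDIF and group RIDs are constructed.

```python
import base64
import struct

PREFIX = "tokenGroups:: "  # ldapsearch marks base64 (binary) values with '::'


def decode_sid(blob: bytes) -> str:
    """Turn a binary Windows SID into the S-1-5-21-... form seen in the SSSD log."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])    # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used only to build the constructed sample below."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_tokengroups_ldif(ldif: str) -> list:
    """Return the group SIDs in ldapsearch LDIF output; [] if the entry came
    back without the attribute (SSSD's 'Entry has no attributes' case)."""
    lines = []
    for raw in ldif.splitlines():                # unfold LDIF continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [decode_sid(base64.b64decode(ln[len(PREFIX):]))
            for ln in lines if ln.startswith(PREFIX)]


# Constructed sample data: the domain prefix from the log plus two group RIDs.
DOMAIN = "S-1-5-21-1599696121-1964574698-334091239"
SAMPLE_SIDS = [DOMAIN + "-513", DOMAIN + "-1105"]
_b64 = [base64.b64encode(encode_sid(s)).decode() for s in SAMPLE_SIDS]
SAMPLE_LDIF = ("dn: CN=<myuserid>,OU=People,DC=my,DC=domain\n"
               + PREFIX + _b64[0] + "\n"
               + PREFIX + _b64[1][:20] + "\n " + _b64[1][20:] + "\n")  # folded
EMPTY_LDIF = "dn: CN=<myuserid>,OU=People,DC=my,DC=domain\n"  # the failing case

if __name__ == "__main__":
    print(parse_tokengroups_ldif(SAMPLE_LDIF))   # two SIDs
    print(parse_tokengroups_ldif(EMPTY_LDIF))    # []
```

If the search run under the host's own Kerberos credentials (the keytab SSSD uses) also returns an empty list while the .Net query returns groups, the difference is in what the DC will hand that computer account, not in SSSD's parsing.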