Has anyone seen their Linux servers get removed from the AD domain because of expired machine credentials? We are using sssd-1.13.3-56.el6 (CentOS 6).
According to https://bugzilla.redhat.com/show_bug.cgi?id=1290761, sssd should be able to renew the host credentials automatically. The relevant Red Hat documentation ("Integrating Red Hat Enterprise Linux 6 with Active Directory") does not mention any additional configuration step that should be taken when joining AD.
From my searching, some people run a cron job to renew the host credentials: https://lists.fedorahosted.org/archives/list/[email protected]/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/
SSSD Kerberos AD CentOS troubleshooting
Do we need a cron job that runs "msktutil --auto-update" and "kinit -k $"?
Or should sssd be able to handle this?
Did you set "ad_maximum_machine_account_password_age" in sssd.conf, or leave it at the default of 30 days?
Cheers,
Update: @jhrozek, thanks for your comment.
I still see the same problem with my configuration.
It looks like the ticket was not renewed on May 28, and the server dropped out of the realm:
# net ads testjoin
kerberos_kinit_password [email protected] failed: Preauthentication failed
kerberos_kinit_password [email protected] failed: Preauthentication failed
Join to domain is not valid: Logon failure
Keytab status:
# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:55 host/[email protected]
   2 04/28/17 02:57:55 host/[email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
This looks as if the ticket was renewed on May 28, but somehow the server account got deleted?
The SSSD and adcli packages are installed:
# rpm -qa | grep sssd
sssd-client-1.13.3-56.el6.x86_64
sssd-ipa-1.13.3-56.el6.x86_64
sssd-proxy-1.13.3-56.el6.x86_64
python-sssdconfig-1.13.3-56.el6.noarch
sssd-common-pac-1.13.3-56.el6.x86_64
sssd-krb5-1.13.3-56.el6.x86_64
sssd-krb5-common-1.13.3-56.el6.x86_64
sssd-ldap-1.13.3-56.el6.x86_64
sssd-common-1.13.3-56.el6.x86_64
sssd-ad-1.13.3-56.el6.x86_64
sssd-1.13.3-56.el6.x86_64
# rpm -qa | grep adcli
adcli-0.8.1-1.el6.x86_64
And sssd.conf:
[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2
default_domain_suffix = main.example.com
full_name_format = %1$s@%2$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

[domain/stage.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = false
ad_domain = stage.example.com
ldap_id_mapping = true
krb5_realm = STAGE.example.com
default_shell = /bin/bash
ad_gpo_access_control = permissive
override_homedir = /home/admin/%u
And krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = STAGE.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
clockskew = true
proxiable = true

[realms]
STAGE.EXAMPLE.COM = {
    kdc = 172.31.1.252
    kdc = 172.31.0.252
    admin_server = 172.31.1.252
    admin_server = 172.31.0.252
}

[domain_realm]
stage.example.com = STAGE.EXAMPLE.COM
.stage.example.com = STAGE.EXAMPLE.COM
Any suggestions for resolving this?
This should happen automatically, but you need to have adcli installed. sssd simply forks and executes adcli to perform the renewal.
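As an added illustration of the answer above (an example script written for this page, not code from the thread or from the SSSD or adcli projects): it parses a `klist -kt` listing like the one posted to find the newest KVNO and the age of the newest key, reports whether that age is past the 30-day default of ad_maximum_machine_account_password_age, and wraps the `adcli update` call that SSSD's renewal task forks. The host name web01, the sample listing and the reuse of the thread's stage.example.com domain are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the machine-account keytab
# is older than the renewal interval by parsing `klist -kt` output, and show the
# adcli renewal that SSSD forks. Host name, sample listing and domain are assumed.

# Constructed sample modeled on the keytab listing in the thread: the join wrote
# KVNO 2 on 04/28/17 and a renewal wrote KVNO 3 on 05/28/17.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/web01.stage.example.com@STAGE.EXAMPLE.COM
   2 04/28/17 02:57:55 WEB01$@STAGE.EXAMPLE.COM
   3 05/28/17 14:01:39 WEB01$@STAGE.EXAMPLE.COM
   3 05/28/17 14:01:39 host/web01.stage.example.com@STAGE.EXAMPLE.COM'

# Highest KVNO present in a klist -kt listing (each successful renewal bumps it).
newest_kvno() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Age in days of the newest key in the listing, relative to $2 (MM/DD/YY, the
# format klist prints on RHEL 6). Dates become Julian day numbers inside awk,
# so no GNU date(1) is needed. Two-digit years are assumed to be 20xx.
keytab_age_days() {
    printf '%s\n' "$1" | awk -v today="$2" '
    function jdn(mm, dd, yy,    a, y, m) {
        a = int((14 - mm) / 12); y = yy + 2000 + 4800 - a; m = mm + 12 * a - 3
        return dd + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
    }
    BEGIN { split(today, t, "/"); now = jdn(t[1] + 0, t[2] + 0, t[3] + 0) }
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ {
        split($2, d, "/"); j = jdn(d[1] + 0, d[2] + 0, d[3] + 0)
        if (j > newest) newest = j
    }
    END { print now - newest }'
}

# Exit status 0 when the newest key is at least $3 days old ($3 being the value
# you would give ad_maximum_machine_account_password_age; SSSD defaults to 30).
renewal_due() {
    age=$(keytab_age_days "$1" "$2")
    [ "$age" -ge "$3" ]
}

# The renewal itself. `adcli update` refreshes the computer account password and
# the keytab; --computer-password-lifetime makes it a no-op while the current
# password is younger than that many days. Needs root and a still-valid
# /etc/krb5.keytab. The domain name is taken from the thread as an assumption.
renew_machine_account() {
    adcli update --domain stage.example.com --computer-password-lifetime=30 --verbose
}

case "${1:-}" in
    --check)
        [ "$(id -u)" -eq 0 ] || { echo "run as root to read /etc/krb5.keytab" >&2; exit 2; }
        listing=$(klist -kt /etc/krb5.keytab)
        today=$(date +%m/%d/%y)
        if renewal_due "$listing" "$today" 30; then
            echo "newest key (KVNO $(newest_kvno "$listing")) is $(keytab_age_days "$listing" "$today") days old: renewal due"
        else
            echo "machine account key is current"
        fi ;;
    --renew) renew_machine_account ;;
esac
```

Run it as root with `--check` to see the age of the newest key, or with `--renew` to perform the same `adcli update` that SSSD would. Once the account has been deleted on the AD side, as in the thread, the keytab no longer authenticates and neither SSSD nor this script can renew; the host has to be re-joined. If the adcli package is absent, SSSD has nothing to fork for the renewal, which is the answer's point.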