SSSD rejects LDAP login via su: incorrect password

I have set up an LDAP server holding user accounts. I have successfully configured a Rails application to authenticate against this LDAP server. I am now trying to configure SSSD to authenticate against LDAP, but it does not like the individual users' passwords.

The error:

    $ su - leopetr4
    Password:
    su: incorrect password

SSSD recognizes the user, but not the password:

    $ id leopetr4
    uid=9583(leopetr4) gid=9583(leopetr4) groups=9583(leopetr4)

Here is what the user entry looks like:

    # ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com" -H ldaps://my_hostname.my_domain.com "(uid=leopetr4)"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=my_domain,dc=com> (default) with scope subtree
    # filter: (uid=leopetr4)
    # requesting: ALL
    #

    # leopetr4, People, my_domain.com
    dn: uid=leopetr4,ou=People,dc=my_domain,dc=com
    uid: leopetr4
    cn: Leo Petr 40
    sn: 40
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    shadowLastChange: 16736
    shadowMin: 1
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 9583
    gidNumber: 9583
    homeDirectory: /mnt/home/leopetr4
    mail: [email protected]
    gecos: Leo Petr 40
    userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Here is the user's password hash after base64 decoding:

    {SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=

It exactly matches the output of `slappasswd -c {SHA} "that_password"`.

Here is the SSSD configuration:

    # cat /etc/sssd/sssd.conf
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = LOCAL,LDAP
    debug_level = 5

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    entry_cache_timeout = 300
    entry_cache_nowait_percentage = 75

    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5

    [domain/LDAP]
    cache_credentials = true
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldaps://my_hostname.my_domain.com
    ldap_search_base = dc=my_domain,dc=com
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = never
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    debug_level = 5

Here is the SSSD log when I try `su - leopetr4`:

    # tail -f /var/log/secure /var/log/sssd/*.log

    ==> /var/log/sssd/sssd_LDAP.log <==
    (Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=leopetr4]
    (Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
    (Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

    ==> /var/log/sssd/sssd.log <==
    (Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging LDAP
    (Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
    (Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
    (Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service LDAP replied to ping
    (Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
    (Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping

    ==> /var/log/secure <==
    Nov 30 12:32:12 my_domain su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost= user=leopetr4

    ==> /var/log/sssd/sssd_LDAP.log <==
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=leopetr4]
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_process_group_send] (0x0040): No Members. Done!
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_group] (0x0080): Failed to retrieve UUID [22][Invalid argument].
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: leopetr4
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: su-l
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: pts/3
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: leonsp
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost:
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 0
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 1586655
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success]
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
    (Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [7][LDAP]

    ==> /var/log/secure <==
    Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost= user=leopetr4
    Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

Here is the LDAP server log when I try `su - leopetr4`:

    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: slap_listener_activate(9):
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 busy
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: >>> slap_listener(ldaps:///)
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: listen=9, new connection on 31
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: added 31r (active) listener=(nil)
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 ACCEPT from IP=256.256.256.256:29338 (IP=0.0.0.0:636)
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 2 descriptors
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]: 31r
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]: 31r
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): unable to get TLS client DN, error=49 id=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 TLS established tls_ssf=256 ssf=256
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]: 31r
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x77, time 1448680868
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 do_extended
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    Nov 27 21:21:08 my_hostname slapd[15353]: do_extended: oid=1.3.6.1.4.1.1466.20037
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 STARTTLS
    Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_extended: err=1 oid= len=0
    Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_response: msgid=1 tag=120 err=1
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 RESULT oid= err=1 text=TLS already started
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]: 31r
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
    Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x42, time 1448680868
    Nov 27 21:21:08 my_hostname slapd[15353]: ber_get_next on fd 31 failed errno=0 (Success)
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): input error=-2 id=3358, closing.
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_closing: readying conn=3358 sd=31 for close
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: deferring conn=3358 sd=31
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 do_unbind
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 UNBIND
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_resched: attempting closing conn=3358 sd=31
    Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: conn=3358 sd=31
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: removing 31
    Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 closed
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:08 my_hostname slapd[15353]:
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on 1 descriptor
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on:
    Nov 27 21:21:09 my_hostname slapd[15353]: 26r
    Nov 27 21:21:09 my_hostname slapd[15353]:
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: read active on 26
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
    Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
    Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26)
    Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26): got connid=3331
    Nov 27 21:21:09 my_hostname slapd[15353]: connection_read(26): checking for input on id=3331
    Nov 27 21:21:09 my_hostname slapd[15353]: op tag 0x63, time 1448680869
    Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 do_search
    Nov 27 21:21:09 my_hostname slapd[15353]: >>> dnPrettyNormal: <dc=my_domain,dc=com>
    Nov 27 21:21:09 my_hostname slapd[15353]: <<< dnPrettyNormal: <dc=my_domain,dc=com>, <dc=my_domain,dc=com>
    Nov 27 21:21:09 my_hostname slapd[15353]: SRCH "dc=my_domain,dc=com" 2 0
    Nov 27 21:21:09 my_hostname slapd[15353]: 0 0 0
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: AND
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: AND
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: PRESENT
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: NOT
    Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
    Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
    Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
    Nov 27 21:21:09 my_hostname slapd[15353]: filter: (&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
    Nov 27 21:21:09 my_hostname slapd[15353]: attrs:
    Nov 27 21:21:09 my_hostname slapd[15353]: objectClass
    Nov 27 21:21:09 my_hostname slapd[15353]: uid
    Nov 27 21:21:09 my_hostname slapd[15353]: userPassword
    Nov 27 21:21:09 my_hostname slapd[15353]: uidNumber
    Nov 27 21:21:09 my_hostname slapd[15353]: gidNumber
    Nov 27 21:21:09 my_hostname slapd[15353]: gecos
    Nov 27 21:21:09 my_hostname slapd[15353]: homeDirectory
    Nov 27 21:21:09 my_hostname slapd[15353]: loginShell
    Nov 27 21:21:09 my_hostname slapd[15353]: krbPrincipalName
    Nov 27 21:21:09 my_hostname slapd[15353]: cn
    Nov 27 21:21:09 my_hostname slapd[15353]: modifyTimestamp
    Nov 27 21:21:09 my_hostname slapd[15353]: modifyTimestamp
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowLastChange
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowMin
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowMax
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowWarning
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowInactive
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowExpire
    Nov 27 21:21:09 my_hostname slapd[15353]: shadowFlag
    Nov 27 21:21:09 my_hostname slapd[15353]: krbLastPwdChange
    Nov 27 21:21:09 my_hostname slapd[15353]: krbPasswordExpiration
    Nov 27 21:21:09 my_hostname slapd[15353]: pwdAttribute
    Nov 27 21:21:09 my_hostname slapd[15353]: authorizedService
    Nov 27 21:21:09 my_hostname slapd[15353]: accountExpires
    Nov 27 21:21:09 my_hostname slapd[15353]: userAccountControl
    Nov 27 21:21:09 my_hostname slapd[15353]: nsAccountLock
    Nov 27 21:21:09 my_hostname slapd[15353]: host
    Nov 27 21:21:09 my_hostname slapd[15353]: loginDisabled
    Nov 27 21:21:09 my_hostname slapd[15353]: loginExpirationTime
    Nov 27 21:21:09 my_hostname slapd[15353]: loginAllowedTimeMap
    Nov 27 21:21:09 my_hostname slapd[15353]: sshPublicKey
    Nov 27 21:21:09 my_hostname slapd[15353]:
    Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH base="dc=my_domain,dc=com" scope=2 deref=0 filter="(&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
    Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
    Nov 27 21:21:09 my_hostname slapd[15353]: ==> limits_get: conn=3331 op=122 self="[anonymous]" this="dc=my_domain,dc=com"
    Nov 27 21:21:09 my_hostname slapd[15353]: => hdb_search

Edit: here is /var/log/secure for the login attempt:

    Nov 28 13:09:10 my_hostname su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost= user=leopetr4
    Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost= user=leopetr4
    Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

Here is the PAM configuration:

    # cat /etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 type= reject_username
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so
    session     optional      pam_ldap.so

PAM LDAP configuration:

    # cat /etc/pam_ldap.conf | grep -v '^#' | grep -v '^$'
    base dc=my_domain,dc=com
    uri ldaps://my_hostname.my_domain.com
    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5

Also:

    # authconfig --test | grep hashing
     password hashing algorithm is sha512

Edit 2: authentication works via pamtester, but it still does not work via su:

    [leonsp@my_hostname ~]$ pamtester login leopetr4 authenticate
    Password:
    pamtester: successfully authenticated
    [leonsp@my_hostname ~]$ pamtester su leopetr4 authenticate
    Password:
    pamtester: Authentication failure
    [leonsp@my_hostname ~]$ pamtester su-l leopetr4 authenticate
    Password:
    pamtester: successfully authenticated

1. Why won't SSSD let me log in as this user?

2. Is there something I need to configure so that SSSD matches plain {SHA} hashes?

3. How do I account for the difference between su / su-l authentication and the other authentication results?
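As an added example (not code from the question or from any answer), the Python below does two of the checks the question performs by hand: it decodes the base64 `userPassword::` value and verifies an RFC 2307 {SHA}/{SSHA} hash the way slappasswd does, and it lints the [domain/LDAP] section of the sssd.conf shown above for the two TLS settings visible there (STARTTLS requested on an ldaps:// URI, which the slapd log answers with "TLS already started", and ldap_tls_reqcert = never). The finding names, the hardened replacement values and the sample password are assumptions; it does not claim to explain the su failure.

```python
import base64
import configparser
import hashlib

# Constructed excerpt of the sssd.conf from the question (not the full file).
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = LOCAL,LDAP

[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
"""


def decode_userpassword(ldif_value: str) -> str:
    """A 'userPassword::' attribute (double colon) carries a base64 value."""
    return base64.b64decode(ldif_value).decode()


def make_rfc2307(password: str, salt: bytes = b"") -> str:
    """Build a {SHA} hash (unsalted SHA-1, so equal passwords hash equally)
    or, with a salt, a {SSHA} hash: base64(digest + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return ("{SSHA}" if salt else "{SHA}") + base64.b64encode(digest + salt).decode()


def verify_rfc2307(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme == "{SHA":
        return raw == hashlib.sha1(candidate.encode()).digest()
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return digest == hashlib.sha1(candidate.encode() + salt).digest()
    raise ValueError("unsupported password scheme: " + scheme + "}")


def lint_sssd_domain(conf_text: str, section: str = "domain/LDAP") -> list:
    """Return findings (assumed names) for the TLS settings of one LDAP domain."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    dom = cfg[section]
    findings = []
    if dom.get("ldap_uri", "").startswith("ldaps://") and \
            dom.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append("starttls-on-ldaps: ldap_id_use_start_tls = true on an "
                        "ldaps:// URI; the session is already encrypted, so the "
                        "STARTTLS request is refused (slapd: 'TLS already started')")
    if dom.get("ldap_tls_reqcert", "").lower() == "never":
        findings.append("tls-reqcert-never: the server certificate is not verified, "
                        "so ldap_tls_cacert is ignored and the server is not "
                        "authenticated")
    return findings


def hardened(conf_text: str) -> str:
    """Drop STARTTLS on the ldaps:// URI and require a valid server certificate."""
    return (conf_text
            .replace("ldap_id_use_start_tls = true", "ldap_id_use_start_tls = false")
            .replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand"))


if __name__ == "__main__":
    print(decode_userpassword("e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89"))
    for finding in lint_sssd_domain(SSSD_CONF):
        print("finding:", finding)
    print("after hardening:", lint_sssd_domain(hardened(SSSD_CONF)))
```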

Sorry, I have to ask these questions in an answer…

What is the output of:

    authconfig --probe
    getent passwd leopetr4

Is your system authentication the same as your password authentication? Can you provide your PAM login file?

You may also want to try setting cache_credentials = false in sssd.conf, and clearing the cache with `sss_cache -E` while testing.

This is unsatisfying, but `su - leopetr4` and `ssh leopetr4@my_hostname` started working shortly after I set a bounty on this question. I spent some time thinking about why, without reaching a definite conclusion, since it would be bad if it suddenly stopped working the way it suddenly started.

One change I remember is switching the pam_password setting in /etc/pam_ldap.conf from md5 to exop:

    #pam_password md5
    pam_password exop

However, the transition from broken to working was not immediate, so I am hesitant to attribute it to this change.