背景

我试图以我在AWS Directory Services Simple AD中创build的用户身份login（通过SSH，运行到运行sssd的Amazon Linux EC2实例）。 我使用Kerberos进行身份validation，并使用LDAP（通过sssd ）来识别用户。我通过ELB通过多个代理服务器连接到简单AD。

问题

当我将ELBconfiguration为使用TLS作为Kerberos端口时， sssd无法连接到Kerberos服务器，login失败。 没有TLS，它工作得很好，一旦我login没有TLS的证书caching和login继续工作时，我再次打开TLS。

RFC 6251介绍了如何通过TLS传输Kerberos V5，所以假设这应该是可能的，对吗？ 我不确定我是否没有正确地执行此操作，或者如果sssd不支持通过TLS的Kerberos。 谷歌search没有产生任何成果，手册页没有任何看似与他们有关的东西。

请注意，我的LDAPS通过ELB完美工作，所以我至less知道我并不完全偏离轨道。

• 如何阻止来自特定用户代理的Nginx访问日志语句
• 该网站正在使用过时的安全设置，可能会阻止未来版本的Chrome能够安全地访问它
• 如何在使用Real-IP时logging$ remote_addr的原始值
• Amazon ELB HTTPS无法正常工作
• 使用AWS ELB的无尽redirect循环和使用wordpress https插件的wordpress网站

TL; DR如何回答我的问题

告诉我：

• 在通过TLS或Kerberos设置Kerberos时，我所做的是错误的
• sssd不支持通过TLS的Kerberos

---

错误信息

这是从sssd的输出。 请注意，我编辑了IP地址。

 (Thu Dec 31 18:36:43 2015) [[sssd[krb5_child[2780]]]] [sss_child_krb5_trace_cb] (0x4000): [2780] 1451587003.307171: Sending request (218 bytes) to MYTEAM.MYCOMPANY.INTERNAL (Thu Dec 31 18:36:43 2015) [[sssd[krb5_child[2780]]]] [sss_child_krb5_trace_cb] (0x4000): [2780] 1451587003.307390: Initiating TCP connection to stream 1.2.3.4:88 (Thu Dec 31 18:36:43 2015) [[sssd[krb5_child[2780]]]] [sss_child_krb5_trace_cb] (0x4000): [2780] 1451587003.309053: Sending TCP request to stream 1.2.3.4:88 (Thu Dec 31 18:36:43 2015) [[sssd[krb5_child[2780]]]] [sss_child_krb5_trace_cb] (0x4000): [2780] 1451587003.310487: TCP error receiving from stream 1.2.3.4:88: 104/Connection reset by peer (Thu Dec 31 18:36:43 2015) [[sssd[krb5_child[2780]]]] [sss_child_krb5_trace_cb] (0x4000): [2780] 1451587003.310609: Terminating TCP connection to stream 1.2.3.4:88 (Thu Dec 31 18:36:43 2015) [[sssd[krb5_child[2780]]]] [sss_child_krb5_trace_cb] (0x4000): [2780] 1451587003.310729: Sending initial UDP request to dgram 1.2.3.4:88 # Lots of other output... (Thu Dec 31 18:36:58 2015) [sssd[be[myteam]]] [krb5_child_timeout] (0x0040): Timeout for child [2780] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout. (Thu Dec 31 18:36:58 2015) [sssd[be[myteam]]] [krb5_auth_done] (0x0020): child timed out! 

build筑

以下是我简单AD的架构：

即使AWS的简单AD不支持此设置，也可以使用LDAPS。 我认为它也可以让我在TLS上使用Kerberos。

ELB的route53logging是directory.myteam.mycompany.com ，但是我用于Simple AD的域是myteam.mycompany.internal 。

ELBconfiguration

我用terraform来创build架构。 这里只是ELB资源的定义，因为其余部分是不相关的：

 resource "aws_elb" "proxy" { name = "directory-proxy-pub" subnets = ["${split(",", module.vpc.public_subnet_ids_dsv)}}"] cross_zone_load_balancing = true security_groups = [ "${aws_security_group.elb-proxy.id}" ] listener { lb_port = 636 lb_protocol = "ssl" instance_port = 389 instance_protocol = "tcp" ssl_certificate_id = "${var.my_cert}" } listener { lb_port = 88 lb_protocol = "ssl" instance_port = 88 instance_protocol = "tcp" ssl_certificate_id = "${var.my_cert}" } health_check { interval = 15 timeout = 5 unhealthy_threshold = 2 healthy_threshold = 3 target = "TCP:389" } tags { Name = "directory-proxy" } } 

请注意，我正在使用的证书来自受信任的CA，并为*.myteam.mycompany.com指定。

在运行sssd的机器上进行configuration

/etc/sssd/sssd.conf ：

 [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = myteam [nss] default_shell = /bin/bash fallback_homedir = /home/%u ldap_user_home_directory = unixHomeDirectory [pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 [domain/myteam] enumerate = true cache_credentials = TRUE id_provider = ldap ldap_uri = ldaps://directory.myteam.mycompany.com ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt ldap_default_bind_dn = CN=test-user,CN=users,DC=myteam,DC=mycompany,DC=internal ldap_default_authtok = REDACTED_PASSWORD ldap_id_use_start_tls = true ldap_schema = AD ldap_force_upper_case_realm = true ldap_id_mapping = true ldap_search_base = CN=users,DC=myteam,DC=mycompany,DC=internal ldap_user_uuid = none ldap_group_uuid = none chpass_provider = krb5 auth_provider = krb5 krb5_server = directory.myteam.mycompany.com krb5_realm = MYTEAM.MYCOMPANY.INTERNAL krb5_changepw_principal = kadmin/changepw krb5_ccachedir = /tmp krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX krb5_auth_timeout = 15 krb5_canonicalize = True 

/etc/sysconfig/authconfig ：

 IPADOMAINJOINED=no USEMKHOMEDIR=yes USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=yes USESHADOW=yes USEWINBIND=no PASSWDALGORITHM=sha512 FORCELEGACY=yes USEFPRINTD=no FORCESMARTCARD=no USEDB=no USELDAPAUTH=no USEPASSWDQC=no IPAV2NONTP=no WINBINDKRB5=no USELOCAUTHORIZE=yes USEECRYPTFS=no USECRACKLIB=yes USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELDAP=yes USENIS=no USEKERBEROS=no USESYSNETAUTH=no USESSSD=yes USEPWQUALITY=yes USEHESIOD=no 

除了这两个文件之外，我还确保在sshd_config启用密码authentication，并在sudo authconfig --updateall --enablesssd --enablesssdauth pam模块中的sssd。

/etc/pam.d/system-auth ：

 auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so 

软件版本

• uname -a ： Linux ip-172-31-31-2 4.1.10-17.31.amzn1.x86_64 #1 SMP Sat Oct 24 01:31:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
• sssd 1.12.2