Hello, I am trying to set up SSSD authentication against AD on RHEL.
I can log in with my AD user and password and see my groups when I run id. However, when I try to use sudo, it just keeps prompting me for my password (Sorry, please try again). Any idea why? I know it is not the sudoers file, because when I run sudo -U myUser -l I see (root) ALL, but I can su to root without any problem and am not prompted to enter a password.
My assumption is that it has something to do with PAM.
pam.d/system-auth-ac
auth required pam_env.so
auth sufficient pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
pam.d/password-auth-ac
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
sssd.conf
[sssd]
config_file_version = 2
domains = myDomain
services = nss, pam, pac

[domain/myDomain]
id_provider = ad
access_provider = ad
ad_server = adSer2.ca,adSer1.ca
ad_access_filter = memberOf=CN=IT - Shared Services,OU=Infrastructure,OU=CompanyGrps,DC=company,DC=ca
default_shell = /bin/bash
fallback_homedir = /home/%u
ignore_group_members = true
debug_level = 1

[nss]

[pam]
debug_level = 1
pam_verbosity = 3

[pac]
nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files sss ldap
aliases:    files nisplus
sudoers file
root ALL=(ALL) ALL
%it\ -\ shared\ services ALL = (root) ALL
Update
I got it working by removing Kerberos from the PAM configuration, but I am not sure whether I have introduced a security risk by doing so.
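Added illustration, not code from the question or the answer: a small Python evaluator for the auth control flags in the two PAM stacks posted above, walking them with the dispatch rules from pam.conf(5) (required / requisite / sufficient / optional and the [value=action] form, with an integer action modelled as a pure skip). It assumes RHEL's default service files (sudo and su include system-auth, sshd uses password-auth), and the per-module results in AD_USER and LOCAL_USER are assumptions rather than observations: an AD account is absent from /etc/passwd and has no local hash for pam_unix to verify, its uid is at least 1000, and SSSD accepts its password. Under those assumptions the walk isolates the one structural difference between the two stacks (sufficient pam_localuser.so does not skip pam_unix, whose default=die ends the stack for a non-local user, whereas [default=1 success=ok] jumps past it) and also shows that a local account clears the sufficient pam_localuser.so line before any password-verifying module has run.

```python
"""Toy Linux-PAM 'auth' stack evaluator (added example; assumptions marked below)."""
import re

# Equivalent [value=action] tables for the keyword controls, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type, control (keyword or [bracketed list]), module, optional arguments
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text, mtype="auth"):
    """Return [(module, control_table)] for the lines of the given type."""
    stack = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        _dash, kind, control, module, _args = m.groups()
        if kind != mtype:
            continue
        if control.startswith("["):
            table = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((module, table))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack; return (final status, trace of (module, result, action)).

    State mirrors libpam's impression/status pair: the first bad/die failure is
    frozen, ok/done only overwrite while nothing negative has been recorded,
    and done terminates only when the running impression is positive.
    """
    impression, status, trace, skip = None, None, [], 0
    for module, table in stack:
        if skip:                                  # jumped over by an integer action
            skip -= 1
            trace.append((module, "skipped"))
            continue
        rc = outcomes[module]                     # assumed return value for this user
        action = table.get(rc, table.get("default", "bad"))
        trace.append((module, rc, action))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", rc
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rc
            if action == "die":
                break
        elif action == "ignore":
            pass
        else:                                     # integer: skip the next N modules
            skip = int(action)                    # simplification: state untouched
    return (status if impression is not None else "perm_denied"), trace


def evaluate(stack_text, outcomes):
    return run_stack(parse_stack(stack_text), outcomes)


# The auth sections of the two files from the question.
SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""
PASSWORD_AUTH = """
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# ASSUMED results for an AD user typing the right password: not in /etc/passwd,
# no local hash for pam_unix, uid >= 1000, SSSD accepts the password.
AD_USER = {"pam_env.so": "success", "pam_localuser.so": "perm_denied",
           "pam_unix.so": "auth_err", "pam_succeed_if.so": "success",
           "pam_sss.so": "success", "pam_krb5.so": "success", "pam_deny.so": "auth_err"}
# ASSUMED results for a local account whose password pam_unix would verify.
LOCAL_USER = dict(AD_USER, **{"pam_localuser.so": "success", "pam_unix.so": "success"})

if __name__ == "__main__":
    for name, text in (("system-auth-ac (sudo, su)", SYSTEM_AUTH),
                       ("password-auth-ac (sshd)", PASSWORD_AUTH)):
        for who, outcomes in (("AD user", AD_USER), ("local user", LOCAL_USER)):
            status, trace = evaluate(text, outcomes)
            print(f"{name:27s} {who:10s} -> {status:12s} {trace}")
```

Running it prints four traces: the AD user dies at pam_unix in system-auth but reaches pam_sss in password-auth, and the local user's system-auth trace ends after pam_localuser without pam_unix ever being consulted.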
In my experience, I had to qualify the group with the domain name in /etc/sudoers.
So my sudoers declaration looks more like this:
%[email protected] ALL = (root) ALL
Since you have spaces in the group name, something like:
%it\ -\ shared\ [email protected] ALL = (root) ALL