Active-Directory

Automatically renewing the Kerberos host keytab with SSSD

  • November 10, 2020

Has anyone here seen their Linux servers get dropped from the AD domain because the machine credential expired? We are using AD authentication with sssd-1.13.3-56.el6 (CentOS 6).

According to "https://bugzilla.redhat.com/show_bug.cgi?id=1290761", sssd should be able to renew the host credential automatically. The related Red Hat documentation ("Integrating Red Hat Enterprise Linux 6 with Active Directory") does not mention any extra configuration step that should be taken when joining AD.

From my searching, some people do run a cron job to renew the host credential: "https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/"

SSSD Kerberos AD CentOS troubleshooting

Do we need to run a cron job with "msktutil --auto-update" and "kinit -k $"?

Or should sssd be able to handle this?

Are you setting "ad_maximum_machine_account_password_age" in sssd.conf, or leaving it at the 30-day default?

Cheers,

Update: @jhrozek, thanks for the comment.

I still have the same problem with my configuration.

It looks like the ticket was not renewed on May 28, and the server dropped out of the domain:

# net ads testjoin
kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
Join to domain is not valid: Logon failure

Keytab status:

# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
  2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
  2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
  2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
  2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
  2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
  2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
  2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
  2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
  2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
  3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
  3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
  3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
  3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
  3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
  3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
  3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
  3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
  3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
  3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
  3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com

This looks like a ticket was renewed on 5/28, but somehow the server account was removed?

Installed SSSD and adcli packages:

# rpm -qa | grep sssd
sssd-client-1.13.3-56.el6.x86_64
sssd-ipa-1.13.3-56.el6.x86_64
sssd-proxy-1.13.3-56.el6.x86_64
python-sssdconfig-1.13.3-56.el6.noarch
sssd-common-pac-1.13.3-56.el6.x86_64
sssd-krb5-1.13.3-56.el6.x86_64
sssd-krb5-common-1.13.3-56.el6.x86_64
sssd-ldap-1.13.3-56.el6.x86_64
sssd-common-1.13.3-56.el6.x86_64
sssd-ad-1.13.3-56.el6.x86_64
sssd-1.13.3-56.el6.x86_64


# rpm -qa | grep adcli
adcli-0.8.1-1.el6.x86_64

And sssd.conf:

[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2
default_domain_suffix = main.example.com
full_name_format = %1$s@%2$s

re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

[domain/stage.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = false
ad_domain = stage.example.com
ldap_id_mapping = true
krb5_realm = STAGE.example.com
default_shell = /bin/bash
ad_gpo_access_control = permissive
override_homedir = /home/admin/%u

And krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = STAGE.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
# clockskew takes a number of seconds, not a boolean; the posted value was "true".
# 300 is the MIT Kerberos default.
clockskew = 300
proxiable = true

[realms]

STAGE.EXAMPLE.COM = {
 kdc = 172.31.1.252
 kdc = 172.31.0.252

 admin_server = 172.31.1.252
 admin_server = 172.31.0.252
}

[domain_realm]
stage.example.com = STAGE.EXAMPLE.COM
.stage.example.com = STAGE.EXAMPLE.COM

Any suggestions on how to fix this?
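As an added example (not code from the question or the answers, and not part of SSSD or adcli): a small bash check, suitable for a cron job, that parses `klist -kt` output, picks the entry with the highest KVNO, and reports whether it is older than the `ad_maximum_machine_account_password_age` window (30 days by default). Catching this before the 30-day mark is what tells you the renewal did not happen. The klist listing embedded below is constructed to mirror the one in the question; the script assumes GNU `date` and the MM/DD/YY timestamp format klist printed there.

```bash
#!/usr/bin/env bash
# Added example, not from the question or answers: flag a host keytab whose newest
# key is older than the machine-account password age SSSD should be enforcing.
# Assumes GNU date and the MM/DD/YY timestamps that klist -kt printed in the question.
set -u

# Constructed sample shaped like the question's "klist -kt" listing (not real data)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com'

# Read klist -kt output on stdin; print "KVNO MM/DD/YY HH:MM:SS" for the highest KVNO.
keytab_latest_entry() {
  awk '$1 ~ /^[0-9]+$/ { if ($1 + 0 >= max) { max = $1 + 0; ts = $2 " " $3 } }
       END { if (ts != "") print max, ts }'
}

# Whole days between a klist timestamp and a reference time (default: now).
keytab_age_days() {
  local stamp=$1 now=${2:-now} t_stamp t_now
  t_stamp=$(date -d "$stamp" +%s) || return 1
  t_now=$(date -d "$now" +%s) || return 1
  echo $(( (t_now - t_stamp) / 86400 ))
}

# Exit 0 when the newest key is within max_age days, 1 when stale, 2 when nothing parsed.
# Usage from cron:  klist -kt /etc/krb5.keytab | check_keytab 30
check_keytab() {
  local max_age=${1:-30} now=${2:-now} entry kvno stamp age
  entry=$(keytab_latest_entry)
  if [ -z "$entry" ]; then
    echo "no keytab entries parsed" >&2
    return 2
  fi
  kvno=${entry%% *}
  stamp=${entry#* }
  age=$(keytab_age_days "$stamp" "$now") || return 2
  if [ "$age" -gt "$max_age" ]; then
    echo "STALE: kvno $kvno from $stamp is $age days old (limit $max_age days)"
    return 1
  fi
  echo "OK: kvno $kvno from $stamp is $age days old (limit $max_age days)"
}

# Stand-alone demonstration against the constructed sample, evaluated as of 2017-07-10:
# KVNO 3 is 42 days old, so the check reports it as stale.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab 30 '2017-07-10 00:00:00' \
  || echo "check_keytab exit status $?: verify adcli is installed and sssd can run it"
```

A stale result is only the symptom; the fix is whatever stops the renewal from happening (the accepted answer's point about adcli being present, or the hostname mismatch mentioned in the other answer). Note that `klist -kt` timestamp formatting depends on the locale, so adjust the `date -d` parsing if your listing looks different from the one in the question.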

This should happen automatically, but you need to have adcli installed. sssd simply forks and runs adcli to perform the renewal.

After having this problem for a few months, I finally figured out what my problem was.

I had not named my server server.my.domain.com, only server. After changing the name and leaving and rejoining the realm, adcli update ran without problems.

Source: https://serverfault.com/questions/852032