Automatically renewing the Kerberos host keytab with SSSD
Has anyone here seen their Linux servers get dropped from the AD domain because the machine credentials expired? We are using AD authentication with sssd-1.13.3-56.el6 (CentOS 6).
According to https://bugzilla.redhat.com/show_bug.cgi?id=1290761, sssd should be able to renew the host credentials automatically. The related Red Hat documentation ("Integrating Red Hat Enterprise Linux 6 with Active Directory") does not mention any additional configuration steps to take when joining AD.
From what I have found, some people do run a cron job to renew the host credentials: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/
Do we need to run a cron job with "msktutil --auto-update" and "kinit -k $"?
Or should sssd be able to handle this?
Are you setting "ad_maximum_machine_account_password_age" in sssd.conf, or leaving it at the default of 30 days?
Cheers,
Update: @jhrozek, thanks for the comment.
I still have the same problem with my configuration.
It looks like the ticket was not renewed on May 28 and the server dropped out of the domain:
# net ads testjoin
kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
Join to domain is not valid: Logon failure
Keytab status:
# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
This looks like a ticket was renewed on 5/28, but somehow the server account was removed?
Installed SSSD and ADCLI packages:
# rpm -qa | grep sssd
sssd-client-1.13.3-56.el6.x86_64
sssd-ipa-1.13.3-56.el6.x86_64
sssd-proxy-1.13.3-56.el6.x86_64
python-sssdconfig-1.13.3-56.el6.noarch
sssd-common-pac-1.13.3-56.el6.x86_64
sssd-krb5-1.13.3-56.el6.x86_64
sssd-krb5-common-1.13.3-56.el6.x86_64
sssd-ldap-1.13.3-56.el6.x86_64
sssd-common-1.13.3-56.el6.x86_64
sssd-ad-1.13.3-56.el6.x86_64
sssd-1.13.3-56.el6.x86_64
# rpm -qa | grep adcli
adcli-0.8.1-1.el6.x86_64
And sssd.conf:
[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2
default_domain_suffix = main.example.com
full_name_format = %1$s@%2$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

[domain/stage.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = false
ad_domain = stage.example.com
ldap_id_mapping = true
krb5_realm = STAGE.example.com
default_shell = /bin/bash
ad_gpo_access_control = permissive
override_homedir = /home/admin/%u
And krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGE.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = true
 clockskew = true
 proxiable = true

[realms]
 STAGE.EXAMPLE.COM = {
  kdc = 172.31.1.252
  kdc = 172.31.0.252
  admin_server = 172.31.1.252
  admin_server = 172.31.0.252
 }

[domain_realm]
 stage.example.com = STAGE.EXAMPLE.COM
 .stage.example.com = STAGE.EXAMPLE.COM
Any suggestions on how to fix this?
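As an added example (not from the original post, and not part of sssd or adcli), a small POSIX shell check that parses `klist -kt` output and reports whether the newest keytab entry is older than the renewal interval discussed in the thread (`ad_maximum_machine_account_password_age`, 30 days by default). The sample `klist` output and the "today" dates passed to it are constructed for the example; on a real host the check is fed from `klist -kt` and `date +%F` so a cron or monitoring job can catch a missed renewal before the machine account expires.

```shell
#!/bin/sh
# Constructed sample of `klist -kt` output (not taken from the original post).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com'

# Days since 1970-01-01 for a civil date; args: YYYY MM DD (leading zeros OK).
# Done in awk so the script does not depend on GNU "date -d".
days_from_civil() {
  awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
    if (m <= 2) y--
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * ((m + 9) % 12) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    print era * 146097 + doe - 719468 }'
}

# Highest KVNO present in klist -kt output read on stdin.
keytab_max_kvno() {
  awk '$1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Newest entry date (YYYY-MM-DD) in klist -kt output read on stdin.
# klist prints MM/DD/YY; a 20YY century is assumed.
keytab_newest_date() {
  awk '$1 ~ /^[0-9]+$/ { split($2, t, "/"); d = "20" t[3] "-" t[1] "-" t[2]
                         if (d > best) best = d } END { print best }'
}

# Age in days of the newest keytab entry relative to TODAY (YYYY-MM-DD); stdin as above.
keytab_age_days() {
  newest=$(days_from_civil $(keytab_newest_date | tr '-' ' '))
  today=$(days_from_civil $(printf '%s' "$1" | tr '-' ' '))
  echo $((today - newest))
}

# Succeeds when the newest entry is at most MAX_AGE days old; args: TODAY MAX_AGE.
keytab_is_fresh() {
  [ "$(keytab_age_days "$1")" -le "$2" ]
}

# On a real host: klist -kt | keytab_is_fresh "$(date +%F)" 30 || echo "keytab stale"
```

A stale result means the last renewal (by sssd forking adcli, or by a cron job) did not land in the keytab, which is worth alerting on before the machine account reaches the age limit on the AD side.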
This should happen automatically, but you need to install adcli. sssd simply forks and executes adcli to perform the renewal.
After running into this problem for a few months, I finally figured out what my problem was.
I had not named my server server.my.domain.com, but just server. After changing the name and leaving and rejoining the realm, adcli update ran without problems.