Active-Directory
Cannot authenticate against Active Directory using security/sssd from the FreeBSD ports
I am trying to get the security/sssd port working on a FreeBSD 10.0 system. My main goal is to authenticate users against an Active Directory running on Windows Server 2012 R2. I would like to know whether anyone has used this port (or package) successfully. I cannot even get debugging to work properly; no errors show up in the log files. My configuration files and debug information follow:
Contents of /usr/local/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
domains = local.iq.ufrj.br

[nss]

[pam]

[domain/local.iq.ufrj.br]
# Uncomment if you need offline logins
#cache_credentials = true

debug_level = 5

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

#ad_hostname = sssd-test.local.iq.ufrj.br
#ad_domain = local.iq.ufrj.br
#ldap_search_base = dc=local,dc=iq,dc=ufrj,dc=br

# Uncomment if service discovery is not working
ad_server = pewter.local.iq.ufrj.br

#
# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
#ldap_id_mapping = False
#
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/tcsh
fallback_homedir = /home/%d/%u

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = SSSD-TEST$@LOCAL.IQ.UFRJ.BR
#
# Comment out if you prefer to user shortnames.
#use_fully_qualified_names = True
Contents of /etc/krb5.conf:

root@sssd-test:/usr/local/etc/sssd # cat /etc/krb5.conf
[logging]
# The logging is not really required as this host is not
# using kadmin. Kept in as it does no harm.
# Debugging, if required, will be set in the
# /etc/pam.d/ files.
default = FILE:/var/log/krb5libs.log
#kdc = FILE:/var/log/krb5kdc.log
#admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LOCAL.IQ.UFRJ.BR
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
I can confirm that Kerberos and the keytab are working:

root@sssd-test:/usr/local/etc/sssd # kdestroy
root@sssd-test:/usr/local/etc/sssd # kinit -k SSSD-TEST$
root@sssd-test:/usr/local/etc/sssd # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: SSSD-TEST$@LOCAL.IQ.UFRJ.BR

  Issued                Expires               Principal
May 22 18:15:32 2014  May 23 04:15:32 2014  krbtgt/LOCAL.IQ.UFRJ.BR@LOCAL.IQ.UFRJ.BR
Finally, I can search with ldapsearch over GSSAPI without any problem:

root@sssd-test:/usr/local/etc/sssd # ldapsearch -H ldap://pewter.local.iq.ufrj.br/ -Y GSSAPI -N -b "dc=local,dc=iq,dc=ufrj,dc=br" "(&(objectClass=user)(sAMAccountName=ferrao))"
SASL/GSSAPI authentication started
SASL username: SSSD-TEST$@LOCAL.IQ.UFRJ.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=iq,dc=ufrj,dc=br> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=ferrao))
# requesting: ALL
... CUT ...
Looking at the logs in /var/log/sssd/* after service sssd restart:

(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/run/sss/kdcinfo.LOCAL.IQ.UFRJ.BR], [2][No such file or directory]
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/run/sss/kpasswdinfo.LOCAL.IQ.UFRJ.BR], [2][No such file or directory]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sysdb_domain_init_internal] (0x0200): DB File for local.iq.ufrj.br: /var/db/sss/cache_local.iq.ufrj.br.ldb
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43500
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_local.iq.ufrj.br,1)
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_common_options] (0x0100): Setting ad_hostname to [sssd-test.iq.ufrj.br].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_common_options] (0x0100): Setting domain case-insensitive
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [fo_add_server] (0x0080): Adding new server 'pewter.local.iq.ufrj.br', to service 'AD'
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_servers_init] (0x0100): Added failover server pewter.local.iq.ufrj.br
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_id_options] (0x0100): Option krb5_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Will look for SSSD-TEST$@LOCAL.IQ.UFRJ.BR in default keytab
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): Selected primary: SSSD-TEST$
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): Selected realm: LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to SSSD-TEST$
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_auth_options] (0x0100): Option krb5_server set to pewter.local.iq.ufrj.br
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0080): No SUDO module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0080): No autofs module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): No selinux module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): No host info module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): Subdomains are not supported for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x805c43b40.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43B40
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x805c2c1a0]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Cancel DP ID timeout [0x805c2c1a0]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x805c43c80.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43C80
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x805c2cb60]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Cancel DP ID timeout [0x805c2cb60]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Added Frontend client [NSS]
Two minutes later...
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=operator]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_is_address] (0x0040): getaddrinfo failed [8]: hostname nor servname provided, or not known
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'pewter.local.iq.ufrj.br' in files
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'resolving name'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'pewter.local.iq.ufrj.br' in files
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'pewter.local.iq.ufrj.br' in DNS
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'name resolved'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_resolve_server_process] (0x0200): Found address for server pewter.local.iq.ufrj.br: [10.7.0.2] TTL 1200
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pewter.local.iq.ufrj.br'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [USER][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_resolve_server_process] (0x0200): Found address for server pewter.local.iq.ufrj.br: [10.7.0.2] TTL 1200

==> /var/log/sssd/ldap_child.log <==
(Thu May 22 18:22:00 2014) [[sssd[ldap_child[8071]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [SSSD-TEST$@LOCAL.IQ.UFRJ.BR]
(Thu May 22 18:22:00 2014) [[sssd[ldap_child[8071]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]

==> /var/log/sssd/sssd_local.iq.ufrj.br.log <==
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: SSSD-TEST$
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [child_sig_handler] (0x0100): child [8071] finished successfully.
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'pewter.local.iq.ufrj.br' as 'working'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'working'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
So it seems to work, but it does not. When I issue a getent passwd I get nothing from AD. Finally, here is my /etc/nsswitch.conf, just in case:

root@sssd-test:/usr/local/etc/sssd # cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files sss
group_compat: nis
hosts: files dns
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Thanks in advance.
I think you are doing it right; it is probably working and you just don't know it.

By default, getent does not show the IDs of all users, but running getent passwd username will return what you expect.

Check again.
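One way to check the two things the answer above relies on (that nsswitch.conf hands the passwd and group databases to sss, and that sssd enumeration is off by default so only a lookup by name returns AD users), as an added Python example that is not part of the original thread. The embedded files are trimmed, constructed copies of the poster's sssd.conf and nsswitch.conf, and the check rules are my own, not anything shipped with sssd.

```python
import configparser

# Constructed from the question's sssd.conf (comments and unrelated keys dropped).
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = local.iq.ufrj.br

[domain/local.iq.ufrj.br]
id_provider = ad
fallback_homedir = /home/%d/%u
ldap_sasl_mech = GSSAPI
"""

# Constructed from the question's nsswitch.conf (only the databases that matter here).
NSSWITCH_CONF = "group: files sss\npasswd: files sss\n"


def parse_sssd_conf(text):
    # sssd.conf is INI-like; interpolation is off so %d/%u in fallback_homedir stays literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_nsswitch(text):
    # Map each nsswitch database to its ordered list of sources, skipping comments.
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs


def diagnose(sssd_text, nsswitch_text):
    # Empty result means a bare `getent passwd` should list AD users.
    cp = parse_sssd_conf(sssd_text)
    dbs = parse_nsswitch(nsswitch_text)
    findings = []
    if "nss" not in [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]:
        findings.append("[sssd] services lacks nss, so getent never reaches sssd")
    for db in ("passwd", "group"):
        if "sss" not in dbs.get(db, []):
            findings.append(f"nsswitch.conf: {db} database does not list sss")
    for domain in [d.strip() for d in cp.get("sssd", "domains").split(",")]:
        # enumerate defaults to false, which is the behaviour the answer describes.
        if not cp.getboolean(f"domain/{domain}", "enumerate", fallback=False):
            findings.append(f"{domain}: enumerate is off (default), so a bare `getent passwd` "
                            "lists no AD users; query one user by name instead")
    return findings
```

Run against the poster's files it reports only the enumeration finding, which matches the symptom in the question: lookups by name reach AD while the unqualified listing stays empty.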
SSSD has issues with AD DCs based on Windows Server 2012R2. I filed this ticket: https://fedorahosted.org/sssd/ticket/2418