Active-Directory

CentOS 7 joined to AWS Simple AD but cannot look up users

  • June 30, 2019

For the love of all that is holy - I have been working on this for 12 hours straight.

I have added my CentOS machine to the Simple AD service in AWS, following the steps outlined here

https://docs.aws.amazon.com/directoryservice/latest/adminguide/join_windows_instance.html

and then added the "test user" as outlined here: https://aws.amazon.com/blogs/security/how-to-manage-identities-in-simple-ad-directories/

I can see that the realm is configured correctly by running

[root@testhost home]# realm discover corp.example.com
 type: kerberos
 realm-name: CORP.EXAMPLE.COM
 domain-name: corp.example.com
 configured: kerberos-member
 server-software: active-directory
 client-software: sssd
 required-package: oddjob
 required-package: oddjob-mkhomedir
 required-package: sssd
 required-package: adcli
 required-package: samba-common-tools
 login-formats: %U@corp.example.com
 login-policy: allow-realm-logins

The realm list command also works and shows the same information.

I can see my users by running

[root@testhost home]# net ads user -S corp.example.com
AWSAdminD-97672D7BEE
Administrator
testuser
krbtgt
Guest

However, when I query the user with the id command like this

[root@testhost home]# id testuser@corp.example.com
id: testuser@corp.rise.com: no such user

My krb5.conf is

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = CORP.EXAMPLE.COM

[realms]
 CORP.EXAMPLE.COM = {
  default_domain = corp.example.com
  kdc = corp.example.com
  admin_server = corp.example.com
 }

[domain_realm]
 corp.example.com = CORP.EXAMPLE.COM
 .corp.example.com = CORP.EXAMPLE.COM

My sssd.conf is

[sssd]
domains = corp.example.com
config_file_version = 2
services = nss, pam
debug_level = 9
default_domain_suffix = corp.example.com

[domain/corp.example.com]
enumerate = True
ad_server = corp.example.com
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9

My logs in /var/log/messages show this - possibly a red herring... not sure

sssd[be[corp.example.com]]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

/var/log/sssd/sssd_corp.example.com.log shows the following when I issue an id request for the user

(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #145]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #145]: Receiving request data.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::corp.example.com:name=testuser@corp.example.com] from reply table
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #145]: Request removed.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x56430d094580
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@corp.example.com]
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #146]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #146]: Receiving request data.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #146]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:corp.example.com:name=testuser@corp.example.com] from reply table

Why can I not look up users from AD after adding the host to the realm?

This was resolved by adding the DNS servers to

/etc/resolv.conf

nameserver <dns1>
nameserver <dns2>

rather than mapping the domain corp.example.com to the IP address of the KDC/AD directory in /etc/hosts.

Quoted from: https://serverfault.com/questions/973373
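Added example, not part of the Server Fault post or its answer: a small POSIX shell check for the two name-resolution conditions the answer above turns on. SSSD's AD provider discovers domain controllers through DNS SRV records under the domain, and Kerberos builds the LDAP service principal from the host name it connects to. When the bare domain name is pinned in /etc/hosts and ad_server points at it, the client asks the KDC for a ticket for ldap/corp.example.com, a principal no domain controller holds, which is consistent with the "Server not found in Kerberos database" message and the backend declaring itself offline. The sample /etc/hosts and /etc/resolv.conf contents, the directory DNS addresses 10.0.1.45 and 10.0.2.45 (standing in for the answer's <dns1>/<dns2>), and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Server Fault post): check whether an SSSD AD
# client can discover its domain controllers through DNS, using the failure
# mode from the question. File contents below are constructed samples; a real
# run would point the functions at /etc/hosts and /etc/resolv.conf.

DOMAIN="corp.example.com"   # assumed: the post's anonymised AD domain

# Return 0 if the hosts file pins the bare AD domain to an address. With that
# mapping in place Kerberos requests ldap/<domain> instead of ldap/<dc-host>,
# and the KDC answers "Server not found in Kerberos database".
hosts_pins_domain() {
    hosts_file=$1 domain=$2
    # drop comments, then look for an alias equal to the domain (case-insensitive)
    sed 's/#.*//' "$hosts_file" | awk -v d="$domain" '
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the resolv.conf file lists at least one of the given directory
# DNS servers; remaining arguments are the expected nameserver addresses.
resolv_uses_directory_dns() {
    resolv_file=$1; shift
    for ns in "$@"; do
        ns_re=$(printf '%s' "$ns" | sed 's/\./\\./g')   # escape dots for the regex
        grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ns_re}([[:space:]]|\$)" "$resolv_file" && return 0
    done
    return 1
}

# Print the SRV names the AD provider and Kerberos library look up for a domain.
ad_srv_names() {
    domain=$1
    printf '%s\n' "_ldap._tcp.dc._msdcs.$domain" \
                  "_kerberos._tcp.dc._msdcs.$domain" \
                  "_kerberos._udp.$domain"
}

# Live follow-up (needs network and dig from bind-utils): return 0 only if every
# SRV name resolves. Deliberately not called at top level so the script runs offline.
srv_records_resolve() {
    domain=$1
    for name in $(ad_srv_names "$domain"); do
        [ -n "$(dig +short SRV "$name" 2>/dev/null)" ] || return 1
    done
}

# Assess a hosts/resolv.conf pair against the expected directory DNS servers.
# Returns 0 when DC discovery can go through DNS as the AD provider expects.
assess() {
    hosts=$1 resolv=$2; shift 2
    ok=0
    if hosts_pins_domain "$hosts" "$DOMAIN"; then
        echo "WARN: $DOMAIN is pinned in $hosts; Kerberos will ask for ldap/$DOMAIN, which no DC holds"
        ok=1
    fi
    if ! resolv_uses_directory_dns "$resolv" "$@"; then
        echo "WARN: $resolv does not list the directory DNS servers; SRV discovery will fail"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: domain controller discovery can use DNS"
    return $ok
}

# Constructed sample files: the question's setup (domain pinned in /etc/hosts,
# resolver pointing elsewhere) and the answer's setup (directory DNS in resolv.conf).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1   localhost
10.0.1.45   corp.example.com    # domain mapped straight to one DC address
EOF
cat > "$tmp/resolv.bad" <<'EOF'
nameserver 10.0.0.2
EOF
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1   localhost
EOF
cat > "$tmp/resolv.good" <<'EOF'
search corp.example.com
nameserver 10.0.1.45
nameserver 10.0.2.45
EOF

echo "== before the fix (question's setup) =="
assess "$tmp/hosts.bad" "$tmp/resolv.bad" 10.0.1.45 10.0.2.45 || true
echo "== after the fix (answer's setup) =="
assess "$tmp/hosts.good" "$tmp/resolv.good" 10.0.1.45 10.0.2.45
```

Running the script prints a warning for each condition in the question's setup and an OK verdict for the answer's. Once /etc/resolv.conf points at the directory, `srv_records_resolve corp.example.com` is the live confirmation that the SRV records SSSD relies on are actually reachable; it needs dig from the bind-utils package.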