Active-Directory
CentOS 7 joined to AWS Simple AD but cannot look up users
For the love of all that is holy - I have been working on this for 12 hours straight.
I have added my CentOS machine to the Simple AD service in AWS, following the steps outlined here
https://docs.aws.amazon.com/directoryservice/latest/adminguide/join_windows_instance.html
and then added the "test user" outlined here: https://aws.amazon.com/blogs/security/how-to-manage-identities-in-simple-ad-directories/
I can see that the realm is configured correctly:
    [root@testhost home]# realm discover corp.example.com
      type: kerberos
      realm-name: CORP.EXAMPLE.COM
      domain-name: corp.example.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools
      login-formats: %U@corp.example.com
      login-policy: allow-realm-logins

The `realm list` command also works and shows the same information. I can see my user by running:

    [root@testhost home]# net ads user -S corp.example.com
    AWSAdminD-97672D7BEE
    Administrator
    testuser
    krbtgt
    Guest

But when querying the user with the id command like this:

    [root@testhost home]# id testuser@corp.example.com
    id: testuser@corp.rise.com: no such user
My krb5.conf is:

    [libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
     default_ccache_name = KEYRING:persistent:%{uid}
     default_realm = CORP.EXAMPLE.COM

    [realms]
     CORP.EXAMPLE.COM = {
      default_domain = corp.example.com
      kdc = corp.example.com
      admin_server = corp.example.com
     }

    [domain_realm]
     corp.example.com = CORP.EXAMPLE.COM
     .corp.example.com = CORP.EXAMPLE.COM

My sssd.conf is:

    [sssd]
    domains = corp.example.com
    config_file_version = 2
    services = nss, pam
    debug_level = 9
    default_domain_suffix = corp.example.com

    [domain/corp.example.com]
    enumerate = True
    ad_server = corp.example.com
    ad_domain = corp.example.com
    krb5_realm = CORP.EXAMPLE.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = False
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = ad
    debug_level = 9
My logs in /var/log/messages show this - possibly a red herring... not sure:

    sssd[be[corp.example.com]]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

/var/log/sssd/sssd_corp.example.com.log
When I issue an id request for the user, it shows the following:

    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #145]: New request. Flags [0x0001].
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #145]: Receiving request data.
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::corp.example.com:name=testuser@corp.example.com] from reply table
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #145]: Request removed.
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x56430d094580
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@corp.example.com]
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #146]: New request. Flags [0x0001].
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #146]: Receiving request data.
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #146]: Finished. Backend is currently offline.
    (Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:corp.example.com:name=testuser@corp.example.com] from reply table
Why can't I list users from AD after joining the realm?

This was resolved by adding the DNS servers to
/etc/resolv.conf

    nameserver <dns1>
    nameserver <dns2>

instead of mapping the domain corp.example.com to the IP of the KDC/AD directory address in
/etc/hosts
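The answer above points at name resolution: SSSD's AD provider locates domain controllers through DNS SRV records (for example `_ldap._tcp.dc._msdcs.<domain>`), and a static A entry in /etc/hosts cannot answer those lookups, so the backend goes offline and every `id` request fails exactly as the log shows. The following Python is an added diagnostic written for this page, not code from the original post or from SSSD: it parses constructed log lines in the same `sssd_<domain>.log` format to pull out requests that finished "Backend is currently offline", and audits constructed /etc/hosts and /etc/resolv.conf contents for the two conditions the asker fixed. The addresses `10.0.0.10`/`10.0.0.11` are placeholders for the post's `<dns1>`/`<dns2>`; `169.254.169.253` is the VPC-provided resolver, shown here only as a nameserver that is not the directory's own.

```python
import re

# Constructed sample lines in the sssd_<domain>.log format from the question
# (request numbers mirror the post; these were not captured from a real host).
SAMPLE_LOG = """\
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #145]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@corp.example.com]
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #146]: Finished. Backend is currently offline.
"""

# Constructed /etc/hosts and /etc/resolv.conf contents for the broken and the fixed state.
# 10.0.0.10 / 10.0.0.11 stand in for the <dns1>/<dns2> placeholders in the answer.
BAD_HOSTS = "127.0.0.1 localhost\n10.0.0.10 corp.example.com   # AD pinned statically\n"
BAD_RESOLV = "search ec2.internal\nnameserver 169.254.169.253\n"   # VPC resolver only
GOOD_HOSTS = "127.0.0.1 localhost\n"
GOOD_RESOLV = "search corp.example.com\nnameserver 10.0.0.10\nnameserver 10.0.0.11\n"
DIRECTORY_DNS = ["10.0.0.10", "10.0.0.11"]   # assumed addresses of the directory's DNS

# One sssd debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
OFFLINE_RE = re.compile(r"DP Request \[(?P<req>[^\]]+)\]: Finished\. Backend is currently offline\.")


def offline_requests(log_text):
    """Return the ids of data-provider requests that were answered while the backend was offline."""
    found = []
    for line in log_text.splitlines():
        entry = LOG_RE.match(line)
        if not entry:
            continue   # not an sssd debug line; skip silently
        offline = OFFLINE_RE.match(entry.group("msg"))
        if offline:
            found.append(offline.group("req"))
    return found


def parse_hosts(hosts_text):
    """Map every hostname in /etc/hosts text to its address, ignoring comments and blank lines."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def parse_resolv(resolv_text):
    """Return the nameserver addresses declared in resolv.conf text, in order."""
    servers = []
    for raw in resolv_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolution(hosts_text, resolv_text, domain, directory_dns):
    """Flag the two misconfigurations behind the question: the AD domain pinned in
    /etc/hosts, and resolv.conf not pointing at a DNS server that serves the
    domain's SRV records. Returns a list of human-readable findings (empty is good)."""
    findings = []
    hosts = parse_hosts(hosts_text)
    if domain.lower() in hosts:
        findings.append(
            f"{domain} is pinned to {hosts[domain.lower()]} in /etc/hosts; a static A entry "
            "cannot answer the SRV lookups (_ldap._tcp.dc._msdcs.*) SSSD uses to find DCs"
        )
    nameservers = parse_resolv(resolv_text)
    if not nameservers:
        findings.append("/etc/resolv.conf declares no nameserver")
    elif not set(nameservers) & set(directory_dns):
        findings.append(
            "/etc/resolv.conf lists no directory DNS server (found: " + ", ".join(nameservers) + ")"
        )
    return findings


if __name__ == "__main__":
    print("offline requests:", offline_requests(SAMPLE_LOG))
    for label, hosts, resolv in (("broken", BAD_HOSTS, BAD_RESOLV), ("fixed", GOOD_HOSTS, GOOD_RESOLV)):
        print(label, audit_resolution(hosts, resolv, "corp.example.com", DIRECTORY_DNS) or ["ok"])
```

Run it against the real files with `audit_resolution(open("/etc/hosts").read(), open("/etc/resolv.conf").read(), "corp.example.com", [...])` once you know the directory's DNS addresses; a non-empty result before `realm join` saves the hours the asker spent, and a burst of offline request ids from `offline_requests` on the live log is the signal that SSSD cannot reach a DC rather than that the user is missing.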