Active-Directory

SSSD ActiveDirectory SSH SSO 不工作

  • September 21, 2016

我為 Ubuntu 14.04 提供了一個執行良好的 SSO 設置。不幸的是,我的設置不適用於 Ubuntu 16.04,我不知道為什麼。

我將 sssd-ad 與 ssh 結合使用進行單點登錄,我的問題是,自動登錄不起作用 - 我總是收到密碼提示,我可以使用密碼登錄,但這不是sso的目標…

krb5.conf

[libdefaults]
default_realm = MY.DOMAIN.LOC
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
rdns = false

ignore_acceptor_hostname = true  # Needed with 16.04 - else I get the error: Unspecified GSS failure.  Minor code may provide more information\nNo key table entry found matching host/HOSTNAME@ 

sssd.conf

[sssd]
domains = MY.DOMAIN.LOC
config_file_version = 2
services = nss, pam

[domain/MY.DOMAIN.LOC]
#debug_level = 0x0200
id_provider = ad
access_provider = ad

ad_domain = MY.DOMAIN.LOC
krb5_realm = MY.DOMAIN.LOC

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = HOSTNAME.MY.DOMAIN.LOC

# Uncomment if DNS SRV resolution is not working
# ad_server = DC.MY.DOMAIN.LOC

realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False

fallback_homedir = /home/%d/%u

ad_access_filter = FOREST:MY.DOMAIN.LOC:(memberOf:1.2.840.113556.1.4.1941:=CN=RES Linux Login,OU=MGMGroups,DC=MY,DC=DOMAIN,DC=LOC)

/etc/ssh/sshd_config

Port 22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 4096
SyslogFacility AUTH
LogLevel DEBUG3
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Ciphers +3des-cbc
HostKeyAlgorithms +ssh-dss
# Needed for Backup in Ubuntu 16.04
KexAlgorithms +diffie-hellman-group1-sha1

通過此設置,我可以通過 SSH(GSSAPI)從我的一個域加入工作站連接到我的 Ubuntu 14.04 伺服器之一

SSH 日誌 - Debuglevel3

Client protocol version 2.0; client software version PuTTY_Release_0.65
Enabling compatibility mode for protocol 2.0
Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
userauth-request for user USERNAME service ssh-connection method none [preauth]
input_userauth_request: try method none [preauth]
userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
PAM: initializing for "USERNAME"
PAM: setting PAM_RHOST to "10.99.99.99"
PAM: setting PAM_TTY to "ssh"
userauth-request for user USERNAME service ssh-connection method gssapi-with-mic [preauth]
attempt 1 failures 0 [preauth]
input_userauth_request: try method gssapi-with-mic [preauth]
mm_request_send entering: type 42 [preauth]
mm_request_receive_expect entering: type 43 [preauth]
mm_request_receive entering [preauth]
mm_request_receive entering
monitor_read: checking request 42
mm_request_send entering: type 43
send packet: type 60 [preauth]
Postponed gssapi-with-mic for USERNAME from 10.99.99.99 port 65071 ssh2 [preauth]
receive packet: type 50 [preauth]
userauth-request for user USERNAME service ssh-connection method keyboard-interactive [preauth]
attempt 2 failures 0 [preauth]
input_userauth_request: try method keyboard-interactive [preauth]
keyboard-interactive devs  [preauth]
auth2_challenge: user=USERNAME devs= [preauth]
kbdint_alloc: devices 'pam' [preauth]
auth2_challenge_start: devices pam [preauth]
kbdint_next_device: devices <empty> [preauth]
auth2_challenge_start: trying authentication method 'pam' [preauth]
mm_sshpam_init_ctx [preauth]
mm_request_send entering: type 104 [preauth]
mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
mm_request_receive_expect entering: type 105 [preauth]
mm_request_receive entering [preauth]
mm_request_receive entering
monitor_read: checking request 104
mm_answer_pam_init_ctx
PAM: sshpam_init_ctx entering
mm_request_send entering: type 105
mm_sshpam_query [preauth]
mm_request_send entering: type 106 [preauth]
mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
mm_request_receive_expect entering: type 107 [preauth]
mm_request_receive entering [preauth]
mm_request_receive entering
monitor_read: checking request 106
mm_answer_pam_query
PAM: sshpam_query entering
ssh_msg_recv entering
PAM: sshpam_thread_conv entering, 1 messages
ssh_msg_send: type 1
ssh_msg_recv entering
mm_request_send entering: type 107
mm_sshpam_query: pam_query returned 0 [preauth]
send packet: type 60 [preauth]
Postponed keyboard-interactive for USERNAME from 10.99.99.99 port 65071 ssh2 [preauth]

知道為什麼在 ubuntu 16.04 中需要“ignore_acceptor_hostname”嗎?我看不出它不起作用的原因,知道原因可能是什麼或如何獲得好的錯誤消息?

加入廣告是一個問題,在 Ubuntu 16.04 中,“領域加入”無法辨識正確的 fqdn,因此 keytab 文件只有主機名,但沒有分配 fqdn。

解決方案是:

  1. 離開域
  2. 將主機名設置為 fqdn
  3. 重新加入域

這麼容易……

引用自:https://serverfault.com/questions/803868