Active-Directory
SSSD Active Directory SSH SSO not working
I have a well-working SSO setup for Ubuntu 14.04. Unfortunately, my setup does not work on Ubuntu 16.04, and I don't know why.
I use sssd-ad combined with ssh for single sign-on. My problem is that the automatic login doesn't work - I always get a password prompt. I can log in with the password, but that is not the goal of SSO...
krb5.conf
[libdefaults]
default_realm = MY.DOMAIN.LOC
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
rdns = false
ignore_acceptor_hostname = true
# Needed with 16.04 - else I get the error: Unspecified GSS failure. Minor code may provide more information
# No key table entry found matching host/HOSTNAME@
sssd.conf
[sssd]
domains = MY.DOMAIN.LOC
config_file_version = 2
services = nss, pam

[domain/MY.DOMAIN.LOC]
#debug_level = 0x0200
id_provider = ad
access_provider = ad
ad_domain = MY.DOMAIN.LOC
krb5_realm = MY.DOMAIN.LOC
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = HOSTNAME.MY.DOMAIN.LOC
# Uncomment if DNS SRV resolution is not working
# ad_server = DC.MY.DOMAIN.LOC
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ad_access_filter = FOREST:MY.DOMAIN.LOC:(memberOf:1.2.840.113556.1.4.1941:=CN=RES Linux Login,OU=MGMGroups,DC=MY,DC=DOMAIN,DC=LOC)
/etc/ssh/sshd_config
Port 22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 4096
SyslogFacility AUTH
LogLevel DEBUG3
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Ciphers +3des-cbc
HostKeyAlgorithms +ssh-dss
# Needed for Backup in Ubuntu 16.04
KexAlgorithms +diffie-hellman-group1-sha1
With this setup I can connect via SSH (GSSAPI) from one of my domain-joined workstations to one of my Ubuntu 14.04 servers.
SSH log - Debuglevel 3
Client protocol version 2.0; client software version PuTTY_Release_0.65
Enabling compatibility mode for protocol 2.0
Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
userauth-request for user USERNAME service ssh-connection method none [preauth]
input_userauth_request: try method none [preauth]
userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
PAM: initializing for "USERNAME"
PAM: setting PAM_RHOST to "10.99.99.99"
PAM: setting PAM_TTY to "ssh"
userauth-request for user USERNAME service ssh-connection method gssapi-with-mic [preauth]
attempt 1 failures 0 [preauth]
input_userauth_request: try method gssapi-with-mic [preauth]
mm_request_send entering: type 42 [preauth]
mm_request_receive_expect entering: type 43 [preauth]
mm_request_receive entering [preauth]
mm_request_receive entering
monitor_read: checking request 42
mm_request_send entering: type 43
send packet: type 60 [preauth]
Postponed gssapi-with-mic for USERNAME from 10.99.99.99 port 65071 ssh2 [preauth]
receive packet: type 50 [preauth]
userauth-request for user USERNAME service ssh-connection method keyboard-interactive [preauth]
attempt 2 failures 0 [preauth]
input_userauth_request: try method keyboard-interactive [preauth]
keyboard-interactive devs [preauth]
auth2_challenge: user=USERNAME devs= [preauth]
kbdint_alloc: devices 'pam' [preauth]
auth2_challenge_start: devices pam [preauth]
kbdint_next_device: devices <empty> [preauth]
auth2_challenge_start: trying authentication method 'pam' [preauth]
mm_sshpam_init_ctx [preauth]
mm_request_send entering: type 104 [preauth]
mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
mm_request_receive_expect entering: type 105 [preauth]
mm_request_receive entering [preauth]
mm_request_receive entering
monitor_read: checking request 104
mm_answer_pam_init_ctx
PAM: sshpam_init_ctx entering
mm_request_send entering: type 105
mm_sshpam_query [preauth]
mm_request_send entering: type 106 [preauth]
mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
mm_request_receive_expect entering: type 107 [preauth]
mm_request_receive entering [preauth]
mm_request_receive entering
monitor_read: checking request 106
mm_answer_pam_query
PAM: sshpam_query entering
ssh_msg_recv entering
PAM: sshpam_thread_conv entering, 1 messages
ssh_msg_send: type 1
ssh_msg_recv entering
mm_request_send entering: type 107
mm_sshpam_query: pam_query returned 0 [preauth]
send packet: type 60 [preauth]
Postponed keyboard-interactive for USERNAME from 10.99.99.99 port 65071 ssh2 [preauth]
Does anyone know why "ignore_acceptor_hostname" is needed in Ubuntu 16.04? I can't see why it doesn't work. Any idea what the reason might be, or how to get a useful error message?
Joining AD was the problem. In Ubuntu 16.04, "realm join" could not detect the correct FQDN, so the keytab file only contained the hostname and no FQDN was assigned.
The solution was:
- leave the domain
- set the hostname to the FQDN
- rejoin the domain
That easy...
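An added example (not from the question or answer above) that checks for the keytab problem the answer describes: sshd needs a host/&lt;FQDN&gt;@REALM entry in /etc/krb5.keytab, and a keytab with only host/HOSTNAME@REALM produces the "No key table entry found" failure that ignore_acceptor_hostname papers over. The function parses "klist -k" output; the sample listing, the path /etc/krb5.keytab and the use of "hostname -f" are assumptions.

```shell
#!/bin/sh
# Classify the host/ principals in a "klist -k" listing (passed as $1) for
# the FQDN $2 and realm $3. Prints one of:
#   ok       host/<fqdn>@<realm> is present (GSSAPI SSO can work)
#   no-fqdn  only other host/ entries exist, e.g. host/HOSTNAME@REALM
#            (the Ubuntu 16.04 symptom: rejoin after setting the FQDN)
#   none     no host/ entries at all (machine is not joined)
# Kerberos principal names are case-sensitive, so the match is exact.
keytab_host_principal_status() {
    listing=$1; fqdn=$2; realm=$3
    printf '%s\n' "$listing" | awk -v want="host/$fqdn@$realm" '
        # klist -k entries look like "   2 host/name@REALM": KVNO, principal
        $1 ~ /^[0-9]+$/ && $2 ~ /^host\// {
            n++
            if ($2 == want) fq = 1
        }
        END {
            if (fq) print "ok"
            else if (n) print "no-fqdn"
            else print "none"
        }'
}

# Constructed sample: what a 16.04 host joined under its short name holds.
# The machine account entry (HOSTNAME$) does not help sshd, which accepts
# only as host/<fqdn>.
SAMPLE_BROKEN='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@MY.DOMAIN.LOC
   2 host/HOSTNAME@MY.DOMAIN.LOC'

# Result for the constructed sample (expected: no-fqdn).
demo_broken_status() {
    keytab_host_principal_status "$SAMPLE_BROKEN" hostname.my.domain.loc MY.DOMAIN.LOC
}

# Live check on a joined host (run as root so klist can read the keytab):
#   sh check_keytab.sh --live
# Reads the realm from the default_realm line of /etc/krb5.conf.
if [ "${1:-}" = "--live" ]; then
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' /etc/krb5.conf)
    keytab_host_principal_status "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" "$realm"
fi
```

If the live check prints no-fqdn, the fix is the one in the answer (leave, set the hostname to the FQDN, rejoin) rather than ignore_acceptor_hostname, which makes sshd accept any host/ key and so hides a mis-named keytab.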