Centos

Why does sssd break the PTR record of an AD-joined CentOS box?

  • September 19, 2018

I have a CentOS 7 box joined to an AD domain - call it centosbox.

Every time SSSD starts it updates the DNS records, which is fine by me, except that it breaks the PTR record by pointing it at just centosbox. rather than centosbox.my.domain.ext., and that breaks a lot of kerberos-related things because reverse DNS is now broken.

The output of hostname on this box is:

#hostname -f
centosbox.my.domain.ext

How can I get it to register the correct value for the PTR record?

sssd.conf:

[sssd]
domains = my.domain.ext
config_file_version = 2
services = nss, pam, sudo

[domain/my.domain.ext]
ad_domain = my.domain.ext
krb5_realm = MY.DOMAIN.EXT
realmd_tags = joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
sudo_provider = ldap

ldap_uri = ldap://my.domain.ext
ldap_tls_cacert = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
ldap_group_search_base = DC=my,DC=domain,DC=ext
ldap_sudo_search_base = OU=sudoers,DC=my,DC=domain,DC=ext
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CENTOSBOX$@MY.DOMAIN.EXT

[sudo]

krb5.conf:

includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = true
default_ccache_name = KEYRING:persistent:%{uid}

default_realm = MY.DOMAIN.EXT
[realms]
MY.DOMAIN.EXT = {
}

[domain_realm]
my.domain.ext = MY.DOMAIN.EXT
.my.domain.ext = MY.DOMAIN.EXT

Additional information:

The sssd ldap_child.log file contains a lot of:

(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2245]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2246]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2247]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2256]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2257]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2258]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database

OK, this is blatantly wrong, because:

[root@centosbox sssd]#klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  4 centosbox$@MY.DOMAIN.EXT (arcfour-hmac)
  4 centosbox$@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
  4 centosbox$@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
  4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (arcfour-hmac)
  4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
  4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
  4 host/centosbox@MY.DOMAIN.EXT (arcfour-hmac)
  4 host/centosbox@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
  4 host/centosbox@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)

What is going on here?

I suspect you have run into the Red Hat recommendation that the hostname be set to the FQDN: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names

SSSD appears to need the FQDN returned from the hostname function without the -f flag.

Here is a similar issue: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/QHBRCO2JR36PT5F4ZPZNGUHCEE5E4G42/
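The check a practitioner would want before and after changing the hostname, as an added example that is not part of the question or the answer above: confirm that plain `hostname` already returns the FQDN (what the answer says SSSD registers) and that the PTR record for the host's address points back at that FQDN rather than a bare label. This matters with the `rdns = true` setting in the krb5.conf above, since the Kerberos library then uses the reverse lookup to build the service principal it asks for. The pure functions take names and addresses as arguments so they run offline; `check_host` assumes `hostname -I` and `dig` are available on the box.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the
# hostname / PTR mismatch described above, plus a live wrapper.

# Return 0 if the name has at least one dot followed by another label,
# i.e. looks fully qualified. A bare 'centosbox' (or 'centosbox.') is
# exactly what ends up in the broken PTR record.
is_fqdn() {
    case "$1" in
        *.?*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Build the in-addr.arpa owner name for an IPv4 address,
# e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Normalise a DNS name: drop the trailing dot and lower-case it.
canon() {
    printf '%s\n' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# Return 0 when the PTR target ($2, as the resolver returns it, trailing
# dot included) is the expected FQDN ($1). 'centosbox.' against
# 'centosbox.my.domain.ext' fails, which is the symptom in the question.
ptr_matches() {
    [ "$(canon "$1")" = "$(canon "$2")" ]
}

# Live check on the running host (assumes hostname -I and dig exist).
# Exit 0 only if the short hostname is already the FQDN and the PTR for
# the primary address points back at it.
check_host() {
    short=$(hostname)
    fqdn=$(hostname -f)
    addr=$(hostname -I 2>/dev/null | awk '{ print $1 }')
    status=0

    if ! is_fqdn "$short"; then
        echo "WARN: 'hostname' returns '$short', not '$fqdn'; SSSD will register the short name" >&2
        status=1
    fi

    if [ -n "$addr" ]; then
        ptr=$(dig +short -x "$addr" | head -n 1)
        if ! ptr_matches "$fqdn" "$ptr"; then
            echo "WARN: PTR at $(reverse_name "$addr") is '${ptr:-<none>}', expected '$fqdn'" >&2
            status=1
        fi
    fi
    return "$status"
}

# Only touch the live host when asked, so the helpers can be sourced.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh check_ptr.sh --live` on the joined box; a non-zero exit means the forward and reverse names still disagree. If the PTR must be managed elsewhere, sssd-ad(5) also documents `dyndns_update` and `dyndns_update_ptr`, which stop SSSD from rewriting the PTR record at all instead of relying on the hostname being correct.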

Quoted from: https://serverfault.com/questions/917204