Ldap
SSSD refuses LDAP login via su: incorrect password
I have set up an LDAP server with user accounts. I have successfully configured a Rails application to authenticate against this LDAP server. I am now trying to configure SSSD to authenticate against LDAP, but it doesn't like the user's password.
Error:

```
$ su - leopetr4
Password:
su: incorrect password
```
SSSD recognises the user, but not the password:

```
$ id leopetr4
uid=9583(leopetr4) gid=9583(leopetr4) groups=9583(leopetr4)
```
The user record looks like this:

```
# ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com" -H ldaps://my_hostname.my_domain.com "(uid=leopetr4)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my_domain,dc=com> (default) with scope subtree
# filter: (uid=leopetr4)
# requesting: ALL
#

# leopetr4, People, my_domain.com
dn: uid=leopetr4,ou=People,dc=my_domain,dc=com
uid: leopetr4
cn: Leo Petr 40
sn: 40
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 16736
shadowMin: 1
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9583
gidNumber: 9583
homeDirectory: /mnt/home/leopetr4
mail: leo.petr+40@example.com
gecos: Leo Petr 40
userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
This is the user's password hash from above, base64-decoded:

```
{SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=
```

It exactly matches the output of:

```
slappasswd -c {SHA} "that_password"
```
This is the SSSD configuration:

```
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
debug_level = 5

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
debug_level = 5
```
This is the SSSD log when I try `su - leopetr4`:

```
# tail -f /var/log/secure /var/log/sssd/*.log

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=leopetr4]
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

==> /var/log/sssd/sssd.log <==
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging LDAP
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service LDAP replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping

==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost=  user=leopetr4

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=leopetr4]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_process_group_send] (0x0040): No Members. Done!
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_group] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: leopetr4
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: su-l
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: pts/3
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: leonsp
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost:
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 1586655
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [7][LDAP]

==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost=  user=leopetr4
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)
```
This is the LDAP server log when I try `su - leopetr4`:

```
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: slap_listener_activate(9):
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 busy
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: >>> slap_listener(ldaps:///)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: listen=9, new connection on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: added 31r (active) listener=(nil)
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 ACCEPT from IP=256.256.256.256:29338 (IP=0.0.0.0:636)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 2 descriptors
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): unable to get TLS client DN, error=49 id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 TLS established tls_ssf=256 ssf=256
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x77, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 do_extended
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 STARTTLS
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_extended: err=1 oid= len=0
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_response: msgid=1 tag=120 err=1
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 RESULT oid= err=1 text=TLS already started
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x42, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: ber_get_next on fd 31 failed errno=0 (Success)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): input error=-2 id=3358, closing.
Nov 27 21:21:08 my_hostname slapd[15353]: connection_closing: readying conn=3358 sd=31 for close
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: deferring conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 do_unbind
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 UNBIND
Nov 27 21:21:08 my_hostname slapd[15353]: connection_resched: attempting closing conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: removing 31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 closed
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:09 my_hostname slapd[15353]:  26r
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: read active on 26
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26)
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26): got connid=3331
Nov 27 21:21:09 my_hostname slapd[15353]: connection_read(26): checking for input on id=3331
Nov 27 21:21:09 my_hostname slapd[15353]: op tag 0x63, time 1448680869
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 do_search
Nov 27 21:21:09 my_hostname slapd[15353]: >>> dnPrettyNormal: <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: <<< dnPrettyNormal: <dc=my_domain,dc=com>, <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: SRCH "dc=my_domain,dc=com" 2 0
Nov 27 21:21:09 my_hostname slapd[15353]:     0 0 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: PRESENT
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: NOT
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: filter: (&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
Nov 27 21:21:09 my_hostname slapd[15353]: attrs:
Nov 27 21:21:09 my_hostname slapd[15353]: objectClass
Nov 27 21:21:09 my_hostname slapd[15353]: uid
Nov 27 21:21:09 my_hostname slapd[15353]: userPassword
Nov 27 21:21:09 my_hostname slapd[15353]: uidNumber
Nov 27 21:21:09 my_hostname slapd[15353]: gidNumber
Nov 27 21:21:09 my_hostname slapd[15353]: gecos
Nov 27 21:21:09 my_hostname slapd[15353]: homeDirectory
Nov 27 21:21:09 my_hostname slapd[15353]: loginShell
Nov 27 21:21:09 my_hostname slapd[15353]: krbPrincipalName
Nov 27 21:21:09 my_hostname slapd[15353]: cn
Nov 27 21:21:09 my_hostname slapd[15353]: modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]: modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]: shadowLastChange
Nov 27 21:21:09 my_hostname slapd[15353]: shadowMin
Nov 27 21:21:09 my_hostname slapd[15353]: shadowMax
Nov 27 21:21:09 my_hostname slapd[15353]: shadowWarning
Nov 27 21:21:09 my_hostname slapd[15353]: shadowInactive
Nov 27 21:21:09 my_hostname slapd[15353]: shadowExpire
Nov 27 21:21:09 my_hostname slapd[15353]: shadowFlag
Nov 27 21:21:09 my_hostname slapd[15353]: krbLastPwdChange
Nov 27 21:21:09 my_hostname slapd[15353]: krbPasswordExpiration
Nov 27 21:21:09 my_hostname slapd[15353]: pwdAttribute
Nov 27 21:21:09 my_hostname slapd[15353]: authorizedService
Nov 27 21:21:09 my_hostname slapd[15353]: accountExpires
Nov 27 21:21:09 my_hostname slapd[15353]: userAccountControl
Nov 27 21:21:09 my_hostname slapd[15353]: nsAccountLock
Nov 27 21:21:09 my_hostname slapd[15353]: host
Nov 27 21:21:09 my_hostname slapd[15353]: loginDisabled
Nov 27 21:21:09 my_hostname slapd[15353]: loginExpirationTime
Nov 27 21:21:09 my_hostname slapd[15353]: loginAllowedTimeMap
Nov 27 21:21:09 my_hostname slapd[15353]: sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH base="dc=my_domain,dc=com" scope=2 deref=0 filter="(&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]: ==> limits_get: conn=3331 op=122 self="[anonymous]" this="dc=my_domain,dc=com"
Nov 27 21:21:09 my_hostname slapd[15353]: => hdb_search
```
Edit: this is the login attempt in `/var/log/secure`:

```
Nov 28 13:09:10 my_hostname su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost=  user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost=  user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)
```
This is the PAM configuration:

```
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 type= reject_username
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so
```
PAM LDAP configuration:

```
# cat /etc/pam_ldap.conf | grep -v '^#' | grep -v '^$'
base dc=my_domain,dc=com
uri ldaps://my_hostname.my_domain.com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
```
Also:

```
# authconfig --test | grep hashing
 password hashing algorithm is sha512
```
Edit 2: authentication via pamtester works, but via su it still does not:

```
[leonsp@my_hostname ~]$ pamtester login leopetr4 authenticate
Password:
pamtester: successfully authenticated
[leonsp@my_hostname ~]$ pamtester su leopetr4 authenticate
Password:
pamtester: Authentication failure
[leonsp@my_hostname ~]$ pamtester su-l leopetr4 authenticate
Password:
pamtester: successfully authenticated
```
- Why won't SSSD let me log in as this user?
- What do I need to do to configure SSSD to match basic `{SHA}` hashes?
- How do I find out the difference between authentication for `login` and authentication for `su`/`su-l`?
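The slapd log in the question shows the client sending STARTTLS on a connection that was accepted on the ldaps:// port 636, and slapd answering `err=1 text=TLS already started`; that matches `ldap_uri = ldaps://...` combined with `ldap_id_use_start_tls = true` in the posted sssd.conf. The following is an added example, not code from the question or from SSSD: a small lint over the posted `[domain/LDAP]` section that flags that combination, an ldap:// URI without STARTTLS, and `ldap_tls_reqcert = never`, which turns off verification of the server certificate. The finding names are my own.

```python
"""Added example (not from the question or SSSD): lint an sssd.conf
LDAP domain section for the TLS settings seen in the question."""
import configparser
import io

# Constructed sample: the relevant sections exactly as posted in the question.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL,LDAP

[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
"""


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def lint_ldap_domain(conf_text: str) -> dict:
    """Return {section: [finding, ...]} for every [domain/...] section
    that uses the ldap id or auth provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if "ldap" not in (sec.get("id_provider", ""), sec.get("auth_provider", "")):
            continue
        findings = []
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        ldaps = [u for u in uris if u.lower().startswith("ldaps://")]
        plain = [u for u in uris if u.lower().startswith("ldap://")]
        start_tls = _is_true(sec.get("ldap_id_use_start_tls", "false"))
        # ldaps:// negotiates TLS on connect; requesting STARTTLS on top of it
        # is what produces "TLS already started" on the slapd side.
        if ldaps and start_tls:
            findings.append("ldaps_plus_starttls")
        # ldap:// without STARTTLS would send the bind password in clear text.
        if plain and not start_tls:
            findings.append("plaintext_ldap_without_starttls")
        # 'never' (and 'allow') do not reject a bad or missing server
        # certificate, so the configured CA bundle is not actually enforced.
        if sec.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append("tls_cert_not_verified")
        report[section] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_ldap_domain(SAMPLE_SSSD_CONF).items():
        print(name, findings or "ok")
```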
This is unsatisfying, but shortly after I set a bounty on this question, `su - leopetr4` and `ssh leopetr4@my_hostname` started working.

I spent some time thinking about why, without reaching a definite conclusion, because it would be bad if it suddenly stopped working the way it started. One change I remember making was switching the `pam_password` setting in `/etc/pam_ldap.conf` from `md5` to `exop`:

```
#pam_password md5
pam_password exop
```

However, the change from broken to working was not immediate, so I hesitate to attribute it to this change.
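The question verified the stored `userPassword::` value by decoding it by hand and comparing it with slappasswd output; the answer's `pam_password exop` change is relevant to the same attribute, because with the password-modify extended operation the server, not the client, chooses the hash scheme it stores. As an added example (not code from the question, the answer, or OpenLDAP), the following decodes the LDIF line from the question and checks a candidate password against an OpenLDAP `{SHA}` value, generalized to the salted `{SSHA}` form. The password `constructed-pw` and the salt are constructed; the real password behind the question's hash is not known here, so only its well-formedness (a 20-byte SHA-1 digest) is checked.

```python
"""Added example (not from the question): decode a base64 'userPassword::'
LDIF value and verify a password against OpenLDAP {SHA} / {SSHA} hashes."""
import base64
import hashlib
import hmac

# Constructed input: the userPassword line exactly as shown in the question's
# ldapsearch output ('::' means the value is base64-encoded).
LDIF_LINE = "userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89"


def decode_ldif_attr(line: str) -> tuple:
    """Split an LDIF attribute line into (name, value), decoding '::' values."""
    name, sep, value = line.partition(":: ")
    if sep:
        return name, base64.b64decode(value.strip()).decode("utf-8")
    name, _, value = line.partition(": ")
    return name, value.strip()


def make_sha_hash(password: str, salt: bytes = b"") -> str:
    """Produce the {SHA} (unsalted) or {SSHA} (salted) form OpenLDAP stores.
    {SHA} is plain SHA-1 with no salt, so equal passwords give equal values."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    if salt:
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """True if password matches a {SHA}/{SSHA} value; False for other schemes."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
        actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
    else:
        return False
    return hmac.compare_digest(expected, actual)


def digest_length(stored: str) -> int:
    """Byte length of the decoded value after the {SCHEME} prefix."""
    return len(base64.b64decode(stored[stored.index("}") + 1:]))


if __name__ == "__main__":
    name, value = decode_ldif_attr(LDIF_LINE)
    print(name, value, digest_length(value))
```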