Ldap

SSSD 拒絕使用 su: 不正確密碼的 LDAP 登錄

  • December 8, 2015

我已經使用使用者帳戶設置了 LDAP 伺服器。我已經成功地配置了一個 Rails 應用程序來針對這個 LDAP 伺服器進行身份驗證。我現在正在嘗試將 SSSD 配置為針對 LDAP 進行身份驗證,但它不喜歡單個使用者密碼。

錯誤:

$ su - leopetr4
Password:
su: incorrect password

SSSD 能辨識使用者,但不能辨識密碼:

$ id leopetr4
uid=9583(leopetr4) gid=9583(leopetr4) groups=9583(leopetr4)

使用者記錄如下所示:

# ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com"  -H ldaps://my_hostname.my_domain.com "(uid=leopetr4)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my_domain,dc=com> (default) with scope subtree
# filter: (uid=leopetr4)
# requesting: ALL
#

# leopetr4, People, my_domain.com
dn: uid=leopetr4,ou=People,dc=my_domain,dc=com
uid: leopetr4
cn: Leo Petr 40
sn: 40
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 16736
shadowMin: 1
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9583
gidNumber: 9583
homeDirectory: /mnt/home/leopetr4
mail: leo.petr+40@example.com
gecos: Leo Petr 40
userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

這是對上述內容進行 base64 解碼後的使用者密碼雜湊:

{SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=

它與輸出完全匹配slappaswd -c {SHA} "that_password"

這是 SSSD 配置:

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
debug_level = 5

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

debug_level = 5

這是我嘗試時的 SSSD 日誌su - leopetr4

# tail -f /var/log/secure /var/log/sssd/*.log

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=leopetr4]
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

==> /var/log/sssd/sssd.log <==
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging LDAP
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service LDAP replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping

==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost=  user=leopetr4

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=leopetr4]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_process_group_send] (0x0040): No Members. Done!
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_group] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: leopetr4
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: su-l
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: pts/3
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: leonsp
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost:
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 1586655
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [7][LDAP]

==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost= user=leopetr4
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

這是我嘗試時的 LDAP 伺服器日誌su - leopetr4

Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: slap_listener_activate(9):
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 busy
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: >>> slap_listener(ldaps:///)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: listen=9, new connection on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: added 31r (active) listener=(nil)
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 ACCEPT from IP=256.256.256.256:29338 (IP=0.0.0.0:636)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 2 descriptors
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): unable to get TLS client DN, error=49 id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 TLS established tls_ssf=256 ssf=256
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x77, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 do_extended
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 STARTTLS
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_extended: err=1 oid= len=0
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_response: msgid=1 tag=120 err=1
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 RESULT oid= err=1 text=TLS already started
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x42, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: ber_get_next on fd 31 failed errno=0 (Success)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): input error=-2 id=3358, closing.
Nov 27 21:21:08 my_hostname slapd[15353]: connection_closing: readying conn=3358 sd=31 for close
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: deferring conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 do_unbind
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 UNBIND
Nov 27 21:21:08 my_hostname slapd[15353]: connection_resched: attempting closing conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: removing 31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 closed
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:09 my_hostname slapd[15353]:  26r
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: read active on 26
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26)
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26): got connid=3331
Nov 27 21:21:09 my_hostname slapd[15353]: connection_read(26): checking for input on id=3331
Nov 27 21:21:09 my_hostname slapd[15353]: op tag 0x63, time 1448680869
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 do_search
Nov 27 21:21:09 my_hostname slapd[15353]: >>> dnPrettyNormal: <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: <<< dnPrettyNormal: <dc=my_domain,dc=com>, <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: SRCH "dc=my_domain,dc=com" 2 0
Nov 27 21:21:09 my_hostname slapd[15353]:     0 0 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: PRESENT
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: NOT
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]:     filter: (&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
Nov 27 21:21:09 my_hostname slapd[15353]:     attrs:
Nov 27 21:21:09 my_hostname slapd[15353]:  objectClass
Nov 27 21:21:09 my_hostname slapd[15353]:  uid
Nov 27 21:21:09 my_hostname slapd[15353]:  userPassword
Nov 27 21:21:09 my_hostname slapd[15353]:  uidNumber
Nov 27 21:21:09 my_hostname slapd[15353]:  gidNumber
Nov 27 21:21:09 my_hostname slapd[15353]:  gecos
Nov 27 21:21:09 my_hostname slapd[15353]:  homeDirectory
Nov 27 21:21:09 my_hostname slapd[15353]:  loginShell
Nov 27 21:21:09 my_hostname slapd[15353]:  krbPrincipalName
Nov 27 21:21:09 my_hostname slapd[15353]:  cn
Nov 27 21:21:09 my_hostname slapd[15353]:  modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]:  modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowLastChange
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowMin
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowMax
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowWarning
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowInactive
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowExpire
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowFlag
Nov 27 21:21:09 my_hostname slapd[15353]:  krbLastPwdChange
Nov 27 21:21:09 my_hostname slapd[15353]:  krbPasswordExpiration
Nov 27 21:21:09 my_hostname slapd[15353]:  pwdAttribute
Nov 27 21:21:09 my_hostname slapd[15353]:  authorizedService
Nov 27 21:21:09 my_hostname slapd[15353]:  accountExpires
Nov 27 21:21:09 my_hostname slapd[15353]:  userAccountControl
Nov 27 21:21:09 my_hostname slapd[15353]:  nsAccountLock
Nov 27 21:21:09 my_hostname slapd[15353]:  host
Nov 27 21:21:09 my_hostname slapd[15353]:  loginDisabled
Nov 27 21:21:09 my_hostname slapd[15353]:  loginExpirationTime
Nov 27 21:21:09 my_hostname slapd[15353]:  loginAllowedTimeMap
Nov 27 21:21:09 my_hostname slapd[15353]:  sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH base="dc=my_domain,dc=com" scope=2 deref=0 filter="(&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]: ==> limits_get: conn=3331 op=122 self="[anonymous]" this="dc=my_domain,dc=com"
Nov 27 21:21:09 my_hostname slapd[15353]: => hdb_search

編輯:這/var/log/secure是登錄嘗試:

Nov 28 13:09:10 my_hostname su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost=  user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost= user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

這是pam配置:

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 type= reject_username
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so

PAM LDAP 配置:

# cat /etc/pam_ldap.conf | grep -v '^#' | grep -v '^$'
base dc=my_domain,dc=com
uri ldaps://my_hostname.my_domain.com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5

還:

# authconfig --test | grep hashing
password hashing algorithm is sha512

編輯 2:通過 pamtester 進行身份驗證有效,但通過 su 繼續無效:

[leonsp@my_hostname ~]$ pamtester login leopetr4 authenticate
Password:
pamtester: successfully authenticated

[leonsp@my_hostname ~]$ pamtester su leopetr4 authenticate
Password:
pamtester: Authentication failure

[leonsp@my_hostname ~]$ pamtester su-l leopetr4 authenticate
Password:
pamtester: successfully authenticated
  1. 為什麼 SSSD 不讓我以該使用者身份登錄?
  2. 我需要做些什麼來配置 SSSD 以匹配基本{SHA}雜湊?
  3. 我如何找出認證 forlogin和認證 for su/之間的區別su-l

這令人不滿意,但是在我為這個問題設置賞金後不久就開始工作了su - leopetr4ssh leopetr4@my_hostname我花了一些時間思考為什麼沒有得出明確的結論,因為如果它開始時突然停止工作會很糟糕。

我記得所做的一項更改是從and切換pam_password設置:/etc/pam_ldap.conf``md5``exop

#pam_password md5
pam_password exop

然而,從損壞到工作的變化並不是立即的,所以我猶豫將其歸因於這種變化。

引用自:https://serverfault.com/questions/739431