SSSD, OpenLDAP, MIT Kerberos: "id username" finds no entry in LDAP, but ldapsearch does
I have installed OpenLDAP, MIT Kerberos and SSSD on a Debian 10 system following the tutorial Integrated Kerberos-OpenLDAP provider on Debian squeeze.
Each of the three components runs in its own Proxmox LXC container.
ldap: 192.168.1.120 (ldap2)
Kerberos: 192.168.1.128 (kerb)
Client with SSSD: 192.168.1.129 (test)
The IPs are resolvable via DNS.
Problem:
When I call "id username", I get no result.
But with the same filter I do get a result from ldapsearch.
Log on the client after "id test05" (SSSD debug level 6):
==> /var/log/sssd/sssd_nss.log <==
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [nss_getby_name] (0x0400): Input name: test05
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #1: New request 'User by name'
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_process_input] (0x0400): CR #1: Parsing input name [test05]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test05' matched without domain, user is test05
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_set_name] (0x0400): CR #1: Setting name [test05]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #1: Search will check the cache and check the data provider
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #1: Using domain [xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #1: Preparing input data for domain [xxxxxxx.net] rules
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #1: Looking up test05@xxxxxxx.net
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [test05@xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [test05@xxxxxxx.net] is not present in negative cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [test05@xxxxxxx.net] in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [test05@xxxxxxx.net] was not found in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #1: Looking up [test05@xxxxxxx.net] in data provider
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55bd0978aee0:1:test05@xxxxxxx.net@xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [xxxxxxx.net][0x1][BE_REQ_USER][name=test05@xxxxxxx.net:-]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55bd0978aee0:1:test05@xxxxxxx.net@xxxxxxx.net]

==> /var/log/sssd/sssd_xxxxxxx.net.log <==
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=test05@xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [ou=users,dc=lan,dc=xxxxxxx,dc=net]
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=lan,dc=xxxxxxx,dc=net].
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_done] (0x0400): DP Request [Account #3]: Request handler finished [0]: Success
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [_dp_req_recv] (0x0400): DP Request [Account #3]: Receiving request data.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #3]: Finished. Success.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::xxxxxxx.net:name=test05@xxxxxxx.net] from reply table
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): DP Request [Account #3]: Request removed.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [test05@xxxxxxx.net] in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [test05@xxxxxxx.net] was not found in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_ncache_add_to_domain] (0x0400): CR #1: Adding [test05@xxxxxxx.net] to negative cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/xxxxxxx.net/test05@xxxxxxx.net] to negative cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55bd0978aee0:1:test05@xxxxxxx.net@xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
/var/log/syslog on host ldap2 (only 3 lines at log level 256):
Jan 16 16:03:48 ldap2 slapd[238]: conn=1067 op=6 SRCH base="ou=users,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(uid=test05)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jan 16 16:03:48 ldap2 slapd[238]: conn=1067 op=6 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
Jan 16 16:03:48 ldap2 slapd[238]: conn=1067 op=6 SEARCH RESULT tag=101 err=32 nentries=0 text=
As you can see, the OpenLDAP search is called with
base: ou=users,dc=lan,dc=xxxxxxx,dc=net
and filter:
(&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
When I run this search directly on the OpenLDAP host, I get a result:
ldapsearch -Y GSSAPI -b ou=users,dc=lan,dc=xxxxxxx,dc=net "(&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))" cn uid
SASL/GSSAPI authentication started
SASL username: ldapadm@XXXXXXX.NET
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=lan,dc=xxxxxxx,dc=net> with scope subtree
# filter: (&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
# requesting: cn uid
#

# test05, users, lan.xxxxxxx.net
dn: uid=test05,ou=users,dc=lan,dc=xxxxxxx,dc=net
cn: test05
uid: test05
/var/log/syslog on host ldap2:
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 fd=24 ACCEPT from IP=[::1]:37252 (IP=[::]:389)
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=0 BIND dn="" method=163
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=1 BIND dn="" method=163
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 BIND dn="" method=163
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 BIND authcid="ldapadm@XXXXXXX.NET" authzid="ldapadm@XXXXXXX.NET"
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 BIND dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=256 ssf=256
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 RESULT tag=97 err=0 text=
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=3 SRCH base="ou=users,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(uid=test05)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=3 SRCH attr=cn uid
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=4 UNBIND
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 fd=24 closed
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 fd=24 ACCEPT from IP=[::1]:37254 (IP=[::]:389)
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=0 BIND dn="" method=163
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=1 BIND dn="" method=163
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 BIND dn="" method=163
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 BIND authcid="ldapadm@XXXXXXX.NET" authzid="ldapadm@XXXXXXX.NET"
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 BIND dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=256 ssf=256
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 RESULT tag=97 err=0 text=
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=3 SRCH base="ou=users,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(uid=test05)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=3 SRCH attr=cn uid
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=4 UNBIND
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 fd=24 closed
My SSSD configuration:
cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = xxxxxxx.net

[nss]
debug_level = 6
override_shell = /bin/bash
filter_users = root
filter_groups = root

[pam]
offline_credentials_expiration = 60

[domain/xxxxxxx.net]
# A domain with identities provided by LDAP and authentication by Kerberos
debug_level = 6
cache_credentials = true
# -- Authentication provider --
auth_provider = krb5
krb5_server = kerb.xxxxxxx.net
krb5_realm = XXXXXXX.NET
krb5_ccachedir = /tmp
# -- Access provider --
access_provider = permit
# -- Change Password provider --
chpass_provider = krb5
# -- Identity provider --
id_provider = ldap
ldap_uri = ldap://ldap2.xxxxxxx.net
ldap_search_base = dc=lan,dc=xxxxxxx,dc=net
ldap_user_search_base = ou=users,dc=lan,dc=xxxxxxx,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test.xxxxxxx.net
ldap_krb5_keytab = /etc/ldap/ldap.keytab
ldap_krb5_init_creds = true
# -- SUDO provider --
sudo_provider = none
This is my LDAP configuration (LDIF continuation lines unfolded):
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}"uid=ldapadm,cn=XXXXXXX.NET,cn=gssapi,cn=auth" "cn=admin,dc=lan,dc=xxxxxxx,dc=net"
olcAuthzRegexp: {1}"uid=([^,]+),cn=gssapi,cn=auth" "uid=$1,ou=users,dc=lan,dc=xxxxxxx,dc=net"
olcAuthzRegexp: {2}"uid=([^,]+),cn=XXXXXXX.NET,cn=gssapi,cn=auth" "uid=$1,ou=users,dc=lan,dc=xxxxxxx,dc=net"
olcAuthzRegexp: {3}"uid=host/([^,]+).XXXXXXX.NET,cn=xxxxxxx.net,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=lan,dc=xxxxxxx,dc=net"
olcDisallows: bind_anon
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcRequires: authc
olcSaslHost: ldap2.xxxxxxx.net
olcSaslRealm: XXXXXXX.NET
olcTLSCACertificateFile: /etc/ssl/openldap/certs/ca-chain-cert.pem
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldap2-server-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldap2-server-key.pem
olcTLSProtocolMin: 3.1
olcToolThreads: 1

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=lan,dc=xxxxxxx,dc=net
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=sssdman,ou=manager,dc=lan,dc=xxxxxxx,dc=net" read by dn="cn=mailman,ou=vmail,ou=services,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=vmail,ou=services,dc=lan,dc=xxxxxxx,dc=net" by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=mailman,ou=vmail,ou=services,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymous auth by * none
olcAccess: {3}to dn.subtree="cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=adm-srv,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=kdc-srv,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" read by * none
olcAccess: {4}to * by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=sssdman,ou=manager,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymous auth by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=lan,dc=xxxxxxx,dc=net
olcRootPW: {SSHA}...
I have been struggling with this problem for two days now. Google has not helped.
Can someone help me solve this?

Answer:
Your olcAccess statements are too restrictive to let the principal that sssd uses read the data you want it to see.
The offending line is:
olcAccess: {4}to * by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=sssdman,ou=manager,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymous auth by * none
You probably want something like this:
olcAccess: {4}to * by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=sssdman,ou=manager,dc=lan,dc=xxxxxxx,dc=net" read by dn.one="ou=hosts,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymous auth by * none
This assumes that your
olcAuthzRegexp: {3}
statement works as you intend, but I would check that as well (kinit -k and ldapwhoami -Y will be your friends). You could also use
to attrs=@posixAccount,@posixGroup by ...
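To make the answer's diagnosis concrete, here is an added, self-contained model of how slapd walks the olcAccess list (example code written for this page, not OpenLDAP's implementation and not the answerer's). It follows the evaluation rule from slapd.access(5): rules are tried in order, the first rule whose "to" clause matches the target entry or attribute is the only one consulted, and within it the first matching "by" clause wins; if none matches, access is "none". The rules are the {1}mdb olcAccess entries from the question, with the answer's dn.one clause switchable on and off. The requester DN cn=test,ou=hosts,dc=lan,dc=xxxxxxx,dc=net is an assumption: it is what olcAuthzRegexp {3} would map host/test.xxxxxxx.net to if it works as intended, which is exactly what the answer says to verify with kinit -k and ldapwhoami -Y. Run as posted, the host principal ends at "by * none" on every attribute of uid=test05, which matches the err=32 nentries=0 result in the slapd log, while the ldapadm bind that maps to cn=admin gets write, which matches the nentries=1 result of ldapsearch.

```python
"""Toy model of slapd olcAccess evaluation (constructed example, not OpenLDAP code)."""
from dataclasses import dataclass

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

BASE = "dc=lan,dc=xxxxxxx,dc=net"              # suffix from the question
ADMIN = f"cn=admin,{BASE}"
SSSDMAN = f"cn=sssdman,ou=manager,{BASE}"
HOSTS = f"ou=hosts,{BASE}"


def normalize(dn: str) -> str:
    """Lower-case a DN and strip blanks around commas so comparisons are stable."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""


def parent(dn: str) -> str:
    """Parent of a DN ('' for a one-RDN DN); used by the dn.one style."""
    n = normalize(dn)
    return n.split(",", 1)[1] if "," in n else ""


@dataclass
class By:
    who: str              # "*", "anonymous", "self", "dn=<dn>" or "dn.one=<dn>"
    access: str = "none"  # level granted when <who> matches the requester

    def matches(self, requester, target) -> bool:
        if self.who == "*":
            return True
        if self.who == "anonymous":
            return requester is None
        if requester is None:
            return False
        if self.who == "self":
            return normalize(requester) == normalize(target)
        style, _, value = self.who.partition("=")
        if style == "dn":          # a bare dn= is dn.exact
            return normalize(requester) == normalize(value)
        if style == "dn.one":      # requester's parent entry is exactly <value>
            return parent(requester) == normalize(value)
        raise ValueError(f"unsupported <who>: {self.who}")


@dataclass
class Rule:
    what: str   # "*", "attrs=a,b", "dn.base=<dn>" or "dn.subtree=<dn>"
    by: list    # ordered By clauses

    def applies(self, target, attr) -> bool:
        if self.what == "*":
            return True
        style, _, value = self.what.partition("=")
        if style == "attrs":
            return attr is not None and attr.lower() in [a.strip().lower() for a in value.split(",")]
        t, v = normalize(target), normalize(value)
        if style == "dn.base":
            return t == v
        if style == "dn.subtree":
            return t == v or t.endswith("," + v)
        raise ValueError(f"unsupported <what>: {self.what}")


def evaluate(rules, requester, target, attr=None):
    """Return (rule index, access level) from the first rule whose <what> applies."""
    for i, rule in enumerate(rules):
        if rule.applies(target, attr):
            for clause in rule.by:
                if clause.matches(requester, target):
                    return i, clause.access
            return i, "none"      # <what> matched but no <by> did: implicit 'by * none'
    return None, "none"           # no rule applies at all: denied


def can(rules, requester, target, required, attr=None) -> bool:
    """True if the granted level is at least <required> ('search' to evaluate a
    filter attribute, 'read' to return it)."""
    return LEVELS.index(evaluate(rules, requester, target, attr)[1]) >= LEVELS.index(required)


def mdb_rules(with_hosts_clause=False):
    """olcAccess {0}..{4} of the question's {1}mdb database; the optional dn.one
    clause is the answer's proposed addition to {4}."""
    hosts = [By(f"dn.one={HOSTS}", "read")] if with_hosts_clause else []
    mailman = f"cn=mailman,ou=vmail,ou=services,{BASE}"
    return [
        Rule("attrs=userPassword,shadowLastChange",
             [By(f"dn={ADMIN}", "write"), By(f"dn={SSSDMAN}", "read"), By(f"dn={mailman}", "read"),
              By("self", "write"), By("anonymous", "auth"), By("*", "none")]),
        Rule("dn.base=", [By("*", "read")]),
        Rule(f"dn.subtree=ou=vmail,ou=services,{BASE}",
             [By(f"dn={ADMIN}", "write"), By(f"dn={mailman}", "read"),
              By("self", "write"), By("anonymous", "auth"), By("*", "none")]),
        Rule(f"dn.subtree=cn=krb5,ou=services,{BASE}",
             [By(f"dn={ADMIN}", "write"), By(f"dn=cn=adm-srv,cn=krb5,ou=services,{BASE}", "write"),
              By(f"dn=cn=kdc-srv,cn=krb5,ou=services,{BASE}", "read"), By("*", "none")]),
        Rule("*", [By(f"dn={ADMIN}", "write"), By(f"dn={SSSDMAN}", "read"), *hosts,
                   By("self", "write"), By("anonymous", "auth"), By("*", "none")]),
    ]


def sssd_lookup(rules, requester):
    """Levels a bind identity gets on uid=test05 for attributes an SSSD user lookup needs."""
    user = f"uid=test05,ou=users,{BASE}"
    return {
        "uid": evaluate(rules, requester, user, "uid")[1],
        "userPassword": evaluate(rules, requester, user, "userPassword")[1],
        "can_search_uid": can(rules, requester, user, "search", "uid"),
    }


if __name__ == "__main__":
    host = f"cn=test,{HOSTS}"   # assumed: the DN olcAuthzRegexp {3} yields for host/test.xxxxxxx.net
    for label, rules in (("as posted", mdb_rules()), ("with dn.one clause", mdb_rules(True))):
        print(f"{label}: host principal -> {sssd_lookup(rules, host)}")
        print(f"{label}: ldapadm (cn=admin) -> {sssd_lookup(rules, ADMIN)}")
```

Note that even with the dn.one clause the host principal still gets "none" on userPassword, because olcAccess {0} matches that attribute first and has no clause for hosts; that is the intended outcome, since SSSD authenticates through Kerberos here and only needs the POSIX attributes. The same walk shows why the answer's alternative, a "to attrs=@posixAccount,@posixGroup" rule, works: it is a narrower "to" clause that would be hit before the catch-all {4}.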