Redhat
LDAP 找到使用者,但登錄時“權限被拒絕”
我正在 Red Hat 8 中設置 LDAP 客戶端。
設置配置文件後,我做了一個 LDAP 使用者測試,它成功返回:
# id myusername uid=666(myusername) gid=510(active_users) groups=510(active_users)
如果我執行
ldapsearch
它,它會成功返回預期的結果:# ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com
但是,如果我嘗試
ssh
從另一台機器訪問 Red Hat 8 機器,則會收到以下錯誤:# ssh myusername@xxx.xxx.xxx.xxx myusername@xxx.xxx.xxx.xxx's password: Permission denied, please try again.
我用不同的使用者帳戶嘗試了幾台不同的機器,並得到了相同的結果。
這是我的設置:
/etc/sssd/sssd.conf
[domain/default] ldap_tls_reqcert = demand cache_credentials = False ldap_search_base = dc=example,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://ldap.example.com/ ldap_id_use_start_tls = False ldap_tls_cacert = /etc/sssd/ca-bundle.crt [sssd] config_file_version = 2 services = nss, pam, ssh domains = default [nss] homedir_substring = /home
/etc/openldap/ldap.conf
TLS_CACERT /etc/sssd/ca-bundle.crt #BASE dc=example,dc=com #URI ldap://ldap.example.com/ SASL_NOCANON on URI ldaps://ldap.example.com/ BASE dc=example,dc=com TLS_CACERTDIR /etc/sssd
/etc/nsswitch.conf
# Generated by authselect on Thu Jan 27 15:22:08 2022 # Do not modify this file manually. passwd: sss files systemd group: sss files systemd netgroup: sss files automount: sss files services: sss files # passwd: db files # shadow: db files # group: db files # In order of likelihood of use to accelerate lookup. shadow: files sss hosts: files dns myhostname aliases: files ethers: files gshadow: files # Allow initgroups to default to the setting for group. # initgroups: files networks: files dns protocols: files publickey: files rpc: files
/etc/sysconfig/authconfig
USELDAP=yes USELDAPAUTH=yes
/etc/pam.d/password-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022 # Do not modify this file manually. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so local_users_only password sufficient pam_unix.so sha512 shadow nullok use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
/etc/pam.d/system-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022 # Do not modify this file manually. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so local_users_only password sufficient pam_unix.so sha512 shadow nullok use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
/etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: PermitRootLogin yes AuthorizedKeysFile .ssh/authorized_keys # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no UsePAM yes X11Forwarding yes # It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, # as it is more configurable and versatile than the built-in version. PrintMotd no ClientAliveInterval 600 ClientAliveCountMax 0 # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server
/var/log/安全
Jan 28 08:35:39 opal sshd[206875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=myusername Jan 28 08:35:40 opal sshd[206875]: Failed password for myusername from xxx.xxx.xxx.xxx port 60384 ssh2
嘗試
我嘗試了以下方法:
- 在中禁用 selinux
/etc/selinux/config
- 停止 iptables.service
- 添加
PermitRootLogin yes
和UsePAM yes
到 Red Hat 8/etc/ssh/sshd_conf
文件- 反复嘗試
authselect select sssd
,然後重啟sssd.service- 加入
FORCELEGACY=yes
_/etc/sysconfig/authconfig
問題
誰能幫我弄清楚為什麼使用者不能使用 SSH 登錄到這個伺服器?
我終於找到了一個解決方案,通過使用 custom 、和files創建自定義
authselect
配置文件。password-auth``system-auth``nsswitch.conf
1. 基於 sssd 創建自定義配置文件
authselect create-profile user-profile -b sssd
2.覆蓋
/etc/authselect/custom/user-profile/password-auth
並/etc/authselect/custom/user-profile/system-auth
使用以下設置auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth sufficient pam_sss.so auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_sss.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_sss.so password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so
/etc/authselect/custom/user-profile/nsswitch.conf
3.用以下設置覆蓋passwd: files sss {exclude if "with-custom-passwd"} shadow: files sss group: files sss {exclude if "with-custom-group"} netmasks: files networks: files netgroup: files sss {exclude if "with-custom-netgroup"} automount: files sss {exclude if "with-custom-automount"} services: files sss {exclude if "with-custom-services"} sudoers: files sss {exclude if "with-sudo"}
4.選擇新的個人資料
authselect select custom/user-profile
5.重啟sssd
systemctrl restart sssd