我已经搜索了stackoverflow,但是没有找到解决方法。
我在一个林中有两个域(domain1和domain2)。我可以使用domain1使用ssh登录,而不能使用domain2登录。我可以从domain2初始化一张票。
以下是一些配置:
[sssd]
debug_level = 3
services = nss, pam
config_file_version = 2
domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
[domain/DOMAIN1.TEST.NET]
debug_level = 3
override_homedir = /home/%u
create_homedir = true
override_gid = 100
default_shell = /bin/bash
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
dyndns_update = false
ad_gpo_access_control = disabled
#ad_enabled_domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
ldap_idmap_range_size = 1000000
subdomain_enumerate = all
use_fully_qualified_names = false
ad_domain = DOMAIN1.TEST.NET
[domain/DOMAIN2.TEST.NET]
debug_level = 10
override_homedir = /home/%u
create_homedir = true
override_gid = 100
default_shell = /bin/bash
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
dyndns_update = false
ad_gpo_access_control = disabled
#ad_enabled_domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
ldap_idmap_range_size = 1000000
subdomain_enumerate = all
use_fully_qualified_names = false
ad_domain = DOMAIN2.TEST.NET
[nss]
filter_users = root
filter_groups = root
在领域列表中,我看到了两个领域。使用domain2中的kinit,我得到了票。域连接与域1的用户一起在域2上工作,当我加入时,他告诉我我已经加入。 尽管我可以登录第一个域,但systemtctl状态sssd引发了错误。在klist -k中,我仅从Domain1中看到KEYTAB,而不能使其在密钥表中具有domain2。
sssd[ldap_child[18103]]][18103]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/server01.domain1.test.net@ST...onnection.
sssd_be[17222]: GSSAPI client step 1
ssd_be[17222]: GSSAPI client step 1
[be[DOMAIN1.TEST.NET]][17222]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
还有来自domain2的一些sssd日志。
Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'atsvtroot1.domain2.test.net' as 'not working'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_handle_release] (0x2000): Trace: sh[0x55feb6513de0], connected[1], ops[(nil)], ldap[0x55feb64b3e70], destructor_lock[0], release_memory[0]
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_server_status] (0x1000): Status of server 'atsvtroot2.domain2.test.net' is 'name resolved'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x1000): Port status of port 389 for server 'atsvtroot2.domain2.test.net' is 'not working'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_server_status] (0x1000): Status of server 'atsvtroot1.domain2.test.net' is 'name resolved'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x1000): Port status of port 389 for server 'atsvtroot1.domain2.test.net' is 'not working'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_mark_offline] (0x2000): Going offline!
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 67 seconds from now [1559627215]
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [ad_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [ad_subdomains_refresh_connect_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jun 4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_ptask_execute] (0x0400): Task [Subdomains Refresh]: executing task, timeout 14400 seconds
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_server_common_status] (0x0100): Marking server '10.51.51.222' as 'resolving name'
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_server_common_status] (0x0100): Marking server '10.x.x.x.' as 'name resolved'
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_resolve_server_process] (0x0200): Found address for server 10.x.x.x.x: [10.51.51.222] TTL 7200
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain1,DC=test,DC=net]
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/server01.domain1.test.net, domain1.test.net, 86400)
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_resolve_server_process] (0x0200): Found address for server 10.x.x.x.x.: [10.x.x.x.x] TTL 7200
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 68
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [child_sig_handler] (0x0100): child [18330] finished successfully.
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/server01.domain1.test.net@DOMAIN1.TEST.NET' not found in Kerberos database], expired on [0]
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
(Tue Jun 4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
在krb5.conf中,我具有所有的REALM。
我想念的是什么。为什么我不能使用SSH登录。
谢谢。
答案 0 :(得分:0)
在krb5.conf中,您必须添加公用父域的条目,即TEST.NET。
因为Kerberos客户端库必须“知道”如何从授予TGT (domain2)的域跳转到将为目标服务器授予服务票证的域,类型为host SSH,HTTP用于SPNego等。
要么显式设置[capath]规则,要么让Kerberos将隐式依赖关系路径回绕到公共父级,然后回滚到目标。 cf. krb5.conf
对于SSSD,我不知道它是使用基本Kerberos conf还是需要自定义conf。