The CentOS 7 server is joined to abc.com, and authentication works against abc.com with AuthLite for two-factor authentication. A child domain a.abc.com was created, but authentication does not work in the child domain. Can the server be joined to two domains?

[root@server01 sssd]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam
[domain/abc.com]
id_provider = ad
access_provider = simple
realmd_tags = manages-system joined-with-samba
ad_domain = abc.com
ad_server = serverdc01.abc.com,serverdc02.abc.com,_srv_
!adding in subdomain line below - SG 1-20-2017
subdomain_enumerate = all
krb5_realm = ABC.COM
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
simple_allow_groups = TDI Remote Access [email protected]
debug_level = 0x07F0
[domain/a.abc.com]
ad_server = aserverdc01.a.abc.com,aserver02.a.abc.com,_srv_

You can verify that the user account is visible in the child domain:
[root@server01 bin]# id [email protected]
uid=1915601610([email protected]) gid=1915601610([email protected]) groups=1915601610([email protected]),1213401243(tdi remote access users),1915601332(authlite 1f [email protected]),1915601331(authlite [email protected]),1915601110([email protected]),1915601606([email protected]),1915600513(domain [email protected])

Realm:
[root@server01 bin]# realm list
abc.com
type: kerberos
realm-name: ABC.COM
domain-name: abc.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: TDI Remote Access [email protected]

From the secure log:
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [email protected]
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): received for user [email protected]: 4 (System error)

From krb5_child.log:
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601610] gid [1915601610] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1915601610] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [become_user] (0x0200): Trying to become user [1915601610][1915601610].
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): Will perform online auth
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): krb5_child completed successfully

From sssd_abc.com.log:
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=user]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=a,dc=a,dc=hawaiian,dc=aero]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=a,dc=a].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Save user
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_primary_name] (0x0400): Processing object [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Storing info for user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
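An added example for reading the krb5_child.log excerpt above; it is not code from the post or from the SSSD project. It pulls the UPN, the realm that kinit targeted, and the final krb5 error number out of a krb5_child run and decodes the number against the MIT krb5 error table, where KDC_ERR_* codes are offsets from the base value -1765328384. The -1765328372 in the log is offset 12, KRB5KDC_ERR_POLICY, which is a verdict returned by the KDC, not a local client failure, so the next evidence to collect is on the domain controller side (which the logs shown here do not cover). The sample lines are constructed from the post's log with the redacted UPN replaced by an assumed user@A.ABC.COM; the realm_mismatch flag is informational only, since with enterprise principals a kinit against the joined realm for a child-domain UPN is a valid path.

```python
import re

# Kerberos error numbers from the krb5 error table are offsets from this base
# (KRB5KDC_ERR_NONE). Offsets 0-30 are the KDC_ERR_* family: verdicts returned by
# the KDC itself rather than failures local to the client.
KRB5_ERR_BASE = -1765328384

# Subset of KDC_ERR_* names by offset; the ones a failed login most often shows.
KDC_ERR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KRB5KDC_ERR_POLICY",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

UPN_RE = re.compile(r"UPN \[([^\]]+)\]")
REALM_RE = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")
ERR_RE = re.compile(r"\[(-\d+)\]\[([^\]]*)\]")

# Constructed sample: the post's krb5_child.log lines with the redacted UPN
# replaced by an assumed value (user@A.ABC.COM is not from the original post).
SAMPLE_LOG = """\
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601610] gid [1915601610] validate [true] enterprise principal [true] offline [false] UPN [user@A.ABC.COM]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
"""


def decode_krb5_error(code: int) -> dict:
    """Map a raw krb5 error number to its symbolic name and where it originated."""
    offset = code - KRB5_ERR_BASE
    name = KDC_ERR_NAMES.get(offset, f"krb5 error offset {offset}")
    origin = "kdc" if 0 <= offset <= 30 else "other"
    return {"code": code, "offset": offset, "name": name, "origin": origin}


def summarize_krb5_child(log_text: str) -> dict:
    """Extract the UPN, target realm and first krb5 error from one krb5_child run."""
    summary = {"upn": None, "upn_realm": None, "kinit_realm": None, "error": None}
    for line in log_text.splitlines():
        m = UPN_RE.search(line)
        if m:
            summary["upn"] = m.group(1)
            summary["upn_realm"] = m.group(1).rsplit("@", 1)[-1].upper()
            continue
        m = REALM_RE.search(line)
        if m:
            summary["kinit_realm"] = m.group(1)
            continue
        m = ERR_RE.search(line)
        if m and summary["error"] is None:
            summary["error"] = decode_krb5_error(int(m.group(1)))
            summary["error"]["message"] = m.group(2)
    # Informational: with enterprise principals a kinit against the joined realm
    # for a UPN from another realm is a normal path, so this is not by itself an error.
    summary["realm_mismatch"] = (
        summary["upn_realm"] is not None
        and summary["kinit_realm"] is not None
        and summary["upn_realm"] != summary["kinit_realm"]
    )
    return summary


if __name__ == "__main__":
    result = summarize_krb5_child(SAMPLE_LOG)
    print(f"UPN: {result['upn']} (realm {result['upn_realm']})")
    print(f"kinit realm: {result['kinit_realm']}")
    err = result["error"]
    print(f"error: {err['code']} = {err['name']} (origin: {err['origin']}): {err['message']}")
    print(f"realm mismatch: {result['realm_mismatch']}")
```

Run it against a real krb5_child.log by reading the file into summarize_krb5_child; the decode step is the useful part, since SSSD prints the number and the message but not the KRB5KDC_ERR_* name that the KDC-side documentation refers to.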