我正在使用 Centos 7 使用 kerberos 對本機 Active Directory 使用者進行身份驗證。我用管理員加入了領域,我可以透過它/用它登入/ssh,查詢工作正常,並且 adcli訊息工作中。當我建立另一個名為 test 的使用者並嘗試透過 Centos 登入時,我得到以下資訊:
id: test: no such user
取得密碼測試不回任何內容
這是我的設定檔:
SSD設定檔
domains = gio.server
config_file_version = 2
services = nss, pam
[domain/gio.server]
ad_domain = gio.server
krb5_realm = GIO.SERVER
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
這裡是krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default = GIO.SERVER
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = GIO.SERVER
[realms]
GIO.SERVER = {
kdc = gio.server:88
default_domain = gio.server
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.gio.server = GIO.SERVER
gio.server = GIO.SERVER
但是當我使用故障排除時sssctl 用戶檢查測試它會傳回以下錯誤:
user: test
action: acct
service: system-auth
sss_getpwnam_r failed with [0].
User name lookup with [test] failed.
Unable to get user objectInfoPipe User lookup with [test] failed.
testing pam_acct_mgmt
pam_acct_mgmt: User not known to the underlying authentication module
PAM Environment:
- no env -
如果缺少什麼,請告訴我。
答案1
根本問題是電腦帳戶缺乏 AD 中使用者帳戶所需的特定屬性的讀取權限。
將使用者新增至網域管理員後,權限繼承將被停用,並且某些權限將明確授予經過驗證的使用者。這允許伺服器提取必要的屬性來對管理員進行身份驗證,但不能對普通用戶進行身份驗證。
若要解決此問題,請向經過驗證的使用者或專門建立的安全群組授予套用於“後代使用者物件”的網域根目錄上的“列出內容”、“讀取所有屬性”和“讀取權限”權限。