
Unable to authenticate against Active Directory using security/sssd from the FreeBSD ports

I am trying to get the security/sssd port working on a FreeBSD 10.0 system. My main goal is to authenticate users from an Active Directory running on Windows Server 2012 R2.

I would like to know whether anyone has managed to use this port (or package). I cannot even get debugging to work properly; nothing wrong shows up in the log files. My configuration files and debug output are here:

Contents of /usr/local/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
domains = local.iq.ufrj.br

[nss]

[pam]

[domain/local.iq.ufrj.br]
# Uncomment if you need offline logins
#cache_credentials = true
debug_level = 5

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

#ad_hostname = sssd-test.local.iq.ufrj.br
#ad_domain = local.iq.ufrj.br
#ldap_search_base = dc=local,dc=iq,dc=ufrj,dc=br

# Uncomment if service discovery is not working
ad_server = pewter.local.iq.ufrj.br
#
# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
#ldap_id_mapping = False
#
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/tcsh
fallback_homedir = /home/%d/%u

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = SSSD-TEST$@LOCAL.IQ.UFRJ.BR
#
# Comment out if you prefer to user shortnames.
#use_fully_qualified_names = True

Contents of /etc/krb5.conf:

root@sssd-test:/usr/local/etc/sssd # cat /etc/krb5.conf
[logging]
# The logging is not really required as this host is not
# using kadmin. Kept in as it does no harm.
# Debugging, if required, will be set in the
# /etc/pam.d/ files.
default = FILE:/var/log/krb5libs.log
#kdc = FILE:/var/log/krb5kdc.log
#admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LOCAL.IQ.UFRJ.BR
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

I can confirm that Kerberos and the keytab are working:

root@sssd-test:/usr/local/etc/sssd # kdestroy
root@sssd-test:/usr/local/etc/sssd # kinit -k SSSD-TEST$
root@sssd-test:/usr/local/etc/sssd # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: SSSD-TEST$@LOCAL.IQ.UFRJ.BR

  Issued                Expires               Principal
May 22 18:15:32 2014  May 23 04:15:32 2014  krbtgt/LOCAL.IQ.UFRJ.BR@LOCAL.IQ.UFRJ.BR

And finally, I can run a search with ldapsearch using GSSAPI without any problems:

root@sssd-test:/usr/local/etc/sssd # ldapsearch -H ldap://pewter.local.iq.ufrj.br/ -Y GSSAPI -N -b "dc=local,dc=iq,dc=ufrj,dc=br" "(&(objectClass=user)(sAMAccountName=ferrao))"
SASL/GSSAPI authentication started
SASL username: SSSD-TEST$@LOCAL.IQ.UFRJ.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=iq,dc=ufrj,dc=br> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=ferrao))
# requesting: ALL

... CUT ...

Looking at the logs in /var/log/sssd/* after service sssd restart:

(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/run/sss/kdcinfo.LOCAL.IQ.UFRJ.BR], [2][No such file or directory]
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/run/sss/kpasswdinfo.LOCAL.IQ.UFRJ.BR], [2][No such file or directory]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sysdb_domain_init_internal] (0x0200): DB File for local.iq.ufrj.br: /var/db/sss/cache_local.iq.ufrj.br.ldb
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43500
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_local.iq.ufrj.br,1)
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_common_options] (0x0100): Setting ad_hostname to [sssd-test.iq.ufrj.br].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_common_options] (0x0100): Setting domain case-insensitive
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [fo_add_server] (0x0080): Adding new server 'pewter.local.iq.ufrj.br', to service 'AD'
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_servers_init] (0x0100): Added failover server pewter.local.iq.ufrj.br
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_id_options] (0x0100): Option krb5_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Will look for SSSD-TEST$@LOCAL.IQ.UFRJ.BR in default keytab
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): Selected primary: SSSD-TEST$
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): Selected realm: LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to SSSD-TEST$
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_auth_options] (0x0100): Option krb5_server set to pewter.local.iq.ufrj.br
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0080): No SUDO module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0080): No autofs module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): No selinux module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): No host info module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): Subdomains are not supported for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x805c43b40.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43B40
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x805c2c1a0]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Cancel DP ID timeout [0x805c2c1a0]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x805c43c80.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43C80
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x805c2cb60]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Cancel DP ID timeout [0x805c2cb60]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Added Frontend client [NSS]

Two minutes later ...

(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=operator]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_is_address] (0x0040): getaddrinfo failed [8]: hostname nor servname provided, or not known
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'pewter.local.iq.ufrj.br' in files
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'resolving name'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'pewter.local.iq.ufrj.br' in files
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'pewter.local.iq.ufrj.br' in DNS
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'name resolved'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_resolve_server_process] (0x0200): Found address for server pewter.local.iq.ufrj.br: [10.7.0.2] TTL 1200
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pewter.local.iq.ufrj.br'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [USER][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_resolve_server_process] (0x0200): Found address for server pewter.local.iq.ufrj.br: [10.7.0.2] TTL 1200

==> /var/log/sssd/ldap_child.log <==
(Thu May 22 18:22:00 2014) [[sssd[ldap_child[8071]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [SSSD-TEST$@LOCAL.IQ.UFRJ.BR]
(Thu May 22 18:22:00 2014) [[sssd[ldap_child[8071]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]

==> /var/log/sssd/sssd_local.iq.ufrj.br.log <==
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: SSSD-TEST$
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [child_sig_handler] (0x0100): child [8071] finished successfully.
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'pewter.local.iq.ufrj.br' as 'working'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'working'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

So it looks like it works, but it does not. When I run getent passwd I get no information from AD.

And finally, here is my /etc/nsswitch.conf, just in case:

root@sssd-test:/usr/local/etc/sssd # cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files sss 
group_compat: nis
hosts: files dns
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Thanks in advance.

I think you did it right; it probably works and you just don't know it.

By default getent for all users does not show the IDs, but running getent passwd username returns what you expect.

Check again.
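A check for the point made in this answer, added here as an example and not part of the original post: a bare getent passwd only lists local users unless the domain section of sssd.conf sets enumerate = true (the option's documented default is false), so the script below inspects that setting and the sss entries in nsswitch.conf before looking up one named user. The default paths and domain name are taken from the question; the helper names are my own.

```shell
#!/bin/sh
# Added example: verify the pieces a "getent passwd <user>" lookup through
# SSSD depends on. Paths default to the ones shown in the question.

nss_uses_sss() {
    # $1 = nsswitch.conf path, $2 = database (passwd or group)
    # succeeds when the database line lists the "sss" source
    awk -v db="$2" 'BEGIN { key = db ":" }
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

sssd_enumerates() {
    # $1 = sssd.conf path, $2 = domain name
    # succeeds only if [domain/<name>] sets "enumerate = true";
    # the documented default is false, so a bare "getent passwd"
    # never lists AD users unless this is turned on
    awk -v sect="[domain/$2]" '
        /^[[:space:]]*\[/ { in_sect = ($1 == sect); next }
        in_sect && $1 == "enumerate" && tolower($NF) == "true" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

lookup_user() {
    # $1 = AD account name; getent asks every source on the passwd line in
    # order, so a hit here proves nss_sss -> sssd -> AD end to end
    getent passwd "$1"
}

main() {
    user="${1:?usage: $0 <ad-username>}"
    nss="${NSSWITCH:-/etc/nsswitch.conf}"
    conf="${SSSD_CONF:-/usr/local/etc/sssd/sssd.conf}"
    domain="${SSSD_DOMAIN:-local.iq.ufrj.br}"
    nss_uses_sss "$nss" passwd || echo "warning: passwd line in $nss lacks sss"
    nss_uses_sss "$nss" group  || echo "warning: group line in $nss lacks sss"
    if ! sssd_enumerates "$conf" "$domain"; then
        echo "note: enumerate is off for $domain; a bare 'getent passwd' shows local users only"
    fi
    lookup_user "$user" || echo "NSS lookup of $user failed; check /var/log/sssd/"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```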

SSSD has problems with AD domain controllers based on Windows Server 2012 R2. I filed this ticket: https://fedorahosted.org/sssd/ticket/2418