I am trying to set up the security/sssd port on a FreeBSD 10.0 system. My main goal is to authenticate users from Active Directory running on Windows Server 2012 R2.
I would like to know whether anyone has had success using this port (or package). I cannot even get it debugged to the point of working properly; nothing wrong shows up in the log files. My configuration files and debug information are below:
File contents: /usr/local/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
domains = local.iq.ufrj.br
[nss]
[pam]
[domain/local.iq.ufrj.br]
# Uncomment if you need offline logins
#cache_credentials = true
debug_level = 5
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
#ad_hostname = sssd-test.local.iq.ufrj.br
#ad_domain = local.iq.ufrj.br
#ldap_search_base = dc=local,dc=iq,dc=ufrj,dc=br
# Uncomment if service discovery is not working
ad_server = pewter.local.iq.ufrj.br
#
# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
#ldap_id_mapping = False
#
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/tcsh
fallback_homedir = /home/%d/%u
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = [email protected]
#
# Comment out if you prefer to user shortnames.
#use_fully_qualified_names = True
File contents: /etc/krb5.conf
root@sssd-test:/usr/local/etc/sssd # cat /etc/krb5.conf
[logging]
# The logging is not really required as this host is not
# using kadmin. Kept in as it does no harm.
# Debugging, if required, will be set in the
# /etc/pam.d/ files.
default = FILE:/var/log/krb5libs.log
#kdc = FILE:/var/log/krb5kdc.log
#admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCAL.IQ.UFRJ.BR
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
I can confirm that Kerberos and the keytab are working:
root@sssd-test:/usr/local/etc/sssd # kdestroy
root@sssd-test:/usr/local/etc/sssd # kinit -k SSSD-TEST$
root@sssd-test:/usr/local/etc/sssd # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [email protected]
Issued Expires Principal
May 22 18:15:32 2014 May 23 04:15:32 2014 krbtgt/[email protected]
And finally, I can run a search with ldapsearch using GSSAPI without any problems:
root@sssd-test:/usr/local/etc/sssd # ldapsearch -H ldap://pewter.local.iq.ufrj.br/ -Y GSSAPI -N -b "dc=local,dc=iq,dc=ufrj,dc=br" "(&(objectClass=user)(sAMAccountName=ferrao))"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=iq,dc=ufrj,dc=br> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=ferrao))
# requesting: ALL
... CUT ...
Looking inside the logs in /var/log/sssd/* after a service sssd restart:
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/run/sss/kdcinfo.LOCAL.IQ.UFRJ.BR], [2][No such file or directory]
(Thu May 22 18:20:05 2014) [sssd[be[local.iq.ufrj.br]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/run/sss/kpasswdinfo.LOCAL.IQ.UFRJ.BR], [2][No such file or directory]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sysdb_domain_init_internal] (0x0200): DB File for local.iq.ufrj.br: /var/db/sss/cache_local.iq.ufrj.br.ldb
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43500
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_local.iq.ufrj.br,1)
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_common_options] (0x0100): Setting ad_hostname to [sssd-test.iq.ufrj.br].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_common_options] (0x0100): Setting domain case-insensitive
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [fo_add_server] (0x0080): Adding new server 'pewter.local.iq.ufrj.br', to service 'AD'
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_servers_init] (0x0100): Added failover server pewter.local.iq.ufrj.br
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_id_options] (0x0100): Option krb5_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Will look for [email protected] in default keytab
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): Selected primary: SSSD-TEST$
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [select_principal_from_keytab] (0x0200): Selected realm: LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to SSSD-TEST$
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_auth_options] (0x0100): Option krb5_server set to pewter.local.iq.ufrj.br
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to LOCAL.IQ.UFRJ.BR
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0080): No SUDO module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0080): No autofs module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): No selinux module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): No host info module provided for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_process_init] (0x0020): Subdomains are not supported for [local.iq.ufrj.br] !!
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x805c43b40.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43B40
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x805c2c1a0]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Cancel DP ID timeout [0x805c2c1a0]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x805c43c80.
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_init_connection] (0x0200): Adding connection 805C43C80
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x805c2cb60]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Cancel DP ID timeout [0x805c2cb60]
(Thu May 22 18:20:06 2014) [sssd[be[local.iq.ufrj.br]]] [client_registration] (0x0100): Added Frontend client [NSS]
Two minutes later...
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=operator]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_is_address] (0x0040): getaddrinfo failed [8]: hostname nor servname provided, or not known
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'pewter.local.iq.ufrj.br' in files
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'resolving name'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'pewter.local.iq.ufrj.br' in files
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'pewter.local.iq.ufrj.br' in DNS
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'name resolved'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_resolve_server_process] (0x0200): Found address for server pewter.local.iq.ufrj.br: [10.7.0.2] TTL 1200
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pewter.local.iq.ufrj.br'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [USER][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=local,DC=iq,DC=ufrj,DC=br].
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=local,DC=iq,DC=ufrj,DC=br][SUBTREE][]
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [be_resolve_server_process] (0x0200): Found address for server pewter.local.iq.ufrj.br: [10.7.0.2] TTL 1200
==> /var/log/sssd/ldap_child.log <==
(Thu May 22 18:22:00 2014) [[sssd[ldap_child[8071]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
(Thu May 22 18:22:00 2014) [[sssd[ldap_child[8071]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
==> /var/log/sssd/sssd_local.iq.ufrj.br.log <==
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: SSSD-TEST$
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [child_sig_handler] (0x0100): child [8071] finished successfully.
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'pewter.local.iq.ufrj.br' as 'working'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [set_server_common_status] (0x0100): Marking server 'pewter.local.iq.ufrj.br' as 'working'
(Thu May 22 18:22:00 2014) [sssd[be[local.iq.ufrj.br]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
So it seems to be working, but it is not. When I issue getent passwd, I get no information from AD.
And finally, here is my /etc/nsswitch.conf, just in case:
root@sssd-test:/usr/local/etc/sssd # cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files sss
group_compat: nis
hosts: files dns
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Thanks in advance.
I think you did it correctly; it is probably working and you just don't know it.
By default, getent for all users does not show the IDs, but running getent passwd username returns what you expect.
Check again.
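To make the point in the answer above checkable, here is an added example (not from the thread and not part of the sssd project): a POSIX shell script that inspects constructed copies of nsswitch.conf and sssd.conf, confirms that the passwd and group databases consult "sss", and reports whether the domain section sets "enumerate = true". That option is a real sssd.conf domain option and defaults to false, which is why a bare "getent passwd" lists only local users while "getent passwd username" still resolves a domain account. The temporary directory, file paths and file contents in the script are constructed for the example.

```shell
#!/bin/sh
# Added example: offline sanity checks for an SSSD + Active Directory client.
# Everything under SAMPLE_DIR is constructed sample data, not a live system.
set -u

SAMPLE_DIR=${SAMPLE_DIR:-${TMPDIR:-/tmp}/sssd-check.$$}
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed nsswitch.conf modelled on the one in the question.
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
# comment line that must be ignored
group: files sss
group_compat: nis
hosts: files dns
passwd: files sss
passwd_compat: nis
EOF

# Constructed sssd.conf: same providers as the question, no "enumerate" line.
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
; domains = LDAP
domains = local.iq.ufrj.br
[nss]
[pam]
[domain/local.iq.ufrj.br]
id_provider = ad
auth_provider = ad
ad_server = pewter.local.iq.ufrj.br
EOF

# nss_has_sss FILE DATABASE: exit 0 when DATABASE (passwd, group, ...) lists
# the "sss" source; comment lines and *_compat entries are ignored.
nss_has_sss() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        {
            if (match($0, "^[ \t]*" db "[ \t]*:")) {
                n = split(substr($0, RLENGTH + 1), f, /[ \t]+/)
                for (i = 1; i <= n; i++) if (f[i] == "sss") found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# sssd_option FILE SECTION KEY: print the value of KEY inside [SECTION],
# honouring both "#" and ";" comment styles; prints nothing when unset.
sssd_option() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s); cur = s; next }
        cur == sect {
            eq = index($0, "=")
            if (eq > 0) {
                k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) { print v; exit }
            }
        }' "$1"
}

# enumeration_enabled FILE DOMAIN: exit 0 only when "enumerate = true" is set
# for the domain, i.e. when a bare "getent passwd" is expected to list AD users.
enumeration_enabled() {
    v=$(sssd_option "$1" "domain/$2" enumerate | tr '[:upper:]' '[:lower:]')
    [ "$v" = "true" ]
}

# explain_getent FILE DOMAIN: print the lookup the admin should run to verify
# the domain is actually being served, given the enumerate setting.
explain_getent() {
    if enumeration_enabled "$1" "$2"; then
        echo "enumerate=true: a bare 'getent passwd' should list $2 users once enumeration has run"
    else
        echo "enumerate is off (default): 'getent passwd' shows only local users; verify with 'getent passwd <user>' or 'getent passwd <user>@$2'"
    fi
}

if nss_has_sss "$SAMPLE_DIR/nsswitch.conf" passwd && nss_has_sss "$SAMPLE_DIR/nsswitch.conf" group; then
    echo "nsswitch.conf: passwd and group both consult sss"
else
    echo "nsswitch.conf: sss missing from passwd or group; NSS will never ask sssd"
fi
echo "id_provider for local.iq.ufrj.br: $(sssd_option "$SAMPLE_DIR/sssd.conf" domain/local.iq.ufrj.br id_provider)"
explain_getent "$SAMPLE_DIR/sssd.conf" local.iq.ufrj.br
```

Point the functions at the real /etc/nsswitch.conf and /usr/local/etc/sssd/sssd.conf to check a live host; the script only reads the files, so it is safe to run as an unprivileged user that can read sssd.conf.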
SSSD has problems with AD DCs based on Windows Server 2012 R2. I filed this ticket: link