SSSD não retorna lista completa de usuários em grupos

2

Configuramos um pacote SSSD + Samba + Krb5 funcional para autorizar usuários do domínio em máquinas Linux. A autorização funciona bem, mas o getent group EXAMPLE não retorna a lista completa de usuários em um grupo. Enquanto o comando id mostra esse grupo específico, ao qual os usuários pertencem

Exemplo de comando

id mshepelev (existe um grupo pam_nas_admins ):

    ~$ id mshepelev
    uid=1019815042(mshepelev) gid=1019817477(linuxadm) группы=128(vboxusers),132(libvirtd),
1019817706(exchange_terminal),1019800512(domain admins),1019800513(domain users),1019817356(it dept base),1019817232(printer_it),
1019817477(linuxadm),1019801141(buh),1019817834(pam_nas_admins)....
Exemplo de

getent group pam_nas_admins (não há mshepelev neste grupo):

    ~$ getent group pam_nas_admins
pam_nas_admins:*:1019817834:nhramchihin,apyataev,
vshuykov,isaidashev,admin,nrosnovskiy,itugunov,
malfereva,mdimitraki,izinoviev,gkulakov,mcherenkov,kfomchenko,mkotov,aromanovskiy

Update
Same situation appears on another PC but vice versa for user isaidashev. Id command returns a full list and getent group pam_nas_admins returns everyone but the user itself (output has mshepelev user but doesn't have isaidashev user)

Aqui estão os arquivos de configuração: /etc/krb5.conf

cat /etc/krb5.conf
[logging] 
    default = FILE:/var/log/krb5libs.log 
    kdc = FILE:/var/log/krb5kdc.log 
    admin_server = FILE:/var/log/kadmind.log 
[libdefaults]
    default_realm = BKCCO.RU
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false 
#add
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 2d
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    BKCCO.RU = {
        kdc = dc2012.bkcco.ru
        kdc = echo.bkcco.ru
        kdc = artemis.bkcco.ru
        admin_server = dc2012.bkcco.ru
        default_domain = BKCCO.RU
            }
[domain_realm]
    .bkcco.ru = BKCCO.RU
    bkcco.ru = BKCCO.RU
[login]
    krb4_convert = false
    krb4_get_tickets = false

/etc/samba/smb.conf

cat /etc/samba/smb.conf

[global]
        workgroup = BKC
        security = ADS
        ## Full domain name
        realm = BKCCO.RU

security = user
kerberos method = system keytab

log file = /var/log/samba/log.%m
log level = 10
max log size = 50
load printers = no
cups options = raw
printcap name = /dev/null



    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config BKCCO.RU : backend  = rid
    idmap config BKCCO.RU : range = 300000-499999





    # Если вы не хотите, чтобы самба пыталась при случае вылезти в лидеры в домене или рабочей группе,
    # или даже стать доменконтроллером, то всегда прописывайте эти пять опций именно в таком виде
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no

    #Настройки для принтеров(отключение поддержки)
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

/etc/sssd/sssd.conf

    cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = bkcco.ru
debug_level = 7

[nss]
#allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash
debug_level = 7
entry_cache_timeout = 2
enum_cache_timeout = 5

[domain/bkcco.ru]
enumerate = true
debug_level = 7
ad_domain = bkcco.ru
krb5_realm = BKCCO.RU
krb5_store_password_if_offline = True
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
access_provider = ad
#ldap_id_mapping = True
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u
krb5_validate = false

/etc/nsswitch.conf

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the 'glibc-doc-reference' and 'info' packages installed, try:
# 'info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

/etc/realmd.conf

cat /etc/realmd.conf
[active-directory]
os-name = BKCBuntu
os-version = 16.04

[service]
automatic-install = no

[users]
default-home = /home/%u
default-shell = /bin/bash

[bkcco.ru]
user-principal = yes
fully-qualified-names = no

E abaixo estão os arquivos de log. Por alguma razão, o sssd_domain.log informa que a porta 389 está indisponível, mas está aberta

~$ nslookup -type=srv _ldap._tcp.bkcco.ru
Server:     192.168.20.1
Address:    192.168.20.1#53

_ldap._tcp.bkcco.ru service = 0 100 389 echo.bkcco.ru.
_ldap._tcp.bkcco.ru service = 0 100 389 artemis.bkcco.ru.
_ldap._tcp.bkcco.ru service = 0 100 389 dc2012.bkcco.ru.

verifique as portas separadamente

~$ nc -zv bkcco.ru 389
Connection to bkcco.ru 389 port [tcp/ldap] succeeded!
mshepelev@bkc480:~$ nc -zv dc2012 389
Connection to dc2012 389 port [tcp/ldap] succeeded!
mshepelev@bkc480:~$ nc -zv artemis 389
Connection to artemis 389 port [tcp/ldap] succeeded!

/etc/var/log/sssd/sssd_bkcco.ru.log

(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x0200): Found address for server artemis.bkcco.ru: [172.16.0.3] TTL 3600
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_primary_server_timeout_activate] (0x0400): The primary server reconnection is already scheduled
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 31
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158218](Authentication Failed)
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'artemis.bkcco.ru' as 'not working'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'artemis.bkcco.ru' as 'not working'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.bkcco.ru' is 'not working'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'echo.bkcco.ru' is 'name resolved'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'echo.bkcco.ru' is 'not working'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'artemis.bkcco.ru' is 'name resolved'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'artemis.bkcco.ru' is 'not working'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [child_sig_handler] (0x1000): Waiting for child [1814].
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [child_sig_handler] (0x0100): child [1814] finished successfully.
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1499163660]
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_dyndns_get_addrs_done] (0x0080): No LDAP server is available, dynamic DNS update is skipped in offline mode.
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul  4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul  4 13:19:59 2017) [sssd[be[bkcco.ru]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.BKCCO.RU], [2][No such file or directory]
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_primary_server_timeout] (0x0400): Looking for primary server!
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.bkcco.ru' is 'not working'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x0100): Reseting the status of port 389 for server 'dc2012.bkcco.ru'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x0200): Found address for server dc2012.bkcco.ru: [192.168.20.1] TTL 3600
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc2012.bkcco.ru'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc2012.bkcco.ru'
(Tue Jul  4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_run_reconnect_cb] (0x0400): Reconnecting. Running callbacks.

/var/log/sssd/krb5_child.log

(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child started.
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x1000): total buffer size: [126]
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019815042] gid [1019817477] validate [false] enterprise principal [true] offline [false] UPN [[email protected]]
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019815042_n1SyC3] keytab: [/etc/krb5.keytab]
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_setup] (0x0100): Not using FAST.
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): Will perform online auth
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [BKCCO.RU]
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0100): TGT validation is disabled.
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jul  4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child completed successfully

/var/log/sssd/ldap_child.log

(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0400): ldap_child completed successfully
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child started.
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): total buffer size: 31
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): realm_str size: 8
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got realm_str: BKCCO.RU
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): princ_str size: 7
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got princ_str: BKC480$
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul  4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child completed successfully

/var/log/sssd/sssd_nss.log

(Tue Jul  4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul  4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul  4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
    
por Max Shepelev 04.07.2017 / 12:32

0 respostas

Tags