We set up a working SSSD + Samba + Krb5 stack to authorize domain users on Linux machines. Authorization works fine, but getent group EXAMPLE does not return the full list of users in a group, while the id command does show that specific group which the users belong to.
Example of the id mshepelev command (there is a pam_nas_admins group):
~$ id mshepelev
uid=1019815042(mshepelev) gid=1019817477(linuxadm) группы=128(vboxusers),132(libvirtd),
1019817706(exchange_terminal),1019800512(domain admins),1019800513(domain users),1019817356(it dept base),1019817232(printer_it),
1019817477(linuxadm),1019801141(buh),1019817834(pam_nas_admins)....
Example of getent group pam_nas_admins (there is no mshepelev in this group):
~$ getent group pam_nas_admins
pam_nas_admins:*:1019817834:nhramchihin,apyataev,
vshuykov,isaidashev,admin,nrosnovskiy,itugunov,
malfereva,mdimitraki,izinoviev,gkulakov,mcherenkov,kfomchenko,mkotov,aromanovskiy
Update
The same situation appears on another PC, but vice versa for user isaidashev: the id command returns a full list and getent group pam_nas_admins returns everyone but the user itself (the output has the mshepelev user but doesn't have the isaidashev user).
Here are the configuration files: /etc/krb5.conf
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BKCCO.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
#add
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 2d
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
BKCCO.RU = {
kdc = dc2012.bkcco.ru
kdc = echo.bkcco.ru
kdc = artemis.bkcco.ru
admin_server = dc2012.bkcco.ru
default_domain = BKCCO.RU
}
[domain_realm]
.bkcco.ru = BKCCO.RU
bkcco.ru = BKCCO.RU
[login]
krb4_convert = false
krb4_get_tickets = false
/etc/samba/smb.conf
cat /etc/samba/smb.conf
[global]
workgroup = BKC
security = ADS
## Full domain name
realm = BKCCO.RU
security = user
kerberos method = system keytab
log file = /var/log/samba/log.%m
log level = 10
max log size = 50
load printers = no
cups options = raw
printcap name = /dev/null
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config BKCCO.RU : backend = rid
idmap config BKCCO.RU : range = 300000-499999
# If you don't want Samba to try, given the chance, to become the master in the domain or workgroup,
# or even become a domain controller, always set these five options exactly in this form
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
# Printer settings (support disabled)
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
/etc/sssd/sssd.conf
cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = bkcco.ru
debug_level = 7
[nss]
#allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash
debug_level = 7
entry_cache_timeout = 2
enum_cache_timeout = 5
[domain/bkcco.ru]
enumerate = true
debug_level = 7
ad_domain = bkcco.ru
krb5_realm = BKCCO.RU
krb5_store_password_if_offline = True
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
access_provider = ad
#ldap_id_mapping = True
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u
krb5_validate = false
/etc/nsswitch.conf
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the 'glibc-doc-reference' and 'info' packages installed, try:
# 'info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
/etc/realmd.conf
cat /etc/realmd.conf
[active-directory]
os-name = BKCBuntu
os-version = 16.04
[service]
automatic-install = no
[users]
default-home = /home/%u
default-shell = /bin/bash
[bkcco.ru]
user-principal = yes
fully-qualified-names = no
And below are the log files. For some reason, sssd_domain.log reports that port 389 is unavailable, but it is open
~$ nslookup -type=srv _ldap._tcp.bkcco.ru
Server: 192.168.20.1
Address: 192.168.20.1#53
_ldap._tcp.bkcco.ru service = 0 100 389 echo.bkcco.ru.
_ldap._tcp.bkcco.ru service = 0 100 389 artemis.bkcco.ru.
_ldap._tcp.bkcco.ru service = 0 100 389 dc2012.bkcco.ru.
check the ports separately
~$ nc -zv bkcco.ru 389
Connection to bkcco.ru 389 port [tcp/ldap] succeeded!
mshepelev@bkc480:~$ nc -zv dc2012 389
Connection to dc2012 389 port [tcp/ldap] succeeded!
mshepelev@bkc480:~$ nc -zv artemis 389
Connection to artemis 389 port [tcp/ldap] succeeded!
/etc/var/log/sssd/sssd_bkcco.ru.log
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x0200): Found address for server artemis.bkcco.ru: [172.16.0.3] TTL 3600
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_primary_server_timeout_activate] (0x0400): The primary server reconnection is already scheduled
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 31
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158218](Authentication Failed)
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'artemis.bkcco.ru' as 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'artemis.bkcco.ru' as 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.bkcco.ru' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'echo.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'echo.bkcco.ru' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'artemis.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'artemis.bkcco.ru' is 'not working'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [child_sig_handler] (0x1000): Waiting for child [1814].
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [child_sig_handler] (0x0100): child [1814] finished successfully.
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1499163660]
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_dyndns_get_addrs_done] (0x0080): No LDAP server is available, dynamic DNS update is skipped in offline mode.
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul 4 13:19:58 2017) [sssd[be[bkcco.ru]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158230]: Dynamic DNS update not possible while offline
(Tue Jul 4 13:19:59 2017) [sssd[be[bkcco.ru]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.BKCCO.RU], [2][No such file or directory]
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_primary_server_timeout] (0x0400): Looking for primary server!
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc2012.bkcco.ru' is 'not working'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_port_status] (0x0100): Reseting the status of port 389 for server 'dc2012.bkcco.ru'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [get_server_status] (0x1000): Status of server 'dc2012.bkcco.ru' is 'name resolved'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_resolve_server_process] (0x0200): Found address for server dc2012.bkcco.ru: [192.168.20.1] TTL 3600
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc2012.bkcco.ru'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc2012.bkcco.ru'
(Tue Jul 4 13:20:29 2017) [sssd[be[bkcco.ru]]] [be_run_reconnect_cb] (0x0400): Reconnecting. Running callbacks.
/var/log/sssd/krb5_child.log
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child started.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x1000): total buffer size: [126]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019815042] gid [1019817477] validate [false] enterprise principal [true] offline [false] UPN [[email protected]]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019815042_n1SyC3] keytab: [/etc/krb5.keytab]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_setup] (0x0100): Not using FAST.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): Will perform online auth
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [BKCCO.RU]
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [get_and_save_tgt] (0x0100): TGT validation is disabled.
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jul 4 11:46:47 2017) [[sssd[krb5_child[29641]]]] [main] (0x0400): krb5_child completed successfully
/var/log/sssd/ldap_child.log
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1956]]]] [main] (0x0400): ldap_child completed successfully
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child started.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): total buffer size: 31
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): realm_str size: 8
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got realm_str: BKCCO.RU
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): princ_str size: 7
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): got princ_str: BKC480$
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Tue Jul 4 13:22:26 2017) [[sssd[ldap_child[1958]]]] [main] (0x0400): ldap_child completed successfully
/var/log/sssd/sssd_nss.log
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:22:31 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Tue Jul 4 13:23:09 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
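As an added diagnostic (not part of the original post), the script below cross-checks the two NSS views the question contrasts: it parses id output and getent group lines (constructed samples modelled on the output above) and reports the groups that id lists for a user but whose group entry omits that user; check_live runs the same check against the host's own id and getent.

```python
import re
import subprocess

# Constructed samples modelled on the post's output; not a live capture.
SAMPLE_ID = (
    "uid=1019815042(mshepelev) gid=1019817477(linuxadm) groups=128(vboxusers),"
    "1019817477(linuxadm),1019801141(buh),1019817834(pam_nas_admins)"
)
SAMPLE_GETENT = "pam_nas_admins:*:1019817834:nhramchihin,apyataev,isaidashev"

_GID_NAME = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output):
    """Return {gid: name} for the supplementary groups in `id` output.

    The primary group (gid= field) is excluded: group(5) entries do not list
    members whose membership comes only from their primary gid. Only gid(name)
    pairs are matched, so a localised label such as "группы=" is harmless.
    """
    primary = int(re.search(r"\bgid=(\d+)", output).group(1))
    rest = output.strip().split(" ", 1)[1]
    return {int(g): n for g, n in _GID_NAME.findall(rest) if int(g) != primary}


def parse_getent_group(line):
    """Parse one group(5) line into (name, gid, set of member names)."""
    name, _pw, gid, members = line.strip().split(":", 3)
    return name, int(gid), {m for m in members.split(",") if m}


def check_consistency(user, id_output, getent_lines):
    """Return the names of groups that `id` reports for `user` but whose
    `getent group` entry does not list the user (the mismatch in the post)."""
    id_groups = parse_id(id_output)
    missing = []
    for line in getent_lines:
        name, gid, members = parse_getent_group(line)
        if gid in id_groups and user not in members:
            missing.append(name)
    return missing


def check_live(user):
    """Run the same check against the host's NSS stack (needs id and getent)."""
    id_out = subprocess.check_output(["id", user], text=True)
    lines = [subprocess.check_output(["getent", "group", str(gid)], text=True)
             for gid in parse_id(id_out)]
    return check_consistency(user, id_out, lines)


if __name__ == "__main__":
    print(check_consistency("mshepelev", SAMPLE_ID, [SAMPLE_GETENT]))
```

A non-empty result for every group is the signature from the question; running it on both PCs for both users shows which side of the cache disagrees.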