The CentOS 7 server is joined to abc.com and authentication is working for abc.com with AuthLite for two-factor authentication. A child domain a.abc.com was created, but authentication is not working in the child domain. Can the server be joined to two domains?
[root@server01 sssd]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam
[domain/abc.com]
id_provider = ad
access_provider = simple
realmd_tags = manages-system joined-with-samba
ad_domain = abc.com
ad_server = serverdc01.abc.com,serverdc02.abc.com,_srv_
!adding in subdomain line below - SG 1-20-2017
subdomain_enumerate = all
krb5_realm = ABC.COM
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
simple_allow_groups = TDI Remote Access [email protected]
debug_level = 0x07F0
[domain/a.abc.com]
ad_server = aserverdc01.a.abc.com,aserver02.a.abc.com,_srv_
You can verify that the user account is seen in the child domain.
[root@server01 bin]# id [email protected]
uid=1915601610([email protected]) gid=1915601610([email protected]) groups=1915601610([email protected]),1213401243(tdi remote access users),1915601332(authlite 1f [email protected]),1915601331(authlite [email protected]),1915601110([email protected]),1915601606([email protected]),1915600513(domain [email protected])
Realm:
[root@server01 bin]# realm list
abc.com
type: kerberos
realm-name: ABC.COM
domain-name: abc.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: TDI Remote Access [email protected]
From the secure log:
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [email protected]
Jan 20 15:46:35 server01 cw[22854]: pam_sss(conwrks:auth): received for user [email protected]: 4 (System error)
From krb5_child.log:
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601610] gid [1915601610] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1915601610] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [become_user] (0x0200): Trying to become user [1915601610][1915601610].
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): Will perform online auth
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [main] (0x0400): krb5_child completed successfully
From sssd_abc.com.log:
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=user]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=a,dc=a,dc=hawaiian,dc=aero]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=a,dc=a].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Save user
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_get_primary_name] (0x0400): Processing object [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Storing info for user [email protected]
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Fri Jan 20 15:46:31 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
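Added triage helper for the post above. It is not part of the original post and not sssd's own code: it lints a pasted sssd.conf for the three things visible in the configuration shown (a line that is not a comment in sssd.conf syntax, a domain section that is never activated in `domains =`, and no `pac` responder in `services =`) and decodes the numeric error that krb5_child.log prints. SAMPLE_CONF and SAMPLE_LOG are constructed here to mirror the post; `user@a.abc.com` and the DC hostnames are placeholders.

```python
"""Lint an sssd.conf and decode krb5_child.log errors (added example, not from the post)."""
import re

# MIT Kerberos numbers protocol errors as KRB5KDC_ERR_NONE plus the RFC 4120
# error code; only values commonly returned by an AD KDC are listed here.
KRB5KDC_ERR_NONE = -1765328384
_KRB5_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KRB5KDC_ERR_POLICY", 18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP", 24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED", 37: "KRB5KRB_AP_ERR_SKEW",
    68: "KRB5KDC_ERR_WRONG_REALM",
}

def krb5_error_name(code):
    """Map a signed krb5 error code, as printed by krb5_child, to its symbol."""
    return _KRB5_NAMES.get(code - KRB5KDC_ERR_NONE, "unknown krb5 error %d" % code)

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^[\w.\-]+\s*=")

def lint_sssd_conf(text):
    """Return (severity, message) findings for an sssd.conf body."""
    findings, sections, current = [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif not KV_RE.match(line):
            # sssd.conf comments start with '#' or ';'; anything else is a syntax error
            findings.append(("error", "line %d is neither a comment nor key=value: %r" % (lineno, line)))
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    main = sections.get("sssd", {})
    active = [d.strip() for d in main.get("domains", "").split(",") if d.strip()]
    services = [s.strip() for s in main.get("services", "").split(",")]
    for name, opts in sections.items():
        if not name.startswith("domain/") or name.count("/") > 1:
            continue  # skip non-domain sections and [domain/parent/child] subsections
        dom = name[len("domain/"):]
        if dom not in active:
            findings.append(("warning", "[%s] is not listed in [sssd] domains=, so sssd ignores it" % name))
        for parent in active:
            if dom.endswith("." + parent) and sections.get("domain/" + parent, {}).get("id_provider") == "ad":
                findings.append(("warning", "%s is a child of the joined AD domain %s and is discovered "
                                 "automatically as a subdomain; a separate domain section does not "
                                 "configure it" % (dom, parent)))
        if opts.get("id_provider") == "ad" and "pac" not in services:
            findings.append(("info", "%s uses id_provider=ad but 'pac' is not in services=; krb5_child "
                             "logs 'Cannot open the PAC responder socket' (harmless for authentication)" % dom))
    return findings

UPN_RE = re.compile(r"UPN \[([^\]]+)\]")
KINIT_RE = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")
ERR_RE = re.compile(r"\[get_and_save_tgt\] \(0x0020\): \d+: \[(-?\d+)\]")

def triage_krb5_child(log):
    """Pull the UPN, the realm kinit was tried against and the KDC error out of krb5_child.log."""
    out = {"upn": None, "kinit_realm": None, "error_code": None, "error_name": None, "notes": []}
    for line in log.splitlines():
        for key, rx in (("upn", UPN_RE), ("kinit_realm", KINIT_RE)):
            m = rx.search(line)
            if m:
                out[key] = m.group(1)
        m = ERR_RE.search(line)
        if m:
            out["error_code"] = int(m.group(1))
            out["error_name"] = krb5_error_name(out["error_code"])
    if out["upn"] and out["kinit_realm"]:
        upn_realm = out["upn"].rsplit("@", 1)[-1].upper()
        if upn_realm != out["kinit_realm"].upper():
            out["notes"].append("request went to the KDC of %s for a principal in %s (enterprise-name "
                                "lookup relies on that KDC to resolve or refer) and it answered %s"
                                % (out["kinit_realm"], upn_realm, out["error_name"]))
    return out

# Constructed samples mirroring the post; hostnames and the UPN are placeholders.
SAMPLE_CONF = """\
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam
[domain/abc.com]
id_provider = ad
ad_domain = abc.com
!adding in subdomain line below - SG 1-20-2017
subdomain_enumerate = all
krb5_realm = ABC.COM
[domain/a.abc.com]
ad_server = aserverdc01.a.abc.com,aserver02.a.abc.com,_srv_
"""
SAMPLE_LOG = """\
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601610] gid [1915601610] validate [true] enterprise principal [true] offline [false] UPN [user@a.abc.com]
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 20 15:46:33 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 20 15:46:35 2017) [[sssd[krb5_child[23048]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
"""

if __name__ == "__main__":
    for sev, msg in lint_sssd_conf(SAMPLE_CONF):
        print("%-7s %s" % (sev, msg))
    print(triage_krb5_child(SAMPLE_LOG))
```

Run against the real files (`/etc/sssd/sssd.conf` and `/var/log/sssd/krb5_child.log`) by passing their contents instead of the samples. The decoded error for the post's log is KRB5KDC_ERR_POLICY, which is the KDC's answer rather than a local sssd failure, so the next place to look is the domain controller's own logs for that request.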