Autentica o protocolo Linux-LDAP-AD (diretório ativo): falha ao efetuar logon com senha

Dears,

Passei muito tempo nisso e até mesmo verifiquei com sucesso (Auth) Linux-LDAP-openLDAP ok. Mas fique bloqueado com o AD. Agora posso mudar para o usuário a partir da conta root, mas não consigo fazer o login com a senha ( pam_unix (sshd: auth): falha de autenticação ). Eu vou ver se eu posso ligar pam depurar e também levantar o problema aqui. Eu quero listar os passos detalhados aqui para obter ajuda. Não tenho certeza se está relacionado a userPassword (eu já defini dsHeuristics para 000000001) ou unixUserPassword atributo, mas vou continuar a investigar.

1. Lado do servidor Windows 2012 R2 (AD): Configure o AD DS.Enable SSL for AD. Instalado Gerenciamento de identidades para UNIX Adicione atributos (uidNumber, gidNumber, unixHomeDirectory) ao catálogo global em esquema .Adicionados alguns usuários (luser02, que é o usuário vinculado, luser03, luser04) e group (unixGrp2) com posixAccount / posixGroup, respectivamente. Para verificar isso, posso usar o ldapsearch no CENT OS 6 de destino %código%

# extended LDIF
#
# LDAPv3
# base <DC=kelamayi,DC=com> with scope subtree
# filter: sAMAccountName=luser03
# requesting: ALL
#

# luser03, Users, kelamayi.com
dn: CN=luser03,CN=Users,DC=kelamayi,DC=com
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: luser03
givenName: luser03
distinguishedName: CN=luser03,CN=Users,DC=kelamayi,DC=com
instanceType: 4
whenCreated: 20180824095929.0Z
whenChanged: 20180824103333.0Z
displayName: luser03
uSNCreated: 24826
memberOf: CN=unigGrp2,DC=kelamayi,DC=com
memberOf: CN=unixGrp,DC=kelamayi,DC=com
uSNChanged: 24861
name: luser03
objectGUID:: Q/Bx5j48CEWikaDPlHoyRw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131795783694428731
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3G4iEdoCV++319XAWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: luser03
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=kelamayi,DC=com
dSCorePropagationData: 16010101000000.0Z
uidNumber: 20003
gidNumber: 20001
unixHomeDirectory: /home/luser03
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.kelamayi.com/DC=ForestDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://DomainDnsZones.kelamayi.com/DC=DomainDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Eu também posso usar o java api para se conectar ao AD com ldaps. O ldapsearch -x -H ldap://114.116.43.118:389 -D "CN=luser02,CN=Users,DC=kelamayi,DC=com" -b "DC=kelamayi,DC=com" -W sAMAccountName=luser03 também funciona bem.

getent passwd luser03
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
getent passwd 20002
luser02:*:20002:513:luser02:/home/luser02:/bin/bash
getent passwd 20003
luser03:*:20003:513:luser03:/home/luser03:/bin/bash

2. Linux (CENT OS 6): vou listar abaixo em anexo.

getent passwd

binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw Passw0rd
uid nslcd
gid ldap
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
filter passwd (objectClass=user)
filter group  (objectClass=group)
map     passwd uid sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID
map     group   uniqueMember       member

grep -v '^$\|^\s*\#' /etc/nslcd.conf

base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

grep -v '^$\|^\s*\#' /etc/openldap/ldap.conf

base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

grep -v '^$\|^\s*\#' /etc/pam_ldap.conf

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

grep -v '^$\|^\s*\#' /etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

grep -v '^$\|^\s*\#' /etc/pam.d/password-auth

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

3. Testar e depurar: %código% %código% %código%

log do ssh:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

     here pending for a while,about 10 seconds.

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password:

depuração do nslcd. Eu não sei porque há um "ldap_result () expirado" no log antes de inserir a senha. (Esse problema de desempenho foi resolvido por Stefan. Obrigado!)

nslcd: DEBUG: add_uri(ldap://114.116.43.118:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections

nslcd: [8b4567] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [8b4567] DEBUG: rebinding to ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com")
nslcd: [8b4567] ldap_result() timed out
nslcd: [8b4567] DEBUG: ldap_abandon()
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [7b23c6] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [3c9869] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [334873] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [334873] DEBUG: ldap_result(): end of results

/ var / log / secure:

Aug 24 19:42:07 ecs-c191-0006 sshd[2856]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=114.116.42.247  user=luser03

Tentou ativar a depuração de pam por > Tentei ativar o pam debug com isso: link , mas recebi outro erro quando o build

patching file modules/pam_unix/pam_unix_passwd.c
Hunk #1 succeeded at 233 (offset -7 lines).
patching file modules/pam_unix/pam_unix.8.xml
patching file modules/pam_unix/passverify.c
Hunk #1 succeeded at 1088 (offset -7 lines).
patching file modules/pam_unix/passverify.h
patching file modules/pam_unix/support.c
Hunk #1 FAILED at 495.
1 out of 1 hunk FAILED -- saving rejects to file modules/pam_unix/support.c.rej

dias difíceis .....