sssd-ad em wheezy

Navegue suas respostas
0

Eu tenho uma pergunta semelhante em execução em serverfault , mas tenho um questão de acompanhamento que é mais adequada aqui, na minha opinião humilde (provavelmente desinformada).

Eu tenho tentado validar usuários em meu servidor Debian Wheezy contra o AD da empresa (servidor windows 2008).

O principal desafio é que este AD não fornece nenhum atributo Unix (uid, gid, homedir, shell). Eu comecei em torno de homedir e shell usando sssd e seus mecanismos de fallback. No entanto, atualmente estou preso no uid, gid.

Quando tento sincronizar usando a configuração (reduzo para as partes relevantes) 

id_provider = ad
access_provider = ad
auth_provider = krb5
chpass_provider = krb5
ldap_schema = ad
ldap_id_mapping = true
debug_level = 7

Eu recebo o seguinte erro: 

(Tue Jan 27 10:39:05 2015) [sssd[be[thecompany.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 10:39:05 2015) [sssd[be[thecompany.dk]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Jan 27 10:39:05 2015) [sssd[be[thecompany.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 10:39:05 2015) [sssd[be[thecompany.dk]]] [be_client_destructor] (0x0400): Removed NSS client
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [thecompany.dk]!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for thecompany.dk: /var/lib/sss/db/cache_thecompany.dk.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_init_connection] (0x0200): Adding connection FB1630
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_thecompany.dk,1)
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4798 to a link /var/lib/sss/pipes/private/sbus-dp_thecompany.dk
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4798,guid=84361ff4e288ffa9288b858f54c75cba
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [thecompany.dk]!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for thecompany.dk: /var/lib/sss/db/cache_thecompany.dk.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_init_connection] (0x0200): Adding connection 1A3D630
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_thecompany.dk,1)
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4799 to a link /var/lib/sss/pipes/private/sbus-dp_thecompany.dk
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4799,guid=f69da63ecb7352f94fee01df54c75cba
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [thecompany.dk]!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for thecompany.dk: /var/lib/sss/db/cache_thecompany.dk.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_init_connection] (0x0200): Adding connection 210B630
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_thecompany.dk,1)
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4800 to a link /var/lib/sss/pipes/private/sbus-dp_thecompany.dk
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4800,guid=466e1c905c470ad8c00455f754c75cba
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [thecompany.dk]!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for thecompany.dk: /var/lib/sss/db/cache_thecompany.dk.ldb
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_init_connection] (0x0200): Adding connection 1811630
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_thecompany.dk,1)
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4801 to a link /var/lib/sss/pipes/private/sbus-dp_thecompany.dk
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_thecompany.dk.4801,guid=7410c96282fd44c81ae85d5454c75cba
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 10:39:06 2015) [sssd[be[thecompany.dk]]] [main] (0x0010): Could not initialize backend [79]

Os arquivos estão realmente ausentes: 

/usr/lib/x86_64-linux-gnu/sssd$ ls -la
total 3884
drwxr-xr-x  3 root root    4096 Jan 26 15:05 .
drwxr-xr-x 11 root root   12288 Jan 26 15:05 ..
-rw-r--r--  1 root root 1405048 Mar  4  2013 libsss_ipa.so
-rw-r--r--  1 root root  585784 Mar  4  2013 libsss_krb5.so
-rw-r--r--  1 root root 1081880 Mar  4  2013 libsss_ldap.so
-rw-r--r--  1 root root  479160 Mar  4  2013 libsss_proxy.so
-rw-r--r--  1 root root  389400 Mar  4  2013 libsss_simple.so
drwxr-xr-x  2 root root    4096 Jan 26 15:05 modules

Como eu obtenho o provedor de anúncios sssd para sssd no Debian Wheezy? Eu vi inúmeros exemplos dele em uso.  Não está realmente incluído na distribuição do wheezy? Posso contornar isso usando o provedor de ldap de alguma forma? Ou eu tenho que limpar meu servidor e adicionar o repositório instável às minhas fontes?

    
por Martin Nielsen 27.01.2015 / 11:39

1 resposta

2

A versão 1.11.7-2 do teste funciona para mim em um ambiente de produção.

Você não precisa atualizar seu sistema inteiro de estável, basta adicionar um repositório de teste: 

deb http://ftp.uk.debian.org/debian/ testing main contrib non-free
deb http://ftp.uk.debian.org/debian/ testing-updates main contrib non-free

Você pode precisar dizer a apt que você prefere a versão Estável. Você faz isso adicionando essa seção a um arquivo como /etc/apt/apt.conf.d/00local 

APT {
    Default-Release "stable";
    // Cache-Limit "50000000";  // only if needed
};

Em seguida, execute aptitude update e você deve descobrir que aptitude install -t testing sssd-ad oferece para instalar e atualizar o sssd, etc.

Apenas para completar, aqui está meu (redigido) sssd.conf 

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = example.org

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 7
offline_failed_login_delay = 1

[domain/example.org]
enumerate = false
ldap_group_nesting_level = 5
ldap_use_tokengroups = false
cache_credentials = true
account_cache_expiration = 10
entry_cache_timeout = 14400
lookup_family_order = ipv4_only
dns_resolver_timeout = 3
dns_discovery_domain = example.org
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
id_provider = ad
    
por 27.01.2015 / 11:54

Tags

Default Route in ip route Como adicionar o grupo “sudo”