La sincronizzazione di SSSD AD non riesce dopo la modifica di UPN di Active Directory

Recentemente ho affrontato un problema con l'integrazione AD su una serie di caselle di debian. Utilizzo SSSD e krb5 per consentire a PAM di sincronizzare e autenticare gli utenti contro Active Directory. Questo funziona da più di un anno, finché l'amministratore AD non ha modificato l'UPN degli utenti AD da username@COMPANY.DK a username@ABCCOMPANY.DK .

Ora, il sincronismo e il riconoscimento di nome utente ancora funzionano, ma l'authentication improvvisamente fallisce, in quanto sembra che il nome inviato a krb5 sia " username@ABCCOMPANY.DK ". Questo regno non è conosciuto da krb5, quindi non riesce a autenticare l'utente.

Cambiare il krb5.conf file krb5.conf su ABCCOMPANY non funziona, in quanto il reame non è effettivamente modificato.

Posso usare kinit mnn@COMPANY.DK senza problemi, mi faccia registrare bene. Non posso, tuttavia, fare kinit mnn@ABCCOMPANY.DK come fa krb5 lamentarsi con il seguente messaggio:

 kinit: Cannot find KDC for realm "ABCCOMPANY.DK" while getting initial credentials 

Questo ha senso penso. SSSD invia ABCCOMPANY.DK nell' UPN lungo a krb5, ma krb5 non sta riconoscendo tale ambito perché non esiste.

Quindi, la domanda è: Come posso configurare krb5 per riconoscere che il regno non è lo stesso di UPN? E una questione bonus da pura curiosità: è questa pratica (impostare l'UPN su qualcosa di diverso dal nome del regno) un modo accettato di fare le cose? Mi sembra strano avere un componente di dominio che in realtà non corrisponda a un dominio.

 (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'mnn' matched without domain, user is mnn (Mon Jan 23 13:12:59 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Mon Jan 23 13:12:59 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [mnn] from [<ALL>] (Mon Jan 23 13:12:59 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [mnn@company.dk] (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'mnn' matched without domain, user is mnn (Mon Jan 23 13:12:59 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): user: mnn (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.112.155 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 8724 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_get_account_info] (0x0100): Got request for [3][1][name=mnn] (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute] ... (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [mnn@company.dk] (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: company.dk (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): user: mnn (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.112.155 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 8724 (Mon Jan 23 13:12:59 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): domain: company.dk (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): user: mnn (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): service: sshd (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): tty: ssh (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): ruser: (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): rhost: 172.16.112.155 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): priv: 1 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [pam_print_data] (0x0100): cli_pid: 8724 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [krb5_auth_send] (0x0100): Home directory for user [mnn] not known. (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_876027530_rTTlt3], because it doesn'texist. (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.company.dk' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ad2.company.dk' in files (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_server_common_status] (0x0100): Marking server 'ad2.company.dk' as 'resolving name' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ad2.company.dk' in files (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ad2.company.dk' in DNS (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_server_common_status] (0x0100): Marking server 'ad2.company.dk' as 'name resolved' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_resolve_server_process] (0x0200): Found address for server ad2.company.dk: [xxx.xx.x.xx] TTL 3600 (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KPASSWD._udp.company.dk' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KPASSWD' as 'resolved' (Mon Jan 23 13:12:59 2017) [sssd[be[company.dk]]] [be_resolve_server_process] (0x0200): Found address for server ad2.company.dk: [xxx.xx.x.xx] TTL 3600 (Mon Jan 23 13:13:00 2017) [sssd] [service_send_ping] (0x0100): Pinging company.dk (Mon Jan 23 13:13:00 2017) [sssd] [service_send_ping] (0x0100): Pinging nss (Mon Jan 23 13:13:00 2017) [sssd] [service_send_ping] (0x0100): Pinging pam (Mon Jan 23 13:13:00 2017) [sssd] [ping_check] (0x0100): Service pam replied to ping (Mon Jan 23 13:13:00 2017) [sssd] [ping_check] (0x0100): Service nss replied to ping (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [become_user] (0x0200): Trying to become user [876027530][876000513]. (Mon Jan 23 13:13:00 2017) [sssd] [ping_check] (0x0100): Service company.dk replied to ping (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [unpack_buffer] (0x0100): cmd [241] uid [876027530] gid [876000513] validate [false] enterprise principal [false] offline [false] UPN [mnn@ABCCOMPANY.DK] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_876027530_XXXXXX] keytab: [/etc/krb5.keytab] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [k5c_setup] (0x0100): Not using FAST. (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [get_and_save_tgt] (0x0020): 981: [-1765328230][Cannot find KDC for realm "ABCCOMPANY.DK"] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [map_krb5_error] (0x0020): 1043: [-1765328230][Cannot find KDC for realm "ABCCOMPANY.DK"] (Mon Jan 23 13:13:00 2017) [[sssd[krb5_child[8727]]]] [k5c_send_data] (0x0200): Received error code 1432158209 (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [child_sig_handler] (0x0100): child [8727] finished successfully. (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success] (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [be_pam_handler_callback] (0x0100): Sending result [4][company.dk] (Mon Jan 23 13:13:00 2017) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][company.dk] (Mon Jan 23 13:13:00 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]. (Mon Jan 23 13:13:00 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 29 (Mon Jan 23 13:13:00 2017) [sssd[be[company.dk]]] [be_pam_handler_callback] (0x0100): Sent result [4][company.dk] (Mon Jan 23 13:13:02 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Mon Jan 23 13:13:02 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected! (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit_signal] (0x0040): Monitor received Interrupt: terminating children (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0040): Returned with: 0 (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Terminating [pam][8719] (Mon Jan 23 13:13:04 2017) [sssd[be[company.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching. (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Terminating [nss][8718] (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Terminating [company.dk][8717] (Mon Jan 23 13:13:04 2017) [sssd] [monitor_quit] (0x0020): Child [company.dk] terminated with a signal 

  • SL7.1 (EL7.1) regno scoprire non scoprire
  • Cosa fare quando i nomi utente locali sono in conflitto con i nomi utente di networking
  • La directory di installazione SSSD è vuota
  • Imansible autenticarsi in Active Directory utilizzando security / sssd dalle porte FreeBSD
  • Impedire a sssd di utilizzare ldap per autenticare o identificare utenti specifici per lo chef
  • vsFTPd authentication con SSSD
  • Imansible unirsi a un dominio utilizzando la networking di strumenti di samba o realm / sssd
  • FreeIPA: impedisce che accedere a root locali agli account utente
  • 2 Solutions collect form web for “La sincronizzazione di SSSD AD non riesce dopo la modifica di UPN di Active Directory”

    Controlla la tua versione sssd . Secondo questo thread funzionalità di ricerca UPN funziona da sssd-1.12 .

    PS Ma c'è bug correlato fissato in sssd-1.13.2 , quindi cercare di aggiornare sssd alla versione disponibile più recente.

    UPD. Secondo questo post, SSSD 1.10 e versioni successive hanno il supporto per il suffisso principale alternativo di Kerberos (vedere la sezione "Supporto per gli approfondimenti aziendali"). E questa funzionalità è implementata nel sssd-ad servizi sssd-ad . Sei sicuro di utilizzare il provider di ad SSSD, ma non krb5 ?

    Controllare il regno in alless:

    • krb5.conf
    • smb.conf
    • sssd.conf

    Per riferimento, ecco il mio script per la preparazione AD su Ubuntu:

    https://github.com/bviktor/ubuntu-ad/blob/master/ad.sh

    Suggerimenti per Linux e Windows Server, quali Ubuntu, Centos, Apache, Nginx, Debian e argomenti di rete.