Accepted
Fred
Asked: 2022-01-29 07:49:28 +0800 CST

LDAP finds the user, but login gives "Permission denied"


I am setting up an LDAP client on Red Hat 8.

After setting up the configuration files, I tested an LDAP user and it returned successfully:

# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)

If I run ldapsearch, it returns the expected results successfully:

# ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com

However, if I try to ssh into the Red Hat 8 machine from another machine, I get the following error:

# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

I tried several different machines with different user accounts and got the same result.

Here is my setup:

/etc/sssd/sssd.conf

[domain/default]
ldap_tls_reqcert = demand
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com/
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/sssd/ca-bundle.crt

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default

[nss]
homedir_substring = /home

/etc/openldap/ldap.conf

TLS_CACERT /etc/sssd/ca-bundle.crt

#BASE dc=example,dc=com
#URI ldap://ldap.example.com/
SASL_NOCANON    on
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/sssd

/etc/nsswitch.conf

# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.

passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files

# passwd:    db files
# shadow:    db files
# group:     db files

# In order of likelihood of use to accelerate lookup.
shadow:     files sss
hosts:      files dns myhostname

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

/etc/sysconfig/authconfig

USELDAP=yes
USELDAPAUTH=yes

/etc/pam.d/password-auth

# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

/etc/pam.d/system-auth

# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

/etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

ClientAliveInterval 600
ClientAliveCountMax 0

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

/var/log/secure

Jan 28 08:35:39 opal sshd[206875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx  user=myusername
Jan 28 08:35:40 opal sshd[206875]: Failed password for myusername from xxx.xxx.xxx.xxx port 60384 ssh2

Attempts

I tried the following:

  • Disabling SELinux in /etc/selinux/config
  • Stopping iptables.service
  • Adding PermitRootLogin yes and UsePAM yes to the Red Hat 8 /etc/ssh/sshd_config file
  • Repeatedly running authselect select sssd and then restarting sssd.service
  • Adding FORCELEGACY=yes to /etc/sysconfig/authconfig

Question

Can anyone help me figure out why users cannot log in to this server with SSH?

redhat openldap pam sssd

1 Answer

  1. Best Answer
    Fred
    2022-02-09T05:34:37+08:00

    I finally found a solution: create a custom authselect profile using custom password-auth, system-auth and nsswitch.conf files.

    1. Create a custom profile based on sssd

    authselect create-profile user-profile -b sssd
    

    2. Overwrite /etc/authselect/custom/user-profile/password-auth and /etc/authselect/custom/user-profile/system-auth with the following settings

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        sufficient    pam_sss.so
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_sss.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password    sufficient    pam_sss.so
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session     optional      pam_systemd.so
    session     optional      pam_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     sufficient    pam_sss.so
    session     required      pam_unix.so
    

    3. Overwrite /etc/authselect/custom/user-profile/nsswitch.conf with the following settings

    passwd:     files sss     {exclude if "with-custom-passwd"}
    shadow:     files sss
    group:      files sss     {exclude if "with-custom-group"}
    netmasks:   files
    networks:   files
    netgroup:   files sss     {exclude if "with-custom-netgroup"}
    automount:  files sss     {exclude if "with-custom-automount"}
    services:   files sss     {exclude if "with-custom-services"}
    sudoers:    files sss     {exclude if "with-sudo"}
    

    4. Select the new profile

    authselect select custom/user-profile
    

    5. Restart sssd

    systemctl restart sssd
    