user12682985's questions

我想用 autofs 挂载一个 samba 共享。

srv.xxxxxxx.net 是 samba 服务器（proxmox 容器，Debian 10）
ldap2.xxxxxxx.net 是 openldap（proxmox 容器，Debian 10）
gui.xxxxxxx.net 是客户端（proxmox vm，Ubuntu 18.04）

Samba 以独立模式运行（无活动目录）
共享为 /srv/test

ls -l /srv/
drwxrwxrwx 2 test05 Domain Users 4096 Feb  8 11:41 test

autofs 配置保存在 openldap 中

dn: cn=test,ou=auto.mnt,ou=automount,ou=services,dc=lan,dc=xxxxxxx,dc=net
cn: test
objectClass: automount
objectClass: top
description: /srv/test on Samba
automountInformation: -fstype=cifs,multiuser,user=${USER},cruid=test05,sec=krb5 ://srv.xxxxxxx.net/test

/etc/autofs_ldap_auth.conf

    <?xml version="1.0" ?>
    <autofs_ldap_sasl_conf
            usetls="no"
            tlsrequired="no"
            authrequired="yes"
            authtype="GSSAPI"
            clientprinc="host/gui.xxxxxxx.net"
    />

启动服务 autofs 时，会创建挂载点

ls -lisa /mnt
insgesamt 4
22776 0 drwxr-xr-x  4 root root    0 mars   2 15:25 .
    2 4 drwxr-xr-x 25 root root 4096 mars   2 10:02 ..
22778 0 dr-xr-xr-x  2 root root    0 mars   2 15:25 exchange
22777 0 dr-xr-xr-x  2 root root    0 mars   2 15:25 test   <---- created by autofs

但是当用户尝试 cd 进入测试目录时，他得到一个错误

test05@gui:/mnt$ cd test
bash: cd: test: File or directory not found (translated from german)

在自动挂载日志中，我发现了这条消息

cifs.upcall: get_tgt_time: unable to get principal

我认为这是我的问题，但我不知道如何解决。

当我将我的日志与我在 google 上找到的其他日志进行比较时，我发现 ccache 类型有所不同。
在我的日志中

cifs.upcall: get_cachename_from_process_env: pathname=/proc/2239/environ
cifs.upcall: get_cachename_from_process_env: cachename = MEMORY:_autofstkt
cifs.upcall: get_existing_cc: default ccache is MEMORY:_autofstkt

在所有其他日志中，我发现类似

cifs.upcall: get_cachename_from_process_env: pathname=/proc/1234/environ  
cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_12345678  

这是我的配置错误吗？

NSS 和 kerberos 身份验证似乎有效：

klist
Ticket cache: FILE:/tmp/krb5cc_10105_YxoDWF
Default principal: [email protected]

id test05
uid=10105(test05) gid=512(Domain Admins) Gruppen=512(Domain Admins)

ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:uid=test05,ou=users,dc=lan,dc=xxxxxxx,dc=net

自动挂载日志

Mar  2 16:01:28 gui automount[808]: handle_packet: type = 3
Mar  2 16:01:28 gui automount[808]: handle_packet_missing_indirect: token 9, name test, request pid 1753
Mar  2 16:01:28 gui automount[808]: attempting to mount entry /mnt/test
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): expanded entry: -fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5 ://srv.xxxxxxx.net/test
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): gathered options: fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): dequote("://srv.xxxxxxx.net/test") -> ://srv.xxxxxxx.net/test
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): core of entry: options=fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5, loc=://srv.xxxxxxx.net/test
Mar  2 16:01:28 gui automount[808]: sun_mount: parse(sun): mounting root /mnt, mountpoint test, what //srv.xxxxxxx.net/test, fstype cifs, options multiuser,user=test05,cruid=test05,sec=krb5
Mar  2 16:01:28 gui automount[808]: do_mount: //srv.xxxxxxx.net/test /mnt/test type cifs options multiuser,user=test05,cruid=test05,sec=krb5 using module generic
Mar  2 16:01:28 gui automount[808]: mount_mount: mount(generic): calling mkdir_path /mnt/test
Mar  2 16:01:28 gui automount[808]: mount_mount: mount(generic): calling mount -t cifs -o multiuser,user=test05,cruid=test05,sec=krb5 //srv.xxxxxxx.net/test /mnt/test
Mar  2 16:01:28 gui kernel: [ 2177.233113] CIFS: Attempting to mount //srv.xxxxxxx.net/test
Mar  2 16:01:28 gui kernel: [ 2177.233133] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Mar  2 16:01:28 gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv.xxxxxxx.net;ip4=192.168.1.121;sec=krb5;uid=0x0;creduid=0x2779;user=test05;pid=0x8bf
Mar  2 16:01:28 gui cifs.upcall: ver=2
Mar  2 16:01:28 gui cifs.upcall: host=srv.xxxxxxx.net
Mar  2 16:01:28 gui cifs.upcall: ip=192.168.1.121
Mar  2 16:01:28 gui cifs.upcall: sec=1
Mar  2 16:01:28 gui cifs.upcall: uid=0
Mar  2 16:01:28 gui cifs.upcall: creduid=10105
Mar  2 16:01:28 gui cifs.upcall: user=test05
Mar  2 16:01:28 gui cifs.upcall: pid=2239
Mar  2 16:01:28 gui cifs.upcall: get_cachename_from_process_env: pathname=/proc/2239/environ
Mar  2 16:01:28 gui cifs.upcall: get_cachename_from_process_env: cachename = MEMORY:_autofstkt
Mar  2 16:01:28 gui cifs.upcall: get_existing_cc: default ccache is MEMORY:_autofstkt
Mar  2 16:01:28 gui kernel: [ 2177.243918] CIFS VFS: Send error in SessSetup = -126
Mar  2 16:01:28 gui kernel: [ 2177.243931] CIFS VFS: cifs_mount failed w/return code = -2
Mar  2 16:01:28 gui cifs.upcall: get_tgt_time: unable to get principal
Mar  2 16:01:28 gui cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Mar  2 16:01:28 gui cifs.upcall: Exit status 1
Mar  2 16:01:28 gui automount[808]: >> mount error(2): No such file or directory
Mar  2 16:01:28 gui automount[808]: >> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Mar  2 16:01:28 gui automount[808]: mount(generic): failed to mount //srv.xxxxxxx.net/test (type cifs) on /mnt/test
Mar  2 16:01:28 gui automount[808]: dev_ioctl_send_fail: token = 9
Mar  2 16:01:28 gui automount[808]: failed to mount /mnt/test
Mar  2 16:01:28 gui automount[808]: handle_packet: type = 3
Mar  2 16:01:28 gui automount[808]: handle_packet_missing_indirect: token 10, name test, request pid 1753
Mar  2 16:01:28 gui automount[808]: dev_ioctl_send_fail: token = 10

sssd日志

==> /var/log/sssd/sssd_nss.log <==
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 10105
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #257: New request 'User by ID'
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #257: Performing a multi-domain search
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #257: Search will check the cache and check the data provider
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #257: Using domain [xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #257: Looking up UID:[email protected]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #257: Checking negative cache for [UID:[email protected]]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #257: [UID:[email protected]] is not present in negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #257: Looking up [UID:[email protected]] in cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #257: Returning [UID:[email protected]] from cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #257: Filtering out results by negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #257: Found 1 entries in domain xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #257: Finished: Success
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 512
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #258: New request 'Group by ID'
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #258: Performing a multi-domain search
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #258: Search will check the cache and check the data provider
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #258: Using domain [xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #258: Looking up GID:[email protected]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #258: Checking negative cache for [GID:[email protected]]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #258: [GID:[email protected]] is not present in negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #258: Looking up [GID:[email protected]] in cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #258: Object found, but needs to be refreshed.
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #258: Performing midpoint cache update of [GID:[email protected]]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x558d3052be70:2:[email protected]]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [xxxxxxx.net][0x2][BE_REQ_GROUP][idnumber=512:-]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x558d3052be70:2:[email protected]]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #258: Filtering out results by negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #258: Found 1 entries in domain xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #258: Finished: Success
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [nss_protocol_fill_members] (0x0400): Group [Domain Admins] member [[email protected]] filtered out! (negative cache)

==> /var/log/sssd/sssd_xxxxxxx.net.log <==
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=512]
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): DP Request [Account #34]: New request. Flags [0x0001].
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=lan,dc=xxxxxxx,dc=net]
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=512)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=lan,dc=xxxxxxx,dc=net].
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_process_missing_member_2307] (0x0400): Adding a ghost entry
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_save_group] (0x0400): Processing group Domain [email protected]
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_save_group] (0x0400): Storing info for group Domain [email protected]
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_done] (0x0400): DP Request [Account #34]: Request handler finished [0]: Erfolg
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [_dp_req_recv] (0x0400): DP Request [Account #34]: Receiving request data.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #34]: Finished. Success.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::xxxxxxx.net:idnumber=512] from reply table
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): DP Request [Account #34]: Request removed.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x558d3052be70:2:[email protected]]

ldap 日志

Mar  2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SRCH base="dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(gidNumber=512)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Mar  2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 fd=25 ACCEPT from IP=192.168.1.130:48108 (IP=0.0.0.0:389)
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=0 BIND dn="" method=163
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: 
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=1 BIND dn="" method=163
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: 
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND dn="" method=163
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND authcid="host/[email protected]" authzid="host/[email protected]"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND dn="cn=gui,ou=hosts,ou=sssd,ou=services,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=0 ssf=0
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 RESULT tag=97 err=0 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SRCH base="ou=auto.mnt,ou=automount,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(objectClass=automount)(|(cn=test)(cn=/)(cn=\2A)))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SRCH attr=cn automountInformation
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=4 UNBIND
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 fd=25 closed
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SRCH base="cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SRCH base="cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/[email protected]))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SRCH base="cn=user,cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SRCH attr=cn krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval krbpwdlockoutduration krbpwdattributes krbpwdmaxlife krbpwdmaxrenewablelife krbpwdallowedkeysalts
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SEARCH RESULT tag=101 err=0 nentries=1 text=

感谢您花时间查看我的问题

编辑：
/etc/krb5.conf（每台主机都一样）

[libdefaults]
    default_realm = XXXXXXX.NET
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    XXXXXXX.NET = {
        kdc = kerb.xxxxxxx.net
        admin_server = kerb.xxxxxxx.net
    }   
[domain_realm]
        .xxxxxxx.net = XXXXXXX.NET
        xxxxxxx.net = XXXXXXX.NET
[logging]
    default = FILE:/var/log/krb5.log

我已经根据本教程Integrated Kerberos-OpenLDAP provider on Debian squeeze在 Debian 10 系统上安装了 openLDAP、MIT Kerberos 和 SSD 。
这三个组件中的每一个都位于其自己的 Proxmox LXC 容器上。
ldap: 192.168.1.120 (ldap2)
Kerberos: 192.168.1.128 (kerb)
Client with SSD: 192.168.1.129 (test)
IPs可以通过DNS解析。

问题：
当我调用“id username”时，我没有得到任何结果。
但是使用相同的过滤器，我得到了 ldapsearch 的结果。

在“id test05”之后登录客户端（SSD 日志级别 6）

==> /var/log/sssd/sssd_nss.log <==
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [nss_getby_name] (0x0400): Input name: test05
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #1: New request 'User by name'
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_process_input] (0x0400): CR #1: Parsing input name [test05]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test05' matched without domain, user is test05
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_set_name] (0x0400): CR #1: Setting name [test05]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #1: Search will check the cache and check the data provider
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #1: Using domain [xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #1: Preparing input data for domain [xxxxxxx.net] rules
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #1: Looking up [email protected]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [[email protected]]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [[email protected]] is not present in negative cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [[email protected]] in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [[email protected]] was not found in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #1: Looking up [[email protected]] in data provider
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55bd0978aee0:1:[email protected]@xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [xxxxxxx.net][0x1][BE_REQ_USER][[email protected]:-]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55bd0978aee0:1:[email protected]@xxxxxxx.net]

==> /var/log/sssd/sssd_xxxxxxx.net.log <==
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][[email protected]]
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [ou=users,dc=lan,dc=xxxxxxx,dc=net]
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=lan,dc=xxxxxxx,dc=net].
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_done] (0x0400): DP Request [Account #3]: Request handler finished [0]: Success
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [_dp_req_recv] (0x0400): DP Request [Account #3]: Receiving request data.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #3]: Finished. Success.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::xxxxxxx.net:[email protected]] from reply table
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): DP Request [Account #3]: Request removed.
(Thu Jan 16 16:03:48 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [[email protected]] in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [[email protected]] was not found in cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_search_ncache_add_to_domain] (0x0400): CR #1: Adding [[email protected]] to negative cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/xxxxxxx.net/[email protected]] to negative cache
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55bd0978aee0:1:[email protected]@xxxxxxx.net]
(Thu Jan 16 16:03:48 2020) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

ldap2 主机上的 /var/log/syslog（只有 3 行日志级别为 256）

Jan 16 16:03:48 ldap2 slapd[238]: conn=1067 op=6 SRCH base="ou=users,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(uid=test05)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jan 16 16:03:48 ldap2 slapd[238]: conn=1067 op=6 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
Jan 16 16:03:48 ldap2 slapd[238]: conn=1067 op=6 SEARCH RESULT tag=101 err=32 nentries=0 text=

如您所见，openLDAP 搜索使用
base: ou=users,dc=lan,dc=xxxxxxx,dc=net
过滤器调用：

(&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) 

当我直接在 openLDAP 主机上进行此搜索时，我得到一个结果：

ldapsearch -Y GSSAPI -b ou=users,dc=lan,dc=xxxxxxx,dc=net "(&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))" cn  uid
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=lan,dc=xxxxxxx,dc=net> with scope subtree
# filter: (&(uid=test05)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
# requesting: cn uid 
#
.
# test05, users, lan.xxxxxxx.net
dn: uid=test05,ou=users,dc=lan,dc=xxxxxxx,dc=net
cn: test05
uid: test05

ldap2 主机上的 /var/log/syslog

Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 fd=24 ACCEPT from IP=[::1]:37252 (IP=[::]:389)
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=0 BIND dn="" method=163
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: 
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=1 BIND dn="" method=163
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: 
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 BIND dn="" method=163
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 BIND authcid="[email protected]" authzid="[email protected]"
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 BIND dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=256 ssf=256
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=2 RESULT tag=97 err=0 text=
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=3 SRCH base="ou=users,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(uid=test05)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=3 SRCH attr=cn uid
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 op=4 UNBIND
Jan 16 16:19:08 ldap2 slapd[238]: conn=1068 fd=24 closed
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 fd=24 ACCEPT from IP=[::1]:37254 (IP=[::]:389)
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=0 BIND dn="" method=163
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: 
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=1 BIND dn="" method=163
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: 
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 BIND dn="" method=163
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 BIND authcid="[email protected]" authzid="[email protected]"
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 BIND dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=256 ssf=256
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=2 RESULT tag=97 err=0 text=
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=3 SRCH base="ou=users,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(uid=test05)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=3 SRCH attr=cn uid
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 op=4 UNBIND
Jan 16 16:19:30 ldap2 slapd[238]: conn=1069 fd=24 closed

我的 SSSD 配置

cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
domains = xxxxxxx.net

[nss]
debug_level = 6
override_shell = /bin/bash
filter_users = root
filter_groups = root

[pam]
offline_credentials_expiration = 60

[domain/xxxxxxx.net]

# A domain with identities provided by LDAP and authentication by Kerberos

debug_level = 6
cache_credentials = true

# -- Authentication provider --
auth_provider = krb5
krb5_server = kerb.xxxxxxx.net
krb5_realm = XXXXXXX.NET
krb5_ccachedir = /tmp

# -- Access provider --
access_provider = permit

# -- Change Password provider --
chpass_provider = krb5

# -- Identity provider --
id_provider = ldap
ldap_uri = ldap://ldap2.xxxxxxx.net
ldap_search_base = dc=lan,dc=xxxxxxx,dc=net
ldap_user_search_base = ou=users,dc=lan,dc=xxxxxxx,dc=net

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test.xxxxxxx.net
ldap_krb5_keytab = /etc/ldap/ldap.keytab
ldap_krb5_init_creds = true

# -- SUDO provider -- 
sudo_provider = none

这是我的 LDAP 配置

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}"uid=ldapadm,cn=XXXXXXX.NET,cn=gssapi,cn=auth" "cn=admin,
 dc=lan,dc=xxxxxxx,dc=net"
olcAuthzRegexp: {1}"uid=([^,]+),cn=gssapi,cn=auth" "uid=$1,ou=users,dc=lan,dc=
 xxxxxxx,dc=net"
olcAuthzRegexp: {2}"uid=([^,]+),cn=XXXXXXX.NET,cn=gssapi,cn=auth" "uid=$1,ou
 =users,dc=lan,dc=xxxxxxx,dc=net"
olcAuthzRegexp: {3}"uid=host/([^,]+).XXXXXXX.NET,cn=xxxxxxx.net,cn=gssapi,
 cn=auth" "cn=$1,ou=hosts,dc=lan,dc=xxxxxxx,dc=net"
olcDisallows: bind_anon
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcRequires: authc
olcSaslHost: ldap2.xxxxxxx.net
olcSaslRealm: XXXXXXX.NET
olcTLSCACertificateFile: /etc/ssl/openldap/certs/ca-chain-cert.pem
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldap2-server-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldap2-server-key.pem
olcTLSProtocolMin: 3.1
olcToolThreads: 1

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=lan,dc=xxxxxxx,dc=net
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=lan,dc
 =xxxxxxx,dc=net" write by dn="cn=sssdman,ou=manager,dc=lan,dc=xxxxxxx,dc=
 net" read by dn="cn=mailman,ou=vmail,ou=services,dc=lan,dc=xxxxxxx,dc=net" 
 read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=vmail,ou=services,dc=lan,dc=xxxxxxx,dc=net" 
 by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=mailman,ou=vmail,
 ou=services,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymous auth 
 by * none
olcAccess: {3}to dn.subtree="cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" b
 y dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=adm-srv,cn=krb5,ou
 =services,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn=kdc-srv,cn=krb5,ou=serv
 ices,dc=lan,dc=xxxxxxx,dc=net" read by * none
olcAccess: {4}to * by dn="cn=admin,dc=lan,dc=xxxxxxx,dc=net" write by dn="cn
 =sssdman,ou=manager,dc=lan,dc=xxxxxxx,dc=net" read by self write by anonymo
 us auth by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=lan,dc=xxxxxxx,dc=net
olcRootPW: {SSHA}...

我现在正在为这个问题苦苦挣扎两天。谷歌没有帮助。

有人可以帮我解决这个问题吗？