我有一台 389 Directory Server（LDAP 目录服务器）。我的基础架构中同时有基于 Debian 和基于 Red Hat 的服务器。
Ubuntu 14–16 和 CentOS 6 的服务器都没有任何问题，但在 CentOS 7.x 上我遇到了 sssd 与 ldap 服务的问题。
我的所有更改都在下面逐步列出。我找不到遗漏或配置错误的地方，快要疯了。
亲爱的社区,我需要你的帮助。我知道它太长了。
[root@ldap-test-client]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@ldap-test-client]$ uname -a
Linux ldap-test-client 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
软件包信息：
[root@ldap-test-client]$ yum list installed |grep sssd
Failed to set locale, defaulting to C
python-sssdconfig.noarch 1.16.0-19.el7_5.5 @updates
sssd.x86_64 1.16.0-19.el7_5.5 @updates
sssd-ad.x86_64 1.16.0-19.el7_5.5 @updates
sssd-client.x86_64 1.16.0-19.el7_5.5 @updates
sssd-common.x86_64 1.16.0-19.el7_5.5 @updates
sssd-common-pac.x86_64 1.16.0-19.el7_5.5 @updates
sssd-ipa.x86_64 1.16.0-19.el7_5.5 @updates
sssd-krb5.x86_64 1.16.0-19.el7_5.5 @updates
sssd-krb5-common.x86_64 1.16.0-19.el7_5.5 @updates
sssd-ldap.x86_64 1.16.0-19.el7_5.5 @updates
sssd-proxy.x86_64 1.16.0-19.el7_5.5 @updates
[root@ldap-test-client]$ ps aux |grep sssd
root 697 0.0 0.5 282124 6036 ? Ss 11:09 0:00 /usr/sbin/sssd -i --logger=files
root 709 0.0 0.9 306216 9636 ? S 11:09 0:00 /usr/libexec/sssd/sssd_be --domain LDAP --uid 0 --gid 0 --logger=files
root 715 0.0 2.9 289932 29996 ? S 11:09 0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 716 0.0 0.5 269592 5520 ? S 11:09 0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
testuser+ 1391 0.0 0.0 112676 728 pts/0 R+ 11:17 0:00 grep --color=auto sssd
sssd 和 ldap 配置：
[root@ldap-test-client]$ pwd
/etc/sssd
[root@ldap-test-client]$ ll
total 8
drwx--x--x. 2 sssd sssd 23 Aug 6 11:19 conf.d
-rw------- 1 root root 933 Aug 6 11:31 sssd.conf
[root@ldap-test-client]$ cat sssd.conf
[domain/LDAP]
autofs_provider = ldap
cache_credentials = true
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = ou=People,dc=domain,dc=com
ldap_group_search_base = ou=groups,dc=domain,dc=com
ldap_sudo_search_base = ou=sudoers,dc=domain,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapserver.domain.com:389
ldap_id_use_start_tls = true
#ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_schema = rfc2307bis
#ldap_auth_disable_tls_never_use_in_production = true
#use_fully_qualified_names = True
#enumeration = False
debug_level = 9
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ldap
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[autofs]
[root@ldap-test-client]$ cat /etc/openldap/ldap.conf /etc/ldap.conf /etc/ssh/ldap.conf
#TLS_CACERTDIR /etc/openldap/cacerts
#TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT never
TLS never
URI ldap://ldapserver.domain.com:389
BASE ou=People,dc=domain,dc=com
ssh 和 nsswitch 配置：
[root@ldap-test-client]$ pwd
/etc/ssh
[root@ldap-test-client]$ cat sshd_config-edit
Port 22
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 15
PermitRootLogin no
MaxAuthTries 6
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 1800
ClientAliveCountMax 1
Subsystem sftp /usr/libexec/openssh/sftp-server
[root@ldap-test-client]$ cat ssh_config
Host *
GSSAPIAuthentication yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
[root@ldap-test-client]$ cat /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files sss
netmasks: files sss
networks: files sss
protocols: files sss
rpc: files sss
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
sudoers: files sss
[root@ldap-test-client]$ telnet ldapserver.domain.com 389
Trying 192.168.0.165...
Connected to 192.168.0.165.
Escape character is '^]'.
pam.d 中的 system-auth 和 password-auth 配置：
[root@ldap-test-client]$ pwd
/etc/pam.d
[root@ldap-test-client]$ cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@ldap-test-client]$ cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
sssd 日志和审计（audit）服务日志：
[root@ldap-test-client]$ tail -f /var/log/sssd/*
==> /var/log/sssd/ldap_child.log <==
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #2]: New request. Flags [0x0001].
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #2]: Receiving request data.
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #2]: Finished. Backend is currently offline.
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #2]: Request removed.
(Mon Aug 6 15:34:41 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd.log <==
==> /var/log/sssd/sssd_nss.log <==
(Mon Aug 6 15:34:41 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
==> /var/log/sssd/sssd_pam.log <==
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #3]: Receiving request data.
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #3]: Finished. Backend is currently offline.
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #3]: Request removed.
(Mon Aug 6 15:34:48 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd_nss.log <==
(Mon Aug 6 15:34:48 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #4]: Receiving request data.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #4]: Finished. Backend is currently offline.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #4]: Request removed.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd_nss.log <==
(Mon Aug 6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #5]: New request. Flags [0x0001].
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #5]: Receiving request data.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #5]: Finished. Backend is currently offline.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd_nss.log <==
(Mon Aug 6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #6]: Receiving request data.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #6]: Finished. Backend is currently offline.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd_nss.log <==
(Mon Aug 6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #7]: New request. Flags [0x0001].
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #7]: Receiving request data.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #7]: Finished. Backend is currently offline.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #7]: Request removed.
(Mon Aug 6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd_nss.log <==
(Mon Aug 6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
我正在尝试用 “ssh testuser@ldap-test-client” 命令进行 ssh 连接。该 ssh 请求出现在服务器的审计日志中。
[root@ldap-test-client]$ tail -f audit.log
type=CRYPTO_KEY_USER msg=audit(1533557907.241:533): pid=2043 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:13:c9:73:32:4e:40:e6:23:fa:01:94:01:1d:06:75:ee:40:cb:36:a8:4a:b2:b8:15:5c:d1:a5:bb:eb:80:d8:03 direction=? spid=2043 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1533557907.241:534): pid=2043 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:39:21:b3:e2:23:1d:49:5a:d9:b9:b2:c5:6a:24:01:df:45:89:fb:91:c5:19:61:43:ff:71:29:6f:1e:a7:32:fd direction=? spid=2043 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1533557907.241:535): pid=2043 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4a:94:74:27:67:91:8a:07:15:8f:d3:af:f7:2c:92:b4:25:4a:bd:5b:ae:78:82:5a:71:01:03:2c:0a:15:e2:c6 direction=? spid=2043 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1533557907.305:536): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=2043 suid=74 rport=53218 laddr=192.168.0.220 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.212.134.201 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1533557907.305:537): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=2043 suid=74 rport=53218 laddr=192.168.0.220 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.212.134.201 terminal=? res=success'
**The following lines appear after entering the password.**
type=USER_AUTH msg=audit(1533557924.276:538): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="?" exe="/usr/sbin/sshd" hostname=10.212.134.201 addr=10.212.134.201 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1533557926.436:539): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=10.212.134.201 terminal=ssh res=failed'
我的 ldap 连接测试：
[root@ldap-test-client]$ id testuser
uid=11000(testuser) gid=10010(sysmaster) groups=10010(sysmaster)
[root@ldap-test-client]$ ldapsearch -x -H ldap://ldapserver.domain.com:389 -b uid=testuser,ou=People,dc=domain,dc=com -s base -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=domain,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# testuser, People, domain.com
dn: uid=testuser,ou=People,dc=domain,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
gidNumber: 10010
uidNumber: 11000
mail: testuser@domain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: ldappublickey
objectClass: hostobject
objectClass: sudoers
objectClass: sudorole
uid: testuser
cn: Test User
homeDirectory: /home/testuser
host: ALL
sudoHost: ALL
sudoCommand: ALL
sudoOption: !aunthenticate
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1