
Having issues with SSSD installed on a remote desktop (running CentOS 7), and occasionally having trouble logging in with my AD credentials (including via ssh). Logging in as root and checking the status of the sssd process, I see...

[root@airflowetl tmp]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-22 16:52:28 HST; 8 months 6 days ago
 Main PID: 122026 (sssd)
   CGroup: /system.slice/sssd.service
           ├─122026 /usr/sbin/sssd -i --logger=files
           ├─122027 /usr/libexec/sssd/sssd_be --domain co.local --uid 0 --gid 0 --logger=files
           ├─122028 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─122029 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 2
Sep 29 00:57:35 airflowetl.co.local [sssd[krb5_child[28812]]][28812]: KDC has no support for encryption type
Sep 29 00:57:49 airflowetl.co.local [sssd[krb5_child[28986]]][28986]: KDC has no support for encryption type
Sep 29 00:57:49 airflowetl.co.local [sssd[krb5_child[28986]]][28986]: KDC has no support for encryption type
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed

From here I can su into my regular AD-linked account, and usually after some time I see...

[root@airflowetl tmp]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-22 16:52:28 HST; 8 months 6 days ago
 Main PID: 122026 (sssd)
   CGroup: /system.slice/sssd.service
           ├─122026 /usr/sbin/sssd -i --logger=files
           ├─122027 /usr/libexec/sssd/sssd_be --domain co.local --uid 0 --gid 0 --logger=files
           ├─122028 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─122029 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Sep 29 01:02:15 airflowetl.co.local [sssd[krb5_child[32905]]][32905]: KDC has no support for encryption type
Sep 29 01:02:15 airflowetl.co.local [sssd[krb5_child[32905]]][32905]: KDC has no support for encryption type
Sep 29 01:02:15 airflowetl.co.local [sssd[krb5_child[32905]]][32905]: KDC has no support for encryption type
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd[be[co.local]][122027]: GSSAPI Error: Unspecified GSS failure.  Minor code may p...ype)
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 2

...and then trying to log in to the remote desktop with my AD credentials does work (IDK if su-ing from root into my account has anything to do with this).

My /etc/krb5.conf file looks like...

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = CO.LOCAL
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 CO.LOCAL = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 co.local = CO.LOCAL
 .co.local = CO.LOCAL

Does anyone know why this is happening? Any further debugging suggestions (hard to test, since it seems to happen rarely and I don't have enough experience with SSSD to force it to happen)?

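Added example, not part of the question or of SSSD itself: a small Python triage script that parses journal lines in the format shown in the status output above and reports how many Kerberos failures each krb5_child PID produced and over what time span, which is a quick way to correlate bursts of "KDC has no support for encryption type" / "Preauthentication failed" with the intermittent login problems. The sample lines are copied from the first status output in the question; the year is an assumed constant because syslog-style timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One journal line as shown by `systemctl status sssd`: timestamp, host,
# process tag (e.g. sssd_be or [sssd[krb5_child[28812]]]), pid, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Failure messages quoted in the question; anything else is ignored.
KERBEROS_FAILURES = (
    "KDC has no support for encryption type",
    "Preauthentication failed",
    "GSSAPI Error",
)

def parse_line(line):
    """Split one journal line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, year=2020):
    """Return (counts per message, counts per pid, seconds from first to last failure)."""
    # year is an assumed constant: syslog-style timestamps carry no year.
    counts, per_pid, stamps = Counter(), defaultdict(Counter), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = next((f for f in KERBEROS_FAILURES if f in rec["msg"]), None)
        if hit is None:
            continue  # e.g. the normal "GSSAPI client step N" progress lines
        counts[hit] += 1
        per_pid[rec["pid"]][hit] += 1
        stamps.append(datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S"))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return counts, dict(per_pid), span

# Sample input copied from the first `systemctl status sssd` output in the question.
SAMPLE = """\
Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 2
Sep 29 00:57:35 airflowetl.co.local [sssd[krb5_child[28812]]][28812]: KDC has no support for encryption type
Sep 29 00:57:49 airflowetl.co.local [sssd[krb5_child[28986]]][28986]: KDC has no support for encryption type
Sep 29 00:57:49 airflowetl.co.local [sssd[krb5_child[28986]]][28986]: KDC has no support for encryption type
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed
""".splitlines()
```

To run it against the live machine, feed it `journalctl -u sssd --no-pager` output instead of SAMPLE; a span of a few seconds with several krb5_child PIDs points at repeated authentication attempts rather than one hung child.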