Dears,
I spent a lot of time on this and even successfully verified (auth) Linux-LDAP-openLDAP OK. But I got stuck with AD. Now I can switch to the user from the root account, but I cannot log in with the password (pam_unix(sshd:auth): authentication failure). I'll see whether I can turn on PAM debugging and also raise the problem here. I want to list the detailed steps here to get help. I'm not sure whether it's related to the userPassword attribute (I have already set dsHeuristics to 000000001) or the unixUserPassword attribute, but I'll keep investigating.
- Windows 2012 R2 server side (AD): configured AD DS. Enabled SSL for AD. Installed Identity Management for UNIX. Added the attributes (uidNumber, gidNumber, unixHomeDirectory) to the global catalog in the schema. Added some users (luser02, which is the bind user, luser03, luser04) and a group (unixGrp2) with posixAccount / posixGroup respectively. To verify this, I can use ldapsearch on the target CentOS 6:
```
# extended LDIF
#
# LDAPv3
# base <DC=kelamayi,DC=com> with scope subtree
# filter: sAMAccountName=luser03
# requesting: ALL
#

# luser03, Users, kelamayi.com
dn: CN=luser03,CN=Users,DC=kelamayi,DC=com
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: luser03
givenName: luser03
distinguishedName: CN=luser03,CN=Users,DC=kelamayi,DC=com
instanceType: 4
whenCreated: 20180824095929.0Z
whenChanged: 20180824103333.0Z
displayName: luser03
uSNCreated: 24826
memberOf: CN=unigGrp2,DC=kelamayi,DC=com
memberOf: CN=unixGrp,DC=kelamayi,DC=com
uSNChanged: 24861
name: luser03
objectGUID:: Q/Bx5j48CEWikaDPlHoyRw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131795783694428731
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3G4iEdoCV++319XAWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: luser03
sAMAccountType: 805306368
userPrincipalName: [emailprotected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=kelamayi,DC=com
dSCorePropagationData: 16010101000000.0Z
uidNumber: 20003
gidNumber: 20001
unixHomeDirectory: /home/luser03
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.kelamayi.com/DC=ForestDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://DomainDnsZones.kelamayi.com/DC=DomainDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
```
I can also use the Java API to connect to AD over ldaps. The following ldapsearch also works fine:

```
ldapsearch -x -H ldap://114.116.43.118:389 -D "CN=luser02,CN=Users,DC=kelamayi,DC=com" -b "DC=kelamayi,DC=com" -W sAMAccountName=luser03
```
```
# getent passwd luser03
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
# getent passwd 20002
luser02:*:20002:513:luser02:/home/luser02:/bin/bash
# getent passwd 20003
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
```
- Linux (CentOS 6): I'll list the configuration below.
```
# grep -v '^$\|^\s*\#' /etc/nslcd.conf
binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw Passw0rd
uid nslcd
gid ldap
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
filter passwd (objectClass=user)
filter group (objectClass=group)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group uniqueMember member
```

```
# grep -v '^$\|^\s*\#' /etc/openldap/ldap.conf
base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
```

```
# grep -v '^$\|^\s*\#' /etc/pam_ldap.conf
base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
```

```
# grep -v '^$\|^\s*\#' /etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
```

```
# grep -v '^$\|^\s*\#' /etc/pam.d/password-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
```

```
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
```
- Test and debug:
ssh log:

```
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
(here it pends for a while, about 10 seconds)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[emailprotected]'s password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[emailprotected]'s password:
```
nslcd debug output. I don't know why there is an "ldap_result() timed out" in the log before the password is entered. (This performance issue was resolved by Stefan. Thanks!)
```
nslcd: DEBUG: add_uri(ldap://114.116.43.118:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [8b4567] DEBUG: rebinding to ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com")
nslcd: [8b4567] ldap_result() timed out
nslcd: [8b4567] DEBUG: ldap_abandon()
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [7b23c6] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [3c9869] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [334873] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [334873] DEBUG: ldap_result(): end of results
```
/var/log/secure:
```
Aug 24 19:42:07 ecs-c191-0006 sshd[2856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.116.42.247 user=luser03
```
I tried to enable PAM debugging with this: link, but got another error when building:
```
patching file modules/pam_unix/pam_unix_passwd.c
Hunk #1 succeeded at 233 (offset -7 lines).
patching file modules/pam_unix/pam_unix.8.xml
patching file modules/pam_unix/passverify.c
Hunk #1 succeeded at 1088 (offset -7 lines).
patching file modules/pam_unix/passverify.h
patching file modules/pam_unix/support.c
Hunk #1 FAILED at 495.
1 out of 1 hunk FAILED -- saving rejects to file modules/pam_unix/support.c.rej
```
Hard days .....
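The `auth` stack in the posted system-auth decides access from its control flags, not from any single module's log line, and the only line in /var/log/secure is pam_unix failing. The following Python is an added example, not code from the post or from Linux-PAM: it parses the `auth` lines of the posted system-auth and walks them with the four classic control keywords. The module outcomes are assumptions passed in by the caller (no fingerprint reader, no /etc/shadow entry for the LDAP user, an assumed result of the user's LDAP bind), so the trace shows which module actually decides the verdict for a user like luser03.

```python
"""Walk a PAM 'auth' stack the way Linux-PAM evaluates control flags.

Added example, not code from the post or from Linux-PAM.  Only the four
classic keywords (required, requisite, sufficient, optional) are modelled;
bracketed [value=action ...] controls are skipped.  Module outcomes are
assumptions supplied by the caller.
"""
from dataclasses import dataclass, field

# Constructed copy of the 'auth' lines from the posted /etc/pam.d/system-auth.
AUTH_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

# Modules whose result never depends on the user (assumed from their purpose).
FIXED = {"pam_env.so": True, "pam_deny.so": False, "pam_permit.so": True}


@dataclass
class Entry:
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_stack(text, facility="auth"):
    """Return the entries of one facility, in order, skipping bracketed controls."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility or parts[1].startswith("["):
            continue
        entries.append(Entry(parts[1], parts[2], parts[3:]))
    return entries


def evaluate(entries, outcomes):
    """Return (verdict, trace).  outcomes maps module -> True/False (assumed result)."""
    results = {**FIXED, **outcomes}
    trace = []
    required_failed = False
    for e in entries:
        ok = results.get(e.module, True)
        trace.append(f"{e.control:<10} {e.module:<18} {'success' if ok else 'failure'}")
        if e.control == "requisite" and not ok:
            trace.append("requisite failure: stack aborted")
            return "denied", trace
        if e.control == "required" and not ok:
            required_failed = True          # remembered; later modules still run
        if e.control == "sufficient" and ok and not required_failed:
            trace.append(f"sufficient {e.module} satisfied the stack")
            return "granted", trace
        # a failing 'sufficient' or 'optional' module is simply ignored
    return ("denied" if required_failed else "granted"), trace


def ldap_user_login(ldap_bind_ok, uid=20003):
    """Assumed outcomes for an LDAP-only user such as luser03."""
    outcomes = {
        "pam_fprintd.so": False,      # no fingerprint reader on a server
        "pam_unix.so": False,         # NSS hands back '*' as the hash: this is the
                                      # 'pam_unix(sshd:auth): authentication failure' line
        "pam_succeed_if.so": uid >= 500,
        "pam_ldap.so": ldap_bind_ok,  # assumed result of the user's own LDAP bind
    }
    return evaluate(parse_stack(AUTH_STACK), outcomes)


def local_user_login(password_ok):
    """Assumed outcomes for a user that exists in /etc/shadow."""
    outcomes = {"pam_fprintd.so": False, "pam_unix.so": password_ok, "pam_ldap.so": False}
    return evaluate(parse_stack(AUTH_STACK), outcomes)


if __name__ == "__main__":
    scenarios = {
        "luser03, LDAP bind succeeds": ldap_user_login(True),
        "luser03, LDAP bind fails": ldap_user_login(False),
        "LDAP user with uid < 500": ldap_user_login(True, uid=499),
        "local user, correct password": local_user_login(True),
    }
    for label, (verdict, trace) in scenarios.items():
        print(f"== {label}: {verdict}")
        print("\n".join("   " + t for t in trace))
```

The trace for luser03 shows pam_unix failing as a `sufficient` module, which the stack ignores, so that /var/log/secure line is expected for any LDAP-only user; the verdict is decided by pam_ldap's bind, which is the step to investigate (pam_ldap logs its own failure line when its bind is rejected).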
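The nslcd debug output above shows request 8b4567 rebinding to the referral ldap://kelamayi.com/CN=Configuration,... and then reporting "ldap_result() timed out", which matches the pause seen in the ssh log. The following Python is an added example, not code from the post or from nss-pam-ldapd: it groups nslcd debug lines by request id, flags a request that chased a referral and timed out, and lints the posted nslcd.conf for settings worth questioning. The log excerpt and config are constructed from the values posted above (bind password replaced by a placeholder); `referrals` is the real nslcd.conf(5) option for disabling referral chasing, while the finding tags are my own.

```python
"""Spot referral chases and timeouts in nslcd debug output, and lint nslcd.conf.

Added example, not code from the post or from nss-pam-ldapd.  SAMPLE_LOG and
SAMPLE_CONF are constructed from the values in the post (bindpw redacted).
"""
import re

SAMPLE_LOG = """\
nslcd: version 0.7.5 starting
nslcd: [8b4567] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [8b4567] DEBUG: rebinding to ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com")
nslcd: [8b4567] ldap_result() timed out
nslcd: [7b23c6] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
"""

SAMPLE_CONF = """\
binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw <REDACTED-BIND-PASSWORD>
uid nslcd
gid ldap
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
"""

LINE_RE = re.compile(r"^nslcd: \[(?P<rid>[0-9a-f]+)\] (?:DEBUG: )?(?P<msg>.*)$")
BIND_RE = re.compile(r'ldap_simple_bind_s\(.*\) \(uri="(?P<uri>[^"]+)"\)')


def analyze_log(text):
    """Group lines by nslcd request id; record lookup, bind URIs, referrals, timeouts."""
    reqs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # daemon-level lines carry no request id
            continue
        r = reqs.setdefault(m["rid"], {"lookup": None, "binds": [], "referrals": [], "timed_out": False})
        msg = m["msg"]
        if msg.startswith("nslcd_"):
            r["lookup"] = msg
        elif msg.startswith("rebinding to "):
            r["referrals"].append(msg[len("rebinding to "):])
        elif msg.startswith("ldap_result() timed out"):
            r["timed_out"] = True
        else:
            b = BIND_RE.search(msg)
            if b:
                r["binds"].append(b["uri"])
    return reqs


def log_findings(reqs):
    """One line per request that chased a referral and then timed out."""
    return [
        f"{rid}: {r['lookup']} rebound to {r['referrals'][0]} and timed out; "
        "set 'referrals no' in nslcd.conf"
        for rid, r in reqs.items() if r["referrals"] and r["timed_out"]
    ]


def check_nslcd_conf(text):
    """Return finding tags for settings a defender would question."""
    opts = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    issues = []
    uri = opts.get("uri", [""])[0]
    if uri.startswith("ldap://") and opts.get("ssl", ["no"])[0] == "no":
        issues.append("cleartext-ldap")          # simple binds send passwords unencrypted
    if "referrals" not in opts:
        issues.append("referrals-not-disabled")  # AD hands out referrals nslcd will chase
    if "bindpw" in opts:
        issues.append("bindpw-in-file")          # keep the file readable by root only
    return issues


if __name__ == "__main__":
    for finding in log_findings(analyze_log(SAMPLE_LOG)):
        print(finding)
    print(check_nslcd_conf(SAMPLE_CONF))
```

The log check isolates the referral chase that precedes the timeout; the config check points at `ssl no` with a plain `ldap://` URI (both the bind password and, via pam_ldap, every user password cross the network unencrypted, which is also what the AD side's "Enable SSL" step was meant to avoid) and at the bind password stored in the file.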