Linux-LDAP-AD (Active Directory) authentication: failed to log in with password (2024)

Dears,

I spent a lot of time on this and even verified (Auth) Linux-LDAP-openLDAP successfully, OK. But I got stuck with AD. Now I can switch to the user from the root account, but I cannot log in with the password ( pam_unix(sshd:auth): authentication failure ). I'll see if I can turn on pam debug and also raise the problem here. I want to list the detailed steps here to get help. I'm not sure whether it is related to the userPassword (I already set dsHeuristics to 000000001) or the unixUserPassword attribute, but I'll keep investigating.

  1. Windows Server 2012 R2 side (AD): Set up AD DS. Enable SSL for AD. Installed Identity Management for UNIX. Added attributes (uidNumber, gidNumber, unixHomeDirectory) to the global catalog in the schema. Added some users (luser02, which is the bind user, luser03, luser04) and a group (unixGrp2) with posixAccount / posixGroup respectively. To verify this, I can use ldapsearch on the target CentOS 6:

# extended LDIF
#
# LDAPv3
# base <DC=kelamayi,DC=com> with scope subtree
# filter: sAMAccountName=luser03
# requesting: ALL
#

# luser03, Users, kelamayi.com
dn: CN=luser03,CN=Users,DC=kelamayi,DC=com
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: luser03
givenName: luser03
distinguishedName: CN=luser03,CN=Users,DC=kelamayi,DC=com
instanceType: 4
whenCreated: 20180824095929.0Z
whenChanged: 20180824103333.0Z
displayName: luser03
uSNCreated: 24826
memberOf: CN=unigGrp2,DC=kelamayi,DC=com
memberOf: CN=unixGrp,DC=kelamayi,DC=com
uSNChanged: 24861
name: luser03
objectGUID:: Q/Bx5j48CEWikaDPlHoyRw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131795783694428731
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3G4iEdoCV++319XAWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: luser03
sAMAccountType: 805306368
userPrincipalName: [emailprotected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=kelamayi,DC=com
dSCorePropagationData: 16010101000000.0Z
uidNumber: 20003
gidNumber: 20001
unixHomeDirectory: /home/luser03
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.kelamayi.com/DC=ForestDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://DomainDnsZones.kelamayi.com/DC=DomainDnsZones,DC=kelamayi,DC=com

# search reference
ref: ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

I can also use the Java API to connect to AD with ldaps. The command ldapsearch -x -H ldap://114.116.43.118:389 -D "CN=luser02,CN=Users,DC=kelamayi,DC=com" -b "DC=kelamayi,DC=com" -W sAMAccountName=luser03 also works fine.

getent passwd luser03
luser03:*:20003:513:luser03:/home/luser03:/bin/bash
getent passwd 20002
luser02:*:20002:513:luser02:/home/luser02:/bin/bash
getent passwd 20003
luser03:*:20003:513:luser03:/home/luser03:/bin/bash

  2. Linux (CentOS 6): I'll list the configuration below.

grep -v '^$\|^\s*\#' /etc/nslcd.conf

binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw Passw0rd
uid nslcd
gid ldap
uri ldap://114.116.43.118:389/
base dc=kelamayi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
filter passwd (objectClass=user)
filter group (objectClass=group)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group uniqueMember member

grep -v '^$\|^\s*\#' /etc/openldap/ldap.conf

base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

grep -v '^$\|^\s*\#' /etc/pam_ldap.conf

base dc=kelamayi,dc=com
uri ldap://114.116.43.118:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

grep -v '^$\|^\s*\#' /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

grep -v '^$\|^\s*\#' /etc/pam.d/password-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

/etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

  3. Test and debug:

ssh log:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
(here pending for a while, about 10 seconds.)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[emailprotected]'s password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[emailprotected]'s password:

nslcd debug. I don't know why there is an "ldap_result() timed out" in the log before entering the password. (This performance problem was solved by Stefan. Thanks!)

nslcd: DEBUG: add_uri(ldap://114.116.43.118:389/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [8b4567] DEBUG: rebinding to ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://kelamayi.com/CN=Configuration,DC=kelamayi,DC=com")
nslcd: [8b4567] ldap_result() timed out
nslcd: [8b4567] DEBUG: ldap_abandon()
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [7b23c6] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [3c9869] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [334873] DEBUG: connection from pid=2856 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_byname(luser03)
nslcd: [334873] DEBUG: myldap_search(base="dc=kelamayi,dc=com", filter="(&(objectClass=user)(sAMAccountName=luser03))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://114.116.43.118:389/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_simple_bind_s("CN=luser02,CN=Users,DC=kelamayi,DC=com","***") (uri="ldap://114.116.43.118:389/")
nslcd: [334873] DEBUG: ldap_result(): end of results

/var/log/secure:

Aug 24 19:42:07 ecs-c191-0006 sshd[2856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.116.42.247 user=luser03

I tried to enable pam debug with this: link, but got another error when building:

patching file modules/pam_unix/pam_unix_passwd.c
Hunk #1 succeeded at 233 (offset -7 lines).
patching file modules/pam_unix/pam_unix.8.xml
patching file modules/pam_unix/passverify.c
Hunk #1 succeeded at 1088 (offset -7 lines).
patching file modules/pam_unix/passverify.h
patching file modules/pam_unix/support.c
Hunk #1 FAILED at 495.
1 out of 1 hunk FAILED -- saving rejects to file modules/pam_unix/support.c.rej

Hard days.....
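As an added example (not code from the original post): a small audit of the kind of nslcd.conf shown above. It parses the file's key/value format and flags the three things a reviewer would raise about the posted setup: a bind password sent over plaintext ldap:// with ssl off, referral chasing left at its default against AD (the nslcd log above shows exactly that rebind to a referral followed by an ldap_result() timeout), and a tls_reqcert that skips certificate checks. The option names are real nslcd.conf keys; the sample configs are constructed, with the password replaced and dc1.kelamayi.com an assumed hostname.

```python
# Added example, not code from the original post: audit an nslcd.conf for the
# settings that commonly bite AD deployments. Option names are real nslcd.conf
# keys; both sample configs below are constructed, with the password replaced.

def parse_nslcd_conf(text: str) -> dict[str, list[str]]:
    """Map each option to its values in order (keys such as 'map' repeat)."""
    opts: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):        # skip comments and blanks
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def audit_nslcd(text: str) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    opts = parse_nslcd_conf(text)
    last = lambda key, default: opts.get(key, [default])[-1].lower()
    uris = [u.lower() for u in opts.get("uri", [])]
    ssl_mode = last("ssl", "off")      # on|off|start_tls; yes/no also accepted
    ldaps = ssl_mode in ("on", "yes", "true", "1") or any(u.startswith("ldaps://") for u in uris)
    findings = []
    # 1. Bind credentials cross the wire in the clear: ldap:// and no STARTTLS.
    if "bindpw" in opts and not ldaps and ssl_mode != "start_tls":
        findings.append("bindpw is sent over plaintext ldap://; use ldaps:// or 'ssl start_tls'")
    # 2. Referral chasing is on by default; AD answers with DnsZones/Configuration
    #    referrals that hang in ldap_result() when the client cannot resolve them.
    if last("referrals", "yes") != "no":
        findings.append("referral chasing enabled; set 'referrals no' for AD")
    # 3. TLS is used, but the server certificate is effectively not verified.
    if (ldaps or ssl_mode == "start_tls") and last("tls_reqcert", "demand") in ("never", "allow"):
        findings.append("tls_reqcert disables certificate verification; use 'demand'")
    return findings

# Constructed sample mirroring the post's nslcd.conf (bindpw replaced).
AS_POSTED = """\
binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw PLACEHOLDER
uri ldap://114.116.43.118:389/
ssl no
"""
# Hardened counterpart; dc1.kelamayi.com is an assumed hostname.
HARDENED = """\
binddn CN=luser02,CN=Users,DC=kelamayi,DC=com
bindpw PLACEHOLDER
uri ldaps://dc1.kelamayi.com/
ssl on
tls_reqcert demand
referrals no
"""
```

Running audit_nslcd(AS_POSTED) reports the plaintext bindpw and the referral chasing, while audit_nslcd(HARDENED) returns an empty list.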

Article information

Author: Geoffrey Lueilwitz