openldap – AWS Simple AD: "KDC has no support for encryption type" for users created with adtool, but not for users created with the MS Management Console
Background

I am trying to log in (over SSH, to an Amazon Linux EC2 instance running sssd) as a user I created in AWS Directory Service Simple AD. I am using Kerberos for authentication and LDAP for user identification (all through sssd).
Problem

I cannot log in as a user created with adtool, which means I am having a hard time automating the addition of new users to Simple AD. When I try, the KDC says it has no support for the encryption type (I assume this refers to the user's password?). See the "Error message" section below.

However, I can log in as the built-in Administrator user, and as a user I created through the Microsoft Management Console on a domain-joined Windows Server 2008 EC2 instance. So my setup works, or at least partly works.
TL;DR: solution needed

I need to know what I am doing wrong with adtool that prevents me from logging in as the users it creates. I do not know what I did wrong, and I think this would be generally useful to people trying to do something similar to what I am doing. Details follow.
Error message

This is the sssd output when trying to log in as the user created with adtool:

    (Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [sss_child_krb5_trace_cb] (0x4000): [5459] 1451576135.446649: Response was from master KDC
    (Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [sss_child_krb5_trace_cb] (0x4000): [5459] 1451576135.446788: Received error from KDC: -1765328370/KDC has no support for encryption type
    (Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [get_and_save_tgt] (0x0020): 996: [-1765328370][KDC has no support for encryption type]
    (Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [map_krb5_error] (0x0020): 1065: [-1765328370][KDC has no support for encryption type]
    (Thu Dec 31 15:35:35 2015) [[sssd[krb5_child[5459]]]] [k5c_send_data] (0x0200): Received error code 1432158209

From the client side it says "Permission denied, please try again."
Architecture

Here is my architecture around Simple AD:

This setup lets me use LDAPS even though AWS Simple AD does not support it.

The Route 53 record for the ELB is directory.myTeam.mycompany.com, but the domain I am using for Simple AD is myTeam.mycompany.internal.
Configuration on the machine running sssd

/etc/sssd/sssd.conf:

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss,pam
    domains = myTeam

    [nss]
    default_shell = /bin/bash
    fallback_homedir = /home/%u
    ldap_user_home_directory = unixHomeDirectory

    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5

    [domain/myTeam]
    enumerate = true
    cache_credentials = TRUE
    id_provider = ldap
    ldap_uri = ldaps://directory.myTeam.mycompany.com
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    ldap_default_bind_dn = CN=test-user,CN=users,DC=myTeam,DC=mycompany,DC=internal
    ldap_default_authtok = REDACTED_password
    ldap_id_use_start_tls = true
    ldap_schema = AD
    ldap_force_upper_case_realm = true
    ldap_id_mapping = true
    ldap_search_base = CN=users,DC=internal
    ldap_user_uuid = none
    ldap_group_uuid = none
    chpass_provider = krb5
    auth_provider = krb5
    krb5_server = directory.myTeam.mycompany.com
    krb5_realm = MYTEAM.MYCOMPANY.INTERNAL
    krb5_changepw_principal = kadmin/changepw
    krb5_ccachedir = /tmp
    krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
    krb5_auth_timeout = 15
    krb5_canonicalize = True

/etc/sysconfig/authconfig:

    IPADOMAINJOINED=no
    USEMKHOMEDIR=yes
    USEPAMACCESS=no
    CACHECREDENTIALS=yes
    USESSSDAUTH=yes
    USESHADOW=yes
    USEWINBIND=no
    PASSWDALGORITHM=sha512
    FORCELEGACY=yes
    USEFPRINTD=no
    FORCESMARTCARD=no
    USEDB=no
    USELDAPAUTH=no
    USEPASSWDQC=no
    IPAV2NONTP=no
    WINBINDKRB5=no
    USELOCAUTHORIZE=yes
    USEECRYPTFS=no
    USECRACKLIB=yes
    USEIPAV2=no
    USEWINBINDAUTH=no
    USESMARTCARD=no
    USELDAP=yes
    USENIS=no
    USEKERBEROS=no
    USESYSNETAUTH=no
    USESSSD=yes
    USEPWQUALITY=yes
    USEHESIOD=no

Apart from these two files, I also made sure password authentication is enabled in sshd_config, and enabled sssd in the PAM modules with sudo authconfig --updateall --enablesssd --enablesssdauth.

/etc/pam.d/system-auth:

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so
    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     optional      pam_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so
Software versions

> uname -a: Linux ip-172-31-31-2 4.1.10-17.31.amzn1.x86_64 #1 SMP Sat Oct 24 01:31:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> sssd 1.12.2
> adtool 1.3.3
> openldap-clients 2.4.23-34.25.amzn1
Differences between the users

To show how these users differ in my directory, here is the output of querying them with ldapsearch from the instance running sssd.

User created with adtool (edit: you will see below that the pwdLastSet value is present; I believe it was not present originally, and its presence is the key to my answer):

    $ ldapsearch -LLL -H ldaps://directory.myTeam.mycompany.com -D CN=Administrator,DC=internal -x -W '(cn=test-user)'
    Enter LDAP password:
    dn: CN=test-user,CN=Users,DC=internal
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: test-user
    instanceType: 4
    whenCreated: 20151230204358.0Z
    displayName: Test user
    uSNCreated: 3532
    name: test-user
    objectGUID:: ZhfGzcqLd06x2UBU3UNiZQ==
    codePage: 0
    countryCode: 0
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAHWfr9xoaXwKvEcuoUwQAAA==
    accountExpires: 9223372036854775807
    sAMAccountName: test-user
    sAMAccountType: 805306368
    userPrincipalName: test-user@myTeam.mycompany.internal
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal
    userAccountControl: 512
    lockoutTime: 0
    whenChanged: 20151231150317.0Z
    uSNChanged: 3619
    pwdLastSet: 130960477970000000
    distinguishedName: CN=test-user,DC=internal

User created through the Microsoft Management Console:

    $ ldapsearch -LLL -H ldaps://directory.myTeam.mycompany.com -D CN=Administrator,DC=internal -x -W '(sAMAccountName=test-windows-2008)'
    Enter LDAP password:
    dn: CN=Test User,DC=internal
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Test User
    sn: User
    givenName: Test
    instanceType: 4
    whenCreated: 20151230223533.0Z
    whenChanged: 20151230223534.0Z
    displayName: Test User
    uSNCreated: 3563
    uSNChanged: 3563
    name: Test User
    objectGUID:: 2cuynP3/9EeRIm1fCUJ9jA==
    userAccountControl: 512
    codePage: 0
    countryCode: 0
    pwdLastSet: 130959885340000000
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAHWfr9xoaXwKvEcuoVwQAAA==
    accountExpires: 9223372036854775807
    sAMAccountName: test-windows-2008
    sAMAccountType: 805306368
    userPrincipalName: test-windows-2008@myTeam.mycompany.internal
    objectCategory: CN=Person,DC=internal
    distinguishedName: CN=Test User,DC=internal
The difference between my use of adtool and MMC was that MMC prompted me to initialize the user's password, but I forgot to do the same for the user created with adtool. The following steps fixed the problem, and it is repeatable:

    $ adtool userunlock -w REDACTED_password 'test-user'
    $ adtool setpass -w REDACTED_password test-user REDACTED_password

In my original question, I re-queried the original test user this morning, after a colleague had gone through the steps above to set the password, so the output shows the password as set; but it was not set last night when I tried to log in, hence the problem. When I tried to log in again today it worked, and after some investigation I found that this was the reason.

For now I can only speculate as to why the "KDC has no support for encryption type" message appeared: since there was no password, there were no encryption types. I would be glad to be corrected if I am wrong.

TL;DR: remember to unlock the user and set a password when using adtool instead of MMC.
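As an added diagnostic example (not code from the original question or answer), the script below parses the LDIF that ldapsearch -LLL prints and reports, for each user entry, whether the account is in a state a Kerberos password login can succeed in: it decodes pwdLastSet (a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC) and checks the documented userAccountControl bits and lockoutTime. The LDIF embedded in it is constructed for this example; the account names fresh-user and locked-user and the DN suffix are illustrative, and the two pwdLastSet values for test-user and test-windows-2008 are the ones from the ldapsearch output above, which decode to exactly their whenChanged timestamps.

```python
"""Diagnose AD user entries from ldapsearch LDIF output (added example, not from the post)."""
import base64
from datetime import datetime, timedelta, timezone

# Documented userAccountControl flag bits.
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010          # legacy bit; current AD uses lockoutTime instead
UAC_PASSWD_NOTREQD = 0x0020
UAC_NORMAL_ACCOUNT = 0x0200

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # the "never" sentinel seen in accountExpires


def parse_ldif(text):
    """Return a list of entries: dict of lower-cased attribute -> [values].
    Handles folded continuation lines (leading space) and base64 'attr:: v' values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def filetime_to_datetime(ft):
    """FILETIME -> aware datetime; 0 and the 'never' sentinel return None."""
    ft = int(ft)
    if ft in (0, FILETIME_NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def diagnose(entry):
    """Login-relevant state of one user entry."""
    def first(attr, default=None):
        return entry.get(attr.lower(), [default])[0]

    uac = int(first("userAccountControl", 0))
    pwd_last_set = filetime_to_datetime(first("pwdLastSet", 0))
    lockout_time = int(first("lockoutTime", 0))
    problems = []
    if pwd_last_set is None and not uac & UAC_PASSWD_NOTREQD:
        # Password never set, or reset with "must change at next logon":
        # the KDC holds no key of any encryption type for this principal.
        problems.append("pwdLastSet missing or 0: no usable password")
    if lockout_time:
        # Caveat: lockoutTime is not cleared when lockoutDuration expires,
        # so a non-zero value means "was locked", not necessarily "is locked".
        problems.append("lockoutTime != 0: account may be locked out")
    if uac & (UAC_ACCOUNTDISABLE | UAC_LOCKOUT):
        problems.append("userAccountControl marks the account disabled/locked")
    return {
        "sAMAccountName": first("sAMAccountName"),
        "pwdLastSet": pwd_last_set,
        "userAccountControl": uac,
        "problems": problems,
        "can_login": not problems,
    }


def report(ldif_text):
    """Map sAMAccountName -> diagnosis for every user entry in the LDIF."""
    diagnoses = (diagnose(e) for e in parse_ldif(ldif_text))
    return {d["sAMAccountName"]: d for d in diagnoses if d["sAMAccountName"]}


# Constructed sample: two entries modelled on the post, plus two failure cases.
SAMPLE_LDIF = """\
dn: CN=test-user,CN=Users,DC=myTeam,DC=mycompany,DC=internal
objectClass: user
sAMAccountName: test-user
objectGUID:: ZhfGzcqLd06x2UBU3UNiZQ==
userAccountControl: 512
lockoutTime: 0
whenChanged: 20151231150317.0Z
pwdLastSet: 130960477970000000

dn: CN=Test User,CN=Users,DC=myTeam,DC=mycompany,DC=internal
objectClass: user
sAMAccountName: test-windows-2008
userAccountControl: 512
whenChanged: 20151230223534.0Z
pwdLastSet: 130959885340000000

dn: CN=fresh-user,CN=Users,DC=myTeam,DC=mycompany,DC=internal
objectClass: user
sAMAccountName: fresh-user
userAccountControl: 512
lockoutTime: 0

dn: CN=locked-user,CN=Users,DC=myTeam,DC=mycompany,DC=internal
objectClass: user
sAMAccountName: locked-user
userAccountControl: 512
lockoutTime: 130960400000000000
pwdLastSet: 0
"""

if __name__ == "__main__":
    for name, d in report(SAMPLE_LDIF).items():
        print(f"{name}: pwdLastSet={d['pwdLastSet']} can_login={d['can_login']} {d['problems']}")
```

To run it against a live directory, pipe the output of the ldapsearch command from the post into `report()` (for example `report(sys.stdin.read())`); an account that shows up with "no usable password" is exactly the case the adtool userunlock/setpass steps above repair.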