CentOS 7 SSSD unable to create GSSAPI-encrypted LDAP connection

Problem description

I am setting up SSSD on CentOS 7 for the first time. We have a single forest but multiple domains:

xx.company.com
eu.company.com
na.company.com
ap.company.com

Trust relationships already exist between the domains. I am getting the following error:

Sep 16 12:56:46 XXA-ANSTLNX14 [sssd[ldap_child[4201]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/XXa-anstlnx14.eu.COMPANY.COM@EU.COMPANY.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

Here is the Kerberos configuration file:

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EU.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
XX.COMPANY.COM = {
kdc = XXa-XXdc01.XX.COMPANY.COM
kdc = XXc-XXdc01.XX.COMPANY.COM
kdc = XXs-XXdc01.XX.COMPANY.COM
admin_server = XXa-XXdc01.XX.COMPANY.COM
default_domain = XX.COMPANY.COM
}
EU.COMPANY.COM = {
kdc = XXa-eudc01.eu.COMPANY.COM
kdc = XXc-eudc01.eu.COMPANY.COM
kdc = XXs-eudc01.eu.COMPANY.COM
admin_server = XXa-eudc01.eu.COMPANY.COM
default_domain = eu.COMPANY.COM
}
NA.COMPANY.COM = {
kdc = XXa-nadc01.na.COMPANY.COM
kdc = XXc-nadc01.na.COMPANY.COM
kdc = XXs-nadc01.na.COMPANY.COM
admin_server = XXa-nadc01.na.COMPANY.COM
default_domain = na.COMPANY.COM
}
AP.COMPANY.COM = {
kdc = XXa-apdc01.ap.COMPANY.COM
kdc = XXc-apdc01.ap.COMPANY.COM
kdc = XXs-apdc01.ap.COMPANY.COM
admin_server = XXa-apdc01.ap.COMPANY.COM
default_domain = ap.COMPANY.COM
}
DMZ.COMPANY.COM = {
kdc = XXa-dmzdc01.dmz.COMPANY.COM
kdc = XXc-dmzdc01.dmz.COMPANY.COM
kdc = XXs-dmzdc01.dmz.COMPANY.COM
admin_server = XXa-dmzdc01.dmz.COMPANY.COM
default_domain = dmz.COMPANY.COM
}
COMPANY.COM = {
kdc = XXa-autdc01.COMPANY.COM
kdc = XXc-autdc01.COMPANY.COM
kdc = XXs-autdc01.COMPANY.COM
admin_server = XXa-autdc01.COMPANY.COM
default_domain = COMPANY.COM
}

[domain_realm]
.XX.COMPANY.COM = XX.COMPANY.COM
XX.COMPANY.COM = XX.COMPANY.COM
.eu.COMPANY.COM = EU.COMPANY.COM
eu.COMPANY.COM = EU.COMPANY.COM
.na.COMPANY.COM = NA.COMPANY.COM
na.COMPANY.COM = NA.COMPANY.COM
.ap.COMPANY.COM = AP.COMPANY.COM
ap.COMPANY.COM = AP.COMPANY.COM
.dmz.COMPANY.COM = DMZ.COMPANY.COM
dmz.COMPANY.COM = DMZ.COMPANY.COM
.COMPANY.COM = COMPANY.COM

I am not sure whether this is a Kerberos configuration problem (so far I can see that the keytab file has been generated) or whether something needs to be adjusted in SSSD.

# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/16/19 13:46:43 host/xxxa-anstlnx19.xxx.COMPANY.COM@xxx.COMPANY.COM (des-cbc-crc)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (des-cbc-crc)
   3 09/16/19 13:46:43 host/xxxa-anstlnx19.xxx.COMPANY.COM@xxx.COMPANY.COM (des-cbc-md5)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (des-cbc-md5)
   3 09/16/19 13:46:43 host/xxxa-anstlnx19.xxx.COMPANY.COM@xxx.COMPANY.COM (aes128-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (aes128-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 host/xxxa-anstlnx19.xxx.COMPANY.COM@xxx.COMPANY.COM (aes256-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (aes256-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 host/xxxa-anstlnx19.xxx.COMPANY.COM@xxx.COMPANY.COM (arcfour-hmac)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (arcfour-hmac)
   3 09/16/19 13:46:43 xxxA-ANSTLNX19$@xxx.COMPANY.COM (des-cbc-crc)
   3 09/16/19 13:46:43 xxxA-ANSTLNX19$@xxx.COMPANY.COM (des-cbc-md5)
   3 09/16/19 13:46:43 xxxA-ANSTLNX19$@xxx.COMPANY.COM (aes128-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 xxxA-ANSTLNX19$@xxx.COMPANY.COM (aes256-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 xxxA-ANSTLNX19$@xxx.COMPANY.COM (arcfour-hmac)

Thanks

Tags: active-directory, centos, centos7, sssd

Solution


To solve this problem, I edited the sssd configuration file, but added only one domain instead of all of them:

domains = xx.company.com
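The question boils down to a mismatch between the principal SSSD tries to use (a host principal in the EU realm) and what the host's keytab actually holds. The following Python script is an added example, not part of the original question or answer: it parses `klist -kte` output, pulls the client principal out of the SSSD log line, and reports whether the keytab lacks that realm entirely, holds the principal only with different letter case, or holds it exactly (in which case the account is missing on the KDC side). As a side check it lists deprecated encryption types found in the keytab (DES per RFC 6649, RC4 per RFC 8429). The sample keytab listing and log line are constructed with placeholder host and realm names.

```python
import re

# Constructed sample in the format of `klist -kte` (placeholder names, not a real host).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/16/19 13:46:43 host/xxxa-anstlnx19.xxx.COMPANY.COM@xxx.COMPANY.COM (des-cbc-crc)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (aes256-cts-hmac-sha1-96)
   3 09/16/19 13:46:43 host/xxxA-ANSTLNX19@xxx.COMPANY.COM (arcfour-hmac)
   3 09/16/19 13:46:43 xxxA-ANSTLNX19$@xxx.COMPANY.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed sample SSSD ldap_child log line (same shape as the one in the question).
SSSD_LOG_LINE = (
    "Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: "
    "Client 'host/XXa-anstlnx14.eu.COMPANY.COM@EU.COMPANY.COM' not found in "
    "Kerberos database. Unable to create GSSAPI-encrypted LDAP connection."
)

# DES enctypes are deprecated by RFC 6649, RC4 (arcfour-hmac) by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-exp"}

# One keytab entry: KVNO, "MM/DD/YY HH:MM:SS", principal, "(enctype)".
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")
CLIENT_RE = re.compile(r"Client '([^']+)' not found")


def parse_keytab_listing(text):
    """Return a list of {kvno, principal, enctype} dicts from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)),
                            "principal": m.group(3),
                            "enctype": m.group(4)})
    return entries


def client_principal(log_line):
    """Extract the principal the KDC rejected from the SSSD log line, or None."""
    m = CLIENT_RE.search(log_line)
    return m.group(1) if m else None


def split_principal(principal):
    """'host/fqdn@REALM' -> ('host/fqdn', 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def weak_enctypes(entries):
    """Sorted list of deprecated enctypes present in the keytab entries."""
    return sorted({e["enctype"] for e in entries if e["enctype"] in WEAK_ENCTYPES})


def diagnose(keytab_text, log_line):
    """Compare the rejected client principal against the keytab and explain the mismatch."""
    entries = parse_keytab_listing(keytab_text)
    wanted = client_principal(log_line)
    result = {"client": wanted, "client_realm": None, "keytab_realms": [],
              "findings": [], "weak_enctypes": weak_enctypes(entries)}
    if wanted is None:
        result["findings"].append("no rejected client principal found in the log line")
        return result
    _, wrealm = split_principal(wanted)
    realms = {split_principal(e["principal"])[1].upper() for e in entries}
    result["client_realm"] = wrealm
    result["keytab_realms"] = sorted(realms)

    if any(e["principal"] == wanted for e in entries):
        result["findings"].append(
            "keytab holds the exact principal; the KDC itself does not know it "
            "(check the computer object / SPN on the domain controller)")
    elif any(e["principal"].lower() == wanted.lower() for e in entries):
        result["findings"].append(
            "keytab holds the principal only with different letter case; "
            "Kerberos principal names are case-sensitive")
    elif wrealm.upper() not in realms:
        result["findings"].append(
            f"keytab has no key for realm {wrealm}; it only covers "
            f"{', '.join(sorted(realms))}, so the host was never joined to that "
            "realm and SSSD should not be configured with a domain from it")
    else:
        result["findings"].append("keytab covers the realm but not this host principal")

    if result["weak_enctypes"]:
        result["findings"].append(
            "keytab contains deprecated enctypes: " + ", ".join(result["weak_enctypes"]))
    return result


if __name__ == "__main__":
    report = diagnose(KLIST_OUTPUT, SSSD_LOG_LINE)
    print("rejected client:", report["client"])
    print("keytab realms:  ", report["keytab_realms"])
    for f in report["findings"]:
        print(" -", f)
```

Against the constructed sample the script reports that the keytab only covers XXX.COMPANY.COM while SSSD asked for EU.COMPANY.COM, which is the situation the accepted answer resolves by listing only the joined domain under `domains =`. On a real host, feed it the actual `klist -kte` output and the journal line from `sssd[ldap_child]`.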

