SSSD Integration with Microsoft AD for SSH Key based Login

Question

I have configured SSSD on a Linux machine which is connected to a Microsoft AD forest using Realm.

My end goal is to log in to the CentOS machine using the SSH keys stored in Microsoft AD.

Below are the setup details:

  • EC2 Windows for Microsoft AD
  • EC2 Amazon Linux with SSSD configured

I am able to log in to the Linux machine using the AD username and password.

I have now stored the SSH public keys in the Microsoft AD altSecurityIdentities user attribute as well as in the sshPublicKeys attribute.

Below is the config file for SSSD:

[sssd]
domains = test.com
config_file_version = 2
services = nss, pam, ssh, sudo
debug_level=10

[domain/test.com]
ad_domain = test.com
ad_server = test.com
krb5_realm = TEST.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
#SSH KEY FETCH
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

[nss]
debug_level=10

I am getting the below error in the sssd_nss logs:

[sssd[nss]] [cache_req_search_send] (0x0400): CR #476: Object found, but needs to be refreshed.
[sssd[nss]] [cache_req_search_dp] (0x0400): CR #476: Looking up [demo_user@test.com] in data provider
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55bf7f9683e0:3:demo_user@test.com@test.com]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [test.com][0x3][BE_REQ_INITGROUPS][name=demo_user@test.com:-]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x55bf80d3c120
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55bf7f9683e0:3:demo_user@test.com@test.com]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x55bf80d3c120
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x55bf80d27fe0
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #476: Data Provider Error: 3, 5, Failed to get reply from Data Provider
[sssd[nss]] [cache_req_common_dp_recv] (0x0400): CR #476: Due to an error we will return cached data
[sssd[nss]] [cache_req_search_cache] (0x0400): CR #476: Looking up [demo_user@test.com] in cache
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x55bf80d3bc90
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x55bf80d2bb90
[sssd[nss]] [ldb] (0x4000): Running timer event 0x55bf80d3bc90 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d2bb90 "ldb_kv_timeout"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d3bc90 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x55bf80d3bc90
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x55bf80d2bb90
[sssd[nss]] [ldb] (0x4000): Running timer event 0x55bf80d3bc90 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d2bb90 "ldb_kv_timeout"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d3bc90 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x55bf80d43d00
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x55bf80d41100
[sssd[nss]] [ldb] (0x4000): Running timer event 0x55bf80d43d00 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x55bf80d46b00
[sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x55bf80d46bd0
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d41100 "ldb_kv_timeout"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d43d00 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Running timer event 0x55bf80d46b00 "ldb_kv_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d46bd0 "ldb_kv_timeout"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bf80d46b00 "ldb_kv_callback"
[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #476: This request type does not support filtering result by negative cache
[sssd[nss]] [cache_req_search_done] (0x0400): CR #476: Returning updated object [demo_user@test.com]
[sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #476: Found 2 entries in domain test.com
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55bf7f9683e0:3:demo_user@test.com@test.com]
[sssd[nss]] [cache_req_done] (0x0400): CR #476: Finished: Success
[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: success

The sssd_ssh logs are below:

[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

When I try to log in using ssh with the below command:

ssh demo_user@test.com@<IP>

I get the below error:

demo_user@test.com@<IP>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I have tried the below things:

  • Dig

  • id demo_user@test.com

    uid=1277801117(demo_user) gid=1277800513(domain users) groups=1277800513(domain users)

I have tried restarting the SSSD daemon, as suggested in a few forums, but it did not help.

Is there a way I can make this work?

Solution

[sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
[sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #476: Data Provider Error: 3, 5, Failed to get reply from Data Provider
[sssd[nss]] [cache_req_common_dp_recv] (0x0400): CR #476: Due to an error we will return cached data

This tells you that the data provider is offline and the output you see with the id command is coming from the cache. Please check the SSSD domain log (sssd_*.test.com.log) to see why the client can't talk to the backend.

Once this is fixed, please verify your ssh_config is set up correctly to fetch the public key from AD. The following options need to be in this file:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root

You can verify that the ssh key proxy works as expected by running the tool manually:

# sss_ssh_authorizedkeys demo_user

But again, this will not work until the SSSD data provider can successfully talk to the AD backend.
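The answer above gives three things to check: whether the SSSD backend is offline, whether sshd is configured to ask SSSD for keys, and whether sss_ssh_authorizedkeys returns a key. Two caveats a practitioner will want alongside it: the AuthorizedKeysCommand and AuthorizedKeysCommandUser directives belong in the server's sshd_config (not the client's ssh_config), and sshd only runs the command if it is given as an absolute path, is owned by root and is not writable by group or others. An unprivileged account such as nobody is enough to query SSSD's ssh responder, so root as AuthorizedKeysCommandUser grants more than the lookup needs. The following Python is an added example, not code from the original post, SSSD or OpenSSH: it reproduces the three checks offline on constructed input (a log line and two sshd_config fragments modelled on the ones quoted on this page, plus a dummy ssh-ed25519 key line built in code). The function names, the finding strings, and the rules that trailing `#` comments are stripped and only the part before the first Match block is audited are this example's own assumptions.

```python
# Added example (not code from the original post, SSSD or OpenSSH): the answer's three
# checks reproduced offline on constructed input. Function and finding names are mine.
import base64
import struct
from typing import Dict, List, Optional

OFFLINE_MARKER = "org.freedesktop.sssd.Error.DataProvider.Offline"

def sssd_backend_offline(log_text: str) -> bool:
    """True if any responder log line reports the Data Provider as Offline.
    While offline the nss/pam/ssh responders answer from the local cache, so a
    successful `id` says nothing about whether AD is reachable."""
    return any(OFFLINE_MARKER in line for line in log_text.splitlines())

def sshd_authorized_keys_settings(config_text: str) -> Dict[str, str]:
    """Global AuthorizedKeysCommand* values from sshd_config text (or `sshd -T` output,
    whose keywords are lowercase). sshd keeps the first occurrence of a keyword.
    Assumptions: trailing '#' comments are stripped and only the section before
    the first Match block is audited."""
    found: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in ("authorizedkeyscommand", "authorizedkeyscommanduser") and key not in found:
            found[key] = parts[1].strip() if len(parts) > 1 else ""
    return found

def check_sshd_for_sssd(config_text: str) -> List[str]:
    """Findings about sshd's key-lookup wiring; an empty list means it looks right."""
    settings = sshd_authorized_keys_settings(config_text)
    cmd = settings.get("authorizedkeyscommand")
    if cmd is None or cmd == "none":
        return ["AuthorizedKeysCommand is unset: sshd never asks SSSD for keys"]
    findings: List[str] = []
    if not cmd.split()[0].endswith("sss_ssh_authorizedkeys"):
        findings.append("AuthorizedKeysCommand does not run sss_ssh_authorizedkeys: " + cmd)
    user = settings.get("authorizedkeyscommanduser")
    if user is None:
        findings.append("AuthorizedKeysCommandUser is unset: sshd refuses to start without it")
    elif user == "root":
        findings.append("AuthorizedKeysCommandUser is root: an unprivileged user such as nobody "
                        "can query the SSSD ssh responder, so root is more privilege than needed")
    return findings

def parse_openssh_pubkey(line: str) -> Optional[str]:
    """Key type if `line` is a well-formed OpenSSH public key line, else None.
    Only framing is checked: the base64 blob must decode and its first
    length-prefixed string must equal the declared type. sshd silently skips
    lines that fail this, which looks exactly like "no key in AD"."""
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    ktype, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    return ktype if raw[4:4 + n] == ktype.encode("ascii", "replace") else None

def triage(log_text: str, sshd_config_text: str, keys_output: str) -> List[str]:
    """All three checks in the order the answer gives them; empty list means all clear."""
    findings: List[str] = []
    if sssd_backend_offline(log_text):
        findings.append("SSSD Data Provider is Offline: fix AD connectivity before anything else")
    findings.extend(check_sshd_for_sssd(sshd_config_text))
    key_lines = [ln for ln in keys_output.splitlines() if ln.strip()]
    if not key_lines:
        findings.append("sss_ssh_authorizedkeys returned no keys")
    for ln in key_lines:
        if parse_openssh_pubkey(ln) is None:
            findings.append("malformed key line from AD, sshd will ignore it: " + ln[:40])
    return findings

def make_pubkey_line(ktype: str, payload: bytes) -> str:
    """Structurally valid key line for tests (constructed dummy, not a usable key)."""
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + struct.pack(">I", len(payload)) + payload
    return ktype + " " + base64.b64encode(blob).decode() + " demo_user@test.com"

# Constructed inputs, modelled on the log line and sshd settings quoted on this page.
SAMPLE_LOG = ("[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error "
              "[org.freedesktop.sssd.Error.DataProvider.Offline]\n")
SSHD_CONFIG_AS_ANSWERED = "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser root\n"
SSHD_CONFIG_LEAST_PRIV = "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n"
GOOD_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(32))

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SSHD_CONFIG_AS_ANSWERED, GOOD_KEY_LINE):
        print("FINDING:", finding)
```

On a real host the same three checks are `sssctl domain-status test.com` for the backend state, `sshd -T | grep -i authorizedkeyscommand` for the effective sshd settings (that lowercase output is accepted by sshd_authorized_keys_settings as-is), and `sss_ssh_authorizedkeys demo_user` for the key lines, which can be fed to parse_openssh_pubkey to confirm that what was pasted into altSecurityIdentities is something sshd will actually accept rather than a key that fails silently.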
