For the love of all that is holy, I have been at this for 12 hours straight.
I added my CentOS machine to an AWS Simple AD service, following the steps outlined here:
https://docs.aws.amazon.com/directoryservice/latest/adminguide/join_windows_instance.html
and added the "test user" outlined here: https://aws.amazon.com/blogs/security/how-to-manage-identities-in-simple-ad-directories/
I can see that the realm is configured properly:
[root@testhost home]# realm discover corp.example.com
type: kerberos
realm-name: CORP.EXAMPLE.COM
domain-name: corp.example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@corp.example.com
login-policy: allow-realm-logins
The realm list command also works and shows the same information.
Running the following lists the users:
[root@testhost home]# net ads user -S corp.example.com
AWSAdminD-97672D7BEE
Administrator
testuser
krbtgt
Guest
However, when I query the user with an id command like so:
[root@testhost home]# id testuser@corp.example.com
id: testuser@corp.example.com: no such user
My krb5.conf is:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = CORP.EXAMPLE.COM
[realms]
CORP.EXAMPLE.COM = {
default_domain = corp.example.com
kdc = corp.example.com
admin_server = corp.example.com
}
[domain_realm]
corp.example.com = CORP.EXAMPLE.COM
.corp.example.com = CORP.EXAMPLE.COM
And my sssd.conf is:
[sssd]
domains = corp.example.com
config_file_version = 2
services = nss, pam
debug_level = 9
default_domain_suffix = corp.example.com
[domain/corp.example.com]
enumerate = True
ad_server = corp.example.com
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9
My logs show this in /var/log/messages; it may be a red herring, I'm not sure:
sssd[be[corp.example.com]]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
My /var/log/sssd/sssd_corp.example.com.log shows the following when I make an id request for the user:
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #145]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #145]: Receiving request data.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::corp.example.com:testuser@corp.example.com] from reply table
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #145]: Request removed.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x56430d094580
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][testuser@corp.example.com]
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #146]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #146]: Receiving request data.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #146]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:corp.example.com:testuser@corp.example.com] from reply table
Why can't I list users from AD after joining the realm?
This was resolved by adding the DNS servers to /etc/resolv.conf:
nameserver <dns1>
nameserver <dns2>
instead of mapping the domain corp.example.com to the IP of the KDC/AD directory address in /etc/hosts.
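The answer above points at the root cause: an AD client locates its domain controllers through DNS SRV records, and a static entry in /etc/hosts answers plain name lookups but can never supply SRV records, so the host has to use the directory's own nameservers. As an added example (not part of the original question or answer), here is a small POSIX shell pre-flight script that checks for exactly that misconfiguration and recognises the two log markers seen in the post. The function names, the files under $tmpdir and all sample file contents are constructed for this example; only the live SRV check needs a real host and is not executed in the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks that surface the
# DNS misconfiguration described in the answer. All file contents below are
# constructed samples; function names and the paths under $tmpdir are assumptions.

# Does a hosts file pin the AD domain name to a fixed address? A line such as
# "10.0.0.10 corp.example.com" satisfies plain name lookups but cannot supply the
# SRV records that realmd/SSSD use to locate domain controllers.
hosts_pins_domain() {  # $1 = hosts file, $2 = AD domain; exit 0 if pinned
    grep -v '^[[:space:]]*#' "$1" | awk -v d="$2" '
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# How many nameserver lines does a resolv.conf carry? (prints the count)
count_nameservers() {  # $1 = resolv.conf
    grep -c '^[[:space:]]*nameserver[[:space:]]' "$1"
}

# Did the SSSD domain log record the backend going offline? In that state every
# lookup finishes with "Backend is currently offline" and id(1) reports
# "no such user" even though the join itself succeeded.
sssd_backend_offline() {  # $1 = sssd_<domain>.log; exit 0 if the marker is present
    grep -q 'Backend is currently offline' "$1"
}

# Did the system log carry the GSSAPI error meaning that the service principal
# the client asked for does not exist in the KDC?
gssapi_server_not_found() {  # $1 = syslog file; exit 0 if present
    grep -q 'Server not found in Kerberos database' "$1"
}

# Live check for a joined host (needs dig and the directory's DNS): the DC locator
# record must resolve. Not executed in the demo below because it needs the network.
dc_srv_record_present() {  # $1 = AD domain
    [ -n "$(dig +short SRV "_ldap._tcp.dc._msdcs.$1")" ]
}

# --- constructed samples mirroring the situation in the post ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/hosts" <<'EOF'
127.0.0.1   localhost
# the workaround that broke DC discovery (constructed sample):
10.0.0.10   corp.example.com
EOF

cat > "$tmpdir/resolv.conf" <<'EOF'
search corp.example.com
nameserver 10.0.0.10
nameserver 10.0.0.11
EOF

cat > "$tmpdir/sssd_corp.example.com.log" <<'EOF'
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
EOF

cat > "$tmpdir/messages" <<'EOF'
Jun 29 20:27:21 testhost sssd[be[corp.example.com]]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
EOF

# --- report ---
if hosts_pins_domain "$tmpdir/hosts" corp.example.com; then
    echo "WARN: hosts file pins corp.example.com; SRV-based DC discovery cannot work"
fi
echo "nameserver entries in resolv.conf: $(count_nameservers "$tmpdir/resolv.conf")"
if sssd_backend_offline "$tmpdir/sssd_corp.example.com.log"; then
    echo "WARN: SSSD backend went offline; lookups fail until DNS is fixed"
fi
if gssapi_server_not_found "$tmpdir/messages"; then
    echo "WARN: KDC has no entry for the service principal the client requested"
fi
```

On a real host, point the functions at /etc/hosts, /etc/resolv.conf, /var/log/sssd/sssd_<domain>.log and /var/log/messages, and run dc_srv_record_present with the domain name: if the hosts file pins the domain and the SRV record does not resolve, fix resolv.conf first, then restart sssd and clear its cache before retrying the id lookup.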