Background
Recently the DBAs reported that several CentOS 7 hosts could no longer be logged into with domain accounts; every attempt ended with "Permission denied". The domain account password was confirmed correct, and root could still log in, but domain accounts simply could not. Since CentOS 7.3 replaced winbind with SSSD, I tried restarting the SSSD service, but the fault persisted. SSSD restarted cleanly, yet after the restart it reported an authentication failure:
Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.targetmachine.com user
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: pam_sss(sshd:auth): received for user sujx: 7 (Authentication failure)
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: Failed password for sujx from 172.17.0.159 port 53160 ssh2
Checking the sssd log then showed that the cause was an error with the krb5.keytab file:
sshd[31442]: pam_krb5[31442]: error reading keytab 'FILE:/etc/krb5.keytab'
Solution
Automatically renew the Kerberos host key
yum install -y adcli
# Configure /etc/sssd/sssd.conf (this option belongs in the [domain/targetmachine.com] section)
# Renew the Kerberos machine-account key automatically every 30 days
ad_maximum_machine_account_password_age = 30
# Restart the service after the change
systemctl restart sssd
Re-join the domain
realm leave targetmachine.com
realm join targetmachine.com -U sujx   # enter the password of a domain account that has join rights
systemctl restart sssd
Log in again
# Log in to the host again with the domain account
# Use klist to check when the Kerberos keys in the keytab were generated
yum install -y krb5-workstation
klist -kt /etc/krb5.keytab
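As an added example (not code from the original post), the following shell script ties the diagnosis and the fix together: it recognises the log pattern from the Background section (krb5_child preauthentication failures together with a pam_krb5 keytab read error), reads ad_maximum_machine_account_password_age from an sssd.conf fragment, and decides from klist -kt output whether the newest host key is older than that renewal age. The sample log, klist output and sssd.conf text are constructed for the example; the principals and KVNO values are made up. It assumes GNU date (date -d) and the default klist timestamp format MM/DD/YYYY HH:MM:SS; check_host_keytab is the live variant that runs klist on a real host, while the rest runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): triage the symptom described in the
# post and check the host keytab that SSSD/pam_krb5 read. Assumes GNU date
# (date -d) and the default "klist -kt" timestamp format MM/DD/YYYY HH:MM:SS.

# Constructed sample of the messages shown in the post (not a real capture).
SAMPLE_LOG="Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: pam_sss(sshd:auth): received for user sujx: 7 (Authentication failure)
Mar 21 16:06:02 test.targetmachine.com sshd[31442]: pam_krb5[31442]: error reading keytab 'FILE:/etc/krb5.keytab'"

# Constructed "klist -kt /etc/krb5.keytab" output; KVNO and principals are made up.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2019 10:15:22 host/test.targetmachine.com@TARGETMACHINE.COM
   2 01/10/2019 10:15:22 TEST$@TARGETMACHINE.COM'

# Constructed sssd.conf fragment with a non-default renewal age.
SAMPLE_CONF='[domain/targetmachine.com]
ad_domain = targetmachine.com
ad_maximum_machine_account_password_age = 45'

# log_suggests_keytab_problem LOGTEXT: succeeds when the log shows both
# krb5_child preauthentication failures and a keytab read error, i.e. the
# combination that pointed at the host keytab rather than a wrong user password.
log_suggests_keytab_problem() {
    printf '%s\n' "$1" | grep -q 'krb5_child.*Preauthentication failed' &&
        printf '%s\n' "$1" | grep -q 'error reading keytab'
}

# sssd_max_age CONFTEXT: print ad_maximum_machine_account_password_age, or the
# SSSD default of 30 days when the option is not set.
sssd_max_age() {
    v=$(printf '%s\n' "$1" |
        awk -F= '/^[[:space:]]*ad_maximum_machine_account_password_age[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2 }' |
        tail -n 1)
    echo "${v:-30}"
}

# keytab_latest_epoch KLISTTEXT: print the newest key timestamp as epoch seconds
# (empty when the keytab has no entries). Entry lines start with a numeric KVNO.
keytab_latest_epoch() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ { print $2 " " $3 }' |
        while read -r d t; do date -d "$d $t" +%s; done |
        sort -n | tail -n 1
}

# keytab_is_stale KLISTTEXT NOW_EPOCH MAX_DAYS: succeeds when the newest key is
# older than MAX_DAYS (an empty keytab counts as stale).
keytab_is_stale() {
    newest=$(keytab_latest_epoch "$1")
    [ -z "$newest" ] && return 0
    age_days=$(( ($2 - newest) / 86400 ))
    [ "$age_days" -gt "$3" ]
}

# check_host_keytab [KEYTAB]: the live check for a real host. Returns 2 if the
# file cannot be read (the pam_krb5 error from the post), 1 if its keys are past
# the configured renewal age, 0 if it looks healthy.
check_host_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    if [ ! -r "$keytab" ]; then
        echo "ERROR: cannot read $keytab" >&2
        return 2
    fi
    out=$(klist -kt "$keytab") || return 2
    max=$(sssd_max_age "$(cat /etc/sssd/sssd.conf 2>/dev/null)")
    if keytab_is_stale "$out" "$(date +%s)" "$max"; then
        echo "WARNING: newest key in $keytab is older than $max days; re-join with realm or let adcli renew it"
        return 1
    fi
    echo "OK: $keytab has a key newer than $max days"
}

# Offline demonstration on the constructed samples (the post's log date is Mar 21):
if log_suggests_keytab_problem "$SAMPLE_LOG"; then
    echo "log points at the host keytab"
fi
if keytab_is_stale "$SAMPLE_KLIST" "$(date -d '2019-03-21 16:06:02' +%s)" "$(sssd_max_age "$SAMPLE_CONF")"; then
    echo "sample keytab is stale: re-join or renew"
fi
```

On a joined host, run check_host_keytab from a cron job or a monitoring check so that a keytab that stops being readable or drifts past the renewal age is noticed before users start seeing "Permission denied".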
Common commands
# Discover the domain
[root@test ~]# realm discover targetmachine.com
targetmachine.com
  type: kerberos
  realm-name: targetmachine.com
  domain-name: targetmachine.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
targetmachine.com
  type: kerberos
  realm-name: targetmachine.com
  domain-name: targetmachine.com
  configured: no

# List the current domain information
[root@test ~]# realm list --all
targetmachine.com
  type: kerberos
  realm-name: targetmachine.com
  domain-name: targetmachine.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

# Join the domain
realm join targetmachine.com -U admin
# Leave the domain
realm leave targetmachine.com

References