
Проблема с настройкой sssd и pam


Есть система на alt linux (kworkstation 8.3), которую нужно вогнать в домен AD. Конфигурация файлов:

hosts: 192.168.100.1 aaa-dc-01 aaa-dc-01.insite.aaaaaa.com aaa insite.aaaaaa.com

krb5.conf:
# Kerberos client configuration for the INSITE.AAAAAA.COM realm.
# Drop-ins from the directory below are merged in as well, so a setting
# not visible in this file may still be in effect.
#includedir /etc/krb5.conf.d/

# NOTE(review): "[logging]" and "default = ..." are printed on one line
# here; presumably a forum line wrap and two lines in the real file.
[logging] default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = INSITE.AAAAAA.COM
# KDC and realm mapping are pinned statically in [realms]/[domain_realm]
# below, so DNS-based discovery is switched off.
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Tickets are requested forwardable (a login can hand its TGT on).
forwardable = true
# Do not use reverse DNS when canonicalising service host names.
rdns = false
# default_realm = EXAMPLE.COM
# NOTE(review): commented out here, yet the klist output further down shows
# a KEYRING:persistent ccache — presumably set by a drop-in; confirm.
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
INSITE.AAAAAA.COM = {
kdc = aaa-dc-01.insite.aaaaaa.com
master_kdc = aaa-dc-01.insite.aaaaaa.com
# The closing brace shares the admin_server line; valid, but usually on its own line.
admin_server = aaa-dc-01.insite.aaaaaa.com }

[domain_realm]
# Both the bare domain and every host under it map to the realm.
.insite.aaaaaa.com = INSITE.AAAAAA.COM
insite.aaaaaa.com = INSITE.AAAAAA.COM

sssd.conf:
# SSSD configuration: a single AD-backed domain ("AAA") serving NSS and PAM.
[sssd]
config_file_version = 2
# debug_level 6 is verbose; useful while troubleshooting, noisy afterwards.
debug_level = 6
services = nss, pam
domains = AAA
[nss]
# Never resolve root through the AD backend; root stays purely local.
filter_groups = root
filter_users = root
reconnection_retries = 3

[domain/AAA]
debug_level = 6
id_provider = ad
auth_provider = ad
ad_domain = insite.aaaaaa.com
# Single hard-pinned DC (no SRV discovery): if it is down, domain logins are too.
ad_server = aaa-dc-01.insite.aaaaaa.com
# NOTE(review): ad_hostname is meant to be *this* client's own FQDN as it is
# known in AD (the prompt in this post shows the host as aaa-alt-01), but here
# it carries the DC's name, the same value as ad_server — confirm.
ad_hostname = aaa-dc-01.insite.aaaaaa.com
chpass_provider = ad
# Access control is delegated to AD's own account state checks.
access_provider = ad
default_shell = /bin/bash
# override_homedir wins over fallback_homedir, so every domain user gets
# /home/<user> (matches the getent output further down in the post).
fallback_homedir = /home/%d/%u
override_homedir = /home/%u
# Users are addressed as "kurenal", not "kurenal@AAA".
use_fully_qualified_names = False

krb5_realm = INSITE.AAAAAA.COM
# Keeps the password SSSD saw while the DC was unreachable so a TGT can be
# fetched once it is back; sssd.conf(5) notes it is held in plaintext in the
# kernel keyring, so weigh that against the convenience.
krb5_store_password_if_offline = True
# POSIX UIDs/GIDs are synthesised from the AD SID (hence 220414917 in the
# getent output below) instead of being read from uidNumber/gidNumber.
ldap_id_mapping = True
ldap_schema = ad

pam.d/system-auth-sss:
#%PAM-1.0
# Combined local (tcb) + SSSD (AD) stack. Each phase first asks
# pam_localuser whether the user exists in /etc/passwd, sends local users
# to pam_tcb and everyone else on to pam_sss.
auth required pam_env.so
# Local user: continue to pam_tcb. Anyone else: skip the next line.
auth [success=ignore default=1] pam_localuser.so
# The local password check is final either way (success=done / default=bad).
auth [success=done default=bad] pam_tcb.so shadow fork
# NOTE(review): this looks like the wrapped tail of the pam_tcb line above
# (compare the one-line form in the password phase), not a separate entry;
# if it really is its own line in the file, PAM cannot parse it.
prefix=$2y$ count=8 nullok
# Only non-system accounts (uid >= 500) may go on to the AD backend.
auth requisite pam_succeed_if.so uid >= 500 quiet
# auth required pam_sss.so
# NOTE(review): use_first_pass makes pam_sss reuse a password collected by
# an earlier module and fail without prompting when there is none. For a
# domain user pam_tcb is skipped, so nothing above this line has asked for
# the password — a likely reason the domain login fails; try_first_pass
# (or no argument) prompts instead. The phase also has no closing
# "auth required pam_deny.so", so a fall-through is not denied explicitly.
auth sufficient pam_sss.so use_first_pass

account [success=ignore default=1] pam_localuser.so
account [success=done default=bad] pam_tcb.so shadow fork
# System accounts (uid < 500) need no further account checks.
account sufficient pam_succeed_if.so uid < 500 quiet
# AD-side account checks; a user SSSD does not know is ignored, not rejected.
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

# Non-local users skip the next two lines, so local quality rules (passwdqc)
# do not apply to domain passwords — AD policy governs those.
password [success=ignore default=2] pam_localuser.so
password required pam_passwdqc.so config=/etc/passwdqc.conf
# nullok: empty local passwords are accepted; drop it if that is not intended.
password [success=done default=bad] pam_tcb.so use_authtok shadow fork prefix=$2y$ count=8 nullok write_to=tcb
password requisite pam_succeed_if.so uid >= 500 quiet
# password required pam_sss.so
password sufficient pam_sss.so use_authtok

# A leading "-" means a missing module is skipped instead of failing the stack.
-session optional pam_keyinit.so revoke
-session optional pam_systemd.so
# Local users skip the pam_sss session step.
session [success=1 default=ignore] pam_localuser.so
# session [success=1 default=1] pam_sss.so
session optional pam_sss.so
session optional pam_tcb.so
session required pam_mktemp.so
# Creates /home/<user> on first login (domain users have no local home yet);
# "silent" suppresses the creation message.
session required pam_mkhomedir.so silent
session required pam_limits.so

nsswitch.conf:
# NSS lookup order: local files first, then SSSD for users and groups.
passwd: files sss
# tcb first: local password hashes live in per-user tcb shadow files.
shadow: tcb files sss
group: files sss
gshadow: files

# NOTE(review): the next two lines look like a forum line wrap — "hosts:"
# continues with "files mdns4_minimal ... myhostname", and the following
# ethers/netmasks/networks/protocols/rpc/services entries are presumably
# separate lines in the real file.
hosts:
files mdns4_minimal [NOTFOUND=return] dns myhostname ethers: files netmasks: files networks: files protocols: files rpc: files services: files

bootparams: nisplus [NOTFOUND=return] files

netgroup: nisplus

publickey: nisplus

# Same wrap suspicion: "automount:" and "aliases:" are likely two lines.
automount: files aliases: files

Вроде все нужные команды проходят:

[root@aaa-alt-01 pam.d]# kinit kurenal
Password for kurenal@INSITE.AAAAAA.COM:
[root@aaa-alt-01 pam.d]# klist
Ticket cache: KEYRING:persistent:0:0 Default principal:
kurenal@INSITE.AAAAAA.COM
Valid starting Expires Service principal 15.08.2019 16:03:22 16.08.2019 02:03:22 krbtgt/INSITE.AAAAAA.COM@INSITE.AAAAAA.COM renew until 16.08.2019 02:03:22

[root@aaa-alt-01 pam.d]# getent passwd kurenal
kurenal:*:220414917:220400513:Бла БЛа БЛА:/home/kurenal:/bin/bash
[root@aaa-alt-01 pam.d]# id kurenal uid=220414917(kurenal) gid=220400513(domain users) группы=220400513(domain users),220406668(offer remote assistance helpers) и т.д
Но под доменным пользователем зайти не могу. Помогите, пожалуйста, хоть чем-нибудь. Я так понимаю, что проблема в ПАМе, но что там изменить — ума не приложу.