Multiple domains / one forest, RHEL7 with SSSD and REALMD - cannot log in to the other domain
0 votes
/ June 4, 2019

I searched stackoverflow but did not find a solution.

I have two domains in one forest (domain1 and domain2). I can log in via ssh using domain1 and cannot log in using domain2. I can kinit a ticket from domain2.

Here are some of the configs:

[sssd]
debug_level = 3
services = nss, pam
config_file_version = 2
domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET 

[domain/DOMAIN1.TEST.NET]
debug_level = 3
override_homedir = /home/%u
create_homedir = true
override_gid = 100
default_shell = /bin/bash

id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
dyndns_update = false
ad_gpo_access_control = disabled
#ad_enabled_domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
ldap_idmap_range_size = 1000000
subdomain_enumerate = all
use_fully_qualified_names = false


ad_domain = DOMAIN1.TEST.NET


[domain/DOMAIN2.TEST.NET]
debug_level = 10
override_homedir = /home/%u
create_homedir = true
override_gid = 100
default_shell = /bin/bash

id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
dyndns_update = false
ad_gpo_access_control = disabled
#ad_enabled_domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
ldap_idmap_range_size = 1000000
subdomain_enumerate = all
use_fully_qualified_names = false

ad_domain = DOMAIN2.TEST.NET



[nss]
filter_users = root
filter_groups = root

In the realm list I see both realms. With kinit from domain2 I get a ticket. Joining the realm worked on domain2 with a user from domain1, and when I join it says I am already joined. systemctl status sssd shows an error, although I can log in to the first domain. In klist -k I only see the KEYTAB from Domain1 and I cannot get the domain2 key into the keytab.

sssd[ldap_child[18103]]][18103]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/server01.domain1.test.net@ST...onnection.
sssd_be[17222]: GSSAPI client step 1
ssd_be[17222]: GSSAPI client step 1
[be[DOMAIN1.TEST.NET]][17222]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

There are also some sssd logs from domain2.

(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'atsvtroot1.domain2.test.net' as 'not working'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_handle_release] (0x2000): Trace: sh[0x55feb6513de0], connected[1], ops[(nil)], ldap[0x55feb64b3e70], destructor_lock[0], release_memory[0]
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_server_status] (0x1000): Status of server 'atsvtroot2.domain2.test.net' is 'name resolved'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x1000): Port status of port 389 for server 'atsvtroot2.domain2.test.net' is 'not working'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_server_status] (0x1000): Status of server 'atsvtroot1.domain2.test.net' is 'name resolved'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x1000): Port status of port 389 for server 'atsvtroot1.domain2.test.net' is 'not working'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_mark_offline] (0x2000): Going offline!
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 67 seconds from now [1559627215]
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [ad_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [ad_subdomains_refresh_connect_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_ptask_execute] (0x0400): Task [Subdomains Refresh]: executing task, timeout 14400 seconds
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_server_common_status] (0x0100): Marking server '10.51.51.222' as 'resolving name'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_server_common_status] (0x0100): Marking server '10.x.x.x.' as 'name resolved'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_resolve_server_process] (0x0200): Found address for server 10.x.x.x.x: [10.51.51.222] TTL 7200
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain1,DC=test,DC=net]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/server01.domain1.test.net, domain1.test.net, 86400)
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_resolve_server_process] (0x0200): Found address for server 10.x.x.x.x.: [10.x.x.x.x] TTL 7200
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 68
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [child_sig_handler] (0x0100): child [18330] finished successfully.
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/server01.domain1.test.net@DOMAIN1.TEST.NET' not found in Kerberos database], expired on [0]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied

In krb5.conf I have all the REALMS.

What am I missing? Why can't I log in via SSH?

Thanks in advance.
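The two observations in the post worth cross-checking mechanically are the `klist -k` listing (only DOMAIN1 principals) and the `sdap_kinit_send` line from the DOMAIN2 backend (it authenticates with a domain1 host principal). The script below is an added illustration, not code from the poster: it parses constructed samples of both outputs, modelled on the lines quoted above, and reports each SSSD backend whose kinit realm differs from its own domain or whose principal has no key in the keytab. The sample `klist -k` entries, and the regular expressions for the two line shapes, are my assumptions about the format rather than anything taken from the post.

```python
"""Cross-check SSSD AD backends against the host keytab.

Added illustration for the question above; the sample data is constructed
to resemble the poster's `klist -k` output and sssd debug log, it is not
copied from a real system.
"""
import re
from collections import defaultdict

# Constructed sample: `klist -k /etc/krb5.keytab` on a host joined to
# DOMAIN1 only (the question says no domain2 key is present).
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server01.domain1.test.net@DOMAIN1.TEST.NET
   2 host/SERVER01@DOMAIN1.TEST.NET
   2 SERVER01$@DOMAIN1.TEST.NET
"""

# Constructed sample sssd debug lines modelled on the question: the domain2
# backend tries to obtain its LDAP-bind TGT with a domain1 host principal,
# while the domain1 backend uses the same principal in its own realm.
SSSD_LOG = """\
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/server01.domain1.test.net, domain1.test.net, 86400)
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/server01.domain1.test.net@DOMAIN1.TEST.NET' not found in Kerberos database], expired on [0]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain1.test.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/server01.domain1.test.net, domain1.test.net, 86400)
"""

# "   2 principal@REALM" lines of klist -k (assumed shape)
KEYTAB_LINE = re.compile(r"^\s*\d+\s+(\S+)@(\S+)\s*$")
# "[sssd[be[DOMAIN]]] [sdap_kinit_send] ...: Attempting kinit (ccname, principal, realm, lifetime)"
KINIT_LINE = re.compile(
    r"\[sssd\[be\[(?P<backend>[^\]]+)\]\]\]\s+\[sdap_kinit_send\].*?"
    r"Attempting kinit \((?P<ccname>[^,]+), (?P<principal>[^,]+), (?P<realm>[^,]+), \d+\)"
)


def parse_keytab_listing(text):
    """Return {REALM: {principal, ...}} from `klist -k` output.

    Realms are upper-cased for comparison: an AD realm is the upper-cased
    DNS name of the domain, and SSSD logs the domain in either case.
    """
    by_realm = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            by_realm[m.group(2).upper()].add(m.group(1))
    return dict(by_realm)


def parse_kinit_attempts(text):
    """Return [(BACKEND_DOMAIN, principal, REALM), ...] from sssd debug output."""
    attempts = []
    for line in text.splitlines():
        m = KINIT_LINE.search(line)
        if m:
            attempts.append((m.group("backend").upper(),
                             m.group("principal"),
                             m.group("realm").upper()))
    return attempts


def find_problems(keytab, attempts):
    """Flag backends that cannot obtain their own TGT from the keytab.

    Three conditions are checked per kinit attempt:
      * the backend authenticates to a realm other than its own domain,
      * the principal it uses has no key in that realm,
      * the keytab holds no principal at all for the backend's own realm.
    Duplicate findings from repeated attempts are collapsed.
    """
    problems = []
    for backend, principal, realm in attempts:
        if realm != backend:
            problems.append(f"{backend}: backend authenticates to realm {realm}, not its own")
        if principal not in keytab.get(realm, set()):
            problems.append(f"{backend}: keytab has no key for {principal}@{realm}")
        if backend not in keytab:
            problems.append(f"{backend}: keytab holds no principal in realm {backend}")
    return list(dict.fromkeys(problems))


if __name__ == "__main__":
    for problem in find_problems(parse_keytab_listing(KLIST_K_OUTPUT),
                                 parse_kinit_attempts(SSSD_LOG)):
        print(problem)
```

On the constructed input the check reports both findings for DOMAIN2.TEST.NET and nothing for DOMAIN1.TEST.NET, which matches the asymmetry the poster sees: one backend has a usable key, the other does not. Run against a real host, replace the two sample strings with the output of `klist -k` and the contents of the per-domain sssd log.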

1 Answer

0 votes
/ June 4, 2019

In krb5.conf you need to add an entry for the common parent realm, i.e. TEST.NET.
The Kerberos client libraries have to "know" how to get from the realm that issued the TGT (domain2) to the realm that will issue the service ticket for the target server, with type host for SSH, HTTP for SPNEGO, etc.

Either you configure [capaths] rules explicitly, or you let Kerberos walk the implicit hierarchical path up to the common parent and then back down to the target. Cf. the MIT Kerberos documentation for krb5.conf.

For SSSD I don't know whether it uses the base Kerberos conf or needs a custom conf.

...
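To make the answer's two options concrete, here is an added example (my code, not the answerer's and not part of MIT Kerberos) that reads a constructed krb5.conf fragment, looks up an explicit [capaths] rule for a client/server realm pair, and otherwise derives the implicit hierarchical path the answer describes: climb from the client realm to the nearest common suffix realm, then descend to the server realm. The realm names are the ones from the question; the KDC hostnames in the fragment (dc1.test.net and so on) are placeholders I made up, and the tiny config reader only understands the nested `REALM = { key = value }` shape used in [realms] and [capaths]. The hierarchical walk is my own re-statement of the documented default rule and does not cover realms with no common suffix.

```python
"""Kerberos cross-realm transit path: explicit [capaths] or hierarchical default.

Added illustration for the answer above. KRB5_CONF is a constructed
fragment; the hostnames in it are placeholders, not real servers.
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN1.TEST.NET

[realms]
    TEST.NET = {
        kdc = dc1.test.net
    }
    DOMAIN1.TEST.NET = {
        kdc = dc1.domain1.test.net
    }
    DOMAIN2.TEST.NET = {
        kdc = dc1.domain2.test.net
    }

[capaths]
    DOMAIN2.TEST.NET = {
        DOMAIN1.TEST.NET = TEST.NET
    }
    DOMAIN1.TEST.NET = {
        DOMAIN2.TEST.NET = TEST.NET
    }
"""


def parse_krb5_conf(text):
    """Minimal reader: {section: {realm: {key: [value, ...]}}}.

    Assumption: only 'REALM = {' blocks with 'key = value' lines are kept;
    top-level keys such as default_realm are ignored, '#' starts a comment.
    Repeated keys accumulate, which is how [capaths] lists several
    intermediate realms for one client/server pair.
    """
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections[section] = {}
        elif line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            sections[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line and realm is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[section][realm].setdefault(key, []).append(value)
    return sections


def hierarchical_path(client, server):
    """Intermediate realms on the default (no [capaths]) route.

    Walk up from the client realm to the nearest realm that is a common
    suffix of both names, then down towards the server realm. Endpoints
    are excluded, so a parent talking to its own child yields [].
    """
    c, s = client.split("."), server.split(".")
    k = 0
    while k < min(len(c), len(s)) and c[-1 - k].upper() == s[-1 - k].upper():
        k += 1
    if k == 0:
        raise ValueError(f"{client} and {server} share no suffix; not handled here")
    path = [".".join(c[i:]) for i in range(1, len(c) - k + 1)]          # climb
    path += [".".join(s[i:]) for i in range(len(s) - k - 1, 0, -1)]     # descend
    return [r for r in path if r not in (client, server)]


def transit_path(conf, client, server):
    """Explicit [capaths] entry wins; '.' means a direct trust with no hops."""
    if client == server:
        return []
    explicit = conf.get("capaths", {}).get(client, {}).get(server)
    if explicit is not None:
        return [r for r in explicit if r != "."]
    return hierarchical_path(client, server)


def missing_realms(conf, path):
    """Intermediate realms the client cannot reach because [realms] lacks them."""
    return [r for r in path if r not in conf.get("realms", {})]


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    route = transit_path(conf, "DOMAIN2.TEST.NET", "DOMAIN1.TEST.NET")
    print("DOMAIN2.TEST.NET -> DOMAIN1.TEST.NET via", route or "(direct)")
    print("undefined intermediate realms:", missing_realms(conf, route) or "none")
```

With the fragment as written, both the explicit rule and the hierarchical default give TEST.NET as the single hop between the two child realms, and `missing_realms` is empty because TEST.NET has its own [realms] block. Remove that block and the same route is still computed, but the check reports TEST.NET as undefined, which is exactly the gap the answer says to close.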