Я настроил sssd на centos 8 и ldap на centos 7. Я могу получить подробную информацию о тестирующем пользователе, используя getent passwd и getent group, но при тестировании его для getent shadow я не получаю никаких подробностей для тестового пользователя. Это вызывает ошибки входа в систему для testuser. Я не уверен, что настроено неправильно.


# cat /etc/sssd/sssd.conf
[sssd]
debug_level=7
config_file_version = 2
reconnection_retries = 3
enable_files_domain = False
services = nss, pam, ssh
domains = ldap.corp.com

[nss]
debug_level=7
reconnection_retries = 3
pwfield = x
homedir_substring = /home

[pam]
debug_level=7
reconnection_retries = 3

[ssh]
debug_level=7
debug_timestamps = True

[domain/ldap.corp.com]
debug_level=7
debug_timestamps = True
description = LDAP Client Login

enumeration = true
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap

ldap_access_order = filter
ldap_access_filter = (&(objectclass=posixAccount))
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
ldap_uri = ldap://ldap01.corp.com
ldap_search_base = dc=corp,dc=com
ldap_default_bind_dn = cn=ldapadm,dc=corp,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxxx
cache_credentials = true

ldap_group_search_base = ou=Group,dc=corp,dc=com
ldap_user_search_base = ou=Users,dc=corp,dc=com
#ldap_sudo_search_base = ou=sudoers,dc=corp,dc=com
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup
ldap_group_member = memberUid
ldap_pwd_policy = shadow

# cat /etc/authselect/password-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid 

# getent passwd testuser1
testuser1:x:1005:1005:testuser1:/home/testuser1:/bin/bash
# getent group testuser1
testuser1:x:1005:
# getent shadow testuser1
#

# ssh [email protected]
[email protected]'s password:
Connection closed by 192.168.10.11 port 22
#

# tail /var/log/secure
Jul 23 13:23:14 rhel01 sshd[2074]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.11 user=testuser1
Jul 23 13:23:14 rhel01 sshd[2074]: Failed password for testuser1 from 192.168.10.11 port 49462 ssh2
Jul 23 13:23:14 rhel01 sshd[2074]: fatal: Access denied for user testuser1 by PAM account configuration [preauth]




# cat /etc/authselect/password-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid 

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

Ниже приведен журнал отладки из / var / log / secure:

Jul 23 15:08:24 rhel01 sshd[3024]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.11 user=testuser1
Jul 23 15:08:24 rhel01 sshd[3024]: debug1: PAM: password authentication accepted for testuser1
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_answer_authpassword: sending result 1
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_send entering: type 13
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_receive_expect entering: type 102
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_receive entering
Jul 23 15:08:24 rhel01 sshd[3024]: debug1: do_pam_account: called
Jul 23 15:08:24 rhel01 sshd[3024]: debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_send entering: type 103
Jul 23 15:08:24 rhel01 sshd[3024]: Failed password for testuser1 from 192.168.10.11 port 49554 ssh2
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_auth_password: user authenticated [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: ensure_minimum_time_since: elapsed 107.666ms, delaying 14.497ms (requested 7.635ms) [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_do_pam_account entering [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_send entering: type 102 [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_receive entering [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_do_pam_account returning 0 [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: fatal: Access denied for user testuser1 by PAM account configuration [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug1: do_cleanup [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Jul 23 15:08:24 rhel01 sshd[3024]: debug3: mm_request_send entering: type 124 [preauth]
answer

Вам не нужно теневая карта при использовании SSSD с LDAP бэкэндом. И из соображений безопасности точно не стоит пытаться его реализовать.

Это потому, что проверка пароля, проходящая через PAM, выполняется sssd с отправкой простого запроса привязки LDAP на сервер LDAP. Таким образом, нет необходимости отображать хэши паролей в карте теней.