
AD users cannot log in to the IPA client after establishing a trust


Unix & Linux user
Asked on 2019-01-24 07:50:13
1 answer, 1.3K views, 0 followers, 0 votes

I set up a trust between FreeIPA and AD and added some AD users to the FreeIPA server; all of them can log in to the IPA server successfully, but they cannot log in to the IPA client. Below is the command I used to add the workstation to FreeIPA:

ipa-client-install -U -f --enable-dns-updates --domain example.com --ntp-server=phoenix.example.com --server=phoenix.example.com -p EXAMPLE.COM -p admin -w '$EXAMPLE' --hostname=$HOSTNAME --automount-location=default --no-dns-sshfp --preserve-sssd

After checking /var/log/message and /var/log/secure, I got this warning:

/var/log/secure

Jan 24 15:19:00 greentag sshd[2092]: Received disconnect from 192.168.5.222: 11: disconnected by user
Jan 24 15:19:00 greentag sshd[2092]: pam_unix(sshd:session): session closed for user root
Jan 24 15:19:12 greentag sshd[3856]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:12 greentag sshd[3856]: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:12 greentag sshd[3838]: error: PAM: Authentication failure for isaac@adexample.com from 192.168.5.222
Jan 24 15:19:16 greentag sshd[3892]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:16 greentag sshd[3892]: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:16 greentag sshd[3838]: error: PAM: Authentication failure for isaac@adexample.com from 192.168.5.222
Jan 24 15:19:16 greentag sshd[3838]: Postponed keyboard-interactive for isaac@adexample.com from 192.168.5.222 port 45318 ssh2 [preauth]
Jan 24 15:19:19 greentag sshd[3895]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:19 greentag sshd[3895]: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:19 greentag sshd[3838]: error: PAM: Authentication failure for isaac@adexample.com from 192.168.5.222
Jan 24 15:19:26 greentag sshd[3838]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:26 greentag sshd[3838]: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:26 greentag sshd[3838]: Failed password for isaac@adexample.com from 192.168.5.222 port 45318 ssh2
Jan 24 15:19:30 greentag sshd[3838]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:30 greentag sshd[3838]: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:30 greentag sshd[3838]: Failed password for isaac@adexample.com from 192.168.5.222 port 45318 ssh2

/var/log/message

Jan 24 15:19:12 greentag [sssd[krb5_child[3889]]]: Cannot find KDC for realm "adexample.COM"
Jan 24 15:19:12 greentag [sssd[krb5_child[3889]]]: Cannot find KDC for realm "adexample.COM"
Jan 24 15:19:12 greentag [sssd[krb5_child[3890]]]: Cannot find KDC for realm "adexample.COM"
Jan 24 15:19:12 greentag [sssd[krb5_child[3890]]]: Cannot find KDC for realm "adexample.COM"

However, when I type id isaac@adexample.com, it shows me the user's information.


1 Answer

Unix & Linux user

Accepted answer

Posted on 2019-01-28 09:50:58

Problem solved; it seems I needed to open the relevant ports manually. Edit /etc/sysconfig/iptables and append the following:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# -A INPUT -s ad_ip_address -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT
-A INPUT -p tcp -m multiport --dports 80,88,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT
-A INPUT -p tcp -j REJECT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Votes: 0
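Two checks a practitioner would want when reproducing this diagnosis are (1) does the host firewall actually let new connections reach the Kerberos, LDAP, DNS, NTP and SMB ports the trust depends on, and (2) are the sssd "Cannot find KDC" and pam_sss failure signatures present in the logs. The following script is an added example, not code from the question, the answer or the FreeIPA project: it parses an iptables-save style INPUT chain (the answer's rules and a trimmed variant are embedded as constructed samples) and triages log lines modelled on the ones in the question. The port checklist is a constructed assumption to adjust per site.

```python
"""Added example: audit an iptables-save style INPUT chain for the ports an IPA
client in an AD trust relies on, and extract sssd/PAM failure signatures.
The port checklist, rulesets and log lines below are constructed samples."""
import re
from collections import Counter

# Constructed checklist of (protocol, port) -> service; tune it to your site.
REQUIRED_PORTS = {
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 464): "kpasswd", ("udp", 464): "kpasswd",
    ("tcp", 389): "LDAP", ("tcp", 636): "LDAPS",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 123): "NTP", ("tcp", 445): "SMB",
}

RULE_RE = re.compile(r"^-A INPUT(?P<body>.*?)\s-j\s+(?P<target>\S+)")
POLICY_RE = re.compile(r"^:INPUT\s+(\S+)")
KDC_RE = re.compile(r'Cannot find KDC for realm "([^"]+)"')
PAM_RE = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.*?rhost=(\S+) user=(\S+)")

# Constructed sample: the rules the accepted answer appended (minus the comment).
ANSWER_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,88,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT
-A INPUT -p tcp -j REJECT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed sample: the same chain without the two multiport ACCEPT lines.
MINIMAL_RULES = "\n".join(l for l in ANSWER_RULES.splitlines() if "multiport" not in l)

# Constructed sample log lines, modelled on the question's /var/log/secure and /var/log/message.
SAMPLE_LOG = [
    "Jan 24 15:19:12 greentag sshd[3856]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com",
    "Jan 24 15:19:12 greentag sshd[3856]: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)",
    "Jan 24 15:19:12 greentag [sssd[krb5_child[3889]]]: Cannot find KDC for realm \"adexample.COM\"",
    "Jan 24 15:19:12 greentag [sssd[krb5_child[3890]]]: Cannot find KDC for realm \"adexample.COM\"",
    "Jan 24 15:19:16 greentag sshd[3892]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com",
]


def parse_rule(line):
    """Reduce one '-A INPUT ...' line to the match fields the audit needs."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    proto = re.search(r"(?<!\S)-p\s+(\S+)", body)
    ports = re.search(r"--dports?\s+([\d,]+)", body)
    state = re.search(r"--state\s+(\S+)", body)
    iface = re.search(r"(?<!\S)-i\s+(\S+)", body)
    return {
        "proto": proto.group(1) if proto else None,
        "ports": {int(p) for p in ports.group(1).split(",")} if ports else None,
        # A --state clause without NEW never decides a fresh connection.
        "new_ok": state is None or "NEW" in state.group(1).split(","),
        "iface": iface.group(1) if iface else None,
        "target": m.group("target"),
    }


def audit(ruleset, required=REQUIRED_PORTS):
    """Map each required (proto, port) to the target of the first INPUT rule
    that decides a new connection to it, or to the chain policy if none does."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        pm = POLICY_RE.match(line.strip())
        if pm:
            policy = pm.group(1)
        rule = parse_rule(line)
        if rule:
            rules.append(rule)
    verdicts = {}
    for proto, port in required:
        verdict = policy
        for r in rules:
            if r["iface"] is not None or not r["new_ok"]:
                continue  # loopback-only or established-only rules do not apply
            if r["proto"] not in (None, proto):
                continue
            if r["ports"] is not None and port not in r["ports"]:
                continue
            verdict = r["target"]
            break
        verdicts[(proto, port)] = verdict
    return verdicts


def triage_logs(lines):
    """Count 'Cannot find KDC' realms and pam_sss auth failures per (user, rhost)."""
    realms, failures = Counter(), Counter()
    for line in lines:
        k = KDC_RE.search(line)
        if k:
            realms[k.group(1)] += 1
        p = PAM_RE.search(line)
        if p:
            failures[(p.group(2), p.group(1))] += 1
    return {"kdc_lookup_failures": dict(realms), "pam_sss_failures": dict(failures)}


if __name__ == "__main__":
    for name, rules in (("answer", ANSWER_RULES), ("minimal", MINIMAL_RULES)):
        blocked = {k: v for k, v in audit(rules).items() if v != "ACCEPT"}
        print(f"{name}: blocked required ports -> {blocked or 'none'}")
    print(triage_logs(SAMPLE_LOG))
```

Run it as-is to compare the answer's chain with the trimmed one; feed `audit()` the output of `iptables-save` and `triage_logs()` the real log files to repeat the check on a client. Note that the audit only judges the host's own INPUT chain, so a "KDC not found" result can still come from DNS or realm configuration rather than the firewall.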
The original content of this page was provided by Unix & Linux. Translation support by Tencent Cloud's IT-domain translation engine.
Original link:

https://unix.stackexchange.com/questions/496397