不使用LDAP后端的SSSD密码更改
Environment info:
AD on win 2k8r2
Ubuntu 12.04.5 LTS
SSSD v1.8.6
everything is in the same vlan我在我们的Ubuntu服务器上使用了LDAP / SSSD解决方案。auth流程工作正常--即用户可以很好地登录并做他们需要的任何事情。
当任何人试图更改密码时,他们会看到以下内容:
user@host:~$ passwd
Current Password:
New Password:
Reenter new Password:
Password change failed.
passwd: Authentication token manipulation error
passwd: password unchanged新密码满足所有AD要求。
我在/var/log/auth.log中看到了这一点:
Aug 18 15:22:12 hostname passwd[7544]: pam_unix(passwd:chauthtok): user "user" does not exist in /etc/passwd
Aug 18 15:22:16 hostname passwd[7544]: pam_unix(passwd:chauthtok): user "user" does not exist in /etc/passwd
Aug 18 15:22:21 hostname passwd[7544]: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Aug 18 15:22:21 hostname passwd[7544]: pam_sss(passwd:chauthtok): User info message: Password change failed.
Aug 18 15:22:21 hostname passwd[7544]: pam_sss(passwd:chauthtok): Password change failed for user user: 20 (Authentication token manipulation error)我尝试在sssd.conf中为ldap_default_bind_dn使用几种不同的设置,所有这些设置都允许用户使用,但不允许更改密码。不知道是什么阻止了它-感觉它应该只是一个配置改变,这一切都会很好,但不确定我需要改变什么。
配置文件:
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam
debug_level = 10
[nss]
[pam]
[domain/LDAP]
enumerate = false
id_provider = ldap
#ldap_access_filter = memberOf=cn=XXXX,cn=XXXX,dc=XXXX,dc=XXXX
ldap_uri = ldap://xxx.xxx.xxx.xxx # AD server ip
ldap_search_base = ou=XXXX,dc=XXXX,dc=XXXX
ldap_tls_reqcert = demand
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_schema = rfc2307bis
ldap_user_object_class = person
ldap_group_object_class = group
ldap_default_bind_dn = cn=XXXX,cn=XXXX,dc=XXXX,dc=XXXX
ldap_default_authtok_type = password
ldap_default_authtok = *********
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
min_id = 10000
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = True
auth_provider = krb5
chpass_provider = krb5
krb5_server = xxx.xxx.xxx.xxx # AD server ip
krb5_kpasswd = xxx.xxx.xxx.xxx # AD Server ip
krb5_realm = XXXX.XXXX #Upper caseof the domain
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_store_password_if_offline = true
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
debug_level = 9/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXXX.XXXX # capitalised domain
realm = XXXX.XXXX # capitalised domain
dns_lookup_realm = true
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
[realms]
XXXX.XXXX= {
kdc = xxx.xxx.xxx.xxx:88 # AD Server IP
kpasswd_server = xxx.xxx.xxx.xxx:464 #AD server IP
default_domain = XXXX.XXXX # Capitalised domain
}
[domain_realm]
.xxxx.xxxx = XXXX.XXXX # lower = CAP domain
xxxx.xxxx = XXXX.XXXX/etc/pan.d/通用密码:
password [success=2 default=ignore] pam_unix.so obscure sha512
password sufficient pam_sss.so
password requisite pam_deny.so
password required pam_permit.so回答 3
Ask Ubuntu用户
发布于 2015-04-28 14:36:44
经过大量的研究和测试。以下是允许用户在使用SSSD和ldap后端时使用passwd函数更改密码的答案。如果他们确实可以通过ssh对SSSD客户端进行身份验证,那么更改他们的密码会产生以下问题:"passwd:验证令牌操作错误“来自LDAP ACL。需要对userPassword属性的自写访问
使用olc时,将以下内容添加到ldap配置文件中。编辑olcDatabase={2}bdb.ldif olcAccess:
{0}to attrs=userPassword,shadowLastChange by self write by anonymous
auth by dn="cn=Manager,dc=domain.com" write by * none确保添加了更多内容,以便允许对任何其他属性进行读和写。
olcAccess: {2}to * by * read by users read by anonymous auth你只需要为所有的用户做一次。{0}to attrs=userPassword...正如我上面列出的那样,ACL作为一个ACL应用于ldap服务器,并在全球范围内应用。如果手动编辑olcDatabase={2}bdb.ldif olcAccess,就必须更改CRC,但这很容易,因为上面有很多可读的内容。
另一个用户在客户机/etc/sssd/sssd.conf上发布了更改的绑定凭据,如下所示:
ldap_default_bind_dn = cn=Manager,dc=mydomain,dc=fqdn.com ldap_default_authtok_type = password ldap_default_auttok = secret修改/etc/sssd/sssd.conf绑定凭据对我不起作用,但允许用户自写他们的userPassword属性.您可能并不总是希望这样做,但是对于在带有SSSD和LDAP后端的linux客户机上使用passwd函数,您需要它。
Ask Ubuntu用户
发布于 2014-08-19 05:01:55
已修复。
这与sssd.conf中的ldap绑定有关。作为临时工作,我在那里使用了管理员用户/传递,我可以使用passwd更改密码。我对AD一无所知,所以我会更多地使用它,但至少我知道问题在于绑定用户的权限。
Ask Ubuntu用户
发布于 2016-04-29 14:37:57
在/etc/sssd/sssd.conf中添加以下内容:
[domain/LDAP]
...
# changing passwords not working otherwise
# see https://fedorahosted.org/sssd/ticket/2204
krb5_use_enterprise_principal = falsehttps://askubuntu.com/questions/512766
复制相似问题
腾讯云开发者
