Background

Recently the DBAs reported that several CentOS 7 hosts could no longer be logged into with domain accounts; every attempt failed with "Permission denied". The domain account passwords were confirmed to be correct, and root could still log in, but domain accounts simply could not. Since CentOS 7.3 and later use SSSD in place of the winbind service, I tried restarting the SSSD service, but the fault persisted. SSSD restarted fine, but after the restart authentication still failed:

Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sssd[krb5_child[40570]][40570]: Preauthentication failed
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.targetmachine.com user
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: pam_sss(sshd:auth): received for user sujx: 7 (Authentication failure)
Mar 21 16:06:02 test.targetmachine.com sshd[40474]: Failed password for sujx from 172.17.0.159 port 53160 ssh2

Checking the sssd log then showed that the problem was the krb5.keytab file:

sshd[31442]: pam_krb5[31442]: error reading keytab 'FILE: /etc/krb5.keytab'

Resolution

Renew the Kerberos host key automatically

yum install -y adcli
# Configure /etc/sssd/sssd.conf (this option belongs in the [domain/...] section)
# Renew the Kerberos machine account key automatically every 30 days
ad_maximum_machine_account_password_age = 30
# Restart the service after editing the file
systemctl restart sssd

Rejoin the domain

realm leave targetmachine.com
realm join targetmachine.com -U sujx
# Enter the password of a domain account that has permission to join machines to the domain
systemctl restart sssd

Log in again

# Log in to the host again with a domain account
# Use klist to check when the Kerberos keys in the keytab were generated
yum install -y krb5-workstation
klist -kt /etc/krb5.keytab
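The keytab timestamps that klist -kt prints are what tell you whether the 30-day ad_maximum_machine_account_password_age setting above is actually rotating the machine key. The script below is an added example (not from the original post) that parses that output and flags a keytab that is empty or whose newest entry is older than the threshold; the klist samples and the "today" date are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the newest entry that
# `klist -kt` reports against the 30-day ad_maximum_machine_account_password_age
# value used above. SSSD/adcli do the rotation; this only detects a stale keytab.
# Days since 1970-01-01 for a civil date, in pure shell arithmetic
# (leading zeros stripped so "04" is not read as octal).
days_from_civil() {
  local y=$1 m=${2#0} d=${3#0} era yoe mp doy doe
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  mp=$((m > 2 ? m - 3 : m + 9))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}
# Newest entry day in `klist -kt` text on stdin ("KVNO MM/DD/YYYY HH:MM:SS
# principal" lines, klist's default timestamp format); prints -1 if none.
newest_keytab_day() {
  local newest=-1 kvno ts tm principal m d y day
  while read -r kvno ts tm principal; do
    case $kvno in ''|*[!0-9]*) continue ;; esac
    case $ts in [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]) ;; *) continue ;; esac
    m=${ts%%/*}; y=${ts##*/}; d=${ts#*/}; d=${d%/*}
    day=$(days_from_civil "$y" "$m" "$d")
    if [ "$day" -gt "$newest" ]; then newest=$day; fi
  done
  echo "$newest"
}
# keytab_status <klist -kt output> <today in epoch days> [max age days, default 30]
# Prints "missing" (no entries), "stale" (newest entry older than max) or "ok".
keytab_status() {
  local text=$1 today=$2 max=${3:-30} newest
  newest=$(printf '%s\n' "$text" | newest_keytab_day)
  if [ "$newest" -lt 0 ]; then echo missing; return 2; fi
  if [ $((today - newest)) -gt "$max" ]; then echo stale; return 1; fi
  echo ok
}
# Constructed samples of `klist -kt /etc/krb5.keytab` output (not real data).
EMPTY_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------'
STALE_KLIST="$EMPTY_KLIST
   2 01/10/2019 09:15:41 host/test.targetmachine.com@TARGETMACHINE.COM"
FRESH_KLIST="$STALE_KLIST
   3 03/21/2019 16:30:12 host/test.targetmachine.com@TARGETMACHINE.COM"
# Live use: keytab_status "$(klist -kt /etc/krb5.keytab)" "$(days_from_civil $(date '+%Y %m %d'))"
TODAY=$(days_from_civil 2019 4 10)   # constructed "today" so the run is reproducible
echo "stale: $(keytab_status "$STALE_KLIST" "$TODAY")   fresh: $(keytab_status "$FRESH_KLIST" "$TODAY")"
```

A non-zero exit from keytab_status (1 for stale, 2 for missing) makes it usable directly from a cron job or monitoring check.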

Common commands

# Discover the domain
[root@test ~]# realm discover targetmachine.com
targetmachine.com
type: kerberos
realm-name: targetmachine.com
domain-name: targetmachine.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
targetmachine.com
type: kerberos
realm-name: targetmachine.com
domain-name: targetmachine.com
configured: no

# List the current domain information
[root@test ~]# realm list --all
targetmachine.com
type: kerberos
realm-name: targetmachine.com
domain-name: targetmachine.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins

# Join the domain
realm join targetmachine.com -U admin

# Leave the domain
realm leave targetmachine.com

References