linux – CentOS 7 ssh login fails with LDAP and sssd



I have an LDAP server running on CentOS 7. id, getent passwd and the users work. But 'ssh' fails. From /var/log/secure it looks like authentication succeeded, but pam does not like something else. I'm not sure how to narrow down where the problem is.

In /var/log/secure:

May 11 16:33:40 localhost sshd[45055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com  user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)
May 11 16:33:40 localhost sshd[45055]: Failed password for user1 from ldapserver.abc.com port 55185 ssh2
May 11 16:33:40 localhost sshd[45055]: fatal: Access denied for user user1 by PAM account configuration [preauth]

/etc/sssd/sssd.conf:

[sssd]
services = nss,pam,autofs,ssh
config_file_version = 2
domains = default

[nss]
homedir_substring = /home
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,newsnsdc,nscd

[domain/default]
enumerate = False
ldap_tls_reqcert = never
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=abc,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_uri = ldaps://ldapserver.abc.com:636
ldap_id_use_start_tls = False
ldap_default_bind_dn = uid=nssproxy,ou=users,dc=abc,dc=com
ldap_chpass_uri = ldaps://ldapserver.abc.com:636
ldap_default_authtok_type = password
ldap_default_authtok = 12345
debug_level = 4

[pam]
debug_level = 4

[sudo]

[autofs]

[ssh]
debug_level = 9

[pac]

[ifp]

/etc/pam.d/password-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

/etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

/etc/nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
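To narrow down which PAM stage rejected the login, here is an added example that is not part of the question or the answer: it parses the `pam_<module>(<service>:<stage>)` lines that Linux-PAM modules write to /var/log/secure, groups them per sshd PID and reports the first stage that blocked the login. The sample log is a constructed copy of the five lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the five /var/log/secure lines quoted in the question.
SAMPLE_LOG = """\
May 11 16:33:40 localhost sshd[45055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com  user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)
May 11 16:33:40 localhost sshd[45055]: Failed password for user1 from ldapserver.abc.com port 55185 ssh2
May 11 16:33:40 localhost sshd[45055]: fatal: Access denied for user user1 by PAM account configuration [preauth]
"""

# pam_<module>(<service>:<stage>): <message>, the format Linux-PAM modules log in.
PAM_LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>\w+)\): (?P<msg>.*)")
STAGES = ("auth", "account", "password", "session")

def pam_events(log_text):
    """Yield (pid, module, stage, outcome, user) for every PAM module message."""
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue  # sshd's own lines ("Failed password", "fatal: ...") carry no stage
        msg = m.group("msg")
        outcome = "success" if "success" in msg else (
            "failure" if ("failure" in msg or "denied" in msg) else "other")
        user = re.search(r"user[= ]([\w.-]+)", msg)
        yield m.group("pid"), m.group("module"), m.group("stage"), outcome, (user.group(1) if user else None)

def diagnose(log_text):
    """Per sshd PID: the result of each PAM stage and the first stage that blocked the login."""
    stages_by_pid = defaultdict(lambda: defaultdict(list))
    user_by_pid = {}
    for pid, module, stage, outcome, user in pam_events(log_text):
        stages_by_pid[pid][stage].append((module, outcome))
        if user:
            user_by_pid[pid] = user
    report = {}
    for pid, stages in stages_by_pid.items():
        verdict = {}
        for stage in STAGES:
            if stage not in stages:
                continue
            # Approximates a stack of 'sufficient' modules: one success clears the
            # stage; otherwise the stage is attributed to the module(s) that denied it.
            if any(o == "success" for _, o in stages[stage]):
                verdict[stage] = "success"
            else:
                verdict[stage] = "denied by " + ",".join(m for m, o in stages[stage] if o == "failure")
        blocking = next((s for s in STAGES if s in verdict and verdict[s] != "success"), None)
        report[pid] = {"user": user_by_pid.get(pid), "stages": verdict, "blocking_stage": blocking}
    return report
```

For the quoted lines the report shows auth cleared by pam_sss and the account stage denied by pam_sss, which points at the access_provider / account configuration rather than at the password check.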
Best answer

sssd does not support authentication over an unencrypted channel

This line from the man page should be posted specifically as the answer.
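A check for the point the answer makes, added here and not part of the thread: it reads an sssd.conf (a constructed copy of the question's file, reduced to the transport-relevant keys) and reports, per LDAP-backed domain, whether authentication would travel over a plaintext or unverified channel. The problem strings are my own wording.

```python
import configparser

# Constructed copy of the question's sssd.conf, reduced to the transport-relevant keys.
SSSD_CONF = """\
[sssd]
services = nss,pam,autofs,ssh
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldapserver.abc.com:636
ldap_chpass_uri = ldaps://ldapserver.abc.com:636
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
"""

def check_ldap_transport(conf_text):
    """Return {domain: [problem, ...]} for every domain whose auth_provider is ldap."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for domain in (d.strip() for d in cp.get("sssd", "domains").split(",")):
        sec = "domain/" + domain
        if cp.get(sec, "auth_provider", fallback="") != "ldap":
            continue
        uris = [u.strip() for u in cp.get(sec, "ldap_uri", fallback="").split(",") if u.strip()]
        start_tls = cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False)
        reqcert = cp.get(sec, "ldap_tls_reqcert", fallback="hard").lower()
        problems = []
        for uri in uris:
            if uri.startswith("ldap://") and not start_tls:
                # Identity lookups go in the clear; password authentication on this
                # URI only succeeds if the server offers STARTTLS, which sssd requires.
                problems.append(f"{uri}: plaintext LDAP, ldap_id_use_start_tls is off")
        if reqcert in ("never", "allow"):
            # The channel is encrypted but the peer is not verified, so an
            # impersonating directory server would go unnoticed.
            problems.append(f"ldap_tls_reqcert = {reqcert}: server certificate not verified")
        findings[domain] = problems
    return findings
```

On the question's file the ldaps:// URI passes, so the only finding is the disabled certificate check.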
