Linux and Windows authentication with sssd: Linux – trouble integrating sssd with Active Directory

I installed Debian Squeeze and sssd. When I try to log in to the server over ssh as the user 'alexwinner', I see this in the logs:

(Fri May 11 18:56:03 2012) [[sssd[krb5_child[26281]]]] [get_and_save_tgt] (1): 523: [-1765328360][Preauthentication failed]

But when I run kinit alexwinner, everything is fine and I receive a ticket.

This is my sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = MYDOMAIN.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

[domain/MYDOMAIN.COM]
description = LDAP domain with AD server
enumerate = true
min_id = 1000
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MYDOMAIN.COM
krb5_kdcip = 172.27.250.141
krb5_kpasswd = 172.27.250.141
ldap_pwd_policy = none
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_uri = ldap://172.27.250.141:3268/
ldap_schema = rfc2307bis
ldap_default_bind_dn = ECAAuthUser@mydomain.com
ldap_default_authtok_type = password
ldap_default_authtok = veryhardpassword
ldap_user_search_base = ou=linux,ou=users,ou=pro,dc=mydomain,DC=com
ldap_user_object_class = user
ldap_user_uid_number = uidNumber
ldap_user_gid_number = GIDNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID
ldap_group_search_base = OU=Linux,OU=Roles,DC=mydomain,DC=com
ldap_group_object_class = group
ldap_group_name = Name
ldap_group_gid_number = GidNumber
ldap_force_upper_case_realm = True

This is my krb5.conf:

[libdefaults]
    default_realm = MYDOMAIN.COM
    forwardable = true

[realms]
    MYDOMAIN.COM = {
        kdc = 172.27.250.141
        admin_server = 172.27.250.141
    }

I looked at the Kerberos packets with tcpdump and saw that the padata differs between the login and kinit.

What can I do?
