When using LDAP authentication with nss-pam-ldapd on a Debian Buster operating system, SASL/GSSAPI needs Kerberos authentication against the LDAP server with proxy authorization. I am trying to configure this on my Raspberry Pis to get single sign-on, but cannot get it to work.
uid=anyuser,ou=people,ou=home,dc=hoeft-online,dc=de
libnss-ldapd, libpam-ldapd, libsasl2-modules-gssapi-mit, libpam-krb5, libpam-ldapd
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils
/etc/nslcd.conf, /etc/nsswitch.conf
rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd
The settings I gave in the dialogs are:
rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de
# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=anyuser,ou=people,ou=home,dc=hoeft-online,dc=de
~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
getent passwd, /etc/passwd, /etc/passwd, getent
Best answer
The short answer
/etc/krb5.keytab, host/*, nscd, sudo systemctl disable --now nscd.service, nslcd
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=anyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: ingo@HOME.HOEFT-ONLINE.DE
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de
Then install:
rpi ~$ sudo apt install libnss-ldapd kstart
Just accept the defaults in the installation dialogs. Then overwrite them with these configuration files, using your own settings: nslcd.conf
~$ sudo cat /etc/nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# Logging options, default is info
#log syslog debug
# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de
# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de
# The DN to bind with for normal lookups.
binddn uid=anyuser,ou=people,ou=home,dc=hoeft-online,dc=de
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
nsswitch.conf
~$ cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/passwd
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo
Set up the PAM login with Kerberos authentication:
rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[ ] Create home directory on login
# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$
Install the nscd caching daemon (if it is already available, enable it):
rpi ~$ sudo apt install nscd
That's it.
More details
olcLogLevel: any
slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif
slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif
/etc/nslcd.conf
nscd, nslcd, nscd
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service
getent passwd, GSSAPI client step 1, /var/run/nslcd/nslcd.tkt, /etc/default/nslcd, /usr/bin/k5start
rpi ~$ sudo apt install kstart
Now the log shows GSSAPI starting at step 1 and then aborting.
libnss-ldapd
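The answer above ties three things together that are easy to get out of sync: the `krb5_ccname` in nslcd.conf, the ticket cache that k5start maintains from /etc/default/nslcd, and a `host/` principal in /etc/krb5.keytab for k5start to use. The script below is an added example, not code from the question or the answer: it runs a few offline pre-flight checks over configuration text only, so it needs neither a KDC nor an LDAP server. It assumes the `K5START_*` variable names found in Debian's /etc/default/nslcd, and the sample files it writes (the host FQDN `rpi.home.hoeft-online.de`, the `klist -k` listing, the nslcd.conf and nsswitch.conf contents) are constructed for the example; point the functions at the real files to check your own host.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): offline
# pre-flight checks for an nslcd + SASL/GSSAPI setup. Only configuration
# text is inspected, so no KDC or LDAP server is needed.
# Assumptions: K5START_* variable names as in Debian's /etc/default/nslcd;
# the sample files below are constructed and stand in for the real
# /etc/nslcd.conf, /etc/default/nslcd, /etc/nsswitch.conf and `klist -k`.

# First uncommented value of an nslcd.conf option (empty if unset).
nslcd_opt() {  # $1 = nslcd.conf path, $2 = option name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Ticket cache nslcd will use, with an optional FILE: prefix removed.
nslcd_ccache() {  # $1 = nslcd.conf path
    nslcd_opt "$1" krb5_ccname | sed 's/^FILE://'
}

# Ticket cache k5start is told to maintain; fails if k5start is not enabled.
k5start_ccache() {  # $1 = /etc/default/nslcd path
    grep -q '^K5START_START=yes' "$1" || return 1
    sed -n 's/^K5START_CCFILE=//p' "$1" | tail -n 1 | tr -d '"'
}

# 0 when sasl_mech is GSSAPI and both files name the same ticket cache.
gssapi_ccache_consistent() {  # $1 = nslcd.conf, $2 = /etc/default/nslcd
    [ "$(nslcd_opt "$1" sasl_mech)" = GSSAPI ] || return 1
    cc=$(nslcd_ccache "$1")
    k5=$(k5start_ccache "$2") || return 1
    [ -n "$cc" ] && [ "$cc" = "$k5" ]
}

# 0 when a `klist -k` listing contains a host/ principal for the FQDN,
# which is what k5start needs to obtain nslcd's ticket from the keytab.
keytab_has_host_principal() {  # $1 = klist -k output, $2 = host FQDN
    grep -q "^ *[0-9][0-9]* host/$2@" "$1"
}

# 0 when the given nsswitch database (passwd, group, shadow, ...) consults ldap.
nss_uses_ldap() {  # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                     END { exit !found }' "$1"
}

# Constructed sample files (kept in place so they can be inspected afterwards).
SAMPLE_DIR=$(mktemp -d)
NSLCD_CONF="$SAMPLE_DIR/nslcd.conf"
NSLCD_DEFAULT="$SAMPLE_DIR/default-nslcd"
NSSWITCH="$SAMPLE_DIR/nsswitch.conf"
KLIST_OUT="$SAMPLE_DIR/klist-k.txt"

cat > "$NSLCD_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldap://kdc-master.home.hoeft-online.de
base ou=home,dc=hoeft-online,dc=de
binddn uid=anyuser,ou=people,ou=home,dc=hoeft-online,dc=de
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
EOF

cat > "$NSLCD_DEFAULT" <<'EOF'
K5START_START=yes
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_PRINCIPAL=host/rpi.home.hoeft-online.de
K5START_CCFILE=/var/run/nslcd/nslcd.tkt
EOF

cat > "$NSSWITCH" <<'EOF'
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
EOF

# Constructed `klist -k` output: the keytab holds the host principal.
cat > "$KLIST_OUT" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rpi.home.hoeft-online.de@HOME.HOEFT-ONLINE.DE
EOF

# Run the checks; on a real host point them at the files under /etc instead.
report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; fi; }
report gssapi_ccache_consistent "$NSLCD_CONF" "$NSLCD_DEFAULT"
report keytab_has_host_principal "$KLIST_OUT" rpi.home.hoeft-online.de
report nss_uses_ldap "$NSSWITCH" passwd
```

A mismatch between `krb5_ccname` and `K5START_CCFILE` is exactly the situation in which nslcd starts the GSSAPI exchange and then aborts at client step 1, since it never finds a ticket in the cache it was told to read; the first check catches that before the log has to be read.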