Kerberos authentication fails for some users (RHEL SSSD, PAM - direct AD integration)

Question

I'm running into a problem where some users cannot log in to RHEL machines with their Active Directory accounts. I have been searching for a solution for many hours but can't seem to find anything, so any help is greatly appreciated.

The most important sssd.conf settings:

  • services = nss, pam
  • id_provider = ad
  • auth_provider = ad
  • access_provider = simple

/var/log/sssd/sssd_pam.log:

Colleague whose login succeeds:

(2024-09-25 14:50:47): [pam] [pd_set_primary_name] (0x0400): [CID#2] User's primary name is [email protected]
(2024-09-25 14:50:47): [pam] [pam_dp_send_req] (0x0100): [CID#2] Sending request with the following data:
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] command: SSS_PAM_SETCRED
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] domain: corporate.local
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] user: [email protected]
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] service: sshd
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] tty: ssh
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] ruser: not set
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] rhost: 10.20.30.40
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] authtok type: 0 (No authentication token available)
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] newauthtok type: 0 (No authentication token available)
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] priv: 1
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] cli_pid: 2254046
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] child_pid: 0
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] logon name: colleague_b
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] flags: 2
(2024-09-25 14:50:47): [pam] [pam_dom_forwarder] (0x0100): [CID#2] pam_dp_send_req returned 0
(2024-09-25 14:50:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#2] received: [0 (Success)][corporate.local]

Colleague whose login fails:

[pam] [pd_set_primary_name] (0x0400): [CID#11] User's primary name is [email protected]
(2024-09-25 12:36:47): [pam] [pam_dp_send_req] (0x0100): [CID#11] Sending request with the following data:
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] command: SSS_PAM_AUTHENTICATE
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] domain: corporate.local
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] user: [email protected]
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] service: sshd
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] tty: ssh
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] ruser: not set
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] rhost: 10.20.30.40
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] authtok type: 1 (Password)
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] newauthtok type: 0 (No authentication token available)
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] priv: 1
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] cli_pid: 2200955
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] child_pid: 0
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] logon name: colleague_a
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] flags: 2
(2024-09-25 12:36:47): [pam] [pam_dom_forwarder] (0x0100): [CID#11] pam_dp_send_req returned 0
(2024-09-25 12:36:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#11] received: [9 (Authentication service cannot retrieve authentication info)][corporate.local]
(2024-09-25 12:36:47): [pam] [pam_reply] (0x0400): [CID#11] Local auth policy allowed: smartcard [False], passkey [True]

According to Active Directory, the colleague who cannot log in has Full Control: effective access

active-directory kerberos rhel pam sssd
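Added example (not part of the question or the answer): a small POSIX shell/awk helper that walks an sssd_pam.log in the layout shown above, correlates the `command`, `logon name` and `received:` lines by their `[CID#n]` tag, and prints one verdict per request. The point is to separate a backend failure (PAM result 9, PAM_AUTHINFO_UNAVAIL, the code in the failing log above, which means SSSD/Kerberos could not complete the check at all) from an ordinary rejected password (PAM result 7, PAM_AUTH_ERR). It assumes SSSD is logging at a debug level that emits the pam_print_data (0x0100) and pam_dp_send_req_done (0x0200) lines; the sample log, including CID#12 and colleague_c, is constructed for the example.

```shell
#!/bin/sh
# Summarise PAM request outcomes from /var/log/sssd/sssd_pam.log, one line per CID.
# Added example, not from the question or the answer. Assumes the log line layout
# shown in the question (debug level high enough for pam_print_data / pam_dp_send_req_done).

sssd_pam_summary() {
    # Reads the log from the file given as $1, or from stdin when no argument is given.
    awk '
    # Every line of interest carries a [CID#n] tag; remember the current request id.
    match($0, /\[CID#[0-9]+\]/) { cid = substr($0, RSTART + 5, RLENGTH - 6) }

    # Collect the PAM command and logon name for this request.
    /\[pam_print_data\].*command: /    { sub(/.*command: /, "");    cmd[cid]  = $0 }
    /\[pam_print_data\].*logon name: / { sub(/.*logon name: /, ""); user[cid] = $0 }

    # The backend reply: "[code (message)][domain]". Keep "code (message)" and flag non-zero.
    /\[pam_dp_send_req_done\].*received: \[/ {
        sub(/.*received: \[/, ""); sub(/\].*/, "")
        code = $0; sub(/ .*/, "", code)
        status = (code == "0") ? "ok  " : "FAIL"
        printf "%s CID#%s %s user=%s result=%s\n", status, cid, cmd[cid], user[cid], $0
    }' "${1:--}"
}

sample_log() {
    # Constructed sample in the sssd_pam.log format: a successful setcred request,
    # an authentication the backend could not complete (result 9, the case in the
    # question), and a plain wrong password (result 7). CID#12/colleague_c are made up.
    cat <<'EOF'
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] command: SSS_PAM_SETCRED
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] logon name: colleague_b
(2024-09-25 14:50:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#2] received: [0 (Success)][corporate.local]
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] command: SSS_PAM_AUTHENTICATE
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] logon name: colleague_a
(2024-09-25 12:36:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#11] received: [9 (Authentication service cannot retrieve authentication info)][corporate.local]
(2024-09-25 12:40:02): [pam] [pam_print_data] (0x0100): [CID#12] command: SSS_PAM_AUTHENTICATE
(2024-09-25 12:40:02): [pam] [pam_print_data] (0x0100): [CID#12] logon name: colleague_c
(2024-09-25 12:40:02): [pam] [pam_dp_send_req_done] (0x0200): [CID#12] received: [7 (Authentication failure)][corporate.local]
EOF
}

# Run against the constructed sample. On a real host:  sssd_pam_summary /var/log/sssd/sssd_pam.log
sample_log | sssd_pam_summary
```

A result of 9 on an SSS_PAM_AUTHENTICATE request means the PAM responder never got a usable answer from the domain backend, so the next place to look is the domain and krb5_child logs under /var/log/sssd for that CID rather than the user's password; a 7 is the backend actually rejecting the credentials.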
1 Answer

I asked ChatGPT, and it looks like you might benefit from trying the following:

kinit [email protected]

Also, check that the time on the RHEL machine and the AD server is the same:

timedatectl status

In the sssd.conf file, try this:

access_provider = ad
krb5_auth = true

Maybe also try running this:

sss_cache -E
systemctl restart sssd

Maybe this will help too:

wbinfo -i colleague_a
getent passwd colleague_a

You can also look at these log files:

/var/log/krb5kdc.log
/var/log/secure

Happy troubleshooting!
