Allow domain users *and* local users on a CentOS 7 server

I need to allow domain users (userid and password) to access a CentOS 7 server, as well as local users (SSH key / passwordless). I have configured sshd_config with both AllowUsers and AllowGroups and assumed that if I added the local user to those, it should work. However, I get an error message when local users try to log in:

    sshd[23906]: pam_sss(sshd:account): Access denied for user datahub_push: 10 (User not known to the underlying authentication module)
    sshd[23906]: fatal: Access denied for user datahub_push by PAM account configuration [preauth]

Domain users work fine and have an entry in AllowGroups in sshd_config. After some googling, there is a suggestion that I need to change:

    /etc/pam.d/sshd

… but I'm not sure what to change, and is editing this file best practice? I.e., should I be using the authconfig tool?

Any help is much appreciated.

One solution collected from the web for “Allow domain users *and* local users on a CentOS 7 server”

I fixed this myself! I added the following line to /etc/pam.d/sshd:

    account sufficient pam_localuser.so

After restarting sshd I can now log in as both a domain user and a local user. Here is the full working file:

    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       substack     password-auth
    auth       include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth      optional     pam_reauthorize.so prepare
    account    sufficient   pam_localuser.so
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    session    include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session   optional     pam_reauthorize.so prepare

Hope this helps someone else 🙂
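Why the one-line fix works, as an added example that is not part of the original answer: a simplified model of how PAM walks the account rules, run against the answer's three account lines. The module outcomes and the treatment of `include password-auth` as a single step are assumptions made for the illustration.

```python
# Added example: simplified model of PAM control flags for one stack type.
# Assumptions: "include" is one opaque step (real PAM inlines the included
# rules) and bracketed controls such as [success=1 ...] are not modelled.

# Account rules from the answer's /etc/pam.d/sshd.
ACCOUNT_AFTER = """\
account    sufficient   pam_localuser.so
account    required     pam_nologin.so
account    include      password-auth
"""
# Constructed "before" stack: the same rules without the added line.
ACCOUNT_BEFORE = ACCOUNT_AFTER.split("\n", 1)[1]

# Constructed module outcomes. password-auth fails for the local user because
# pam_sss does not know the account (the error in the question's log).
LOCAL_USER = {"pam_localuser.so": True, "pam_nologin.so": True, "password-auth": False}
DOMAIN_USER = {"pam_localuser.so": False, "pam_nologin.so": True, "password-auth": True}


def parse_stack(text, pam_type="account"):
    """Return [(control, module)] for one PAM type, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == pam_type:
            rules.append((fields[1], fields[2]))
    return rules


def evaluate(rules, results):
    """Walk the stack; return (granted, modules_run, modules_skipped)."""
    failed, run = False, []
    for i, (control, module) in enumerate(rules):
        ok = results[module]
        run.append(module)
        # sufficient: success ends the stack unless a required rule failed earlier
        if control == "sufficient" and ok and not failed:
            return True, run, [m for _, m in rules[i + 1:]]
        # requisite: failure ends the stack immediately
        if control == "requisite" and not ok:
            return False, run, [m for _, m in rules[i + 1:]]
        # required (and the modelled include): failure is remembered, walk continues
        if control in ("required", "include") and not ok:
            failed = True
    return not failed, run, []


if __name__ == "__main__":
    for label, stack in (("before", ACCOUNT_BEFORE), ("after", ACCOUNT_AFTER)):
        for user, res in (("local", LOCAL_USER), ("domain", DOMAIN_USER)):
            print(label, user, evaluate(parse_stack(stack), res))
```

For the local user the "after" stack returns success with `pam_nologin.so` and `password-auth` reported as skipped, so an `/etc/nologin` file and any account checks inside `password-auth` no longer apply to local accounts logging in over SSH.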
