SSSD拒绝使用su登录LDAP：密码错误

我已经使用用户帐户设置了LDAP服务器。我已经成功配置了Rails应用程序以针对该LDAP服务器进行身份验证。我现在正在尝试将SSSD配置为针对LDAP进行身份验证，但它不喜欢单个用户密码。

错误：

$ su - leopetr4
Password:
su: incorrect password

SSSD可以识别用户，但不能识别密码：

$ id leopetr4
uid=9583(leopetr4) gid=9583(leopetr4) groups=9583(leopetr4)

用户记录如下所示：

# ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com"  -H ldaps://my_hostname.my_domain.com "(uid=leopetr4)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my_domain,dc=com> (default) with scope subtree
# filter: (uid=leopetr4)
# requesting: ALL
#

# leopetr4, People, my_domain.com
dn: uid=leopetr4,ou=People,dc=my_domain,dc=com
uid: leopetr4
cn: Leo Petr 40
sn: 40
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 16736
shadowMin: 1
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9583
gidNumber: 9583
homeDirectory: /mnt/home/leopetr4
mail: leo.petr+40@example.com
gecos: Leo Petr 40
userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

这是上述base64解码后的用户密码哈希：

{SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=

它与输出完全匹配 slappaswd -c {SHA} "that_password"

这是SSSD配置：

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
debug_level = 5

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

debug_level = 5

这是我尝试执行以下操作时的SSSD日志su - leopetr4：

# tail -f /var/log/secure /var/log/sssd/*.log

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=leopetr4]
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:10 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

==> /var/log/sssd/sssd.log <==
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging LDAP
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Mon Nov 30 12:32:12 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service LDAP replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Mon Nov 30 12:32:12 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping

==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost=  user=leopetr4

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=leopetr4]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_process_group_send] (0x0040): No Members. Done!
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [sdap_save_group] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: leopetr4
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: su-l
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: pts/3
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: leonsp
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost:
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 1586655
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
(Mon Nov 30 12:32:12 2015) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [7][LDAP]

==> /var/log/secure <==
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/3 ruser=leonsp rhost= user=leopetr4
Nov 30 12:32:12 my_domain su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

这是我尝试执行以下操作时的LDAP服务器日志su - leopetr4：

Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: slap_listener_activate(9):
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 busy
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: >>> slap_listener(ldaps:///)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: listen=9, new connection on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: added 31r (active) listener=(nil)
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 ACCEPT from IP=256.256.256.256:29338 (IP=0.0.0.0:636)
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 2 descriptors
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): unable to get TLS client DN, error=49 id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 TLS established tls_ssf=256 ssf=256
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x77, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 do_extended
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 STARTTLS
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_extended: err=1 oid= len=0
Nov 27 21:21:08 my_hostname slapd[15353]: send_ldap_response: msgid=1 tag=120 err=1
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=0 RESULT oid= err=1 text=TLS already started
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:  31r
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: read active on 31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_get(31): got connid=3358
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): checking for input on id=3358
Nov 27 21:21:08 my_hostname slapd[15353]: op tag 0x42, time 1448680868
Nov 27 21:21:08 my_hostname slapd[15353]: ber_get_next on fd 31 failed errno=0 (Success)
Nov 27 21:21:08 my_hostname slapd[15353]: connection_read(31): input error=-2 id=3358, closing.
Nov 27 21:21:08 my_hostname slapd[15353]: connection_closing: readying conn=3358 sd=31 for close
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: deferring conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 do_unbind
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 op=1 UNBIND
Nov 27 21:21:08 my_hostname slapd[15353]: connection_resched: attempting closing conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: connection_close: conn=3358 sd=31
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: removing 31
Nov 27 21:21:08 my_hostname slapd[15353]: conn=3358 fd=31 closed
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:08 my_hostname slapd[15353]:
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:08 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on 1 descriptor
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: activity on:
Nov 27 21:21:09 my_hostname slapd[15353]:  26r
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: read active on 26
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26)
Nov 27 21:21:09 my_hostname slapd[15353]: connection_get(26): got connid=3331
Nov 27 21:21:09 my_hostname slapd[15353]: connection_read(26): checking for input on id=3331
Nov 27 21:21:09 my_hostname slapd[15353]: op tag 0x63, time 1448680869
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 do_search
Nov 27 21:21:09 my_hostname slapd[15353]: >>> dnPrettyNormal: <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: <<< dnPrettyNormal: <dc=my_domain,dc=com>, <dc=my_domain,dc=com>
Nov 27 21:21:09 my_hostname slapd[15353]: SRCH "dc=my_domain,dc=com" 2 0
Nov 27 21:21:09 my_hostname slapd[15353]:     0 0 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: AND
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: PRESENT
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: NOT
Nov 27 21:21:09 my_hostname slapd[15353]: begin get_filter
Nov 27 21:21:09 my_hostname slapd[15353]: EQUALITY
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter_list
Nov 27 21:21:09 my_hostname slapd[15353]: end get_filter 0
Nov 27 21:21:09 my_hostname slapd[15353]:     filter: (&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
Nov 27 21:21:09 my_hostname slapd[15353]:     attrs:
Nov 27 21:21:09 my_hostname slapd[15353]:  objectClass
Nov 27 21:21:09 my_hostname slapd[15353]:  uid
Nov 27 21:21:09 my_hostname slapd[15353]:  userPassword
Nov 27 21:21:09 my_hostname slapd[15353]:  uidNumber
Nov 27 21:21:09 my_hostname slapd[15353]:  gidNumber
Nov 27 21:21:09 my_hostname slapd[15353]:  gecos
Nov 27 21:21:09 my_hostname slapd[15353]:  homeDirectory
Nov 27 21:21:09 my_hostname slapd[15353]:  loginShell
Nov 27 21:21:09 my_hostname slapd[15353]:  krbPrincipalName
Nov 27 21:21:09 my_hostname slapd[15353]:  cn
Nov 27 21:21:09 my_hostname slapd[15353]:  modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]:  modifyTimestamp
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowLastChange
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowMin
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowMax
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowWarning
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowInactive
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowExpire
Nov 27 21:21:09 my_hostname slapd[15353]:  shadowFlag
Nov 27 21:21:09 my_hostname slapd[15353]:  krbLastPwdChange
Nov 27 21:21:09 my_hostname slapd[15353]:  krbPasswordExpiration
Nov 27 21:21:09 my_hostname slapd[15353]:  pwdAttribute
Nov 27 21:21:09 my_hostname slapd[15353]:  authorizedService
Nov 27 21:21:09 my_hostname slapd[15353]:  accountExpires
Nov 27 21:21:09 my_hostname slapd[15353]:  userAccountControl
Nov 27 21:21:09 my_hostname slapd[15353]:  nsAccountLock
Nov 27 21:21:09 my_hostname slapd[15353]:  host
Nov 27 21:21:09 my_hostname slapd[15353]:  loginDisabled
Nov 27 21:21:09 my_hostname slapd[15353]:  loginExpirationTime
Nov 27 21:21:09 my_hostname slapd[15353]:  loginAllowedTimeMap
Nov 27 21:21:09 my_hostname slapd[15353]:  sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]:
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH base="dc=my_domain,dc=com" scope=2 deref=0 filter="(&(uid=leopetr4)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Nov 27 21:21:09 my_hostname slapd[15353]: conn=3331 op=122 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Nov 27 21:21:09 my_hostname slapd[15353]: ==> limits_get: conn=3331 op=122 self="[anonymous]" this="dc=my_domain,dc=com"
Nov 27 21:21:09 my_hostname slapd[15353]: => hdb_search

编辑：这/var/log/secure是登录尝试：

Nov 28 13:09:10 my_hostname su: pam_unix(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost=  user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): authentication failure; logname=root uid=1004 euid=0 tty=pts/1 ruser=leonsp rhost= user=leopetr4
Nov 28 13:09:10 my_hostname su: pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

这是pam配置：

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 type= reject_username
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so

PAM LDAP配置：

# cat /etc/pam_ldap.conf | grep -v '^#' | grep -v '^$'
base dc=my_domain,dc=com
uri ldaps://my_hostname.my_domain.com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5

也：

# authconfig --test | grep hashing
 password hashing algorithm is sha512

编辑2：通过pamtester进行身份验证有效，但通过su仍然不起作用：

[leonsp@my_hostname ~]$ pamtester login leopetr4 authenticate
Password:
pamtester: successfully authenticated

[leonsp@my_hostname ~]$ pamtester su leopetr4 authenticate
Password:
pamtester: Authentication failure

[leonsp@my_hostname ~]$ pamtester su-l leopetr4 authenticate
Password:
pamtester: successfully authenticated

SSSD为什么不让我以该用户身份登录？
我需要做一些事情来配置SSSD以匹配基本{SHA}哈希吗？
如何login确定su/ 认证和/ 认证之间的区别su-l？

— 狮子座
source

根据sssd日志，sssd既对您进行了身份验证，又允许其访问。我会查看您的发行版中的/ var / log / secure文件或等效文件，以查看其中有哪些PAM消息以及是否还有其他PAM模块在起作用。btl使用tls_reqcert = never并不是一个好主意，因为这样一来，即使您的CA不信任的证书也将被允许。哦，最后su发出的错误密码消息可能有任何含义-这只是实用程序具有的默认错误消息。

— jhrozek 2015年

@jhrozek我已经/var/log/secure为问题添加了pam配置详细信息

— Leo

您还可以编辑问题，以便日志也捕获身份验证失败吗？因为即使/ var / log / secure显示auth失败，但sssd_be日志仍显示成功：（Fri Nov 27 21:15:54 2015）[sssd [be [LDAP]]] [be_pam_handler_callback]（0x0100）：发送结果[ 0] [LDAP]能否请您编辑文件，以便捕获相同的PAM登录名，并且还有PAM响应程序日志？

— jhrozek 2015年

@jhrozek我已经重新捕获/var/log/secure并/var/log/sssd/*.log输出su - leopetr4。

— Leo

嗯，这真的很奇怪，域日志中没有其他内容了吗？您可以增加debug_level（最高为10）吗？顺便说一句，我检查了sdap_save_user源，获取UUID的失败不是致命的。

— jhrozek 2015年