Active-Directory
How do I map an Active Directory group to a NIS netgroup?
The goal is to be able to add
+ : @DL-MyCompany-MyTeam : ALL
to /etc/security/access.conf and have it work as expected. This is my sssd.conf:
[domain/default]
cache_credentials = True

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, ntp, proxy, root, smmsp, smmta, sshd, sync, sys, syslog, uucp, whoopsie, www-data
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/sh
shell_fallback = /bin/bash

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
cache_credentials = TRUE
ldap_referrals = false
ldap_uri = ldaps://10.244.128.118, ldaps://ldap.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=_example,OU=ServiceAccounts,OU=Accounts_User,DC=corp,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = secret-key
ldap_tls_reqcert = never
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/CORP-root.cer
ldap_user_search_base = ou=Accounts_User,dc=corp,dc=example,dc=com
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com?sub?gidNumber=*
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
override_gid = 65534
**Update:** I added @Andy's suggestion and then set the debug level to 10. This is what is in the log:
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=DL-MyCompany-MyTeam]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=Accounts_Group,dc=corp,dc=example,dc=com]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=DL-MyCompany-MyTeam)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com].
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x998d80], connected[1], ops[0x9dc280], ldap[0x991dc0]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
I should also point out that we are not using Kerberos on the Linux side, and these hosts are not joined to the AD realm.
First, hats off to you for getting sssd-ad working the hard way.
The simplest workaround for your setup is to treat the AD group as an "ldap" group rather than as a netgroup: drop the @ from the start of the group name
+ : DL-MyCompany-MyTeam : ALL
I'm not sure whether nested groups will work as expected.
Also, make sure pam_access is used in /etc/pam.d
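To show why dropping the @ changes the outcome, here is an added example that is not part of the question or the answer above: a deliberately simplified Python model of how pam_access evaluates the user field of an access.conf line. A token starting with @ is only ever tried as a netgroup (innetgr), a token in parentheses is only tried as a group, and a bare token is tried as a user name and then, unless the nodefgroup option is set, as a group name. The directory snapshot (GROUPS, NETGROUPS, the user names and the host name) is constructed for the example and stands in for what sssd would return; EXCEPT lists, tty origins and IP/netmask origins are not modelled.

```python
"""Simplified model of pam_access's access.conf evaluation (constructed example).

Models only what matters for the @netgroup vs. group question:
  permission field   : "+" or "-"
  user/group field   : ALL, @netgroup, (group), or a bare name
  origin field       : ALL, LOCAL, or an exact host name
EXCEPT lists, ttys and IP/netmask origins are intentionally left out.
"""
from typing import Dict, List, Set, Tuple

# Constructed directory snapshot standing in for sssd's NSS answers.
# AD groups resolve as POSIX groups via the ldap provider; no netgroups
# exist because nothing maps AD groups into NIS netgroups.
GROUPS: Dict[str, Set[str]] = {"DL-MyCompany-MyTeam": {"alice", "bob"}}
NETGROUPS: Dict[str, Set[str]] = {}  # constructed: empty, as in the question


def in_group(user: str, group: str) -> bool:
    """Stand-in for getgrnam()/initgroups() membership check."""
    return user in GROUPS.get(group, set())


def in_netgroup(user: str, netgroup: str) -> bool:
    """Stand-in for innetgr(); nothing here resolves AD groups as netgroups."""
    return user in NETGROUPS.get(netgroup, set())


Rule = Tuple[str, List[str], List[str]]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'perm : users : origins' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, users, origins = fields
        rules.append((perm, users.split(), origins.split()))
    return rules


def user_matches(token: str, user: str, nodefgroup: bool = False) -> bool:
    """How pam_access interprets one token of the user/group field."""
    if token == "ALL":
        return True
    if token.startswith("@"):          # netgroup only: never tried as a group
        return in_netgroup(user, token[1:])
    if token.startswith("(") and token.endswith(")"):
        return in_group(user, token[1:-1])  # explicit group
    if token == user:                  # bare name: user first ...
        return True
    return (not nodefgroup) and in_group(user, token)  # ... then group


def origin_matches(token: str, origin: str) -> bool:
    """Simplified origin matching: ALL, LOCAL (no '.' in origin), exact host."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    return token.lower() == origin.lower()


def check_access(conf: str, user: str, origin: str, nodefgroup: bool = False) -> bool:
    """First matching line decides; with no match pam_access grants access."""
    for perm, users, origins in parse_access_conf(conf):
        if any(user_matches(t, user, nodefgroup) for t in users) and any(
            origin_matches(t, origin) for t in origins
        ):
            return perm == "+"
    return True


# The two access.conf variants from the question and the answer, each with a
# trailing deny-all so that "no match" does not silently grant access.
NETGROUP_CONF = """
+ : @DL-MyCompany-MyTeam : ALL
- : ALL : ALL
"""
GROUP_CONF = """
+ : DL-MyCompany-MyTeam : ALL
- : ALL : ALL
"""

if __name__ == "__main__":
    host = "client.corp.example.com"  # constructed origin
    for name, conf in (("@netgroup form", NETGROUP_CONF), ("group form", GROUP_CONF)):
        print(f"{name}: alice -> {check_access(conf, 'alice', host)}, "
              f"carol -> {check_access(conf, 'carol', host)}")
```

Running it shows that with the @ form alice is denied (innetgr never succeeds because no netgroup exists), while with the bare group name she is allowed and the non-member carol is still denied. The same bare name is rejected again once nodefgroup is in effect, which is why `(DL-MyCompany-MyTeam)` is the unambiguous spelling when that option is enabled on the pam_access line.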