Active-Directory

如何將 Active Directory 組轉換為 NIS 網路組?

  • April 2, 2015

目標是能夠添加

+ : @DL-MyCompany-MyTeam : ALL

到 /etc/security/access.conf 並讓它按預期工作。這是我的 sssd.conf:

[domain/default]
cache_credentials = True

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, ntp, proxy, root, smmsp, smmta, sshd, sync, sys, syslog, uucp, whoopsie, www-data
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/sh
shell_fallback = /bin/bash

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
cache_credentials = TRUE
ldap_referrals = false
ldap_uri = ldaps://10.244.128.118, ldaps://ldap.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=_example,OU=ServiceAccounts,OU=Accounts_User,DC=corp,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = secret-key
ldap_tls_reqcert = never
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/CORP-root.cer

ldap_user_search_base = ou=Accounts_User,dc=corp,dc=example,dc=com
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com?sub?gidNumber=*

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_object_class = group

override_gid = 65534

**更新:**我添加了@Andy 的建議,然後將調試設置為 10。這是在日誌中:

(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=DL-MyCompany-MyTeam]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=Accounts_Group,dc=corp,dc=example,dc=com]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=DL-MyCompany-MyTeam)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com].
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x998d80], connected[1], ops[0x9dc280], ldap[0x991dc0]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Thu Apr  2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection

我還必須指出,我們沒有在 Linux 端使用 Kerberos,這些主機也沒有加入 AD 領域。

首先,我要向您以艱難的方式成功地完成 sssd-ad 表示敬意。

對您的設置最簡單的解決方法是將 AD 組視為“ldap”組,而不是網路組 - 從組名的開頭刪除 @

+ : DL-MyCompany-MyTeam : ALL

我不確定嵌套組是否會按預期工作。

此外,確保 pam_access 在 /etc/pam.d 中使用

引用自:https://serverfault.com/questions/679703