Linux

On Solaris I get a correct id mapping.. on Linux I don't. Why?

  • December 11, 2018

I use an Active Directory server for authentication; Solaris works fine when I follow this Howto.

Everything works, and my user "user1" gets the correct UID assigned in Windows AD, namely 10000.

On Linux, I followed this howto and I can join AD.. the user works, but.. the id is completely different: not 10000 but "uid=744201108". How do I get the correct uid on Linux? This is my sssd config:

[sssd]
domains = server.example
config_file_version = 2
services = nss, pam

[domain/server.example]
ad_domain = server.example
krb5_realm = SERVER.EXAMPLE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = false
fallback_homedir = /home/%u@%d
access_provider = ad

# needed to use correct active directory properties (Windows Server 2003)
ldap_schema = ad
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber

# id 
ldap_idmap_autorid_compat = true

The SSSD documentation covers this in detail. Essentially, by default, when SSSD is used to join a new domain, it allocates a block of UIDs designed to be unique to that domain, overriding any UID that AD may have assigned. This allows multiple domains to be used and ensures that users from all domains get unique UIDs.

I think this part of the documentation should give you the information you need. (Basically, set ldap_id_mapping = False, restart SSSD and clear the cache.)

Alternative solution: this sssd.conf works perfectly, based on the Solaris ldapclient settings.

[sssd]
domains = server.example
config_file_version = 2
services = nss, pam

[domain/server.example]
ad_domain = server.example
krb5_realm = SERVER.EXAMPLE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
min_id = 10000
max_id = 20000
override_homedir = /home/%u
access_provider = ldap
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://windowserver.example.domain
ldap_search_base = dc=server,dc=example
ldap_default_bind_dn = cn=proxyldap,cn=Users,dc=server,dc=example
ldap_default_authtok_type = password
ldap_default_authtok = *********YOURPASSHERE*****
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber
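The two answers above come down to one question: does SSSD synthesise UIDs from the object SID (ldap_id_mapping on, which is the default for id_provider = ad) or read a POSIX attribute from AD? The checker below is an added example, not part of the original thread or of SSSD; it parses abridged, constructed copies of the two sssd.conf files on this page and reports which case applies and what stands in the way of user1 getting UID 10000.

```python
import configparser

# Constructed, abridged from the two sssd.conf files on this page:
# the asker's original (AD provider, SID-based ID mapping on) ...
MAPPED_CONF = """
[sssd]
domains = server.example
[domain/server.example]
id_provider = ad
ldap_id_mapping = True
ldap_user_uid_number = msSFU30UidNumber
"""
# ... and the alternative that reads POSIX attributes straight from AD.
POSIX_CONF = """
[sssd]
domains = server.example
[domain/server.example]
id_provider = ldap
min_id = 10000
max_id = 20000
ldap_user_uid_number = uidNumber
"""

def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")

def check_uid_source(conf_text, expected_uid=None):
    """Return {"source": "sid" | "ldap", "problems": [...]} for the first domain.
    "sid": SSSD derives the UID from the object SID (the 744201108-style value
    on this page); "ldap": it reads the POSIX uidNumber-type attribute from AD."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domain = cp["sssd"]["domains"].split(",")[0].strip()
    sec = cp["domain/" + domain]
    provider = sec.get("id_provider", "")
    # SSSD default: ID mapping is on for id_provider = ad, off for ldap.
    mapping = _truthy(sec.get("ldap_id_mapping", "true" if provider == "ad" else "false"))
    problems = []
    if mapping:
        if "ldap_user_uid_number" in sec:
            problems.append("ldap_user_uid_number is ignored while ldap_id_mapping is on")
        if expected_uid is not None:
            problems.append("expected UID %d cannot come from AD: set ldap_id_mapping = False, "
                            "then run sss_cache -E and restart sssd" % expected_uid)
        return {"source": "sid", "problems": problems}
    lo = int(sec.get("min_id", "1"))          # SSSD defaults: min_id 1, max_id 0 (no limit)
    hi = int(sec.get("max_id", "0")) or None
    if expected_uid is not None and (expected_uid < lo or (hi and expected_uid > hi)):
        problems.append("UID %d is outside min_id/max_id %d-%s and will be filtered out"
                        % (expected_uid, lo, hi))
    return {"source": "ldap", "problems": problems}
```

Point it at /etc/sssd/sssd.conf on the Linux box to see which case you are in before touching the cache.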

Quoted from: https://unix.stackexchange.com/questions/487416