Solaris

Solaris ldap client and Samba4 AD ldap server: some strange things

  • January 24, 2021

I have configured Solaris to use ldap users. The ldap server is a Samba4 DC, the client is Solaris 11.4.

I have "joined" the server with this command

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=sasl/gssapi \
-a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
-a proxyPassword=******* \
-a defaultSearchBase=dc=mydom,dc=priv \
-a debugLevel=6 \
-a domainName=mydom.priv \
-a "defaultServerList=10.3.0.4" \
-a attributeMap=group:userpassword=unixUserPassword \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:cn=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=unixUserPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
-a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub 

The configuration returns OK

finger works, searching for user "pino" on Solaris

finger pino
Login name: pino                        In real life: pino
Directory: /home/pino                   Shell: /bin/bash
Never logged in.
No unread mail
No Plan.

ldaplist returns an error!

ldaplist passwd
ldaplist: libsldap.so.1 internal error

ldaplist -a sasl/GSSAPI passwd
ldaplist: (standalone auth error)
Configuration syntax error: Unable to set parameter from a client in __ns_ldap_setParam()

getent passwd works, but only 50%

getent passwd |grep pino
pino:x:3000014:100:pino:/home/pino:/bin/bash

getent passwd pino

id does not work

id pino
id: invalid user name: "pino"

What am I missing?

/etc/nsswitch.conf is fine

cp /etc/nsswitch.ldap /etc/nsswitch.conf

Found a solution/workaround, but only 50%

With this configuration (and Samba accepting unencrypted gssapi strong authentication), all commands work fine (ldaplist ok, id ok, su ok).

  ldapclient -v manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=simple \
    -a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
    -a proxyPassword=******* \
    -a defaultSearchBase=dc=mydom,dc=priv \
    -a debugLevel=6 \
    -a domainName=mydom.priv \
    -a "defaultServerList=10.3.0.4" \
    -a attributeMap=group:userpassword=unixUserPassword \
    -a attributeMap=group:gidnumber=gidNumber \
    -a attributeMap=passwd:cn=cn \
    -a attributeMap=passwd:gidnumber=gidNumber \
    -a attributeMap=passwd:uidnumber=uidNumber \
    -a attributeMap=passwd:homedirectory=HomeDirectory \
    -a attributeMap=passwd:unixhomedirectory=unixHomeDirectory \
    -a attributeMap=passwd:loginshell=loginShell \
    -a attributeMap=passwd:gecos=gecos \
    -a attributeMap=shadow:userpassword=unixUserPassword \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
    -a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub

But if I want to enable strong authentication on Samba and gssapi authentication on Solaris..

  ldapclient -v manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=sasl/gssapi \
    -a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
    -a proxyPassword=******* \
    -a defaultSearchBase=dc=mydom,dc=priv \
    -a debugLevel=6 \
    -a domainName=mydom.priv \
    -a "defaultServerList=10.3.0.4" \
    -a attributeMap=group:userpassword=unixUserPassword \
    -a attributeMap=group:gidnumber=gidNumber \
    -a attributeMap=passwd:cn=cn \
    -a attributeMap=passwd:gidnumber=gidNumber \
    -a attributeMap=passwd:uidnumber=uidNumber \
    -a attributeMap=passwd:homedirectory=HomeDirectory \
    -a attributeMap=passwd:unixhomedirectory=unixHomeDirectory \
    -a attributeMap=passwd:loginshell=loginShell \
    -a attributeMap=passwd:gecos=gecos \
    -a attributeMap=shadow:userpassword=unixUserPassword \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
    -a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub

Everything returns errors. A good solution would be to use starttls, but I want to use sasl. I have created the principals for the proxyldap user on the samba server

#!/bin/sh
NAME=proxyldap
SERV=ldap
HOST=solaris11
DOMAIN=mydom.priv
samba-tool user delete $NAME
samba-tool user create $NAME 22unix33AA@@@@
net ads enctypes set $NAME 24
samba-tool spn add $SERV/$DOMAIN $NAME
samba-tool spn add $SERV/$HOST.$DOMAIN $NAME
samba-tool domain exportkeytab $HOST.keytab --principal=$SERV/$DOMAIN
samba-tool domain exportkeytab $HOST.keytab --principal=$SERV/$HOST.$DOMAIN

On Solaris, copy the keytabs into krb5.keytab

(echo rkt solaris1.keytab; echo wkt /etc/krb5/krb5.keytab )|ktutil
(echo rkt solaris2.keytab; echo wkt /etc/krb5/krb5.keytab )|ktutil

But nothing works. Clear or not, what am I missing? ATM I accept this sad solution; if anyone knows a better working solution, please propose it and I will accept that answer as the final solution.
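As an added example, not code from the question or from Solaris: a POSIX shell lint for the `-a key=value` list handed to `ldapclient manual`. It checks the shape of attributeMap, objectClassMap and serviceSearchDescriptor values and catches a pitfall that is easy to hit in long command lines like the ones above: when a backslash continuation has no space before it and the next line starts at column 0, the shell fuses the value with the following `-a`, so one mapping is silently lost. The function names and the `--demo` flag are this example's own.

```shell
#!/bin/sh
# Lint the "-a key=value" list of an `ldapclient manual` invocation.
# Prints each problem found and returns 0 only when the list is well-formed.
# Parameter names other than the map/descriptor ones are passed through unchecked.
lint_ldapclient_args() {
    rc=0
    while [ $# -gt 0 ]; do
        if [ "$1" != "-a" ]; then
            echo "expected -a, found '$1' (did the previous value swallow it?)"
            rc=1; shift; continue
        fi
        shift
        [ $# -gt 0 ] || { echo "-a without a value"; return 1; }
        kv=$1; shift
        key=${kv%%=*}; val=${kv#*=}
        # A value ending in "-a" is the signature of a line-continuation join.
        case $val in *-a) echo "$key: '$val' ends in -a (missing space before the backslash?)"; rc=1;; esac
        case $key in
            attributeMap|objectClassMap)
                case $val in *:*=?*) ;;
                    *) echo "$key: '$val' is not service:name=name"; rc=1;; esac ;;
            serviceSearchDescriptor)
                case $val in *:*\?*) ;;
                    *) echo "$key: '$val' is not service:base?scope"; rc=1;; esac ;;
        esac
    done
    return $rc
}

# Constructed reproduction of the join: no space before the backslash and a
# continuation line starting at column 0 fuse "unixUserPassword" with "-a",
# leaving three words where four were intended.
joined_arg_count() {
    set -- -a attributeMap=group:userpassword=unixUserPassword\
-a attributeMap=group:gidnumber=gidNumber
    echo $#
}

if [ "${1:-}" = "--demo" ]; then
    echo "words after the join: $(joined_arg_count)"
    lint_ldapclient_args -a attributeMap=group:userpassword=unixUserPassword-a \
        attributeMap=group:gidnumber=gidNumber
fi
```

Feed the function the same `-a` pairs you would pass to `ldapclient`; a non-zero exit means at least one mapping would not reach the client as intended.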

Quoted from: https://unix.stackexchange.com/questions/630321