Users
What must be added to nsswitch.conf to show AD users and groups?
This is a follow-up to this question.
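I have a CentOS 7 machine that has been joined to the domain FOOBAR. User information stored in AD can be retrieved successfully with
id user@FOOBAR.GLOBAL
However, getent passwd and getent group do not show the users and groups defined in AD. These are the relevant lines in /etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
What needs to be added there?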
As @Doug O’Neal suggested in the comments, it is necessary to set
enumerate = true
in /etc/sssd/sssd.conf. Now getent passwd and getent group show all users and groups defined in AD.
Note that using this option is generally not recommended. From man sssd.conf:
(...)
enumerate (bool)
Determines if a domain can be enumerated. This parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration is running. It may take up to several minutes after SSSD startup to fully complete enumerations. During this time, individual requests for information will go directly to LDAP, though it may be slow, due to the heavy enumeration processing. Saving a large number of entries to cache after the enumeration completes might also be CPU intensive as the memberships have to be recomputed.
While the first enumeration is running, requests for the complete user or group lists may return no results until it completes.
Further, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups are completed successfully. For more information, refer to the man pages for the specific id_provider in use.
For the reasons cited above, enabling enumeration is not recommended, especially in large environments.
(...)
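Since the man page excerpt above advises against leaving enumeration on, the following shell function reports which [domain/...] sections of an sssd.conf set enumerate to true. It is an added example, not part of the original answer; the function names, the sample configuration and the second domain LAB.EXAMPLE are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an sssd.conf for
# domains that have enumeration enabled.

# enumerated_domains FILE -> prints the name of each [domain/NAME] section
# that contains "enumerate = true". The value is compared case-insensitively
# because the man page writes TRUE while the answer writes true.
enumerated_domains() {
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[.*\]/ {                      # section header
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section ~ /^domain\// && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "enumerate" && tolower(val) == "true")
                print substr(section, 8)       # drop the "domain/" prefix
        }
    ' "$1"
}

# Constructed sample configuration: one domain with enumeration on, one
# where the setting is commented out and then explicitly disabled.
sample_conf() {
    cat <<'EOF'
[sssd]
domains = FOOBAR.GLOBAL, LAB.EXAMPLE
services = nss, pam

[domain/FOOBAR.GLOBAL]
id_provider = ad
enumerate = true

[domain/LAB.EXAMPLE]
id_provider = ad
# enumerate = true
enumerate = false
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
enumerated_domains "$tmp"
rm -f "$tmp"
```

On a real host, pass /etc/sssd/sssd.conf (the file named in the answer) as the argument.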