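This is a follow-up to this question.
I have a CentOS 7 machine that is joined to the domain FOOBAR. Information about users stored in AD can be retrieved successfully with
id user@FOOBAR.GLOBAL
However, getent passwd and getent group do not show the users and groups defined in AD.
Here are the relevant lines from /etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
What needs to be added there?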
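Posted on 2018-08-10 12:57:35
As @Doug O'Neal suggested in the comments, it is necessary to set
enumerate = true
in /etc/sssd/sssd.conf.
Now getent passwd and getent group show all users and groups defined in AD.
Note that using this option is generally not recommended. From man sssd.conf: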
(...)
enumerate (bool)
Determines if a domain can be enumerated. This parameter can have one of the
following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration
is running. It may take up to several minutes after SSSD startup to fully complete
enumerations. During this time, individual requests for information will go directly
to LDAP, though it may be slow, due to the heavy enumeration processing. Saving a large
number of entries to cache after the enumeration completes might also be CPU intensive
as the memberships have to be recomputed.
While the first enumeration is running, requests for the complete user or group lists
may return no results until it completes.
Further, enabling enumeration may increase the time necessary to detect network
disconnection, as longer timeouts are required to ensure that enumeration
lookups are completed successfully. For more information, refer to the man pages for
the specific id_provider in use.
For the reasons cited above, enabling enumeration is not recommended, especially in
large environments.
(...)
https://unix.stackexchange.com/questions/461578
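Because the man page advises against enumeration, it is useful to know which domains have it switched on. The following is an added example, not part of the original question or answer: it lists the [domain/...] sections of an sssd.conf in which enumerate is true. The function names sssd_enum_domains and sample_conf and the sample configuration (including the lab.example domain) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SSSD domains that have enumeration enabled.
# Reads an sssd.conf from the file(s) given as arguments, or from stdin.

sssd_enum_domains() {
    awk '
        /^[ \t]*[#;]/ { next }                      # ignore comment lines
        /^[ \t]*\[/ {                               # section header
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            # only [domain/NAME] sections carry the enumerate option
            dom = (sec ~ /^domain\//) ? substr(sec, 8) : ""
            if (dom != "" && !(dom in on)) { order[++n] = dom; on[dom] = 0 }
            next
        }
        dom != "" && index($0, "=") {               # key = value inside a domain
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = tolower(substr($0, eq + 1))       # accept TRUE, True, true
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "enumerate") on[dom] = (val == "true")
        }
        # unset means the default (FALSE), so only explicit true is reported
        END { for (i = 1; i <= n; i++) if (on[order[i]]) print order[i] }
    ' "$@"
}

# Constructed sample configuration (not taken from the page).
sample_conf() {
    cat <<'EOF'
[sssd]
domains = FOOBAR.GLOBAL, lab.example
services = nss, pam

[domain/FOOBAR.GLOBAL]
id_provider = ad
enumerate = True

[domain/lab.example]
id_provider = ldap
# enumerate = true
EOF
}

# Demo on the constructed sample; on a real host pass /etc/sssd/sssd.conf.
sample_conf | sssd_enum_domains
```

On a real host, run it as root against /etc/sssd/sssd.conf, since that file is normally readable by root only.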