
Winbind wrong UID/GID

Server Fault user
Asked 2014-09-30 07:48:06
1 answer · 8.5K views · 0 followers · score 1

Here is the scenario:

I have two machines:

Ubuntu, running LDAP to authorize users.

CentOS, using winbind to authenticate users.

To mount shares, I use fstab and NFS shares.

The problem is:

On Ubuntu, the user looks like this in getent passwd:

```
john:x:3000052:1901:John Doe:/home/john:/bin/bash
```

But on CentOS, the same user looks like this in getent passwd:

```
john:*:16777228:16777218:John Doe:/home/john:/bin/bash
```

As you can see, the UID and GID do not match, and when the user tries to access the main server from CentOS, permission is denied. For AD users I want CentOS to have exactly the same UID and GID as Ubuntu.

I managed to find something about idmap in smb.conf, but I have not got it working yet.

```
[global]
idmap workgroup = MOSEK
idmap config MOSEK:backend  = rid
idmap config MOSEK:base_rid = 0
idmap config MOSEK:range    = 3000040 - 4999999

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
...autogenerated stuff
#--authconfig--end-line--
```

But this does not work.

I hope I have been clear about what I am trying to do.

Edit:

OK, here is what authconfig generated for me. Because of your answer, I think this may be relevant.

```
#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
password server = nyborg.mosek.zentyal
realm = MOSEK.ZENTYAL
security = ads
idmap config * : range = 1000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true

#--authconfig--end-line--
```

EDIT2: When I tried to give sssd.conf the correct permissions, it gave me a new error:

```
[root@centosy sssd]# journalctl -xn
-- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited,  code=exited status=1
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services    Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sssd.service has failed.
-- 
-- The result is failed.
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.
```

EDIT3:

OK, I followed your guidance; here is what I did from start to finish:

```
[root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
getsebool:  SELinux is disabled

[root@centosy sssd]# net ads join createupn=host/`hostname -f`@MOSEK.ZENTYAL -U tomas
Ignoring unknown parameter "idmap workgroup"
Ignoring unknown parameter "idmap workgroup"
Enter tomas's password:
Using short domain name -- MOSEK
Joined 'CENTOSY' to dns domain 'mosek.zentyal'
```

Here is my sssd.conf:

```
[sssd]
 config_file_version = 2
 domains = mosek.zentyal
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/mosek.zentyal]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/nyborg.mosek.zentyal@MOSEK.ZENTYAL
 ldap_sasl_canonicalize = false

 ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = MOSEK.ZENTYAL
 krb5_canonicalize = false
 krb5_server = mosek.zentyal
```

So now I restart sssd:

```
[root@centosy sssd]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
```

Edit 4:

Here is my nsswitch.conf:

```
passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus
```

1 Answer

Server Fault user

Posted 2014-10-01 16:38:42

The problem you are hitting is the use of the rid idmap.

This uses an algorithm to generate a random number for the UID between the limits you set in the range, which is always different between hosts.

What you need instead is the ads idmap, which means the ids need to exist in AD and LDAP.

If you only care about accessing UNIX groups and basic attributes, and not all AD groups, then winbind is unnecessary.

Configure kerberos by populating /etc/krb5.conf and have an smb.conf similar to the following:

```
[global]
workgroup = ADIRE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = adire.XXX.XX.uk
realm = ADIRE.XXX.XXX.UK
security = ads
client ldap sasl wrapping = sign
```

To make this easier you can let sssd control everything, but get it working first!

A good general overview of the options you have is here.

To configure a CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (substituting your domain details):

```
authconfig  --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads
```

Then join the host to the domain and create a kerberos /etc/krb5.keytab file:

```
net ads join createupn=host/`hostname -f`@ADIRE.DOMAIN.CO.UK -U priviledged_user
kinit @ADIRE.DOMAIN.CO.UK
net ads keytab create
net ads keytab add host/`hostname -f`@ADIRE.DOMAIN.CO.UK
```

This will enable sssd, and you can have all the mappings in (/etc/sssd/sssd.conf):

```
[sssd]
 config_file_version = 2
 domains = adire.domain.co.uk
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/adire.domain.co.uk]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/servername.domain.co.uk@ADIRE.DOMAIN.CO.UK
 ldap_sasl_canonicalize = false

 ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = ADIRE.DOMAIN.CO.UK
 krb5_canonicalize = false
 krb5_server = adire.domain.co.uk
```

Make sure sssd is set to start on boot, and restart it after running the authconfig command and joining the domain.

Score 2
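As an added example, not code from the post or from Samba: a Python script that applies the mapping idmap_rid(8) documents (ID = RID - BASE_RID + LOW_RANGE_ID) to the two ranges that appear in the question, and that flags users whose UID/GID differ between hosts using the two getent passwd lines quoted above. The RID value 12 is a constructed sample, not taken from the page.

```python
# Added example (not from the Server Fault post). Reproduces the idmap_rid
# formula from idmap_rid(8) and checks two hosts' getent output for drift.
# RID 12 below is a constructed sample value.

def rid_to_id(rid, base_rid, low, high):
    """Map a Windows RID to a Unix ID the way idmap_rid does.

    Returns None when the result falls outside the configured range,
    which is how winbind reports the SID as unmapped.
    """
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id

def parse_passwd(line):
    """Split one getent passwd line into (name, uid, gid)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry: %r" % line)
    return fields[0], int(fields[2]), int(fields[3])

def id_mismatches(entries_by_host):
    """Return {user: {host: (uid, gid)}} for users whose numeric ids differ
    across hosts. NFS compares numeric ids only, so such users are denied
    access to files they own on the other host."""
    seen = {}
    for host, lines in entries_by_host.items():
        for line in lines:
            name, uid, gid = parse_passwd(line)
            seen.setdefault(name, {})[host] = (uid, gid)
    return {u: h for u, h in seen.items() if len(set(h.values())) > 1}

# The two getent passwd lines quoted in the question.
GETENT = {
    "ubuntu": ["john:x:3000052:1901:John Doe:/home/john:/bin/bash"],
    "centos": ["john:*:16777228:16777218:John Doe:/home/john:/bin/bash"],
}

if __name__ == "__main__":
    # Same RID and same range on both hosts yields the same UID...
    print(rid_to_id(12, 0, 3000040, 4999999))   # 3000052
    # ...while the authconfig default range yields a different one.
    print(rid_to_id(12, 0, 1000, 999999))       # 1012
    for user, hosts in id_mismatches(GETENT).items():
        print("%s differs across hosts: %s" % (user, hosts))
```

Running it against real hosts means replacing GETENT with the output of `getent passwd <user>` collected from each machine; any user it reports is one that will hit permission errors on a shared NFS export until both hosts use the same id source.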
Page content originally from Server Fault. Original question: https://serverfault.com/questions/632343
