在 Solaris 上我得到了很好的 id 映射..在 linux 上却没有，为什么？

Question 1

这SSSD 文档对此进行一些详细介绍。本质上，默认情况下，当 SSSD 用于加入新域时，它会分配一个设计为该域唯一的 UID 块，覆盖 AD 可能已分配的任何 UID 块。这允许使用多个域，并确保来自所有域的用户获得唯一的 UID。

这部分我认为这些文档可以为您提供所需的信息。（基本上，设置ldap_id_mapping = False，重新启动SSSD并清除缓存）

Answer

这SSSD 文档对此进行一些详细介绍。本质上，默认情况下，当 SSSD 用于加入新域时，它会分配一个设计为该域唯一的 UID 块，覆盖 AD 可能已分配的任何 UID 块。这允许使用多个域，并确保来自所有域的用户获得唯一的 UID。

这部分我认为这些文档可以为您提供所需的信息。（基本上，设置ldap_id_mapping = False，重新启动SSSD并清除缓存）

Question 2

替代解决方案，使用此 sssd.conf 效果完美，基于Solaris的ldapclient设置。

[sssd]
domains = server.example
config_file_version = 2
services = nss, pam

[domain/server.example]
ad_domain = server.example
krb5_realm = SERVER.EXAMPLE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
min_id = 10000
max_id = 20000
override_homedir = /home/%u
access_provider = ldap
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://windowserver.example.domain
ldap_search_base = dc=server,dc=example
ldap_default_bind_dn = cn=proxyldap,cn=Users,dc=server,dc=example
ldap_default_authtok_type = password
ldap_default_authtok = *********YOURPASSHERE*****
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber

Answer

替代解决方案，使用此 sssd.conf 效果完美，基于Solaris的ldapclient设置。

[sssd]
domains = server.example
config_file_version = 2
services = nss, pam

[domain/server.example]
ad_domain = server.example
krb5_realm = SERVER.EXAMPLE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
min_id = 10000
max_id = 20000
override_homedir = /home/%u
access_provider = ldap
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://windowserver.example.domain
ldap_search_base = dc=server,dc=example
ldap_default_bind_dn = cn=proxyldap,cn=Users,dc=server,dc=example
ldap_default_authtok_type = password
ldap_default_authtok = *********YOURPASSHERE*****
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber

在 Solaris 上我得到了很好的 id 映射..在 linux 上却没有，为什么？

答案1

答案2

相关内容