我们按下面的 sssd 配置把一台 Linux 服务器(CentOS 7)接入了 Active Directory。问题是:用户在 AD 中所属的某些组,在启用了 sssd 的 Linux 服务器上并不会显示出来。
例如,我在 AD 中创建了一个组 g1,并把 AD 用户 user001 加入该组;但通过 ssh 登录 Linux 服务器后执行 `id user001`,为该用户列出的组里并不包含这个新建的组。
# sssd.conf as posted: a single AD domain (co.local) served by the "ad"
# provider for identity, authentication, access control and password changes.
[sssd]
domains = co.local
config_file_version = 2
services = nss, pam, pac
[domain/co.local]
ad_domain = co.local
# NOTE(review): the status output further down logs "KDC has no support for
# encryption type" on the GSSAPI bind. That message usually points at a
# mismatch between the encryption types in the host keytab and those the
# domain controllers still accept; compare `klist -ke /etc/krb5.keytab`
# with the DC policy before chasing the group problem -- confirm.
krb5_realm = CO.LOCAL
auth_provider = ad
access_provider = ad
chpass_provider = ad
# The tag suggests the join was done with samba (net ads) rather than
# adcli, so the host keytab is presumably managed by samba -- verify.
realmd_tags = manages-system joined-with-samba
# Credential caching is off here while the krb5 key two lines down asks
# sssd to keep the password for offline use; check that this combination
# is intended.
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# NOTE(review): with ID mapping disabled, sssd takes uid/gid values from
# the POSIX attributes (uidNumber/gidNumber) stored on the AD objects and
# does not return objects that lack them. A group created in AD without a
# gidNumber would therefore be missing from `id` output even though the
# user is a member -- worth confirming for g1 before debugging further.
ldap_id_mapping = False
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_domain_suffix = co.local
# NOTE(review): enumerating the whole domain is discouraged for AD and is a
# known source of slow or stale group data. Membership changes can also sit
# in the local cache until it expires or is flushed (`sss_cache -E`), so
# flush it before treating a missing group as a lookup failure.
enumerate = true
查看 sssd 服务的状态输出,我看到……
[root@myserver~]# service sssd status -l
Redirecting to /bin/systemctl status -l sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-02-21 17:25:19 HST; 3 days ago
Main PID: 11677 (sssd)
CGroup: /system.slice/sssd.service
├─11677 /usr/sbin/sssd -i --logger=files
├─11678 /usr/libexec/sssd/sssd_be --domain co.local --uid 0 --gid 0 --logger=files
├─11679 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─11680 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─11681 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd[be[co.local]][11678]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:10:29 myserver.co.local sssd_be[11678]: GSSAPI client step 2
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 1
Feb 25 14:25:28 myserver.co.local sssd_be[11678]: GSSAPI client step 2
再查看 /var/log/sssd 目录下的日志,我能找到的最有实质意义的内容是……
[root@hwdatalake ~]# cat /var/log/sssd/sssd_nss.log-20200224
(Sun Feb 16 04:17:11 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Sun Feb 16 05:57:15 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error
...
...
...
(Tue Feb 18 09:38:59 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 11:19:03 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 12:59:06 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Tue Feb 18 13:16:14 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Feb 18 19:41:24 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Feb 18 19:56:09 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Wed Feb 19 12:27:30 2020) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
有 sssd 经验的人能看出这里发生了什么吗?有什么调试建议吗?(我没有 sssd 经验,也不是最初在这台服务器上配置它的人。)