我已将 Solaris 配置为使用 ldap 用户。 ldap服务器是Samba4 DC,客户端是Solaris 11.4。
我已经用这个命令“加入”服务器
ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=sasl/gssapi \
-a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
-a proxyPassword=******* \
-a defaultSearchBase=dc=mydom,dc=priv \
-a debugLevel=6 \
-a domainName=mydom.priv \
-a "defaultServerList=10.3.0.4" \
-a attributeMap=group:userpassword=unixUserPassword\
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:cn=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=unixUserPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
-a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub
配置返回OK
Finger 工作,在 Solaris 上搜索用户“pino”
finger pino
Login name: pino In real life: pino
Directory: /home/pino Shell: /bin/bash
Never logged in.
No unread mail
No Plan.
ldaplist返回错误!
ldaplist passwd
ldaplist: libsldap.so.1 internal error
ldaplist -a sasl/GSSAPI passwd
ldaplist: (standalone auth error)
Configuration syntax error: Unable to set parameter from a client in __ns_ldap_setParam()
getent passwd 可以工作,但只有 50%
getent passwd |grep pino
pino:x:3000014:100:pino:/home/pino:/bin/bash
getent passwd pino
id 不起作用
id pino
id: invalid user name: "pino"
我想念什么?
/etc/nsswitch.conf 没问题
cp /etc/nsswitch.ldap /etc/nsswitch.conf
答案1
已找到解决方案/解决方法,但仅完成 50%
通过此配置(并且 Samba 接受非加密 gssapi 强身份验证),所有命令都可以正常工作(ldaplist ok、id ok、su ok)。
ldapclient -v manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
-a proxyPassword=******* \
-a defaultSearchBase=dc=mydom,dc=priv \
-a debugLevel=6 \
-a domainName=mydom.priv \
-a "defaultServerList=10.3.0.4" \
-a attributeMap=group:userpassword=unixUserPassword\
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:cn=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=HomeDirectory \
-a attributeMap=passwd:unixhomedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=passwd:gecos=gecos \
-a attributeMap=shadow:userpassword=unixUserPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
-a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub
但如果我想在 Samba 上启用强身份验证并在 Solaris 上启用 gssapi 身份验证..
ldapclient -v manual \
-a credentialLevel=proxy \
-a authenticationMethod=sasl/gssapi \
-a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
-a proxyPassword=******* \
-a defaultSearchBase=dc=mydom,dc=priv \
-a debugLevel=6 \
-a domainName=mydom.priv \
-a "defaultServerList=10.3.0.4" \
-a attributeMap=group:userpassword=unixUserPassword\
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:cn=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=HomeDirectory \
-a attributeMap=passwd:unixhomedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=passwd:gecos=gecos \
-a attributeMap=shadow:userpassword=unixUserPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
-a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub
全部返回错误。一个好的解决方案是使用 starttls,但我想使用 sasl。我已经在 samba 服务器上为 proxyldap 用户创建了主体
#!/bin/sh
NAME=proxyldap
SERV=ldap
HOST=solaris11
DOMAIN=mydom.priv
samba-tool user delete $NAME
samba-tool user create $NAME 22unix33AA@@@@
net ads enctypes set $NAME 24
samba-tool spn add $SERV/$DOMAIN $NAME
samba-tool spn add $SERV/$HOST.$DOMAIN $NAME
samba-tool domain exportkeytab $HOST.keytab --principal=$SERV/$DOMAIN
samba-tool domain exportkeytab $HOST.keytab --principal=$SERV/$HOST.$DOMAIN
复制了 solaris 上 krb5.keytab 上的选项卡
(echo rkt solaris1.keytab; echo wkt /etc/krb5/krb5.keytab )|ktutil
644 (echo rkt solaris2.keytab; echo wkt /etc/krb5/krb5.keytab )|ktutil
但没有任何作用。清楚还是什么都没有,我想念什么? ATM 我接受这个悲伤的解决方案,如果有人知道更好的工作解决方案,请提出,我会接受答案作为最终解决方案。