Solaris 客户端 ldap 和 Samba4 AD ldap 服务器:一些奇怪的事情

tag-icon tag-icon solaris ldap
Solaris 客户端 ldap 和 Samba4 AD ldap 服务器:一些奇怪的事情

我已将 Solaris 配置为使用 ldap 用户。 ldap服务器是Samba4 DC,客户端是Solaris 11.4。

我已经用这个命令“加入”服务器

ldapclient manual \
 -a credentialLevel=proxy \
 -a authenticationMethod=sasl/gssapi \
 -a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
 -a proxyPassword=******* \
 -a defaultSearchBase=dc=mydom,dc=priv \
 -a debugLevel=6 \
 -a domainName=mydom.priv \
 -a "defaultServerList=10.3.0.4" \
 -a attributeMap=group:userpassword=unixUserPassword\
 -a attributeMap=group:gidnumber=gidNumber \
 -a attributeMap=passwd:cn=cn \
 -a attributeMap=passwd:gidnumber=gidNumber \
 -a attributeMap=passwd:uidnumber=uidNumber \
 -a attributeMap=passwd:homedirectory=homeDirectory \
 -a attributeMap=passwd:loginshell=loginShell \
 -a attributeMap=shadow:userpassword=unixUserPassword \
 -a objectClassMap=group:posixGroup=group \
 -a objectClassMap=passwd:posixAccount=user \
 -a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
 -a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub

配置返回OK

Finger 工作,在 Solaris 上搜索用户“pino”

finger pino
Login name: pino                        In real life: pino
Directory: /home/pino                   Shell: /bin/bash
Never logged in.
No unread mail
No Plan.

ldaplist返回错误!

ldaplist passwd
ldaplist: libsldap.so.1 internal error

ldaplist -a sasl/GSSAPI passwd
ldaplist: (standalone auth error)
Configuration syntax error: Unable to set parameter from a client in __ns_ldap_setParam()

getent passwd 可以工作,但只有 50%

getent passwd |grep pino
pino:x:3000014:100:pino:/home/pino:/bin/bash

getent passwd pino

id 不起作用

id pino
id: invalid user name: "pino"

我想念什么?

/etc/nsswitch.conf 没问题

cp /etc/nsswitch.ldap /etc/nsswitch.conf

答案1

已找到解决方案/解决方法,但仅完成 50%

通过此配置(并且 Samba 接受非加密 gssapi 强身份验证),所有命令都可以正常工作(ldaplist ok、id ok、su ok)。

   ldapclient -v manual \
     -a credentialLevel=proxy \
     -a authenticationMethod=simple \
     -a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
     -a proxyPassword=******* \
     -a defaultSearchBase=dc=mydom,dc=priv \
     -a debugLevel=6 \
     -a domainName=mydom.priv \
     -a "defaultServerList=10.3.0.4" \
     -a attributeMap=group:userpassword=unixUserPassword\
     -a attributeMap=group:gidnumber=gidNumber \
     -a attributeMap=passwd:cn=cn \
     -a attributeMap=passwd:gidnumber=gidNumber \
     -a attributeMap=passwd:uidnumber=uidNumber \
     -a attributeMap=passwd:homedirectory=HomeDirectory \
     -a attributeMap=passwd:unixhomedirectory=unixHomeDirectory \
     -a attributeMap=passwd:loginshell=loginShell \
     -a attributeMap=passwd:gecos=gecos \
     -a attributeMap=shadow:userpassword=unixUserPassword \
     -a objectClassMap=group:posixGroup=group \
     -a objectClassMap=passwd:posixAccount=user \
     -a objectClassMap=shadow:shadowAccount=user \
     -a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
     -a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub

但如果我想在 Samba 上启用强身份验证并在 Solaris 上启用 gssapi 身份验证..

   ldapclient -v manual \
     -a credentialLevel=proxy \
     -a authenticationMethod=sasl/gssapi \
     -a proxyDN=cn=proxyldap,cn=Users,dc=mydom,dc=priv \
     -a proxyPassword=******* \
     -a defaultSearchBase=dc=mydom,dc=priv \
     -a debugLevel=6 \
     -a domainName=mydom.priv \
     -a "defaultServerList=10.3.0.4" \
     -a attributeMap=group:userpassword=unixUserPassword\
     -a attributeMap=group:gidnumber=gidNumber \
     -a attributeMap=passwd:cn=cn \
     -a attributeMap=passwd:gidnumber=gidNumber \
     -a attributeMap=passwd:uidnumber=uidNumber \
     -a attributeMap=passwd:homedirectory=HomeDirectory \
     -a attributeMap=passwd:unixhomedirectory=unixHomeDirectory \
     -a attributeMap=passwd:loginshell=loginShell \
     -a attributeMap=passwd:gecos=gecos \
     -a attributeMap=shadow:userpassword=unixUserPassword \
     -a objectClassMap=group:posixGroup=group \
     -a objectClassMap=passwd:posixAccount=user \
     -a objectClassMap=shadow:shadowAccount=user \
     -a serviceSearchDescriptor=passwd:dc=mydom,dc=priv?sub \
     -a serviceSearchDescriptor=group:dc=mydom,dc=priv?sub

全部返回错误。一个好的解决方案是使用 starttls,但我想使用 sasl。我已经在 samba 服务器上为 proxyldap 用户创建了主体

#!/bin/sh
NAME=proxyldap
SERV=ldap
HOST=solaris11
DOMAIN=mydom.priv
samba-tool user delete $NAME
samba-tool user create $NAME 22unix33AA@@@@
net ads enctypes set $NAME 24
samba-tool spn add $SERV/$DOMAIN $NAME
samba-tool spn add $SERV/$HOST.$DOMAIN $NAME
samba-tool domain exportkeytab $HOST.keytab --principal=$SERV/$DOMAIN
samba-tool domain exportkeytab $HOST.keytab --principal=$SERV/$HOST.$DOMAIN

复制了 solaris 上 krb5.keytab 上的选项卡

(echo rkt solaris1.keytab; echo wkt /etc/krb5/krb5.keytab )|ktutil
  644  (echo rkt solaris2.keytab; echo wkt /etc/krb5/krb5.keytab )|ktutil

但没有任何作用。清楚还是什么都没有,我想念什么? ATM 我接受这个悲伤的解决方案,如果有人知道更好的工作解决方案,请提出,我会接受答案作为最终解决方案。

相关内容