几天来,我一直在尝试在 CentOS 6 上实现 LDAP 身份验证和 NFS 导出主目录。现在,我可以使用 LDAP 中的用户名和密码登录到客户端计算机。在客户端上,/home 和 /opt 通过 NFS 安装在 fstab 中。但是,/opt 和 /home 中的每个文件都归nobody:nobody客户端上的 (uid: 99, gid: 99) 所有。
但是我的 uid 和 gid 似乎设置正确:
-bash-4.1$ id
uid=3000(myusername) gid=3000(employees) groups=3000(employees)
我还能检查什么?以下是我客户端上的一些配置文件:
/etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
[pam]
[domain/default]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=mycompany,dc=com
id_provider = ldap
ldap_uri = ldaps://server.subdomain.mycompany.com
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand
/etc/fstab
/dev/mapper/vg_main-lv_root / ext4 defaults 1 1
UUID=4e43a15d-4dc0-4836-8fa6-c3445fde756c /boot ext4 defaults 1 2
/dev/mapper/vg_main-lv_swap swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
storage1:/nas/home /home nfs soft,intr,rsize=8192,wsize=8192
storage1:/nas/opt /opt nfs soft,intr,rsize=8192,wsize=8192
authconfig 输出:
[root@test1 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldaps://server.subdomain.mycompany.com"
LDAP base DN = "dc=mycompany,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldaps://server.subdomain.mycompany.com"
LDAP base DN = "dc=mycompany,dc=com"
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
答案1
需要为 Google 搜索者添加一条注释 - 我们遇到了同样的问题,无论我们做什么,nfs 挂载都无法正确映射用户 ID。
问题在于 idmapd 从错误配置中缓存了错误的 id,并且无法修复配置来解决这个问题。
centos 上修复此问题的命令是 nfsidmap -c(清除缓存)。
希望这可以帮助一些绝望的搜索者。
答案2
解决了!
/var/log/messages当我尝试挂载来自远程客户端的导出时,我偶然注意到 NFS 服务器上的这一行:
Feb 28 15:54:02 storage1 rpc.idmapd[1651]: nss_getpwnam: name 'nobody' does not map into domain 'localdomain'
这让我看了前几行/etc/idmapd.conf:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu
然后我Domain=subdomain.mycompany.com在注释掉的“域”行下添加了内容。保存,退出,然后/etc/init.d/rpcidmapd restart运行/etc/init.d/nfs restart。
答案3
您的 NFS 服务器是否运行 Centos/RHEL 5?
如果是,则它正在导出 NFSv3。NFSv4 现在是 Centos6(以及最近的 Ubuntu 变体)的默认设置。
快速解决方法是在 /etc/fstab 中的挂载选项中添加“vers=3”。
例如
//10.0.0.1:/home /home nfs 默认值,vers=3,rw,noatime 0 0
答案4
所有映射到“nobody”的东西听起来都像是打开了 all_squash。
看一眼:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-server-config-exports.html
并验证 NFS 服务器的 /etc/exports 文件不会无意中压缩 UID。“no_all_squash” 应该是默认值,但您可以尝试明确设置它并查看会发生什么。