我正在尝试使用 sssd 同步我的 Debian 服务器。
当我运行 时getent passwd username@domain
,没有返回用户。日志显示这是因为我在 ldap 查找中缺少 uid。但是,我清楚地知道在设置 时我不需要它ldap_id_mapping = true
。
该事件的完整日志如下:
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_user] (0x0020): no uid provided for [nmw] in domain [netdesign.dk].
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_user] (0x0040): Failed to save user [somedude]
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_users] (0x0040): Failed to check aliases for user 0. Ignoring.
设置文件是:
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = companyName.dk
[domain/companyName.dk]
#With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd [email protected]
enumerate = false
cache_credentials = true
debug_level = 3
ldap_id_mapping = true
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://172.23.1.41:636,ldaps://172.23.1.42:636
ldap_search_base = ou=companyname,dc=companyName,dc=dk
#ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
#This parameter requires that the DC present a completely validated certificate chain. If you're testing or don't care, use 'allow' or 'never'.
ldap_tls_reqcert = allow
krb5_realm = COMPANYNAME.DK
dns_discovery_domain = COMPANYNAME.DK
#ldap_schema = rfc2307bis
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_search_base = ou=Users,ou=companyName,dc=companyName,dc=dk
ldap_group_search_base = ou=Roles,ou=Security Groups,ou=companyName,dc=companyName,dc=dk
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
fallback_homedir = /home/%d/%u
shell_fallback = /bin/bash
#Bind credentials
ldap_default_bind_dn = cn=user,ou=Service,ou=Misc accounts,ou=companyName,dc=companyName,dc=dk
ldap_default_authtok = 1nc0gn370
安装的软件包包括
sssd libpam-sss libnss-sss
我在这里到底做错了什么?
编辑/新增:
我尝试将调试级别更改为 7,并将“id_provider”和“access_provider”设置为“ad”
这是结果日志:
(Tue Jan 27 09:44:00 2015) [sssd[be[companyName.dk]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [be_client_destructor] (0x0400): Removed NSS client
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.companyName.DK], [2][No such file or directory]
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.companyName.DK], [2][No such file or directory]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 1911E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3731 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3731,guid=cb367efaa8d3c54884cd2f9454c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 878E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3732 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3732,guid=76e5c03e58d9e5107828a0fc54c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 99CE20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3733 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3733,guid=1e822671b672f1c8f023390554c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection BC2E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3734 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3734,guid=58592e3c74d2a142966a571654c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
我认为 libsss_ad.so 文件应该在这里,但是它不在。
user@server:/usr/lib/x86_64-linux-gnu/sssd$ ls -l
total 3868
-rw-r--r-- 1 root root 1405048 Mar 4 2013 libsss_ipa.so
-rw-r--r-- 1 root root 585784 Mar 4 2013 libsss_krb5.so
-rw-r--r-- 1 root root 1081880 Mar 4 2013 libsss_ldap.so
-rw-r--r-- 1 root root 479160 Mar 4 2013 libsss_proxy.so
-rw-r--r-- 1 root root 389400 Mar 4 2013 libsss_simple.so
drwxr-xr-x 2 root root 4096 Jan 26 15:05 modules
sssd_ad 模块是否不包含在 Debian 稳定版本中?
答案1
首先,您没有说明您使用的是哪个 SSSD 版本。鉴于您说它是“Debian 稳定版”,我推测是 1.8.x。抱歉,该版本不支持 ID 映射。
更复杂的答案是 SSSD 为 POSIX 用户提供服务,并要求用户有一个 ID 号。ID 号可以是用户条目本身的属性(通常为 uidNumber),也可以从 Windows 的 SID 推断出来。后者就是您尝试使用 ldap_id_mapping=True 执行的操作,但该功能仅在 1.9 及更高版本中实现。
我想您现在甚至可以在 Debian 稳定版上使用 Winbind。