目标是能够添加
+ : @DL-MyCompany-MyTeam : ALL
到 /etc/security/access.conf 并使其按预期工作。这是我的 sssd.conf:
[domain/default]
cache_credentials = True
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, ntp, proxy, root, smmsp, smmta, sshd, sync, sys, syslog, uucp, whoopsie, www-data
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/sh
shell_fallback = /bin/bash
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
cache_credentials = TRUE
ldap_referrals = false
ldap_uri = ldaps://10.244.128.118, ldaps://ldap.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=_example,OU=ServiceAccounts,OU=Accounts_User,DC=corp,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = secret-key
ldap_tls_reqcert = never
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/CORP-root.cer
ldap_user_search_base = ou=Accounts_User,dc=corp,dc=example,dc=com
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com?sub?gidNumber=*
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
override_gid = 65534
更新:我添加了@Andy 的建议,然后将调试调到 10。这是在日志中:
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=DL-MyCompany-MyTeam]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=Accounts_Group,dc=corp,dc=example,dc=com]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=DL-MyCompany-MyTeam)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com].
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x998d80], connected[1], ops[0x9dc280], ldap[0x991dc0]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Thu Apr 2 12:41:33 2015) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
我还必须指出,我们在 Linux 端没有使用 Kerberos,这些主机也没有加入 AD 领域。
答案1
首先我要向你致敬,因为你虽然困难重重,却还是成功地完成了 sssd-ad。
针对您的设置,最简单的修复方法是将 AD 组视为“ldap”组,而不是网络组 - 从组名开头删除 @
+ : DL-MyCompany-MyTeam : ALL
我不确定嵌套组是否能按预期工作。
此外,确保 /etc/pam.d 中正在使用 pam_access