I have been trying to get this working reliably for a while. Here are the details:
CentOS 7 authenticating to Active Directory with SSSD (fully working). Here is the sssd.conf file:
[sssd]
domains = example
config_file_version = 2
services = nss, pam
[domain/example]
realmd_tags = manages-system joined-with-samba
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://example.edu
ldap_search_base = dc=example,dc=edu
ldap_default_bind_dn = CN=useraccount, OU=people, DC=example,Dc=edu
ldap_default_authtok_type = password
ldap_default_authtok =
ldap_user_search_base = ou=People,ou=example,dc=edu
ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_user_member_of = memberOf
ldap_user_uid_number = uidnumber
ldap_user_gid_number = gidnumber
ldap_user_fullname = displayName
ldap_group_search_base =dc=example,dc=edu
ldap_group_object_class = group
ldap_group_name = sAMAccountName
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
override_homedir = /home/%u
With that, I can log in using AD credentials and see the UID/GID from the AD tree.
The problem comes when I try to integrate a Samba share that also authenticates against sssd/pam; it doesn't seem to work properly.
Here is the basic smb.conf file:
[global]
workgroup = EXAMPLE
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
log level = 7
max log size = 50
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = example.edu
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
load printers = no
cups options = raw
printcap name = /dev/null
[myshare]
comment = My shared folder
path = /var/myshare
public = no
writable = yes
guest ok = no
write list = testuser
read list = @"testgroup"
Ultimately, I feel like I'm missing something simple here, or maybe this just isn't possible. I have set the folder permissions to 0770 root:testgroup. Ideally, if possible, I'd also like connecting Windows users to be able to edit permissions via NTFS.
The reason I'm using sssd instead of winbind is that I need to pull the UID/GID from AD (for nfs mounts etc.), but it never seems to be 100% right.
Any help would be greatly appreciated!
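Added example (not part of the post): a small Python consistency check over the [domain/example] section as posted, assuming the AD default naming context mirrors the realm name (example.edu -> dc=example,dc=edu). It normalizes DNs so spacing and case differences such as `OU=people, DC=example,Dc=edu` compare equal, then flags search bases outside the domain tree, an empty or cleartext bind secret, and the `tls_reqcert` key (the sssd-ldap option is `ldap_tls_reqcert`).

```python
import configparser

# Constructed input: the [domain/example] section from the post, reduced to the
# keys these checks read (the empty authtok is kept exactly as posted).
SSSD_CONF = """
[domain/example]
ldap_search_base = dc=example,dc=edu
ldap_default_bind_dn = CN=useraccount, OU=people, DC=example,Dc=edu
ldap_default_authtok_type = password
ldap_default_authtok =
ldap_user_search_base = ou=People,ou=example,dc=edu
ldap_group_search_base =dc=example,dc=edu
tls_reqcert = demand
"""

def normalize_dn(dn):
    """Split a DN into (type, value) pairs, case-folded and whitespace-stripped.
    AD compares types and values case-insensitively. Assumes no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def is_under(dn, base):
    """True when dn lies in the subtree rooted at base (RDN suffix match)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def realm_to_dn(realm):
    """AD's default naming context mirrors the DNS name: example.edu -> dc=example,dc=edu."""
    return ",".join("dc=" + label for label in realm.lower().split("."))

def check_sssd(conf_text, realm):
    """Return a list of findings for every [domain/...] section in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is literal in these files
    cp.read_string(conf_text)
    domain_dn, findings = realm_to_dn(realm), []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom = cp[name]
        for key in ("ldap_search_base", "ldap_user_search_base", "ldap_group_search_base"):
            if key in dom and not is_under(dom[key], domain_dn):
                findings.append(f"{key}: {dom[key]!r} is not under {domain_dn}; likely a typo")
        if dom.get("ldap_default_bind_dn") and not dom.get("ldap_default_authtok"):
            findings.append("ldap_default_authtok is empty while ldap_default_bind_dn is set")
        elif dom.get("ldap_default_authtok") and dom.get("ldap_default_authtok_type", "password") == "password":
            findings.append("bind password stored in cleartext; ldap_default_authtok_type = obfuscated_password avoids that")
        if "tls_reqcert" in dom and "ldap_tls_reqcert" not in dom:
            findings.append("tls_reqcert is not an sssd-ldap option (ldap_tls_reqcert is); the line has no effect")
    return findings
```

Running `check_sssd(SSSD_CONF, "example.edu")` reports the user search base `ou=People,ou=example,dc=edu` as outside `dc=example,dc=edu`, which is the first thing to confirm before looking at Samba.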