CentOS 7 LDAP SSH 错误“找不到组 ID 的名称”

tag-icon tag-icon active-directory ldap centos7 pam-ldap
CentOS 7 LDAP SSH 错误“找不到组 ID 的名称”

我正在运行 CentOS 7 VirtualBox 实例。我已通过公司 Active Directory 服务器设置了 LDAP 身份验证。

注意:AD 服务器没有安装 Unix 扩展。

我看到的是:当我通过 SSH 登录时出现错误:

$ ssh [email protected]@linuxboxip
[email protected]@linuxboxip's password:
/usr/bin/id: cannot find name for group ID 1316

我可以登录,并且错误似乎不会引起问题,但很烦人

组 ID 1316 指的是分配给我的 AD 用户的数字 ID:

$ getent passwd [email protected]
[email protected]:*:1316:1316:First Last:/home/[email protected]:/bin/bash

然而:

$ getent group 1316

不返回任何内容

如果手动添加,错误就会消失:

sudo groupadd -g 1316 1316
sudo usermod -a -G 1316 1316

一定有一个我遗漏的设置或流程来映射生成的组 ID 或创建新的组,但我没有找到它。

有什么想法吗?

设置:

我正在CentOS 7-1611(64bit)逃离osboxes.org

我已经安装了 nss-pam-ldapd,nslcd 和 nscd 服务设置为在启动时运行

/etc/nsswitch.conf 已被编辑以添加 ldap:

passwd:     files ldap sss
shadow:     files ldap sss
group:      files ldap sss
hosts:      files ldap dns myhostname
bootparams: nisplus [NOTFOUND=return] files ldap
ethers:     files ldap
netmasks:   files ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
services:   files ldap sss
netgroup:   files ldap sss
automount:  files ldap sss
aliases:    files ldap nisplus

/etc/pam.d/password-auth 编辑如下:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so minimum_uid=1000 use_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_ldap.so minimum_uid=1000
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so minimum_uid=1000 try_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so minimum_uid=1000
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth 编辑如下:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account   sufficient  pam_ldap.so minimum_uid=1000
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session   optional    pam_ldap.so minimum_uid=1000

/etc/nslcd.conf 已编辑:

uid nslcd
gid nslcd

uri ldap://myserver.com/

base dc=myserver,dc=com

binddn CN=My Name,OU=Users,OU=DV,DC=myserver,DC=com

bindpw PASSWORDHERE

# Alternative mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid           userPrincipalName
map    passwd uidNumber     objectSid:CorrectSID
map    passwd gidNumber     objectSid:CorrectSID
map    passwd homeDirectory "/home/$userPrincipalName"
map    passwd gecos         displayName
map    passwd loginShell    "/bin/bash"
filter group (objectClass=group)
map    group gidNumber      objectSid:CorrectSID
ssl no

/etc/openldap/ldap.conf 编辑以添加:

URI ldap://myserver.com/
BASE dc=myserver,dc=com

答案1

确保 sssd.conf 中的 ldap_search_base 值包含您的组 DN。

答案2

尝试这些映射:

/etc/nslcd.conf

# Active Directory Mapping  

pagesize 1000  
referrals off  

filter  passwd  (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))  
map     passwd  uidNumber       objectSid:<your DomainSID>  
map     passwd  gidNumber       primaryGroupID  
map     passwd  uid     sAMAccountName  
map     passwd  homeDirectory   "/home/$sAMAccountName"  
map     passwd  gecos   displayName  

filter  shadow  (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))  
map     shadow  uid     sAMAccountName  
map     shadow  shadowLastChange        pwdLastSet  

filter  group   (objectClass=group)  
map     group   gidNumber       objectSid:<your DomainSID>

相关内容