我有一台机器设置为使用 sssd+nss+pam 通过 LDAP 目录对用户进行身份验证。
在当前状态下,目录中的任何用户都可以通过 ssh 登录,或者使用su
用户帐户之间进行登录,但似乎他们无法检索自己的帐户uid
,也gid
无法检索其他用户的帐户。
只有 root 能够毫无问题地解决所有问题,我猜这可能是由于 sssd.conf 配置错误造成的,但我找不到导致这种情况的原因。
以 root 身份观察到的行为:
[root@frontend ~]# ll /home/
total 0
drwx------. 2 chao staff 83 Oct 25 22:57 chao
drwx------. 2 wshake staff 99 Oct 26 12:45 wshake
[root@frontend ~]# id wshake
uid=10101(wshake) gid=10001(staff) groups=10001(staff)
[root@frontend ~]# id chao
uid=10103(chao) gid=10001(staff) groups=10001(staff)
[root@frontend ~]# getent passwd wshake
wshake:*:10101:10001:wshake:/home/wshake:/bin/bash
我可以使用ssh
或su
以任何用户身份登录,但他们自己看不到他们的 uid/gid 名称getent passwd myuid
:
[root@frontend ~]# su - wshake
Last login: Fri Oct 26 14:08:23 CEST 2018 on pts/1
/usr/bin/id: cannot find name for user ID 10101
/usr/bin/id: cannot find name for group ID 10001
/usr/bin/id: cannot find name for user ID 10101
[I have no name!@frontend ~]$ id
uid=10101 gid=10001 groups=10001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[I have no name!@frontend ~]$ id wshake
id: wshake: no such user
[I have no name!@frontend ~]$ getent passwd wshake
[I have no name!@frontend ~]$ su chao
Password:
/usr/bin/id: cannot find name for group ID 10001
/usr/bin/id: cannot find name for user ID 10103
[I have no name!@frontend wshake]$ id
uid=10103 gid=10001 groups=10001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[I have no name!@frontend wshake]$ getent passwd chao
[I have no name!@frontend wshake]$
我正在使用的 /etc/sssd/sssd.config:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[domain/LDAP]
debug_level = 7
enumerate = True
cache_credentials = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://frontend
ldap_tls_reqcert = never
ldap_search_base = dc=test,dc=cluster
ldap_default_bind_dn = cn=Manager,dc=test,dc=cluster
ldap_default_authtok_type = password
ldap_default_authtok = testpass
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/openldap/certs/cert.crt
ldap_access_filter = (&(objectclass=posixAccount))
ldap_chpass_uri = ldaps://frontend
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_name = cn
ldap_group_object_class = posixGroup
ldap_group_gid_number = gidNumber
[nss]
debug_level = 7
override_homedir = /home/%u
override_shell = /bin/bash
有人知道该看什么吗?