SSSD 中的 LDAP 用户无法解析自己的 uid/gid 名称和其他名称

tag-icon tag-icon ldap sssd uid
SSSD 中的 LDAP 用户无法解析自己的 uid/gid 名称和其他名称

我有一台机器设置为使用 sssd+nss+pam 通过 LDAP 目录对用户进行身份验证。

在当前状态下,目录中的任何用户都可以通过 ssh 登录,或者使用su用户帐户之间进行登录,但似乎他们无法检索自己的帐户uid,也gid无法检索其他用户的帐户。

只有 root 能够毫无问题地解决所有问题,我猜这可能是由于 sssd.conf 配置错误造成的,但我找不到导致这种情况的原因。

以 root 身份观察到的行为:

[root@frontend ~]# ll /home/
total 0
drwx------. 2 chao    staff   83 Oct 25 22:57 chao
drwx------. 2 wshake  staff   99 Oct 26 12:45 wshake
[root@frontend ~]# id wshake
uid=10101(wshake) gid=10001(staff) groups=10001(staff)
[root@frontend ~]# id chao
uid=10103(chao) gid=10001(staff) groups=10001(staff)
[root@frontend ~]# getent passwd wshake
wshake:*:10101:10001:wshake:/home/wshake:/bin/bash

我可以使用sshsu以任何用户身份登录,但他们自己看不到他们的 uid/gid 名称getent passwd myuid

[root@frontend ~]# su - wshake
Last login: Fri Oct 26 14:08:23 CEST 2018 on pts/1
/usr/bin/id: cannot find name for user ID 10101
/usr/bin/id: cannot find name for group ID 10001
/usr/bin/id: cannot find name for user ID 10101
[I have no name!@frontend ~]$ id
uid=10101 gid=10001 groups=10001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[I have no name!@frontend ~]$ id wshake
id: wshake: no such user
[I have no name!@frontend ~]$ getent passwd wshake
[I have no name!@frontend ~]$ su chao
Password:
/usr/bin/id: cannot find name for group ID 10001
/usr/bin/id: cannot find name for user ID 10103
[I have no name!@frontend wshake]$ id
uid=10103 gid=10001 groups=10001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[I have no name!@frontend wshake]$ getent passwd chao
[I have no name!@frontend wshake]$

我正在使用的 /etc/sssd/sssd.config:

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
debug_level = 7
enumerate = True
cache_credentials = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap

ldap_uri = ldaps://frontend
ldap_tls_reqcert = never
ldap_search_base = dc=test,dc=cluster
ldap_default_bind_dn = cn=Manager,dc=test,dc=cluster
ldap_default_authtok_type = password
ldap_default_authtok = testpass
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/openldap/certs/cert.crt

ldap_access_filter = (&(objectclass=posixAccount))
ldap_chpass_uri = ldaps://frontend

ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_name = cn
ldap_group_object_class = posixGroup
ldap_group_gid_number = gidNumber

[nss]
debug_level = 7
override_homedir = /home/%u
override_shell = /bin/bash

有人知道该看什么吗?

相关内容