In a development environment, running SSSD 1.16.2 (build 13.el7_6.5) on RHEL 7.6.
SSSD is configured to query the mch.dev domain. A trusted child domain sub.mch.dev exists (Win2k16).
On mch.dev I have a user "user1" in the universal groups "G_TEST" and "allowed_ssh"; these groups also live in the mch.dev domain. On sub.mch.dev I only have the user "user2". "user2" is a member of "G_TEST" and "allowed_ssh" as well.
When I query a user from the mch.dev domain with id mch\user1 I get:
uid=83701115(user1) gid=513(sssdgrp) groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)
but with id sub\user2, who is in the same groups (universal, via the sub-domain trust), I get:
uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)
with no group names at all.
getent works fine: getent group 'g_test'
returns: g_test:*:83701117:user2,user1,mch
Why don't I get the group names for user2?
sssd.conf:
[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s
[nss]
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
[pam]
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.
[domain/MCH.DEV]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = mch.dev
krb5_realm = MCH.DEV
krb5_store_password_if_offline = True
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
override_gid = 513
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
dyndns_update = false
ldap_idmap_range_min = 100000
ldap_use_tokengroups = False
Logs available here. Truncated log file:
(Mon Feb 4 22:06:49 2019) [sssd[be[MCH.DEV]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'srvwin2k16pdc02.sub.mch.dev' as 'working'
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [set_server_common_status] (0x0100): Marking server 'srvwin2k16pdc02.sub.mch.dev' as 'working'
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [fo_set_port_status] (0x0400): Marking port 3268 of duplicate server 'srvwin2k16pdc02.sub.mch.dev' as 'working'
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_connect_done] (0x2000): Old USN: 74754, New USN: 13572
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=mch,DC=dev]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_print_server] (0x2000): Searching 172.31.8.103:3268
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user2)(objectclass=user)(objectSID=*))][DC=mch,DC=dev].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_result] (0x2000): Trace: sh[0x55e206f85b30], connected[1], ops[0x55e206fc3c10], ldap[0x55e206f9e840]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=user2,OU=Users,OU=sub,DC=sub,DC=mch,DC=dev].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_result] (0x2000): Trace: sh[0x55e206f85b30], connected[1], ops[0x55e206fc3c10], ldap[0x55e206f9e840]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_user] (0x4000): Storing the user
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Save user
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sss_domain_get_state] (0x1000): Domain MCH.DEV is Active
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sss_domain_get_state] (0x1000): Domain sub.mch.dev is Active
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_primary_name] (0x0400): Processing object user2
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x1000): Mapping user [[email protected]] objectSID [S-1-5-21-3702155841-230100394-2213857338-1104] to unix ID
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x2000): Adding originalDN [CN=user2,OU=Users,OU=sub,DC=sub,DC=mch,DC=dev] to attributes of [[email protected]].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [[email protected]].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20190204145524.0Z] to attributes of [[email protected]].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_save_user] (0x0400): Storing info for user [email protected]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [originalMemberOf] of entry [[email protected],cn=users,cn=sub.mch.dev,cn=sysdb]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=users,cn=sub.mch.dev,cn=sysdb] has set [cache, ts_cache] attrs.
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [[email protected]]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [find_user_entry] (0x4000): No user found with filter [[email protected]].
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=mch,DC=dev]
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_print_server] (0x2000): Searching 172.31.8.93:389
(Mon Feb 4 22:06:50 2019) [sssd[be[MCH.DEV]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user2)(objectclass=user)(objectSID=*))][DC=mch,DC=dev].
Thanks in advance
Answer 1
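A small consistency check for the symptom described above, added here as an example and not part of the original post: it parses the `id` output for each user and the `getent group` line, and reports every group in which getent lists the user but which is absent from that user's `id` group list. This matters for access control, because PAM/SSH decisions that depend on initgroups (for example an "allowed_ssh" group) see the `id` view, not the `getent` view. The sample strings are the ones quoted in the question; the function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the id(1) and getent(1) output quoted in the question.
ID_USER1 = ("uid=83701115(user1) gid=513(sssdgrp) "
            "groups=513(sssdgrp),83701107(allowed_ssh),83701117(g_test)")
ID_USER2 = "uid=69901104(user2) gid=69901104(user2) groups=69901104(user2)"
GETENT_LINES = ["g_test:*:83701117:user2,user1,mch"]

_ID_LINE = re.compile(r"uid=(.+?) gid=(.+?) groups=(.*?)(?: context=.*)?$")
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # one "1234(name)" token


def parse_id(output: str) -> Dict[str, object]:
    """Parse one line of `id` output into uid, user name, gid and a gid->name map."""
    m = _ID_LINE.match(output.strip())
    if not m:
        raise ValueError(f"unrecognised id output: {output!r}")
    uid, user = _ENTRY.match(m.group(1)).groups()
    gid, gid_name = _ENTRY.match(m.group(2)).groups()
    groups = {int(num): name for num, name in _ENTRY.findall(m.group(3))}
    return {"uid": int(uid), "user": user, "gid": int(gid),
            "gid_name": gid_name, "groups": groups}


def parse_getent_group(line: str) -> Tuple[str, int, List[str]]:
    """Parse a `getent group` line into (name, gid, members)."""
    name, _password, gid, members = line.strip().split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def short_name(user: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix so names can be compared."""
    return user.rsplit("\\", 1)[-1].split("@", 1)[0]


def missing_groups(id_output: str, getent_lines: List[str]) -> List[str]:
    """Groups that getent says the user belongs to but that `id` does not list."""
    info = parse_id(id_output)
    me = short_name(info["user"])
    missing = []
    for line in getent_lines:
        name, gid, members = parse_getent_group(line)
        if me in (short_name(mem) for mem in members) and gid not in info["groups"]:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # For the question's data this prints nothing missing for user1 and ['g_test'] for user2.
    for out in (ID_USER1, ID_USER2):
        print(parse_id(out)["user"], "missing:", missing_groups(out, GETENT_LINES))
```

On a real host, feed it the output of `id <user>` and of `getent group <group>` for each group you expect the user to be in; any non-empty result is the cross-domain membership gap the question describes.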
Removing use_fully_qualified_names = True, ldap_use_tokengroups = False, default_domain_suffix = mch.dev and full_name_format = %1$s solved the problem.
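An added example, not written by the answer's author, that scans an sssd.conf for the four settings the answer says to remove, plus any key that appears twice in one section (the question's config sets default_shell twice). It uses a small INI parser written here rather than configparser, because `full_name_format = %1$s` contains a `%` that configparser's interpolation would reject. The config text is the one posted in the question; the names parse_ini, SUSPECT and check_sssd_conf are mine.

```python
from typing import Dict, List, Tuple

# Constructed sample: the sssd.conf posted in the question, verbatim.
SAMPLE_CONF = """
[sssd]
domains = mch.dev
config_file_version = 2
services = nss, pam
default_domain_suffix = mch.dev
full_name_format = %1$s
[nss]
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
[pam]
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and logon again.
[domain/MCH.DEV]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = mch.dev
krb5_realm = MCH.DEV
krb5_store_password_if_offline = True
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
override_gid = 513
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
dyndns_update = false
ldap_idmap_range_min = 100000
ldap_use_tokengroups = False
"""


def parse_ini(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal sssd.conf parser: section -> key -> list of values (duplicates kept)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


# (section or "domain/" prefix, key, value that triggers a finding; None = any value)
# These are exactly the settings the answer removed.
SUSPECT = [
    ("sssd", "default_domain_suffix", None),
    ("sssd", "full_name_format", "%1$s"),
    ("domain/", "use_fully_qualified_names", "true"),
    ("domain/", "ldap_use_tokengroups", "false"),
]


def _section_matches(section: str, pattern: str) -> bool:
    return section.startswith(pattern) if pattern.endswith("/") else section == pattern


def check_sssd_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value-or-note) for every suspect or duplicated setting."""
    findings = []
    for section, keys in parse_ini(text).items():
        for key, values in keys.items():
            if len(values) > 1:
                findings.append((section, key, f"duplicated {len(values)} times"))
            for pattern, suspect_key, trigger in SUSPECT:
                if (_section_matches(section, pattern) and key == suspect_key
                        and (trigger is None or values[-1].lower() == trigger.lower())):
                    findings.append((section, key, values[-1]))
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_CONF):
        print("%s: %s = %s" % finding)
```

To run it against a live host, read /etc/sssd/sssd.conf into a string and pass it to check_sssd_conf(). Two of the flagged settings interact directly: full_name_format = %1$s renders a fully qualified name as the bare user name (%1$s is the user part, %2$s the domain part), which undoes use_fully_qualified_names = True and lets a mch.dev and a sub.mch.dev account with the same sAMAccountName collide; and ldap_use_tokengroups = False forces SSSD to build group membership from memberOf/member lookups instead of the tokenGroups attribute, which is the path the question's debug log shows being taken for user2.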