%20%E8%BA%AB%E4%BB%BD%E8%BF%90%E8%A1%8C%20Docker%20%E5%AE%B9%E5%99%A8%EF%BC%9F%EF%BC%88%E2%80%9C%E6%97%A0%E6%B3%95%E6%89%BE%E5%88%B0%E7%94%A8%E6%88%B7%E2%80%9D%EF%BC%89.png)
我在加入 AD 域(带有 SMB 4 的 Zentyal)的专用 Debian 9.6 机器上运行多个 Samba 共享。
我正在使用一个相当简单的 SSSD 安装,到目前为止,它完全满足了我们的需求。
我想设置安巴尔以便各个域用户可以搜索上述 Samba 共享上的文档。但是,我只希望 Ambar 抓取“公共”文档,而不抓取私人/“管理”文件夹中的任何内容。
我修改了 docker-compose.yml 文件,以便 Docker 能够以用户身份生成所需的容器爬虫,但是当我运行时docker-compose up -d出现以下错误:
ERROR: for Shared-folder Cannot start service Shared-folder: linux spec user: unable to find user crawler: no matching entries in passwd file
手动编辑/etc/passwd文件在这里没有帮助。我仍然收到相同的错误。
相关的 docker-compose.yml 配置如下:
Shared-folder:
depends_on:
serviceapi:
condition: service_healthy
image: ambar/ambar-local-crawler
restart: always
networks:
- internal_network
expose:
- "8082"
environment:
- name=Shared-folder
- ignoreExtensions=.{exe,dll,rar,s,so}
- apiUrl=http://serviceapi:8081
user: crawler
volumes:
- /shared/Shared-folder:/usr/data
请注意,如果我删除该行user: crawler,一切都会按预期工作(并root抓取我的所有文档)。
这是我的/etc/sssd/sssd.conf文件:
[sssd]
services = nss, pam
config_file_version = 2
domains = MY.COMPANY.COM
[domain/MY.COMPANY.COM]
id_provider = ad
access_provider = ad
ad_gpo_map_interactive = +cron
dyndns_update_ptr=false
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%u
ldap_idmap_autorid_compat = True
这是我的/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_winbind.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
如果任何配置有用,请告诉我!我猜这smb.conf在这种情况下并不那么重要,并且可能有某种方法可以告诉 Docker 只信任 PAM?
答案1
中的域配置sssd.conf没有use_fully_qualified_names = False。如果没有这个,您可能需要使用完全限定名称(例如[email protected])。这对于解决您的问题并不是绝对必要的,但如果机器仅引用一个域,我发现它很有用。或者:
docker-compose.yaml您可以尝试在(即)中为用户指定完全限定名称。我还没有尝试过,所以我无法确认它是否按预期工作。user: [email protected]您可以使用用户的 uid 而不是名称。这是我使用的方法,因此我可以确认它工作正常。您可以通过运行来检索 uid
id <username>(确保您使用与您的设置相对应的格式use_fully_qualified_names)。
无论如何,如果您无法通过运行检索用户的 uid,id <username>那么您的问题可能出在 SSSD 配置上,而不是 docker 配置上。