我是尝试 sssd在 Ubuntu 18.04 主机上使用 krb5 进行身份验证,但无法弄清楚如何显示实际用户组(groups显示某种 Windows SID 而不是人类可读的名称)。主要组看起来没问题(域用户...),但其余(补充)都是 Sxxx 号码。这是 AD 设置还是我的 sssd 配置的问题?
$ groups
Domain [email protected] [email protected] [email protected]...
sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sssd]
domains = ad.mycorp.com
config_file_version = 2
services = nss, pam
reconnection_retries = 3
sbus_timeout = 30
[domain/ad.mycorp.com]
ad_domain = ad.mycorp.com
krb5_realm = ad.mycorp.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_store_password_if_offline = True
use_fully_qualified_names = True
ldap_sasl_authid = UBU-TEST1$
ldap_id_mapping = True
access_provider = ldap
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://ad.mycorp.com
ldap_search_base = ou=mycorp,dc=mycorp,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = allow
dns_discovery_domain = ad.mycorp.com
ldap_user_search_base = ou=userid,ou=mycorp,dc=mycorp,dc=com
ldap_group_search_base = ou=mycorp,dc=mycorp,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
答案1
这有点老了,但我想我会分享对我有用的解决方案。
我通过在 sssd.conf 文件的 [domain/example.local] 部分添加一行来解决这个问题:
ad_server = <domain controller name>.example.local
并保持
ldap_id_mapping = True
答案2
ldap_id_mapping = false
这将从您的 AD 中获取 POSIX 属性。
如果将此选项设置为 True,则 sssd 将从 SID 生成 UID、GID。
答案3
您是否清除了 sssd 缓存?#systemctl stop sssd; rm -r /var/lib/sss/db/* ; systemctl start sssd
确保在 AD 中设置了 POSIX 属性。也可以通过 ldapsearch 进行验证。