我是嘗試SSD在 Ubuntu 18.04 主機上使用 krb5 進行身份驗證,但無法弄清楚如何顯示實際的使用者群組(groups顯示某種 Windows SID 而不是人類可讀的名稱)。主要群組看起來不錯(網域用戶...),但其餘(補充)都是 Sxxx 號碼。這是 AD 設定還是我的 sssd 配置的某些內容?
$ groups
Domain [email protected] [email protected] [email protected]...
SSD設定檔
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sssd]
domains = ad.mycorp.com
config_file_version = 2
services = nss, pam
reconnection_retries = 3
sbus_timeout = 30
[domain/ad.mycorp.com]
ad_domain = ad.mycorp.com
krb5_realm = ad.mycorp.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_store_password_if_offline = True
use_fully_qualified_names = True
ldap_sasl_authid = UBU-TEST1$
ldap_id_mapping = True
access_provider = ldap
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://ad.mycorp.com
ldap_search_base = ou=mycorp,dc=mycorp,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = allow
dns_discovery_domain = ad.mycorp.com
ldap_user_search_base = ou=userid,ou=mycorp,dc=mycorp,dc=com
ldap_group_search_base = ou=mycorp,dc=mycorp,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
答案1
這有點舊了,但我想我會分享對我有用的解決方案。
我透過在 sssd.conf 檔案的 [domain/example.local] 部分添加一行來解決這個問題:
ad_server = <domain controller name>.example.local
並保留
ldap_id_mapping = True
答案2
ldap_id_mapping = false
這將從您的 AD 取得 POSIX 屬性。
如果將此選項設為 True,那麼 sssd 將從 SID 產生 UID、GID。
答案3
你清除sssd快取了嗎? #systemctl 停止 sssd; rm -r /var/lib/sss/db/* ; systemctl啟動SSD
確保您在 AD 中設定了 POSIX 屬性。也可以透過 ldapsearch 進行驗證。