I have been struggling for days to get LDAP authentication and NFS-exported home directories working on CentOS 6. I have reached the point where I can log in to the client with a username and password from LDAP. On the client, /home and /opt are mounted over NFS from fstab. However, every file in /opt and /home is owned by nobody:nobody (uid:99, gid:99) on the client.
Yet my uid and gid appear to be set correctly:
-bash-4.1$ id
uid=3000(myusername) gid=3000(employees) groups=3000(employees)
What else can I check? Here are some configuration files from my client:
/etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files sss
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]

[pam]

[domain/default]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=mycompany,dc=com
id_provider = ldap
ldap_uri = ldaps://server.subdomain.mycompany.com
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand
/etc/fstab
/dev/mapper/vg_main-lv_root                 /           ext4    defaults                            1 1
UUID=4e43a15d-4dc0-4836-8fa6-c3445fde756c   /boot       ext4    defaults                            1 2
/dev/mapper/vg_main-lv_swap                 swap        swap    defaults                            0 0
tmpfs                                       /dev/shm    tmpfs   defaults                            0 0
devpts                                      /dev/pts    devpts  gid=5,mode=620                      0 0
sysfs                                       /sys        sysfs   defaults                            0 0
proc                                        /proc       proc    defaults                            0 0
storage1:/nas/home                          /home       nfs     soft,intr,rsize=8192,wsize=8192
storage1:/nas/opt                           /opt        nfs     soft,intr,rsize=8192,wsize=8192
authconfig output:
[root@test1 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldaps://server.subdomain.mycompany.com"
 LDAP base DN = "dc=mycompany,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldaps://server.subdomain.mycompany.com"
 LDAP base DN = "dc=mycompany,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Adding a note for Google searchers: we had the same problem, and no matter what we did, the NFS mount would not map user IDs correctly.
The problem was that idmapd had cached incorrect IDs from the wrong configuration, and changing the configuration did not sort it out.
The CentOS command that fixed it was nfsidmap -c (clear the cache).
Hope this helps some desperate searcher..
Solved!
I happened to notice this line in /var/log/messages on my NFS server when I tried to mount an export from a remote client:
Feb 28 15:54:02 storage1 rpc.idmapd[1651]: nss_getpwnam: name 'nobody' does not map into domain 'localdomain'
That led me to the first few lines of /etc/idmapd.conf:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu
I then added Domain=subdomain.mycompany.com under the commented-out "Domain" line. Save, exit, then run /etc/init.d/rpcidmapd restart and /etc/init.d/nfs restart.
I found a blog post that may solve your problem: http://whacked.net/2006/07/26/nfsv4nfs-mapid-nobody-domain/ , which I got to from the following forum post: https://www.centos.org/modules/newbb/viewtopic.php?topic_id=32977
Is your NFS server running CentOS / RHEL 5?
If so, it exports NFSv3. NFSv4 is now the default on CentOS 6 (and recent Ubuntu variants).
The quick fix is to add "vers=3" to the mount options in /etc/fstab.
For example:
10.0.0.1:/home /home nfs defaults,vers=3,rw,noatime 0 0
Everything being mapped to "nobody" sounds like all_squash is turned on.
Take a look at:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-server-config-exports.html
and confirm that the NFS server's /etc/exports file is not inadvertently squashing UIDs. "no_all_squash" should be the default, but you could try setting it explicitly and see what happens.
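The three settings the answers above point at (the NFSv4 Domain in idmapd.conf, the vers=3 mount option, and all_squash in /etc/exports) can be checked offline with the script below. It is an added example, not code from this thread; the function names and the sample config text are my own constructions, and the DNS-domain fallback values are supplied by the caller rather than read from the host.

```shell
# Added example, not from the thread: offline checks of the three idmapping
# settings the answers discuss, run on constructed config text.
# Effective NFSv4 domain from idmapd.conf text: the first uncommented
# "Domain = x" line. The shipped "#Domain = ..." line is a comment and does
# not count, which is the trap in the accepted answer.
idmapd_domain() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
      | head -n 1
}

# Client and server must agree on the domain or every owner maps to nobody.
# $3/$4 are the DNS-domain fallbacks rpc.idmapd uses when Domain is unset.
domains_agree() {
    c=$(idmapd_domain "$1"); s=$(idmapd_domain "$2")
    [ -z "$c" ] && c="$3"
    [ -z "$s" ] && s="$4"
    [ -n "$c" ] && [ "$c" = "$s" ]
}

# Does an /etc/exports line squash every uid? Matches all_squash as a whole
# option only, so the default no_all_squash is not a false positive.
exports_all_squash() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Eq '[(,]all_squash[,)]'
}

# Does an fstab line pin the mount to NFSv3 (the vers=3 quick fix)?
fstab_forces_v3() {
    printf '%s\n' "$1" | awk '$3 == "nfs" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "vers=3" || o[i] == "nfsvers=3") f = 1
    } END { exit !f }'
}

# Constructed sample inputs mirroring the thread's situation.
CLIENT_CONF='[General]
#Verbosity = 0
#Domain = local.domain.edu'
SERVER_CONF='[General]
Domain = subdomain.mycompany.com'
if domains_agree "$CLIENT_CONF" "$SERVER_CONF" localdomain subdomain.mycompany.com; then
    echo "idmapd domains agree"
else
    echo "idmapd domain mismatch: owners will show as nobody (uid 99)"
fi
exports_all_squash '/nas/home 10.0.0.0/24(rw,sync,all_squash)' && echo "all_squash is on"
fstab_forces_v3 'storage1:/nas/home /home nfs soft,intr,rsize=8192,wsize=8192 0 0' \
    || echo "mount not pinned to vers=3, so NFSv4 idmapping applies"
```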
My fix was to make sure the local machine's DNS records exist. It also helps if the reverse-lookup records exist as well. As a result, no users or groups were replaced by root. Is it really that simple?!? PS: remember to restart the local machine after creating the DNS records.