id still not working after an adcli Active Directory join on RHEL 6/7

Having done winbind joins before, but not sssd, I was asked today to join an EL7 box to a Windows AD service using adcli and sssd.

The software: an updated minimal EL7 install, with adcli, sssd and some krb5 stuff added:

    adcli-0.8.1-3.el7.x86_64
    authconfig-6.2.8-30.el7.x86_64
    krb5-libs-1.15.1-8.el7.x86_64
    krb5-workstation-1.15.1-8.el7.x86_64
    oddjob-0.31.5-4.el7.x86_64
    oddjob-mkhomedir-0.31.5-4.el7.x86_64
    python-sssdconfig-1.15.2-50.el7_4.2.noarch
    samba-client-libs-4.6.2-10.el7_4.x86_64
    samba-common-4.6.2-10.el7_4.noarch
    samba-common-libs-4.6.2-10.el7_4.x86_64
    samba-common-tools-4.6.2-10.el7_4.x86_64
    samba-libs-4.6.2-10.el7_4.x86_64
    sssd-1.15.2-50.el7_4.2.x86_64
    sssd-ad-1.15.2-50.el7_4.2.x86_64
    sssd-client-1.15.2-50.el7_4.2.x86_64
    sssd-common-1.15.2-50.el7_4.2.x86_64
    sssd-common-pac-1.15.2-50.el7_4.2.x86_64
    sssd-dbus-1.15.2-50.el7_4.2.x86_64
    sssd-ipa-1.15.2-50.el7_4.2.x86_64
    sssd-krb5-1.15.2-50.el7_4.2.x86_64
    sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
    sssd-ldap-1.15.2-50.el7_4.2.x86_64
    sssd-proxy-1.15.2-50.el7_4.2.x86_64
    sssd-tools-1.15.2-50.el7_4.2.x86_64

sssd.conf, just in case:

    [sssd]
    config_file_version = 2
    services = nss, pam, ssh, sudo
    domains = test.domain.com
    [nss]
    filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd,centos,ubuntu
    [pam]
    [ssh]
    [sudo]
    [domain/test.domain.com]
    enumerate = true
    id_provider = ad
    access_provider = ad
    ad_domain = test.domain.com
    krb5_realm = TEST.DOMAIN.COM
    cache_credentials = True
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    fallback_homedir = /home/%u
    ldap_user_ssh_public_key = sshPublicKey

The join itself is handled via adcli:

    adcli join --host-fqdn tstel7-01.test.domain.com \
        --computer-name tstel7-01 \
        -U adjoinacct \
        test.domain.com

Keytab? Plenty:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 restrictedkrbhost/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 host/[email protected]
       3 [email protected]
       3 [email protected]
       3 [email protected]
       3 [email protected]
       3 [email protected]

However, no dice:

    # id adjoinacct
    id: adjoinacct: no such user

It can't even find the account used for the join (no, really).

tshark (-plni not port 22) shows that no connections go out while id is running.

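What am I missing? Any ideas? Clues? Is there any information I can provide? This is baffling, and while I'd like to bail out to Samba winbind, that isn't shiny enough for the executive plan, and the sssd solution is too nice to be abandoned so quickly.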

(I was also able to test on EL6, with the same bad result :-()

(Feel free to create and add an 'adcli' tag; I can't.)

What happens if you try

    id [email protected]

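If this works where the previous command did not, the problem may be related to the use_fully_qualified_names setting. If you want to use short names and don't have multiple domains to worry about, you can try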

    use_fully_qualified_names = False

under the [domain/test.domain.com] section of sssd.conf, then restart the sssd service. Yes, man sssd.conf says the default is FALSE, but I had to set this explicitly to avoid a similar problem.
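
The check suggested in the answer above, as an added example that is not part of the original posts: a shell helper that reports, for each `[domain/...]` section of an sssd.conf, whether `use_fully_qualified_names` is set explicitly, and lists the `id` lookups worth trying. The function names `fqn_report` and `id_probes` and the second domain `lab.example.com` are assumptions made for illustration; the sample file is constructed.

```shell
# Added example (not from the thread): report how each [domain/...] section of
# an sssd.conf sets use_fully_qualified_names, and which id lookups to try.

# fqn_report FILE -> one line per domain: "<domain> <true|false|unset>"
fqn_report() {
    awk '
        function emit() { if (dom != "") print dom, (val == "" ? "unset" : val) }
        /^[ \t]*\[/ {                       # a new section starts
            emit(); dom = ""; val = ""
            line = $0; gsub(/[ \t]/, "", line)
            if (index(line, "[domain/") == 1 && substr(line, length(line)) == "]")
                dom = substr(line, 9, length(line) - 9)
            next
        }
        dom != "" && /^[ \t]*use_fully_qualified_names[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val = tolower(v)                # last explicit value in the section
        }
        END { emit() }
    ' "$1"
}

# id_probes FILE USER -> the name forms to test with id for each domain
id_probes() {
    fqn_report "$1" | while read -r dom val; do
        case "$val" in
            true)  echo "id $2@$dom" ;;                 # only qualified names resolve
            false) echo "id $2" ;;                      # short names should resolve
            *)     echo "id $2"; echo "id $2@$dom" ;;   # not set: test both forms
        esac
    done
}

# Constructed sample: the question's domain section (trimmed) plus a made-up
# second domain that carries the explicit setting from the answer.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[sssd]
domains = test.domain.com, lab.example.com
[domain/test.domain.com]
id_provider = ad
[domain/lab.example.com]
id_provider = ad
use_fully_qualified_names = False
EOF

fqn_report "$SAMPLE"
id_probes "$SAMPLE" adjoinacct
```

On a real host, pass /etc/sssd/sssd.conf instead of the sample file; it is readable only by root.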