Winbind on CentOS gives the wrong UID / GID

Here is the scenario:

I have two machines:

Ubuntu, which uses LDAP to authenticate users

CentOS, which uses winbind to authenticate users

Home directories are mounted via fstab from NFS shares.

The problem is this:

On Ubuntu, in getent passwd the user looks like this:

    john:x:3000052:1901:John Doe:/home/john:/bin/bash

But on CentOS the same user looks like this in getent passwd:

    john:*:16777228:16777218:John Doe:/home/john:/bin/bash

As you can see the UID and GID do not match, so when the user tries to access the home folder on CentOS, permission is denied. For AD users I want CentOS to have the same UID and GID as Ubuntu.

I found something about idmap in smb.conf, but I could not get it to work.

    [global]
    idmap workgroup = MOSEK
    idmap config MOSEK:backend = rid
    idmap config MOSEK:base_rid = 0
    idmap config MOSEK:range = 3000040 - 4999999
    #--authconfig--start-line--
    # Generated by authconfig on 2014/09/30 08:26:52
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future
    workgroup = MOSEK
    ...autogenerated stuff
    #--authconfig--end-line--

But this does not work.

I hope I have made clear what I am doing.

Edit:

OK, so here is what authconfig generated for me. Given your answer I think it might be relevant.

    #--authconfig--start-line--
    # Generated by authconfig on 2014/09/30 08:26:52
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future
    workgroup = MOSEK
    password server = nyborg.mosek.zentyal
    realm = MOSEK.ZENTYAL
    security = ads
    idmap config * : range = 1000-999999
    template homedir = /home/%U
    template shell = /bin/bash
    kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = true
    winbind enum groups = true
    winbind cache time = 5
    winbind nested groups = true
    # (authconfig appended the four winbind lines above dozens more times,
    #  in varying order; the duplicates are omitted here)
    #--authconfig--end-line--

Edit 2: When I tried to give sssd.conf the correct permissions, it gave me a new error:

    [root@centosy sssd]# journalctl -xn
    -- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
    Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
    Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
    Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
    Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
    Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
    Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
    Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
    Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited, code=exited status=1
    Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services Daemon.
    -- Subject: Unit sssd.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit sssd.service has failed.
    --
    -- The result is failed.
    Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.

Edit 3:

OK, so I followed your guide; here is what I did from start to finish:

    [root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
    getsebool: SELinux is disabled
    [root@centosy sssd]# net ads join createupn=host/`hostname -f`@MOSEK.ZENTYAL -U tomas
    Ignoring unknown parameter "idmap workgroup"
    Ignoring unknown parameter "idmap workgroup"
    Enter tomas's password:
    Using short domain name -- MOSEK
    Joined 'CENTOSY' to dns domain 'mosek.zentyal'

Here is my sssd.conf:

    [sssd]
    config_file_version = 2
    domains = mosek.zentyal
    services = nss, pam
    debug_level = 0

    [nss]

    [pam]

    [domain/mosek.zentyal]
    debug_level = 5
    cache_credentials = false
    enumerate = false
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/[email protected]
    ldap_sasl_canonicalize = false
    ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_name = sAMAccountName
    ldap_user_shell = loginShell
    ldap_group_name = msSFU30Name
    ldap_group_object_class = group
    ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    ldap_force_upper_case_realm = true
    ldap_disable_referrals = true
    ldap_id_mapping = false
    ldap_schema = rfc2307bis
    krb5_realm = MOSEK.ZENTYAL
    krb5_canonicalize = false
    krb5_server = mosek.zentyal

So now I restart sssd:

    [root@centosy sssd]# service sssd restart
    Redirecting to /bin/systemctl restart sssd.service

Edit 4:

Here is my nsswitch.conf:

    passwd:     files sss
    shadow:     files sss
    group:      files sss
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files sss
    netgroup:   files sss
    publickey:  nisplus
    automount:  files sss
    aliases:    files nisplus

The problem you have is that you are using the rid idmap.
It uses an algorithm to generate a random number for the UID between the limits set in the range, which will always be different between hosts.

What you need is the ads idmap, but that means the ids need to exist in both AD and LDAP.
If you only care about access to UNIX groups and the basic attributes, and not all AD groups, then winbind is not required.
Configure kerberos by populating /etc/krb5.conf and have an smb.conf similar to the following:

    [global]
    workgroup = ADIRE
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    password server = adire.XXX.XX.uk
    realm = ADIRE.XXX.XXX.UK
    security = ads
    client ldap sasl wrapping = sign

To make this easier you can let sssd control all of this, but get this working first!

Here is a good general overview of the options you have.

To configure the CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (replace the domain details):

    authconfig --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads

Then join the host to the domain and create a kerberos /etc/krb5.keytab file:

    net ads join createupn=host/`hostname -f`@ADIRE.DOMAIN.CO.UK -U privileged_user
    kinit @ADIRE.DOMAIN.CO.UK
    net ads keytab create
    net ads keytab add host/`hostname -f`@ADIRE.DOMAIN.CO.UK

This enables sssd, and you can keep all of the mappings in /etc/sssd/sssd.conf:

    [sssd]
    config_file_version = 2
    domains = adire.domain.co.uk
    services = nss, pam
    debug_level = 0

    [nss]

    [pam]

    [domain/adire.domain.co.uk]
    debug_level = 5
    cache_credentials = false
    enumerate = false
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/[email protected]
    ldap_sasl_canonicalize = false
    ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_name = sAMAccountName
    ldap_user_shell = loginShell
    ldap_group_name = msSFU30Name
    ldap_group_object_class = group
    ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    ldap_force_upper_case_realm = true
    ldap_disable_referrals = true
    ldap_id_mapping = false
    ldap_schema = rfc2307bis
    krb5_realm = ADIRE.DOMAIN.CO.UK
    krb5_canonicalize = false
    krb5_server = adire.domain.co.uk

Make sure sssd is set to start on boot, and restart it after running the authconfig command and joining the domain.
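An added example, not code from the question or the answer above: a small shell script that reproduces the check behind this thread offline, covering both the mismatch reported in the question and the rid-versus-LDAP point made in the answer. It takes the two getent passwd lines from the question plus a constructed LDIF entry for john (the uidNumber/gidNumber values are assumed to match what the Ubuntu box reads from LDAP), reports whether the two hosts agree and whether each host agrees with the directory, and shows the arithmetic the idmap_rid backend applies. One caveat on the answer: idmap_rid is not random; it maps uid = range-low + RID - base_rid, so two hosts with the same range setting get the same number. What it cannot do is reproduce a uidNumber stored in the directory, because the id is derived from the Windows SID, which is why the two machines still disagree and why the fix is to read the RFC2307 attributes (ldap_id_mapping = false) instead. The RID 1105 used at the end is an assumed value.

```shell
#!/bin/sh
# Added example: offline consistency checks for UID/GID mapping between hosts.
# Every value below is constructed for the example; replace the constants with
# real "getent passwd USER" and "ldapsearch -LLL ... uidNumber gidNumber" output.

# Constructed sample: what getent passwd returned on each host in the question.
UBUNTU_LINE='john:x:3000052:1901:John Doe:/home/john:/bin/bash'
CENTOS_LINE='john:*:16777228:16777218:John Doe:/home/john:/bin/bash'

# Constructed sample: the RFC2307 attributes the directory holds for john
# (assumed to be the values the Ubuntu side is reading).
JOHN_LDIF='dn: CN=John Doe,OU=Users,DC=mosek,DC=zentyal
sAMAccountName: john
uidNumber: 3000052
gidNumber: 1901
unixHomeDirectory: /home/john
loginShell: /bin/bash'

# passwd_field LINE N: print field N (1-based) of a passwd(5) line.
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{ print $n }'
}

# ldif_attr LDIF ATTR: print the value of ATTR from a single-entry LDIF.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" '$1 == (a ":") { print $2 }'
}

# compare_hosts LINE_A LINE_B: "same" when uid and gid agree, else "mismatch".
# This is the check that matters for NFS: the server trusts the numeric ids the
# client presents, so a different uid on the client means a different owner.
compare_hosts() {
    ua=$(passwd_field "$1" 3); ga=$(passwd_field "$1" 4)
    ub=$(passwd_field "$2" 3); gb=$(passwd_field "$2" 4)
    if [ "$ua" = "$ub" ] && [ "$ga" = "$gb" ]; then
        echo same
    else
        echo mismatch
    fi
}

# check_against_ldap LINE LDIF: "ok" when the host's uid/gid equal the
# uidNumber/gidNumber stored in the directory, else "mismatch".
check_against_ldap() {
    if [ "$(passwd_field "$1" 3)" = "$(ldif_attr "$2" uidNumber)" ] &&
       [ "$(passwd_field "$1" 4)" = "$(ldif_attr "$2" gidNumber)" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# rid_to_uid LOW BASE_RID RID: the mapping idmap_rid applies,
#   uid = LOW + RID - BASE_RID
# It is deterministic (identical on every host with the same range), but it is
# derived from the account's SID, not from uidNumber, so it only coincides with
# the directory's value by accident.
rid_to_uid() {
    echo $(( $1 + $3 - $2 ))
}

# Stand-alone run: report the checks for the constructed samples.
echo "ubuntu vs centos: $(compare_hosts "$UBUNTU_LINE" "$CENTOS_LINE")"
echo "centos vs ldap:   $(check_against_ldap "$CENTOS_LINE" "$JOHN_LDIF")"
echo "ubuntu vs ldap:   $(check_against_ldap "$UBUNTU_LINE" "$JOHN_LDIF")"
# With the question's range 3000040-4999999 and base_rid 0, an account whose
# SID ends in RID 1105 (assumed) gets uid 3001145 regardless of its uidNumber.
echo "rid 1105 -> uid $(rid_to_uid 3000040 0 1105)"
```

Run it with `sh` on any box; nothing in it contacts AD or LDAP. In production the same two comparisons are worth scripting against live data after the sssd switch: `getent passwd john` on both hosts must return identical uid and gid, and both must equal the uidNumber/gidNumber from an `ldapsearch` against the domain controller, otherwise files on the NFS export will still show up owned by a stranger on one side.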