I am trying to sync my Debian server with sssd.
When I run getent passwd username@domain, the user is not returned. The log says this is because I am missing the uid in the ldap lookup. However, I was under the distinct impression that I would not need it when setting ldap_id_mapping = true.
Full log:
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_user] (0x0020): no uid provided for [nmw] in domain [netdesign.dk].
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_user] (0x0040): Failed to save user [somedude]
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_users] (0x0040): Failed to check aliases for user 0. Ignoring.
Configuration file:
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = companyName.dk
[domain/companyName.dk]
#With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd user@domain.com
enumerate = false
cache_credentials = true
debug_level = 3
ldap_id_mapping = true
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://172.23.1.41:636,ldaps://172.23.1.42:636
ldap_search_base = ou=companyname,dc=companyName,dc=dk
#ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
#This parameter requires that the DC present a completely validated certificate chain. If you're testing or don't care, use 'allow' or 'never'.
ldap_tls_reqcert = allow
krb5_realm = COMPANYNAME.DK
dns_discovery_domain = COMPANYNAME.DK
#ldap_schema = rfc2307bis
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_search_base = ou=Users,ou=companyName,dc=companyName,dc=dk
ldap_group_search_base = ou=Roles,ou=Security Groups,ou=companyName,dc=companyName,dc=dk
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
fallback_homedir = /home/%d/%u
shell_fallback = /bin/bash
#Bind credentials
ldap_default_bind_dn = cn=user,ou=Service,ou=Misc accounts,ou=companyName,dc=companyName,dc=dk
ldap_default_authtok = 1nc0gn370
Installed packages
sssd libpam-sss libnss-sss
What exactly am I doing wrong here?
EDIT / NEW:
I tried changing the debug level to 7 and setting id_provider and access_provider to ad.
This is the resulting log:
(Tue Jan 27 09:44:00 2015) [sssd[be[companyName.dk]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [be_client_destructor] (0x0400): Removed NSS client
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.companyName.DK], [2][No such file or directory]
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.companyName.DK], [2][No such file or directory]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 1911E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3731 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3731,guid=cb367efaa8d3c54884cd2f9454c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 878E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3732 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3732,guid=76e5c03e58d9e5107828a0fc54c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 99CE20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3733 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3733,guid=1e822671b672f1c8f023390554c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection BC2E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3734 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3734,guid=58592e3c74d2a142966a571654c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
I assume the libsss_ad.so file should be here, but it is not.
user@server:/usr/lib/x86_64-linux-gnu/sssd$ ls -l
total 3868
-rw-r--r-- 1 root root 1405048 Mar 4 2013 libsss_ipa.so
-rw-r--r-- 1 root root 585784 Mar 4 2013 libsss_krb5.so
-rw-r--r-- 1 root root 1081880 Mar 4 2013 libsss_ldap.so
-rw-r--r-- 1 root root 479160 Mar 4 2013 libsss_proxy.so
-rw-r--r-- 1 root root 389400 Mar 4 2013 libsss_simple.so
drwxr-xr-x 2 root root 4096 Jan 26 15:05 modules
Is the sssd_ad module not included in Debian stable?
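Independent of the missing-uid problem, the ldap_tls_* lines in the posted configuration deserve a second look. With ldap_tls_reqcert = allow, a certificate that fails validation is ignored and the session proceeds, so the ldaps:// URIs protect the bind password against passive sniffing but not against a host impersonating a DC. The following fragment is an added example written for this thread, not part of the question; it shows the weak lines beside a validating version. The CA bundle path is the one already commented out in the posted config and is assumed to contain the DC's issuing CA.

```ini
[domain/companyName.dk]
# Weak (as posted): ldaps:// is used, but a certificate that does not
# validate is ignored and the bind still happens, so whatever answers on
# 172.23.1.41:636 with any certificate receives the bind credentials.
#ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
#ldap_tls_reqcert = allow

# Validating version: require a certificate that chains to a CA in the
# bundle (assumption: the DC's issuing CA is in this bundle) and refuse
# the connection otherwise.
ldap_uri = ldaps://172.23.1.41:636,ldaps://172.23.1.42:636
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
```

Two caveats that go with this. With IP-literal URIs, validation also needs the address to appear in the DC certificate's subject alternative names, so listing the DCs by DNS name is usually the easier route. And because ldap_default_authtok holds the bind password in cleartext, sssd.conf must stay root-owned with mode 0600 (SSSD refuses to start otherwise); a bind password that has been posted publicly, as the one in this question has, should be treated as compromised and changed.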
First of all, you did not say which version of SSSD you are using. Given that you say it is "Debian stable", I assume 1.8.x. That version does not support ID mapping, sorry.
The more complex answer is that SSSD serves POSIX users and requires that users have an ID number. The ID number can be an attribute of the user entry itself (usually uidNumber) or it can be derived from the Windows SID. The latter is what you were trying to do with ldap_id_mapping = True, but that functionality was only implemented in 1.9 and later.
I think that for now you can use Winbind, even on Debian stable.
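To make the two paths in the answer concrete, here is an added example written for this thread (not code from the answer and not SSSD's own code). It takes an LDAP user entry and returns a POSIX UID the way ldap_id_mapping conceptually does: use uidNumber when the entry carries one, otherwise decode the binary objectSid and map it into a per-domain slice of UIDs. The slice layout follows the documented sssd-ldap defaults (ldap_idmap_range_min 200000, ldap_idmap_range_max 2000200000, ldap_idmap_range_size 200000); the slice-selection hash (MurmurHash3 of the domain SID string with seed 0xdeadbeef) is my understanding of SSSD's idmap and is an assumption, so do not expect byte-for-byte agreement with a particular SSSD build. The user names, domain SID and uidNumber in the sample entries are constructed.

```python
# Added example for this thread, not SSSD code. Range defaults follow the
# sssd-ldap man page; the hash/slice selection is an assumption (see lead-in).
import struct

IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_MAX = 2000200000
IDMAP_RANGE_SIZE = 200000
IDMAP_MAX_SLICES = (IDMAP_RANGE_MAX - IDMAP_RANGE_MIN) // IDMAP_RANGE_SIZE  # 10000
M32 = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & M32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        k = (k * c2) & M32
        h ^= k
        h = ((h << 13) | (h >> 19)) & M32
        h = (h * 5 + 0xE6546B64) & M32
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        k = (k * c2) & M32
        h ^= k
    h ^= len(data)                      # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    h ^= h >> 16
    return h


def decode_sid(raw: bytes) -> str:
    """Binary objectSid as AD returns it over LDAP -> 'S-1-5-21-...' string."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)    # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used only to build the constructed sample below."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_slice_base(domain_sid: str) -> int:
    """First UID of the slice assigned to a domain SID (hash choice is an assumption)."""
    slice_idx = murmurhash3_32(domain_sid.encode(), 0xDEADBEEF) % IDMAP_MAX_SLICES
    return IDMAP_RANGE_MIN + slice_idx * IDMAP_RANGE_SIZE


def posix_uid(entry: dict) -> int:
    """UID for an LDAP user entry: uidNumber if present, else mapped from objectSid.
    Raises LookupError when neither is usable, which is the situation behind
    'no uid provided for [...]' in the question's log."""
    if entry.get("uidNumber") is not None:
        return int(entry["uidNumber"])
    raw = entry.get("objectSid")
    if raw is None:
        raise LookupError("no uidNumber and no objectSid: no uid provided")
    domain_sid, _, rid_str = decode_sid(raw).rpartition("-")
    rid = int(rid_str)
    if rid >= IDMAP_RANGE_SIZE:
        raise LookupError("RID %d does not fit in a %d-ID slice" % (rid, IDMAP_RANGE_SIZE))
    return domain_slice_base(domain_sid) + rid


# Constructed sample entries (hypothetical names, domain SID and uidNumber).
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_RFC2307 = {"sAMAccountName": "alice", "uidNumber": "10001"}
SAMPLE_AD_ONLY = {"sAMAccountName": "somedude",
                  "objectSid": encode_sid(SAMPLE_DOMAIN_SID + "-1103")}
SAMPLE_NO_ID = {"sAMAccountName": "nmw"}

if __name__ == "__main__":
    for e in (SAMPLE_RFC2307, SAMPLE_AD_ONLY, SAMPLE_NO_ID):
        try:
            print(e["sAMAccountName"], "->", posix_uid(e))
        except LookupError as err:
            print(e["sAMAccountName"], "-> FAIL:", err)
```

The third sample entry reproduces the failure in the question: an SSSD that cannot map SIDs (1.8.x) only has the first path, so a user without uidNumber is dropped with "no uid provided". The mapped UID is stable across hosts only because every host derives the same slice from the same domain SID; if you later change ldap_idmap_range_* on one host, its UIDs diverge from the rest and file ownership on shared storage breaks.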