我正在准备从CentOS 6到CentOS 7的最终升级.现在,在版本6中,我们只使用LDAP映射到AD进行身份验证.然后,它使用Unix的Active Directory扩展中的UID和GID.
在我对CentOS 7的实验中,我通过文档(我认为它来自Red Hat)解释了如何加入域.这个过程大多是直截了当的,而且大多数都很有效.但是,它不仅仅使用AD Unix属性中的UID和GID.它将这些ID映射到完全不同的ID.在AD中,用户在10000范围内. CentOS7为每个用户提供625000000范围内的UID.
到目前为止,在我的小规模测试(3个盒子)中,UID似乎在所有这些中都是一致的,这很好.但是,当我开始在生产中推出7个时,它将逐步升级.我不会同时升级每个盒子.我担心用户在不同的盒子上有不同的UID.有没有办法让CentOS 7在AD Unix属性中使用UID和GID?
这是我的smb.conf:
[global] workgroup = COMPANY client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log password server = ad_domaincontroller.company.net realm = COMPANY.NET security = ads server string = Samba Server Version %v max log size = 50
这是我的sssd.conf
[sssd] config_file_version = 2 domains = company.net services = nss,pam,pac [nss] filter_groups = root filter_users = root [domain/company.net] id_provider = ad ad_server = ad_domiancontroller.company.net ad_hostname = centos7-22.company.net auth_provider = ad chpass_provider = ad access_provider = ad ldap_schema = ad use_fully_qualified_names = False cache_credentials = true ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true
编辑:我已经尝试将ldap_id_mapping = False添加到sssd.conf,但是包含该行,sssd.service将无法启动.这是输出:
Sep 29 12:59:55 centos7-22 sssd[32827]: Starting up Sep 29 12:59:55 centos7-22 sssd[32828]: Starting up Sep 29 12:59:55 centos7-22 sssd[32831]: Starting up Sep 29 12:59:55 centos7-22 sssd[32830]: Starting up Sep 29 12:59:55 centos7-22 sssd[32829]: Starting up Sep 29 12:59:55 centos7-22 sssd[32832]: Starting up Sep 29 12:59:56 centos7-22 sssd[be[32833]: Starting up Sep 29 12:59:56 centos7-22 systemd[1]: sssd.service: control process exited,code=exited status=1 Sep 29 12:59:56 centos7-22 systemd[1]: Failed to start System Security Services Daemon. -- Subject: Unit sssd.service has Failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit sssd.service has Failed. -- -- The result is Failed. Sep 29 12:59:56 centos7-22 systemd[1]: Unit sssd.service entered Failed state.
来自sssd-ad的手册页:
默认情况下,AD提供程序将映射Active Directory中objectSID参数的UID和GID值.有关详细信息,请参阅下面的“ID映射”部分.如果要禁用ID映射,而是依赖于Active Directory中定义的POSIX属性,则应进行设置ldap_id_mapping = False