Winbind Centos errado UID / GID

1

Este é o cenário:

Eu tenho duas máquinas:

Ubuntu, executando o ldap para autenticar usuários

CentOs, usa o winbind para autenticar usuários

para montar homedirs eu uso compartilhamentos fstab e nfs.

O problema é este:

no Ubuntu, em getent passwd um usuário se parece com isso:

john:x:3000052:1901:John Doe:/home/john:/bin/bash

mas no CentOs o mesmo usuário usa assim em getent passwd:

john:*:16777228:16777218:John Doe:/home/john:/bin/bash

Como você pode ver, o UID e o GID não estão correspondendo, o que resolve as permissões negadas quando um usuário tenta acessar o homefoler no CentOS. Eu quero que o CentOS tenha exatamente o mesmo UID e GID que o Ubuntu, para os usuários do AD.

Eu consegui descobrir algo sobre o idmap no smb.conf, mas não consegui trabalhar.

[global]
idmap workgroup = MOSEK
idmap config MOSEK:backend  = rid
idmap config MOSEK:base_rid = 0
idmap config MOSEK:range    = 3000040 - 4999999

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
...autogenerated stuff
#--authconfig--end-line--

Mas isso não está funcionando.

Espero estar claro no que estou tentando fazer

EDITAR:

ok, então aqui está o que o authconfig gerou para mim. Por causa da sua resposta, acho que isso pode ser relevante.

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
password server = nyborg.mosek.zentyal
realm = MOSEK.ZENTYAL
security = ads
idmap config * : range = 1000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true

#--authconfig--end-line-- 

EDIT2: quando eu tentei dar sssd.conf as permissões corretas, me deu um novo erro:

[root@centosy sssd]# journalctl -xn
-- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited,  code=exited status=1
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services    Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sssd.service has failed.
-- 
-- The result is failed.
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.

EDIT3:

bem, eu segui o seu guia e eis o que fiz do começo ao fim:

[root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
getsebool:  SELinux is disabled

[root@centosy sssd]# net ads join createupn=host/'hostname -f'@MOSEK.ZENTYAL -U tomas
Ignoring unknown parameter "idmap workgroup"
Ignoring unknown parameter "idmap workgroup"
Enter tomas's password:
Using short domain name -- MOSEK
Joined 'CENTOSY' to dns domain 'mosek.zentyal'

e aqui está meu sssd.conf:

[sssd]
 config_file_version = 2
 domains = mosek.zentyal
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/mosek.zentyal]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/[email protected]
 ldap_sasl_canonicalize = false

 ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = MOSEK.ZENTYAL
 krb5_canonicalize = false
 krb5_server = mosek.zentyal

agora eu reinicio sssd:

[root@centosy sssd]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

EDIT 4:

este é o meu nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus
    
por Tomas 30.09.2014 / 09:48

1 resposta

2

O problema que você tem é usar rid idmap.
Isso usa um algoritmo para gerar um número aleatório para o UID entre os limites definidos no intervalo, que sempre será diferente entre os hosts.

O que você precisa é o ads idmap, no entanto, isso significa que o id precisa existir no AD e no ldap.
Se você está preocupado apenas em acessar os grupos e atributos básicos do UNIX e não em todos os grupos do AD, então o winbind não é necessário.
Configure o kerberos preenchendo /etc/krb5.conf e tenha um smb.conf semelhante ao seguinte:

[global] workgroup = ADIRE client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log password server = adire.XXX.XX.uk realm = ADIRE.XXX.XXX.UK security = ads client ldap sasl wrapping = sign

Para tornar isso mais fácil, você pode deixar o sssd controlar tudo, mas faça isso funcionar primeiro!

Uma boa ideia geral das opções que você tem é AQUI .

Para configurar um host do CentOS para usar autenticação do AD com atributos LDAP, você pode usar o seguinte comando authconfig (substitua os detalhes do domínio):

authconfig  --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads

Em seguida, junte o host ao domínio e crie um arquivo kerberos /etc/krb5.keytab :

net ads join createupn=host/'hostname -f'@ADIRE.DOMAIN.CO.UK -U priviledged_user
kinit @ADIRE.DOMAIN.CO.UK
net ads keytab create
net ads keytab add host/'hostname -f'@ADIRE.DOMAIN.CO.UK

Isso ativará sssd , no qual você pode ter todo o mapeamento em ( /etc/sssd/sssd.conf ):

[sssd]
 config_file_version = 2
 domains = adire.domain.co.uk
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/adire.domain.co.uk]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/[email protected]
 ldap_sasl_canonicalize = false

 ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = ADIRE.DOMAIN.CO.UK
 krb5_canonicalize = false
 krb5_server = adire.domain.co.uk

Assegure-se de que o sssd esteja configurado para iniciar na inicialização e seja reiniciado depois de executar o comando authconfig e ingressar no domínio.

    
por 01.10.2014 / 18:38