I have the following sssd + AD setup for ssh management.
AD Domain - ad.example.net
AD DC 1 hostname - dc1.example.net
AD DC 2 hostname - dc2.example.net
Linux (CentOS) server hostname - server.int.example.com -> this I cannot change, per org policy
I do not want to add the AD DNS to my /etc/resolv.conf; we want to use the cloud-provided DNS resolver to resolve our domain controller hostnames *.example.net.
When I add them as
ad_server = dc1.example.net,dc2.example.net
sssd fails -
[dp_req_reply_gen_error] (0x0080): DP Request [Initgroups #1066]: Finished. Backend is currently offline.
Here are my sssd.conf and krb5.conf.
sssd.conf -
[sssd]
domains = ad.example.net
reconnection_retries = 3
config_file_version = 2
services = nss, pam, ssh
override_space = _
sbus_timeout = 30
[nss]
reconnection_retries = 3
entry_negative_timeout = 30
entry_cache_nowait_percentage = 7
debug_level = 9
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
entry_cache_timeout = 3600
[domain/ad.example.net]
id_provider = ad
access_provider = ad
ldap_id_mapping = True
auto_private_groups = True
default_shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = False
krb5_store_password_if_offline = True
realmd_tags = manages-system joined-with-adcli
ad_domain = ad.example.net
ad_server = dc1.example.net,dc2.example.net
ad_hostname = dev1210utl1.ad.example.net
krb5_realm = AD.example.NET
ldap_user_ssh_public_key = altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
debug_level = 9
dns_resolver_timeout = 20
krb5_lifetime = 24h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 60s
dyndns_update = false
krb5.conf -
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
ignore_acceptor_hostname = true
[realms]
AD.EXAMPLE.NET = {
kdc = dc1.example.net
admin_server = dc1.example.net
kdc = dc2.example.net
admin_server = dc2.example.net
}
[domain_realm]
.ad.example.net = AD.EXAMPLE.NET
ad.example.net = AD.EXAMPLE.NET
I know there are different DNS FQDNs in my setup, but I cannot avoid them.
sssd works if I set -
ad_server = dc1.ad.example.net,dc2.ad.example.net
But then I have to add the AD DNS as my resolver, or put them in /etc/hosts, which I want to avoid.
Any help would be appreciated.
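The following is an added illustration for the question above, not code from the poster, SSSD or MIT Kerberos. It reads the two files shown in the post (trimmed to the relevant keys and embedded as constructed sample input) and flags the inconsistencies a practitioner would check first before assuming a network fault: AD server names that are not inside the AD DNS domain, a krb5_realm value that does not match krb5.conf byte for byte (Kerberos realm names are case-sensitive; the post has AD.example.NET against AD.EXAMPLE.NET), a missing [realms] block for that realm, and a kdc list that disagrees with ad_server. The detail text for the first finding assumes that with rdns = false the LDAP GSSAPI bind requests a service ticket for ldap/<configured name>@REALM, which is the usual reason a DC name outside the AD zone cannot be bound to; section and hostnames are taken from the post, the function and finding codes are this example's own.

```python
#!/usr/bin/env python3
"""Static consistency checks for an SSSD AD domain section against krb5.conf.

Added example for the question above; not SSSD or Kerberos project code.
"""
import configparser

# Constructed sample inputs: the values from the question, trimmed to the
# keys the checks look at.
SSSD_CONF = """\
[sssd]
domains = ad.example.net
services = nss, pam, ssh

[domain/ad.example.net]
id_provider = ad
ad_domain = ad.example.net
ad_server = dc1.example.net,dc2.example.net
ad_hostname = dev1210utl1.ad.example.net
krb5_realm = AD.example.NET
"""

KRB5_CONF = """\
[libdefaults]
default_realm = AD.EXAMPLE.NET
dns_lookup_kdc = false
rdns = false

[realms]
AD.EXAMPLE.NET = {
kdc = dc1.example.net
admin_server = dc1.example.net
kdc = dc2.example.net
admin_server = dc2.example.net
}
"""


def parse_krb5(text):
    """Minimal krb5.conf reader returning {section: [(key, value), ...]}.

    krb5.conf is not INI-compatible (duplicate keys, `{ }` sub-blocks), so
    configparser is not used. A realm block becomes "realms/<REALM>".
    """
    sections, current, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir") or current is None and not line.startswith("["):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, realm = line[1:-1], None
            sections.setdefault(current, [])
            continue
        if line.endswith("{"):  # e.g. "AD.EXAMPLE.NET = {"
            realm = line[:-1].strip().rstrip("=").strip()
            sections.setdefault(f"{current}/{realm}", [])
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        sections[f"{current}/{realm}" if realm else current].append((key.strip(), value.strip()))
    return sections


def in_dns_domain(host, domain):
    """True if host is a name strictly below domain (case-insensitive)."""
    return host.lower().rstrip(".").endswith("." + domain.lower().rstrip("."))


def check_sssd_domain(sssd_text, krb5_text, section="domain/ad.example.net"):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_text)
    krb5 = parse_krb5(krb5_text)
    findings = []

    ad_domain = cp.get(section, "ad_domain", fallback=section.split("/", 1)[1])
    realm = cp.get(section, "krb5_realm", fallback=ad_domain.upper())
    servers = [h.strip() for h in cp.get(section, "ad_server", fallback="").split(",") if h.strip()]

    # 1. Each ad_server should be a name inside the AD DNS domain. With rdns = false
    #    nothing canonicalises it, and the GSSAPI bind asks the KDC for
    #    ldap/<that name>@REALM (assumption about the bind target).
    for host in servers:
        if not in_dns_domain(host, ad_domain):
            findings.append(("server_outside_ad_domain",
                             f"{host} is not under {ad_domain}; bind will request ldap/{host}@{realm}"))

    # 2. The client's own AD name should be inside the domain as well.
    ad_hostname = cp.get(section, "ad_hostname", fallback=None)
    if ad_hostname and not in_dns_domain(ad_hostname, ad_domain):
        findings.append(("client_outside_ad_domain", ad_hostname))

    # 3. Realm names are case-sensitive: krb5_realm must equal default_realm exactly.
    default_realm = dict(krb5.get("libdefaults", [])).get("default_realm")
    if default_realm and default_realm != realm:
        findings.append(("realm_mismatch",
                         f"sssd krb5_realm {realm!r} != krb5.conf default_realm {default_realm!r}"))

    # 4. libkrb5 looks up [realms] by the exact realm string; its kdc list should
    #    name the same hosts as ad_server, or two sets of DC names are in play.
    block = krb5.get(f"realms/{realm}")
    if block is None:
        findings.append(("realm_block_missing", f"krb5.conf has no [realms] block for {realm}"))
    else:
        kdcs = {v for k, v in block if k == "kdc"}
        if kdcs and kdcs != set(servers):
            findings.append(("kdc_list_differs", f"kdc {sorted(kdcs)} vs ad_server {servers}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_sssd_domain(SSSD_CONF, KRB5_CONF):
        print(f"{code}: {detail}")
```

Run against the post's files it reports both DC names as outside ad.example.net, the realm case mismatch, and consequently a missing [realms] block for AD.example.NET; with dc1.ad.example.net/dc2.ad.example.net in both files and the realm spelled identically it reports nothing, which matches the working variant the poster describes.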