在CentOS中使用/etc/resolv.conf解析AD域

编程问答 2022-06-12

问题描述

我已使用Realm配置了SSSD,并使用AD凭据登录了centOS VM。请参阅设置here

我不得不修改 /etc/resolv.conf 文件,将namserver指向AD域

原始的 /etc/resolv.conf 文件

DELETE FROM table1 a
WHERE NOT EXISTS (
   SELECT FROM table2 b
   WHERE b.table1Id = a.id
)

更新的 /etc/resolv.conf 文件

# Generated by NetworkManager
search ap-south-1.compute.internal
nameserver 172.31.0.2

使用更新的 /etc/resolv.conf 文件用户可以使用AD凭据登录,但无法解析原始域

我想要一种方法来解析两个指向不同名称服务器的域

# Generated by NetworkManager
search test.com
nameserver 172.31.12.38

我也尝试了多种使用不推荐使用的标签来解析域的方法

# Generated by NetworkManager
nameserver 172.31.0.2
nameserver 172.31.12.38
search ap-south-1.compute.internal test.com

我什至尝试过旋转选项

# Generated by NetworkManager
domain ap-south-1.compute.internal
nameserver 172.31.0.2

domain test.com
nameserver 172.31.12.38

是否可以使用 /etc/resolv.conf

来解析指向不同名称服务器的多个域

解决方法

要解析AD林域,我们可以在 sssd.conf 文件中配置ad_server参数

参考链接:man_page_sssd [参考ad_server部分]

/etc/sssd/sssd.conf 文件供参考:

原始文件:

[sssd]
domains = test.com
config_file_version = 2
services = nss,pam,sudo,ssh

[nss]
debug_level = 10

[domain/test.com]
ad_domain = test.com
krb5_realm = TEST.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

更新的文件:

[sssd]
domains = test.com
config_file_version = 2
services = nss,ssh

[nss]
debug_level = 10

[domain/test.com]
ad_domain = test.com
ad_server = 172.31.12.38,172.31.12.48
krb5_realm = TEST.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

这样,我们可以避免在 /etc/resolv.conf 文件中进行任何输入

centoscentosdnsdnsresolv