How to use Synology AD server to make linux work in the nfs system

From DDCC TCAD TOOL Manual

On Linux, the installation steps are:

1. Have a Synology NAS running Synology Directory Server.
2. Prepare LDAP Admin (ldapadmin.exe) to log in to the server.

For Ubuntu 22.04 LTS, follow these steps.

rm /etc/resolv.conf

On current Ubuntu releases /etc/resolv.conf is a symbolic link to the stub file managed by systemd-resolved, so no matter how you change your name server it always goes back to 127.0.0.53. Removing the symbolic link and writing a regular file in its place is the fastest way around this.

vi /etc/resolv.conf

If your Synology NAS IP is 192.168.0.2, put the line

nameserver 192.168.0.2

in /etc/resolv.conf and save. The domain controller has to be the resolver so that realm discover can find the AD DNS records for the domain.

apt -y install openvswitch-switch-dpdk
apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
vi /etc/krb5.conf

The content should be

[libdefaults]
udp_preference_limit = 0
# upper-case name of the domain you are going to join
default_realm = SYNOLOGYDOMAIN.LOCAL
rdns = false

vi /etc/nsswitch.conf

The content should be

passwd:         compat sss ldap
group:          compat sss ldap
shadow:         compat sss ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
automount:      sss

If sss is missing from a line, add it. The order compat sss ldap means the system checks local accounts first, then SSSD, then LDAP.

realm discover synologydomain.local
realm join synologydomain.local

vi /etc/pam.d/common-session

Add the following line at the end of the file:

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

Then check /etc/krb5.conf again (it may have been changed when you joined the domain).

[libdefaults]
udp_preference_limit = 0
default_realm = SYNOLOGYDOMAIN.LOCAL
rdns = false

When this part is done, you will find that the Synology AD domain reports strange uid and gid numbers. With ldap_id_mapping = True (the default for id_provider = ad), SSSD generates the user id itself, and it does not match the uid on the Synology NAS. For example, on your Linux client:

id testuser@synologydomain.local
uid=1655348009(SYNOLOGY-WK\testuser) gid=165537393(SYNOLOGY-WK\Domain Users) groups=165537393(SYNOLOGY-WK\Domain Users)

But if you mount the Synology NAS home folder as an NFS share, you will find that the user's uid is 922748009 and gid is 922747393.
Likewise, if you ssh to the Synology NAS and run id testuser@synologydomain.local:

id testuser@synologydomain.local
uid=922748009(SYNOLOGY-WK\testuser) gid=922747393(SYNOLOGY-WK\Domain Users) groups=922747393(SYNOLOGY-WK\Domain Users)

So the Linux uid does not match the Synology NAS uid (I don't know why, since they are all Linux based). This causes a lot of trouble, since users cannot use their own folders. To solve this, open LDAP Admin (ldapadmin.exe, a third-party Windows tool that can be found on the internet).

Log in to the Synology NAS AD server.

Edit the user you added, for example testuser. While editing, you will not find uidNumber and gidNumber among the attributes, so you need to add them to the Synology AD yourself. Please add:

1. uidNumber -> set it to 922748009 (the same as shown on the Synology NAS; each user has a different uid, this is just an example)
2. gidNumber -> set it to 922747393 (the same as shown on the Synology NAS)
3. unixHomeDirectory -> /home/testuser-1179 (the Synology user home directory is the username plus a strange id, which is not the same as the uid)
4. loginShell -> /bin/bash
 

Finally, we want Linux to accept the uid defined in AD, so we need to edit /etc/sssd/sssd.conf.

vi /etc/sssd/sssd.conf

The content should be

[sssd]
# use the same domain name you joined with realm join
domains = synologydomain.local
config_file_version = 2
services = nss, pam

[domain/synologydomain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = SYNOLOGYDOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
# only used for users that have no unixHomeDirectory set in AD
fallback_homedir = /home/%u
ad_domain = synologydomain.local
use_fully_qualified_names = False
ldap_idmap_default_domain = SYNOLOGYDOMAIN.LOCAL
# This part is critical: with ldap_id_mapping = True (the default) SSSD
# generates its own ids from the SID and ignores uidNumber/gidNumber.
#ldap_id_mapping = True
ldap_id_mapping = False
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
# The settings above are important: they make the system ignore the
# generated uid and use uidNumber from AD when authenticating the user.
# This part is critical.
access_provider = simple
#simple_allow_groups = @synologydomain.local

Then clear the SSSD cache and restart the service:

rm -f /var/lib/sss/db/*
systemctl restart sssd
After a few minutes, run id testuser@synologydomain.local; you should see something like:

id testuser@synologydomain.local
uid=922748009(SYNOLOGY-WK\testuser) gid=922747393(SYNOLOGY-WK\Domain Users) groups=922747393(SYNOLOGY-WK\Domain Users)
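The four attribute edits done by hand in LDAP Admin above, and the uid/gid comparison just shown, can both be scripted. The following is an added example and not part of the original page: it builds the LDIF for OpenLDAP's ldapmodify (the container CN=Users,DC=synologydomain,DC=local is an assumption) and checks whether the client's id output agrees with the NAS's.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): script the POSIX-attribute edit
# done by hand in LDAP Admin, and compare the client's `id` output with the NAS's.
set -eu

# Extract the numeric uid and gid from one line of `id` output, e.g.
#   uid=922748009(SYNOLOGY-WK\testuser) gid=922747393(SYNOLOGY-WK\Domain Users) ...
# and print them as "uid gid".
parse_id_line() {
    line=$1
    uid=${line#uid=};  uid=${uid%%(*}
    gid=${line#*gid=}; gid=${gid%%(*}
    printf '%s %s\n' "$uid" "$gid"
}

# Return 0 when the client and the NAS report the same uid and gid for a user.
ids_match() {
    [ "$(parse_id_line "$1")" = "$(parse_id_line "$2")" ]
}

# Build the LDIF that adds uidNumber, gidNumber, unixHomeDirectory and
# loginShell to an AD user. The container CN=Users,DC=synologydomain,DC=local
# is an assumption; adjust it to where your users actually live.
posix_ldif() {
    user=$1; uid=$2; gid=$3; home=$4; shell=${5:-/bin/bash}
    cat <<EOF
dn: CN=${user},CN=Users,DC=synologydomain,DC=local
changetype: modify
add: uidNumber
uidNumber: ${uid}
-
add: gidNumber
gidNumber: ${gid}
-
add: unixHomeDirectory
unixHomeDirectory: ${home}
-
add: loginShell
loginShell: ${shell}
EOF
}

# Real run: take uid/gid from `ssh nas id testuser@synologydomain.local`, then
#   posix_ldif testuser 922748009 922747393 /home/testuser-1179 \
#     | ldapmodify -H ldap://192.168.0.2 -D 'administrator@synologydomain.local' -W
# After `systemctl restart sssd`, ids_match "$(id testuser)" "$(ssh nas id testuser)"
# should succeed.
```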

Finally, mount the NFS share on your Linux client by editing /etc/fstab:

vi /etc/fstab

192.168.0.2:/volume1/homes/@DH-SYNOLOGY-WK/0 /home  nfs rw 0 0

Save the fstab and run:

mount -a

Finally, run su testuser to check that the account works normally, then log in over ssh with the testuser account to confirm it works. Note that mounting on /home covers any local home directories on the client, so every user's home must now come from the NAS.