How to use Synology AD server to make linux work in the nfs system

From DDCC TCAD TOOL Manual
Revision as of 09:35, 26 May 2024 (Sun) by Yrwu (talk | contribs)


In Linux, the installation has two prerequisites: 1. a Synology NAS running Synology Directory Server (this is the AD domain controller); 2. an LDAP admin tool (ldapadmin) set up to log into that server, so you can inspect the domain accounts. For Ubuntu 22.04 LTS, follow these steps.

rm /etc/resolv.conf

On Ubuntu, /etc/resolv.conf is a symbolic link to the stub file managed by systemd-resolved, so no matter what name server you write there it always comes back as 127.0.0.53. Removing the symbolic link and creating a regular file is the fastest way to point the client at the domain controller (the file is resolv.conf, with no "e"). The join needs this because realm discover and realm join look up the domain's SRV records in DNS, and only the NAS serves them.

vi /etc/resolv.conf

If your Synology NAS IP is 192.168.0.2, put

nameserver 192.168.0.2

in /etc/resolv.conf and save.

apt -y install openvswitch-switch-dpdk
apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

The first line (Open vSwitch with DPDK) is not needed for the domain join and can be skipped; the second line installs everything realmd and SSSD need.
vi /etc/krb5.conf

The content should be

[libdefaults]
udp_preference_limit = 0
default_realm = YRWULAB.LOCAL
rdns = false
vi /etc/nsswitch.conf

The content should be

passwd:         compat sss ldap
group:          compat sss ldap
shadow:         compat sss ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
automount:      sss

If sss is missing, add it. The order compat sss ldap means the system checks local accounts (/etc/passwd, /etc/group, /etc/shadow) first, then SSSD, then LDAP. The ldap entry is only consulted if an NSS LDAP module (libnss-ldapd) is installed; with the packages above it is silently skipped, so sss is the entry that matters.

realm discover synologydomain.local
realm join synologydomain.local

realm discover must report the domain with client-software: sssd and server-software: active-directory before you join; if it finds nothing, /etc/resolv.conf is not pointing at the NAS. realm join prompts for the password of the domain Administrator account (use realm join -U <account> to join with a different domain admin). Afterwards realm list should show the domain. Note that this page uses synologydomain.local and yrwulab.local interchangeably as placeholders; use your own domain name, and the same one, in every file below.

vi /etc/pam.d/common-session

Put following in the end of the file.

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

Then check /etc/krb5.conf again (realmd may have rewritten it when you joined the domain). It should still read:

[libdefaults]
udp_preference_limit = 0
default_realm = YRWULAB.LOCAL
rdns = false

Finally edit /etc/sssd/sssd.conf

vi /etc/sssd/sssd.conf

The content should be

[sssd]
domains = yrwulab.local
config_file_version = 2
services = nss, pam
[domain/yrwulab.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = SYNOLOGYDOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = synologydomain.local
use_fully_qualified_names = False
ldap_idmap_default_domain = SYNOLOGYDOMAIN.LOCAL
#ldap_id_mapping = True   (the default for the ad provider; do NOT use it here)
ldap_id_mapping = False
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
# This part is critical: with ldap_id_mapping = False SSSD ignores the ids it
# would otherwise derive from the Windows SID and takes the user's uid and gid
# from the uidNumber/gidNumber attributes stored in the directory, which are
# the ids the NAS itself uses. Password checking is unaffected; it still goes
# through Kerberos against the domain controller.
access_provider = simple
#simple_allow_groups = @synologydomain.local

Three things to check before restarting. sssd refuses to start unless /etc/sssd/sssd.conf is owned by root with mode 0600 (chmod 600 /etc/sssd/sssd.conf). sssctl config-check (from sssd-tools) reports syntax errors in the file. And access_provider = simple with simple_allow_groups commented out lets every domain user log into this machine; uncomment it and name a group if only some users should have shell access. The domain names in this file must all match your real domain (the listing above mixes yrwulab.local and synologydomain.local).

Then clear the SSSD cache and restart:

rm -f /var/lib/sss/db/*
systemctl restart sssd

This part is done. The reason for the ldap_id_mapping setting: the Synology AD domain does not show a plain uid and gid for its users (they are stored as the uidNumber/gidNumber attributes that the config above reads), and with ldap_id_mapping = True SSSD instead derives a uid from the user's SID, giving a very strange number that does not match the uid the NAS assigned to that user. NFS with the usual sec=sys exports compares numeric ids, not names, so a mismatched uid means the user cannot read their own files over NFS, or reads someone else's. Verify the join with id <user> and getent passwd <user> on the client and compare the uid with id -u <user> on the NAS (over SSH); the numbers must be equal.
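The client-side configuration above, collected into one script, as an added example that is not from the original page: it renders krb5.conf and sssd.conf from a single domain name (so the yrwulab.local/synologydomain.local mix-up cannot happen) and checks the points this page says go wrong: resolv.conf still being the systemd-resolved symlink, sss missing from nsswitch.conf, sssd.conf permissions, and a client uid that differs from the NAS uid. The domain, the NAS IP, the group name linux-users, the user alice and her uid 1026 are placeholders; the real NAS uid must be read on the NAS with id -u.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Render the files this guide edits
# from ONE domain name, then check the client before restarting sssd.
# Assumptions: the Synology DC answers DNS for the domain, and domain users
# carry uidNumber/gidNumber in the directory. Paths, IPs and names are arguments.
set -eu

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# krb5.conf [libdefaults] block; the realm is the upper-cased DNS domain.
render_krb5_conf() {
  printf '[libdefaults]\nudp_preference_limit = 0\ndefault_realm = %s\nrdns = false\n' "$(upper "$1")"
}

# sssd.conf for the domain. $2 (optional) restricts logins to one AD group;
# with access_provider = simple and no allow list, EVERY domain user can log in.
render_sssd_conf() {
  local domain="$1" allow_group="${2:-}" realm
  realm=$(upper "$domain")
  cat <<EOF
[sssd]
domains = ${domain}
config_file_version = 2
services = nss, pam

[domain/${domain}]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = ${realm}
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = ${domain}
use_fully_qualified_names = False
ldap_idmap_default_domain = ${realm}
# Take uidNumber/gidNumber from the directory instead of SID-derived ids,
# so numeric ids match the NAS (NFS with sec=sys trusts the client's uid).
ldap_id_mapping = False
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
access_provider = simple
EOF
  [ -n "$allow_group" ] && printf 'simple_allow_groups = %s\n' "$allow_group"
  return 0
}

# /etc/resolv.conf must be a regular file (not the systemd-resolved symlink)
# whose first nameserver is the DC; otherwise realm discover finds no SRV records.
check_resolv() {
  local file="$1" dc_ip="$2" first
  [ -L "$file" ] && return 1
  first=$(awk '$1=="nameserver"{print $2; exit}' "$file")
  [ "$first" = "$dc_ip" ]
}

# passwd, group and shadow lookups must consult sss, or domain users stay invisible.
check_nsswitch() {
  local file="$1" db
  for db in passwd group shadow; do
    grep -Eq "^${db}:.*\bsss\b" "$file" || return 1
  done
}

# sssd refuses to start unless sssd.conf is owned by $2 (root) with mode 0600.
check_sssd_perms() {
  local file="$1" owner="${2:-root}"
  [ "$(stat -c '%U %a' "$file")" = "$owner 600" ]
}

# uid field of a passwd(5) line, e.g. the output of `getent passwd alice`.
passwd_uid() { printf '%s' "$1" | cut -d: -f3; }

# Compare the client's idea of a user's uid with the uid the NAS uses for that
# user (read it on DSM with `id -u USER` over SSH and pass it as $2).
check_uid_match() {
  local user="$1" nas_uid="$2" line
  line=$(getent passwd "$user") || return 1
  [ "$(passwd_uid "$line")" = "$nas_uid" ]
}

# Usage (as root, after realm join; names and numbers are placeholders):
#   render_krb5_conf yrwulab.local > /etc/krb5.conf
#   render_sssd_conf yrwulab.local linux-users > /etc/sssd/sssd.conf
#   chown root:root /etc/sssd/sssd.conf && chmod 600 /etc/sssd/sssd.conf
#   check_resolv /etc/resolv.conf 192.168.0.2 && check_nsswitch /etc/nsswitch.conf \
#     && check_sssd_perms /etc/sssd/sssd.conf && sssctl config-check \
#     && rm -f /var/lib/sss/db/* && systemctl restart sssd
#   check_uid_match alice 1026   # 1026 taken from `id -u alice` on the NAS
```

check_uid_match is the test that matters for NFS: sec=sys exports trust whatever numeric uid the client presents, so a client whose SSSD hands out SID-derived ids will be mapping alice's files to a stranger's uid even though the Kerberos login itself works.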


The author's repeat script performs these steps in order (nas5fstabadd.txt holds the NFS lines to append to /etc/fstab and newhost.txt the extra /etc/hosts entries; both are the author's own files):

cp sssd.conf /etc/sssd/
rm -f /var/lib/sss/db/*
echo "restart sssd"
systemctl restart sssd
cat nas5fstabadd.txt >> /etc/fstab
mkdir /homenew3
mount -a
cat newhost.txt >> /etc/hosts

Run it only once per machine: the two cat ... >> lines append, so a second run duplicates the fstab and hosts entries.

If the join fails with

realm: Couldn't join realm: Insufficient permissions to join the domain

(the author's log reference is journalctl REALMD_OPERATION=r547900.29111), make sure /etc/resolv.conf contains the nameserver line and reboot, then repeat the installation with new-2-repeat.sh: remove /etc/resolv.conf and create a new /etc/resolv.conf whose content is nameserver 192.168.0.9 (the NAS address in the author's script).