How to use a Synology AD server to make Linux clients work with NFS
Prerequisites:
1. A Synology NAS running the Synology Directory Server package.
2. An LDAP admin tool (ldapadmin) to log in to the directory server.
For Ubuntu 22.04 LTS, follow these steps.
rm /etc/resolv.conf
On Ubuntu, /etc/resolv.conf is a symbolic link, so no matter how you change the nameserver it always reverts to 127.0.0.53. Removing the symbolic link is the fastest way around this.
vi /etc/resolv.conf
If your Synology NAS IP is 192.168.0.2, put
nameserver 192.168.0.2
in /etc/resolv.conf and save.
apt -y install openvswitch-switch-dpdk
apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
vi /etc/krb5.conf
The content should be
[libdefaults]
udp_preference_limit = 0
default_realm = YRWULAB.LOCAL
rdns = false
vi /etc/nsswitch.conf
The content should be
passwd: compat sss ldap
group: compat sss ldap
shadow: compat sss ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
If sss is missing, add it. The order compat sss ldap means the system checks local accounts first, then sss, then ldap.
realm discover synologydomain.local
realm join synologydomain.local
vi /etc/pam.d/common-session
Put the following at the end of the file.
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Then check /etc/krb5.conf again (it may have been changed when you joined the domain). It should still read:
[libdefaults]
udp_preference_limit = 0
default_realm = YRWULAB.LOCAL
rdns = false
Finally edit /etc/sssd/sssd.conf
vi /etc/sssd/sssd.conf
The content should be
[sssd]
domains = yrwulab.local
config_file_version = 2
services = nss, pam

[domain/yrwulab.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = SYNOLOGYDOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = synologydomain.local
use_fully_qualified_names = False
ldap_idmap_default_domain = SYNOLOGYDOMAIN.LOCAL
#ldap_id_mapping = True
# This part is critical
ldap_id_mapping = False
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
# These three are important: they make the system ignore the auto-generated UID
# and use the uidNumber from the directory for the user's identity. This part is critical.
access_provider = simple
#simple_allow_groups = @synologydomain.local
Note that with access_provider = simple and simple_allow_groups commented out, every user in the domain is allowed to log in to this machine; uncomment simple_allow_groups (or set simple_allow_users) to restrict logins to the groups that actually need this host.
rm -f /var/lib/sss/db/*
systemctl restart sssd
Once this is done you will find that the Synology AD domain does not have uidNumber and gidNumber by itself. If you use ldap_id_mapping = True, the system gives you a very strange user id that does not match the uid on the Synology NAS.
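The ldap_id_mapping setting above is the one that decides whether NFS file ownership lines up between the client and the NAS, and the access_provider line decides who may log in at all. The following script is an added example, not code from the original page: it audits an sssd.conf (configparser handles the INI layout) for the settings this guide depends on, and then shows with constructed getent passwd output what goes wrong when SSSD's SID-derived UIDs are used instead of uidNumber. The domain names, UIDs and passwd lines are constructed placeholders in the guide's own style.

```python
"""Audit the sssd.conf settings this guide depends on and show why the
UID choice matters for NFS. Added example, not code from the original
page; the config text and passwd maps below are constructed."""
import configparser


# Constructed sssd.conf in the shape the guide describes; the domain names
# are the guide's placeholders, not a real deployment.
SAMPLE_SSSD_CONF = """
[sssd]
domains = synologydomain.local
config_file_version = 2
services = nss, pam

[domain/synologydomain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = SYNOLOGYDOMAIN.LOCAL
id_provider = ad
fallback_homedir = /home/%u
ad_domain = synologydomain.local
use_fully_qualified_names = False
ldap_id_mapping = False
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
access_provider = simple
"""

# The same file with SSSD's default ID mapping left on (the mistake the guide warns about).
MAPPED_SSSD_CONF = SAMPLE_SSSD_CONF.replace("ldap_id_mapping = False", "ldap_id_mapping = True")

ID_ATTRS = ("ldap_user_uid_number", "ldap_user_gid_number", "ldap_group_gid_number")


def audit_sssd_conf(text):
    """Return a list of findings (an empty list means the file matches the guide)."""
    cp = configparser.ConfigParser(interpolation=None)  # '%u' must not be interpolated
    cp.read_string(text)
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    sections = [s for s in cp.sections() if s.startswith("domain/")]
    if not sections:
        return ["no [domain/...] section found"]
    findings = []
    for sec in sections:
        d = cp[sec]
        if sec.split("/", 1)[1] not in listed:
            findings.append(f"{sec}: not listed in [sssd] domains, so SSSD ignores it")
        # With id_provider = ad, ldap_id_mapping defaults to True: SSSD then derives
        # UIDs from the Windows SID, which never match the uidNumber stored on the NAS.
        if d.getboolean("ldap_id_mapping", fallback=True):
            findings.append(f"{sec}: ldap_id_mapping is True; UIDs will not match the NAS")
        for key in ID_ATTRS:
            if not d.get(key):
                findings.append(f"{sec}: {key} not set; expected uidNumber/gidNumber")
        # access_provider = simple with no allow rule admits every domain user.
        if d.get("access_provider") == "simple" and not (
            d.get("simple_allow_groups") or d.get("simple_allow_users")
        ):
            findings.append(f"{sec}: access_provider = simple with no simple_allow_* rule; every domain user may log in")
    return findings


def parse_getent_passwd(text):
    """Parse 'getent passwd' style lines into {user: uid}."""
    users = {}
    for line in text.strip().splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def uid_mismatches(client, nas):
    """Users whose UID on the client differs from the NAS: over NFS their files
    would appear to belong to the wrong (or a nonexistent) user."""
    return {u: (client[u], nas[u]) for u in client if u in nas and client[u] != nas[u]}


# Constructed passwd output: what the NAS holds, what a client with ID mapping
# on would report, and what a client using uidNumber reports.
NAS_PASSWD = "alice:x:1026:100:alice:/home/alice:/bin/sh\nbob:x:1027:100:bob:/home/bob:/bin/sh\n"
CLIENT_MAPPED = "alice:x:1453001104:1453000513:alice:/home/alice:/bin/bash\nbob:x:1453001105:1453000513:bob:/home/bob:/bin/bash\n"
CLIENT_UIDNUMBER = "alice:x:1026:100:alice:/home/alice:/bin/bash\nbob:x:1027:100:bob:/home/bob:/bin/bash\n"

if __name__ == "__main__":
    for name, conf in (("uidNumber config", SAMPLE_SSSD_CONF), ("mapped config", MAPPED_SSSD_CONF)):
        print(name, audit_sssd_conf(conf) or ["ok"])
    print("mismatches with id mapping:", uid_mismatches(parse_getent_passwd(CLIENT_MAPPED), parse_getent_passwd(NAS_PASSWD)))
    print("mismatches with uidNumber:", uid_mismatches(parse_getent_passwd(CLIENT_UIDNUMBER), parse_getent_passwd(NAS_PASSWD)))
```

On a real client, feed audit_sssd_conf the text of /etc/sssd/sssd.conf and the two parse_getent_passwd calls the output of getent passwd on the client and on the NAS (over SSH); an empty mismatch dict is what you want to see before relying on NFS ownership.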
Now you need to run the following:
cp sssd.conf /etc/sssd/
rm -f /var/lib/sss/db/*
echo "restart sssd"
systemctl restart sssd
cat nas5fstabadd.txt >> /etc/fstab
mkdir /homenew3
mount -a
cat newhost.txt >> /etc/hosts
echo "if this happens: journalctl REALMD_OPERATION=r547900.29111 realm: Couldn't join realm: Insufficient permissions to join the domain"
echo " make sure resolv.conf contains the nameserver and reboot"
echo " use new-2-repeat.sh to repeat the installation process"
echo " remove /etc/resolv.conf, and add a new /etc/resolv.conf"
echo " content to be nameserver 192.168.0.9"