On (23/04/14 15:33), Jacob Taylor wrote:
Hi guys,
I'm in a pickle: I'm trying to configure a domain in SSSD to both perform all the usual AD authentication wizardry, and at the same time perform LDAP Sudo lookup in the directory too. The AD schema has been extended.
It seems it doesn't like both LDAP and AD directives in the same domain, but doesn't Sudo require LDAP and not AD? I know that's how it works for IPA.
Has anyone gotten this working? I'm scratching my head. It works without the sudo bit.
SSSD.conf:

[sssd]
domains = ad.example.com
services = nss,pam,sudo
config_file_version = 2
debug_level = 3

[nss]
filter_groups = root
filter_users = root

[sudo]

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/ad.example.com]
# This is for testing
enumerate = true

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# These values should auto-detect, but to be sure...
ad_server = server.ad.example.com
ad_hostname = client.ad.example.com
ad_domain = ad.example.com

# Provide default values for the Unix specifics
fallback_homedir = /home/%u
default_shell = /bin/bash

# LDAP SUDO must be done the old fashioned way
sudo_provider = ldap

# Provide LDAP params
ldap_uri = ldap://server.ad.example.com/
ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 300

# Configure Machine Authentication
krb5_server = server.ad.example.com
ldap_sasl_realm = AD.EXMAPLE.COM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = client$ #Yes, I tried host/client
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
Cheers, Jacob Neil Taylor
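Before chasing provider interactions, a quick sanity pass over the posted sssd.conf catches two things worth ruling out first: a value that carries a trailing "# ..." (to my knowledge sssd only treats whole lines as comments, so the text becomes part of the value) and a GSSAPI realm that does not match the AD domain. The following linter is an added example, not code from the thread or from SSSD; the embedded config is the poster's, reflowed, and the check names and messages are this script's own.

```python
"""Lint an sssd.conf for pitfalls seen in the posted AD + LDAP-sudo config."""
import configparser

# Constructed sample: the poster's sssd.conf, trimmed and reflowed.
SAMPLE_CONF = """
[sssd]
domains = ad.example.com
services = nss,pam,sudo
config_file_version = 2

[sudo]

[domain/ad.example.com]
# This is for testing
enumerate = true
id_provider = ad
auth_provider = ad
ad_domain = ad.example.com
fallback_homedir = /home/%u
sudo_provider = ldap
ldap_uri = ldap://server.ad.example.com/
ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
ldap_sasl_realm = AD.EXMAPLE.COM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = client$ #Yes, I tried host/client
ldap_krb5_keytab = /etc/krb5.keytab
"""


def parse_sssd_conf(text):
    # interpolation=None: values like /home/%u are literal, not %-templates.
    # inline_comment_prefixes=None mimics sssd's ini reader (assumed here):
    # a trailing "# ..." stays inside the value instead of being a comment.
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=None)
    cp.read_string(text)
    return cp


def lint_sssd_conf(text):
    """Return (section, option, message) findings for the given config text."""
    cp = parse_sssd_conf(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if "#" in value or ";" in value:
                findings.append((section, key, "trailing comment becomes part of the value"))
        if not section.startswith("domain/"):
            continue
        # The keytab's Kerberos realm is the AD domain upper-cased; a mismatch breaks GSSAPI binds.
        ad_domain = cp.get(section, "ad_domain", fallback=section.split("/", 1)[1])
        realm = cp.get(section, "ldap_sasl_realm", fallback=None)
        if realm is not None and realm.lower() != ad_domain.lower():
            findings.append((section, "ldap_sasl_realm", f"{realm!r} does not match ad_domain {ad_domain!r}"))
        if cp.getboolean(section, "enumerate", fallback=False):
            findings.append((section, "enumerate", "enumeration is expensive on AD domains; keep it for testing only"))
    return findings
```

Run it on the real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; an empty list means none of these three issues is present.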
Which version of sssd do you use? (which distribution)
LS