OK, try this sssd.conf:
[sssd]
domains = DEVDOM
services = nss, pam
config_file_version = 2

[nss]

[pam]

[domain/DEVDOM]
debug_level = 9
description = LDAP domain with AD server
cache_credentials = True
enumerate = TRUE
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = hirst.devdom.orange.local
krb5_kpasswd = hirst.devdom.orange.local
krb5_realm = DEVDOM.ORANGE.LOCAL

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName
This is based on my working conf file, but you need to have this in the client's smb.conf:

[global]
workgroup = DEVDOM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = HIRST.DEVDOM.ORANGE.LOCAL
realm = DEVDOM.ORANGE.LOCAL
security = ads
Also the computer needs to be joined to the domain.
Rowland
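The security-relevant difference between this sssd.conf and the one quoted below is how the client authenticates to the directory: a GSSAPI bind backed by the host keytab, versus a simple bind as Administrator with the password stored in sssd.conf on every client. The following is an added example, not code from the thread or from SSSD: a small audit that parses constructed sssd.conf fragments modelled on both configurations (the password is a placeholder) and reports the bind mode and credential findings per domain.

```python
import configparser

# Constructed sssd.conf fragments (not the thread's files verbatim; the password
# is a placeholder), modelled on the two [domain/DEVDOM] sections in the thread.
CONF_SIMPLE_BIND = """\
[domain/DEVDOM]
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,DC=devdom,DC=orange,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
"""
CONF_GSSAPI = """\
[domain/DEVDOM]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = DEVDOM.ORANGE.LOCAL
ldap_force_upper_case_realm = true
"""

def domain_sections(text):
    """Parse sssd.conf text; interpolation is off because values such as
    krb5_ccname_template contain literal '%' sequences."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: cp[s] for s in cp.sections() if s.startswith("domain/")}

def bind_mode(sec):
    """How the domain authenticates to LDAP: gssapi (host keytab), simple (DN +
    password stored in sssd.conf) or anonymous (no bind credentials at all)."""
    if sec.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        return "gssapi"
    if sec.get("ldap_default_bind_dn"):
        return "simple"
    return "anonymous"

def audit(text):
    """Map each domain section to a list of finding codes about its bind credentials."""
    report = {}
    for name, sec in domain_sections(text).items():
        findings = []
        mode = bind_mode(sec)
        if mode == "simple" and sec.get("ldap_default_authtok"):
            findings.append("cleartext-password-in-config")   # secret lives on every client
        if "cn=administrator," in sec.get("ldap_default_bind_dn", "").lower():
            findings.append("binds-as-administrator")         # far more privilege than lookups need
        if mode == "anonymous":
            findings.append("anonymous-bind")                 # AD denies anonymous reads by default
        report[name] = findings
    return report
```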
On 31 July 2013 00:58, Chris Hayes chris.hayes@proporta.com wrote:
Hi everyone,
My aim is to have consistent Active Directory Users/Groups to Unix UID/GID designations across several Linux machines joined to that domain. Ideally without explicitly setting these in the directory.
After failing to get Winbind with a RID backend to work as desired, a Samba user suggested that I try using SSSD instead.
For the last few hours I've been trying to get this to work, but without much luck.
Right now I'm hitting a problem whereby SSSD's unable to find valid users because none of my directory users have the attribute "dataExpireTimestamp" and this is part of the search filter.
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1375226518)(!(lastLogin=*))))
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x186bbc0
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x186bce0
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Destroying timer event 0x186bce0 "ltdb_timeout"
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Ending timer event 0x186bbc0 "ltdb_callback"
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [sysdb_search_users] (0x0400): No such entry
I've tried explicitly setting this without any luck. It seems to be ignoring the following line.
ldap_user_search_base = CN=Users,DC=devdom,DC=orange,DC=local?subtree?(objectCategory=User)
And here's what I mean about that attribute affecting the search. First using the filter that SSSD is using, second time using one that doesn't reference the "dataExpireTimestamp" attribute.
/usr/local/samba/bin/ldbsearch -H ldaps://192.168.1.33 '(&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1375224572))))' -UAdministrator%XXX -b CN=Users,DC=devdom,DC=orange,DC=local
# returned 0 records
# 0 entries
# 0 referrals

/usr/local/samba/bin/ldbsearch -s sub -H ldaps://192.168.1.33 '(&(objectclass=user)(!(lastLogin=*)))' -UAdministrator%XXX -b CN=Users,DC=devdom,DC=orange,DC=local
[...]
# returned 5 records
# 5 entries
# 0 referrals
I'm running SSSD version 1.8.4, and Samba4 version 4.0.6 as my Domain Controller.
This is my current SSSD configuration (/etc/sssd/sssd.conf):
[sssd]
domains = DEVDOM
services = nss, pam
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
offline_credentials_expiration = 0
reconnection_retries = 3

[domain/DEVDOM]
debug_level = 9
description = LDAP domain with AD server
id_provider = ldap
auth_provider = krb5
;auth_provider = ldap
ldap_default_bind_dn = cn=Administrator,cn=Users,DC=devdom,DC=orange,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = XXX
;ldap_user_object_class = person
;ldap_user_name = msSFU30Name
;ldap_user_uid_number = msSFU30UidNumber
;ldap_user_gid_number = msSFU30GidNumber
;ldap_user_home_directory = msSFU30HomeDirectory
;ldap_user_shell = msSFU30LoginShell
;ldap_user_principal = userPrincipalName
;ldap_group_object_class = group
;ldap_group_name = msSFU30Name
;ldap_group_gid_number = msSFU30GidNumber
enumerate = TRUE
;cache_credentials = TRUE
chpass_provider = krb5
;tls_reqcert = demand
;ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_id_mapping = True
ldap_idmap_default_domain_sid = S-1-5-21-2003857637-2616505931-2053645484
ldap_idmap_range_min = 70000
ldap_idmap_range_max = 7000000
ldap_schema = ad
;; kerberos config ;;
auth_provider = krb5
krb5_server = hirst.devdom.orange.local
krb5_realm = DEVDOM.ORANGE.LOCAL
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
;cache_credentials = True
;; https://lists.fedorahosted.org/pipermail/sssd-devel/2012-May/009677.html ;;
ldap_referrals = False
;ldap_search_base = CN=users,DC=devdom,DC=orange,DC=local
ldap_user_search_base = CN=Users,DC=devdom,DC=orange,DC=local?subtree?(objectCategory=User)
;ldap_group_search_base = CN=Users,DC=devdom,DC=orange,DC=local??(objectCategory=User)
Any ideas as to what could help would be really appreciated.
Thanks for your time,
Chris Hayes
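The two ldbsearch results in the message above come down to how an LDAP filter treats an attribute that an entry does not carry: a comparison such as (dataExpireTimestamp<=N) can never be true for such an entry, while (!(lastLogin=*)) is true for every entry that lacks lastLogin. The following is an added example, not code from the thread or from Samba or SSSD: a minimal RFC 4515 filter evaluator covering only the operators used in the quoted filters, run over constructed entries (the user names are made up; the filter string is the one from the sssd debug log).

```python
import re

# Constructed sample (not from the thread): five AD-style user entries, as
# ldbsearch would return them, carrying neither dataExpireTimestamp nor lastLogin.
USERS = [{"objectclass": ["top", "person", "user"], "samaccountname": [n]}
         for n in ("Administrator", "Guest", "krbtgt", "chris", "rowland")]
# One constructed entry that does carry the attribute, to show the filter can match.
EXPIRED = {"objectclass": ["user"], "samaccountname": ["stale"],
           "dataexpiretimestamp": ["1000"]}
# The filter quoted from the sssd debug log in the thread.
SSSD_FILTER = ("(&(objectclass=user)(&(!(dataExpireTimestamp=0))"
               "(dataExpireTimestamp<=1375226518)(!(lastLogin=*))))")

def parse(s, i=0):
    """Parse the '(...)' item at s[i] into a tree; supports &, |, !, =, <=, >= and '=*'."""
    assert s[i] == "(", "filter items must be parenthesised"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, cmp, val = re.fullmatch(r"([\w\-]+)(<=|>=|=)(.*)", s[i:end]).groups()
    return ("cmp", attr.lower(), cmp, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}; attribute names are lower-case."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, cmp, val = node
    vals = entry.get(attr)
    if vals is None:                      # an absent attribute satisfies no comparison ...
        return False
    if val == "*":                        # ... but presence '(attr=*)' holds whenever it exists
        return True
    for v in vals:
        if cmp == "=" and v.lower() == val.lower():
            return True
        if cmp != "=" and v.isdigit() and val.isdigit():
            if (int(v) <= int(val)) if cmp == "<=" else (int(v) >= int(val)):
                return True
    return False

def count(filter_str, entries):
    """Number of entries matching an RFC 4515 filter string."""
    return sum(matches(parse(filter_str)[0], e) for e in entries)
```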