Hi everyone,
My aim is to have consistent Active Directory Users/Groups to Unix UID/GID designations across several Linux machines joined to that domain. Ideally without explicitly setting these in the directory.
After failing to get Winbind with a RID backend to work as desired, a Samba user suggested that I try using SSSD instead.
For the last few hours I've been trying to get this to work, but without much luck.
Right now I'm hitting a problem whereby SSSD's unable to find valid users because none of my directory users have the attribute "dataExpireTimestamp" and this is part of the search filter.
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1375226518)(!(lastLogin=*))))
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x186bbc0
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x186bce0
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Destroying timer event 0x186bce0 "ltdb_timeout"
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [ldb] (0x4000): tevent: Ending timer event 0x186bbc0 "ltdb_callback"
(Wed Jul 31 00:21:58 2013) [sssd[be[DEVDOM]]] [sysdb_search_users] (0x0400): No such entry
I've tried explicitly setting this without any luck. It seems to be ignoring the following line.
ldap_user_search_base = CN=Users,DC=devdom,DC=orange,DC=local?subtree?(objectCategory=User)
And here's what I mean about that attribute affecting the search. The first run uses the filter that SSSD is using, the second uses one that doesn't reference the "dataExpireTimestamp" attribute.
/usr/local/samba/bin/ldbsearch -H ldaps://192.168.1.33 '(&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1375224572)))' -UAdministrator%XXX -b CN=Users,DC=devdom,DC=orange,DC=local
# returned 0 records
# 0 entries
# 0 referrals

/usr/local/samba/bin/ldbsearch -s sub -H ldaps://192.168.1.33 '(&(objectclass=user)(!(lastLogin=*)))' -UAdministrator%XXX -b CN=Users,DC=devdom,DC=orange,DC=local
[...]
# returned 5 records
# 5 entries
# 0 referrals
I'm running SSSD version 1.8.4, and Samba4 version 4.0.6 as my Domain Controller.
This is my current SSSD configuration (/etc/sssd/sssd.conf):
[sssd]
domains = DEVDOM
services = nss, pam
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
offline_credentials_expiration = 0
reconnection_retries = 3

[domain/DEVDOM]
debug_level = 9
description = LDAP domain with AD server
id_provider = ldap
auth_provider = krb5
;auth_provider = ldap
ldap_default_bind_dn = cn=Administrator,cn=Users,DC=devdom,DC=orange,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = XXX
;ldap_user_object_class = person
;ldap_user_name = msSFU30Name
;ldap_user_uid_number = msSFU30UidNumber
;ldap_user_gid_number = msSFU30GidNumber
;ldap_user_home_directory = msSFU30HomeDirectory
;ldap_user_shell = msSFU30LoginShell
;ldap_user_principal = userPrincipalName
;ldap_group_object_class = group
;ldap_group_name = msSFU30Name
;ldap_group_gid_number = msSFU30GidNumber

enumerate = TRUE
;cache_credentials = TRUE

chpass_provider = krb5

;ldap_tls_reqcert = demand
;ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

ldap_id_mapping = True
ldap_idmap_default_domain_sid = S-1-5-21-2003857637-2616505931-2053645484
ldap_idmap_range_min = 70000
ldap_idmap_range_max = 7000000
ldap_schema = ad

;; kerberos config ;;
auth_provider = krb5
krb5_server = hirst.devdom.orange.local
krb5_realm = DEVDOM.ORANGE.LOCAL
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
;cache_credentials = True

;; https://lists.fedorahosted.org/pipermail/sssd-devel/2012-May/009677.html ;;
ldap_referrals = False
;ldap_search_base = CN=users,DC=devdom,DC=orange,DC=local
ldap_user_search_base = CN=Users,DC=devdom,DC=orange,DC=local?subtree?(objectCategory=User)
;ldap_group_search_base = CN=Users,DC=devdom,DC=orange,DC=local??(objectCategory=User)
Any ideas as to what could help would be really appreciated.
Thanks for your time,

--
Chris Hayes
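The goal stated at the top of the post, identical UID/GID values on every host without touching the directory, is exactly what the ldap_id_mapping / ldap_idmap_* settings in the configuration above are for. The following is an added example, not part of the post and not SSSD's own code: it reproduces the documented, deterministic part of SSSD's algorithmic ID mapping for the domain named in ldap_idmap_default_domain_sid (that domain is guaranteed slice 0, so ID = ldap_idmap_range_min + RID, as long as the RID fits inside one slice of ldap_idmap_range_size, default 200000). It goes beyond the post by also doing the reverse lookup and by checking several hosts' settings against each other, which is the consistency question the post is actually asking. Assumptions: the SID and range_min are the ones in the posted config; the hostnames and the drifted range_min in the demo are constructed; RIDs 500 (Administrator) and 513 (Domain Users) are the well-known RIDs; the murmurhash3 placement SSSD uses for domains other than the default one is deliberately not modelled.

```python
#!/usr/bin/env python3
"""Added example (not SSSD code): SSSD's algorithmic ID mapping for the
default domain (ldap_id_mapping = True, ldap_idmap_default_domain_sid set).

With the default domain pinned to slice 0, a user or group with RID r gets
ID = ldap_idmap_range_min + r, provided r < ldap_idmap_range_size.  Other
domains are hashed into later slices; that path is NOT modelled here.
"""

import re

# S-1-5-21-<a>-<b>-<c>[-<rid>]: an NT domain SID with an optional RID
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")

DEFAULT_RANGE_MIN = 200000   # SSSD default for ldap_idmap_range_min
DEFAULT_RANGE_SIZE = 200000  # SSSD default for ldap_idmap_range_size


class IdmapError(ValueError):
    """Raised when a SID or ID cannot be mapped under the given settings."""


def split_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise IdmapError("not an NT domain/object SID: %r" % sid)
    domain_sid = "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3)
    rid = int(m.group(4)) if m.group(4) is not None else None
    return domain_sid, rid


def sid_to_id(sid, default_domain_sid, range_min=DEFAULT_RANGE_MIN,
              range_size=DEFAULT_RANGE_SIZE):
    """POSIX UID/GID SSSD assigns to an object SID of the default domain."""
    domain_sid, rid = split_sid(sid)
    if rid is None:
        raise IdmapError("%r is a domain SID, not an object SID" % sid)
    if domain_sid != default_domain_sid:
        # Other domains land in a hashed slice > 0; out of scope here.
        raise IdmapError("%r is not in the default domain %r"
                         % (sid, default_domain_sid))
    if rid >= range_size:
        # The RID does not fit in slice 0, so it cannot be mapped there.
        raise IdmapError("RID %d does not fit in a slice of %d IDs"
                         % (rid, range_size))
    return range_min + rid


def id_to_sid(posix_id, default_domain_sid, range_min=DEFAULT_RANGE_MIN,
              range_size=DEFAULT_RANGE_SIZE):
    """Inverse of sid_to_id for IDs inside slice 0 (the default domain)."""
    if not range_min <= posix_id < range_min + range_size:
        raise IdmapError("ID %d is outside slice 0 [%d, %d)"
                         % (posix_id, range_min, range_min + range_size))
    return "%s-%d" % (default_domain_sid, posix_id - range_min)


def consistent_across_hosts(sid, default_domain_sid, host_settings):
    """Check the post's goal: every host must derive the same ID.

    host_settings maps hostname -> (range_min, range_size).  Returns
    (is_consistent, {hostname: id}) so a mismatching host can be named.
    """
    ids = {}
    for host, (range_min, range_size) in host_settings.items():
        ids[host] = sid_to_id(sid, default_domain_sid, range_min, range_size)
    return len(set(ids.values())) == 1, ids


if __name__ == "__main__":
    DOM = "S-1-5-21-2003857637-2616505931-2053645484"  # SID from the post
    print("Administrator ->", sid_to_id(DOM + "-500", DOM, range_min=70000))
    print("Domain Users  ->", sid_to_id(DOM + "-513", DOM, range_min=70000))
    print("UID 70500     ->", id_to_sid(70500, DOM, range_min=70000))
    # Hostnames and the drifted range_min on db1 are constructed for the demo.
    ok, ids = consistent_across_hosts(DOM + "-1105", DOM, {
        "web1": (70000, 200000),
        "web2": (70000, 200000),
        "db1": (200000, 200000),   # left at SSSD's default: inconsistent
    })
    print("consistent:", ok, ids)
```

With the posted settings, Administrator (RID 500) becomes UID 70500 and Domain Users (RID 513) becomes GID 70513 on every host that shares the same ldap_idmap_range_min and ldap_idmap_default_domain_sid; the demo's db1 host, left at SSSD's default range_min, is the kind of drift that silently breaks the "consistent across machines" goal, which is why the check returns the per-host values rather than just a boolean.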