Hi
- CentOS Linux release 7.3.1611 (Core)
- sssd-1.14.0-43.el7_3.4
sssd.conf:
[sssd]
debug_level = 7
domains = my.domain.local
config_file_version = 2
services = nss, pam, ifp

[domain/my.domain.local]
id_provider = ad
auth_provider = ad
ldap_id_mapping = False
access_provider = ad
chpass_provider = ad
cache_credentials = true
ldap_schema = rfc2307bis
samba testparm output:
[global]
realm = MY.DOMAIN.LOCAL
workgroup = MY
disable spoolss = Yes
load printers = No
printcap name = /dev/null
kerberos method = system keytab
security = ADS
idmap config * : backend = tdb
printing = bsd
acl allow execute always = Yes
strict allocate = Yes
use sendfile = Yes
The libwbclient lib is pointing to SSSD's implementation (through /etc/alternatives/):
# ldd /usr/sbin/smbd | grep libwb
        libwbclient.so.0 => /lib64/libwbclient.so.0 (0x00007f919213c000)
# readlink -f /lib64/libwbclient.so.0
/usr/lib64/sssd/modules/libwbclient.so.0.12.0
Win2012R2 domain controllers with a single domain in the AD forest; I have populated the rfc2307 attributes in AD. I have run "authconfig --enablesssd --updateall". "id username" works and resolves the correct user id and groups.
However, on the security tab in Windows Explorer all domain users are shown as "Unix User\username" instead of "MY\username".
The only pointer I have found is http://unix.stackexchange.com/questions/306492/samba-does-not-perform-revers... but it still does not work for me. Is this possible or will I have to use winbind?
Best Regards, Ådne Hovda
On (16/01/17 13:11), Ådne Hovda wrote:
> Hi
> - CentOS Linux release 7.3.1611 (Core)
> - sssd-1.14.0-43.el7_3.4
> sssd.conf:
> [sssd]
> debug_level = 7
> domains = my.domain.local
> config_file_version = 2
> services = nss, pam, ifp
>
> [domain/my.domain.local]
> id_provider = ad
> auth_provider = ad
> ldap_id_mapping = False
> access_provider = ad
> chpass_provider = ad
> cache_credentials = true
> ldap_schema = rfc2307bis
You will not get a SID from AD with this schema, and it might cause an issue (you should remove it, or use the default ad schema).
And if you do not want to use the sssd id mapping feature, then you can disable it and POSIX attributes will be used (man sssd-ldap -> ldap_id_mapping).
And does it work if you remove this line and use the ad schema?
BTW for testing you might use wbinfo:

$ /usr/bin/wbinfo -n 'AD18\Administrator'
S-1-5-21-3090815309-2627318493-3395719201-500 SID_USER (1)
$ /usr/bin/wbinfo -S S-1-5-21-3090815309-2627318493-3395719201-500
1670800500
> samba testparm output:
> [global]
> realm = MY.DOMAIN.LOCAL
> workgroup = MY
> disable spoolss = Yes
> load printers = No
> printcap name = /dev/null
> kerberos method = system keytab
> security = ADS
> idmap config * : backend = tdb
> printing = bsd
> acl allow execute always = Yes
> strict allocate = Yes
> use sendfile = Yes
> The libwbclient lib is pointing to SSSD's implementation (through /etc/alternatives/):
> # ldd /usr/sbin/smbd | grep libwb
>         libwbclient.so.0 => /lib64/libwbclient.so.0 (0x00007f919213c000)
> # readlink -f /lib64/libwbclient.so.0
> /usr/lib64/sssd/modules/libwbclient.so.0.12.0
Could you also show the alternative for cifs-idmap-plugin?

alternatives --display cifs-idmap-plugin
> Win2012R2 domain controllers with a single domain in the AD forest; I have populated the rfc2307 attributes in AD. I have run "authconfig --enablesssd --updateall". "id username" works and resolves the correct user id and groups.
> However, on the security tab in Windows Explorer all domain users are shown as "Unix User\username" instead of "MY\username".
> The only pointer I have found is http://unix.stackexchange.com/questions/306492/samba-does-not-perform-revers... but it still does not work for me. Is this possible or will I have to use winbind?
Here is the related RHEL documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
LS
On Mon, Jan 16, 2017 at 01:11:22PM +0100, Ådne Hovda wrote:
> Hi
> - CentOS Linux release 7.3.1611 (Core)
> - sssd-1.14.0-43.el7_3.4
> sssd.conf:
> [sssd]
> debug_level = 7
> domains = my.domain.local
> config_file_version = 2
> services = nss, pam, ifp
>
> [domain/my.domain.local]
> id_provider = ad
> auth_provider = ad
> ldap_id_mapping = False
> access_provider = ad
> chpass_provider = ad
> cache_credentials = true
> ldap_schema = rfc2307bis
Please try to add 'use_fully_qualified_names = true' as it is on the stackexchange page you linked below. Fully qualified names are currently a requirement to make SSSD's libwbclient work correctly.
HTH
bye, Sumit
> samba testparm output:
> [global]
> realm = MY.DOMAIN.LOCAL
> workgroup = MY
> disable spoolss = Yes
> load printers = No
> printcap name = /dev/null
> kerberos method = system keytab
> security = ADS
> idmap config * : backend = tdb
> printing = bsd
> acl allow execute always = Yes
> strict allocate = Yes
> use sendfile = Yes
> The libwbclient lib is pointing to SSSD's implementation (through /etc/alternatives/):
> # ldd /usr/sbin/smbd | grep libwb
>         libwbclient.so.0 => /lib64/libwbclient.so.0 (0x00007f919213c000)
> # readlink -f /lib64/libwbclient.so.0
> /usr/lib64/sssd/modules/libwbclient.so.0.12.0
> Win2012R2 domain controllers with a single domain in the AD forest; I have populated the rfc2307 attributes in AD. I have run "authconfig --enablesssd --updateall". "id username" works and resolves the correct user id and groups.
> However, on the security tab in Windows Explorer all domain users are shown as "Unix User\username" instead of "MY\username".
> The only pointer I have found is http://unix.stackexchange.com/questions/306492/samba-does-not-perform-revers... but it still does not work for me. Is this possible or will I have to use winbind?
> Best Regards, Ådne Hovda
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On 1/16/2017 5:08 PM, Sumit Bose wrote:
> Please try to add 'use_fully_qualified_names = true' as it is on the stackexchange page you linked below. Fully qualified names are currently a requirement to make SSSD's libwbclient work correctly.
I tried with a stripped-down conf:

[domain/my.domain.local]
id_provider = ad
auth_provider = ad
ldap_id_mapping = False
access_provider = ad
chpass_provider = ad
use_fully_qualified_names = true
And that actually works through Samba, I'm getting translation back to domain users, albeit as "my.domain.local\username" instead of the short form "MY\username", but this makes SSSD usable with Samba. Thanks a lot! :-)
Is there a way to make it possible to still log on to the machine using non-qualified names? We're moving away from NIS, and everyone is already used to logging in with their username only.
Best regards, Ådne Hovda
On Tue, Jan 17, 2017 at 02:00:06AM +0100, Ådne Hovda wrote:
> On 1/16/2017 5:08 PM, Sumit Bose wrote:
>> Please try to add 'use_fully_qualified_names = true' as it is on the stackexchange page you linked below. Fully qualified names are currently a requirement to make SSSD's libwbclient work correctly.
> I tried with a stripped-down conf:
>
> [domain/my.domain.local]
> id_provider = ad
> auth_provider = ad
> ldap_id_mapping = False
> access_provider = ad
> chpass_provider = ad
> use_fully_qualified_names = true
>
> And that actually works through Samba, I'm getting translation back to domain users, albeit as "my.domain.local\username" instead of the short form "MY\username", but this makes SSSD usable with Samba. Thanks a lot! :-)
You can set
full_name_format = %1$s@%3$s
in the [sssd] section of sssd.conf to use the short (NetBIOS) domain name.
> Is there a way to make it possible to still log on to the machine using non-qualified names? We're moving away from NIS, and everyone is already used to logging in with their username only.
If all users come from the same domain you can set

default_domain_suffix = my.domain.local

in the [sssd] section of sssd.conf, then SSSD will always add 'my.domain.local' to the user name if the domain part is missing.
HTH
bye, Sumit
> Best regards, Ådne Hovda
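The three pieces of advice in this thread (drop ldap_schema = rfc2307bis on the AD provider so objectSID is returned, set use_fully_qualified_names = true so SSSD's libwbclient works under Samba, and add full_name_format and default_domain_suffix to [sssd] so users still see and type short names) are easy to miss when editing sssd.conf by hand. The following checker is an added example written for this page, not SSSD project code: it parses a constructed sssd.conf modelled on the one posted above, reports which of those settings are missing or conflicting, and rewrites the configuration with the thread's suggestions applied. The sample config and the check messages are constructed; the option names and the %1$s / %3$s format specifiers are those documented in sssd.conf(5).

```python
import configparser
import io

# Constructed sample: the [sssd] section and the stripped-down
# [domain/...] section as posted in the thread, before any fix.
SAMPLE_CONF = """\
[sssd]
debug_level = 7
domains = my.domain.local
config_file_version = 2
services = nss, pam, ifp

[domain/my.domain.local]
id_provider = ad
auth_provider = ad
ldap_id_mapping = False
access_provider = ad
chpass_provider = ad
cache_credentials = true
ldap_schema = rfc2307bis
"""

# Value recommended in the thread; per sssd.conf(5), %1$s is the user
# name and %3$s the domain's flat (NetBIOS) name.
NETBIOS_NAME_FORMAT = "%1$s@%3$s"


def parse_sssd_conf(text):
    """Parse sssd.conf text. interpolation=None is required because
    values such as full_name_format contain literal '%' characters."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # sssd.conf keys are case-sensitive
    cp.read_file(io.StringIO(text))
    return cp


def ad_domain_sections(cp):
    """Yield the names of [domain/...] sections that use the AD provider."""
    for section in cp.sections():
        if section.startswith("domain/") and cp[section].get("id_provider") == "ad":
            yield section


def check_samba_interop(cp):
    """Return (section, message) findings for settings that break
    name<->SID lookups when Samba's libwbclient is SSSD's implementation."""
    findings = []
    for section in ad_domain_sections(cp):
        dom = cp[section]
        schema = dom.get("ldap_schema", "ad")
        if schema != "ad":
            findings.append((section, "ldap_schema = %s: the AD provider's default "
                             "schema is needed to return objectSID" % schema))
        if dom.get("use_fully_qualified_names", "false").lower() != "true":
            findings.append((section, "use_fully_qualified_names is not true: "
                             "required by SSSD's libwbclient"))
    return findings


def apply_thread_fixes(cp):
    """Mutate cp in place with the thread's suggestions and return it:
    drop a non-default ldap_schema, require fully qualified names, show
    the NetBIOS domain in names, and, when exactly one domain is
    configured, let users log in without typing a domain suffix."""
    for section in ad_domain_sections(cp):
        dom = cp[section]
        if dom.get("ldap_schema", "ad") != "ad":
            del dom["ldap_schema"]
        dom["use_fully_qualified_names"] = "true"
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    cp["sssd"]["full_name_format"] = NETBIOS_NAME_FORMAT
    domains = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    if len(domains) == 1:
        cp["sssd"]["default_domain_suffix"] = domains[0]
    return cp


def render(cp):
    """Serialise the parsed configuration back to sssd.conf text."""
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    for section, msg in check_samba_interop(conf):
        print("[%s] %s" % (section, msg))
    print(render(apply_thread_fixes(conf)))
```

Run against the posted configuration the checker reports both the rfc2307bis schema and the missing use_fully_qualified_names; after apply_thread_fixes the domain section matches the stripped-down one that worked, and [sssd] carries full_name_format and default_domain_suffix as suggested in the last reply. default_domain_suffix is only added when a single domain is listed, because the thread's advice is conditional on all users coming from one domain.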