Hi,
I'm trying to get sssd 1.8.4 (comes with debian wheezy) to work with samba4. As this is an older sssd version, I'll have to use the ldap mode, and not the AD config.
As I'm having trouble using the GSSAPI keytab (sssd logs "failed to connect, going offline") I would like to attempt simpler DN/password authentication.
Your docs talk about it, so I guess the option exists:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20...
My question: would anyone be willing to share an sssd.conf that works with samba4/rfc2307bis AD DCs, but using password authentication?
(Or can anyone point me to a doc where this is explained?)
Best regards, MJ
On (28/03/17 16:53), mourik jan heupink wrote:
Hi,
I'm trying to get sssd 1.8.4 (comes with debian wheezy) to work with samba4. As this is an older sssd version, I'll have to use the ldap mode, and not the AD config.
Or you can use sssd-1.11-7 + ad provider from wheezy backports https://packages.debian.org/search?suite=wheezy-backports&searchon=names...
I hope it will work because there were some bugfixes in upstream 1.11.8
LS
Hi Lucas,
Thanks for the quick follow-up.
I could try that, but as my machine is in production, I am hesitating to upgrade.
For the record: things used to work before using gssapi, but I changed the password for the sssd_user account, and then things fell apart. And I can't seem to find the right way to regenerate a fresh keytab that works with sssd. Therefore the DN/password attempt.
I have sssd with DN/password running but the "id" only lists some groups, not all. Compare output SSSD vs WINBIND:

SSSD nsswitch.conf:
root@filehost:/etc# id user2
uid=1040(user2) gid=513(Domain Users) groups=513(Domain Users)

WINBIND nsswitch.conf:
root@filehost:/etc# id user2
uid=1040(user2) gid=513(domain users) groups=513(domain users),1065(cdtower),1081(admin forms),.....etc

SSSD nsswitch.conf:
root@filehost:/etc/sssd# id user3
uid=1014(user3) gid=513(Domain Users) groups=513(Domain Users),4(adm)

WINBIND nsswitch.conf:
root@filehost:/etc/sssd# id user3
uid=1014(user3) gid=513(domain users) groups=513(domain users),4(adm),1065(cdtower),17375(institute-l),38802(fp8neno).....etc
Winbind's output is correct. I have configured sssd.conf like in the gssapi days. Here it is:
[sssd]
services = nss, pam
config_file_version = 2
domains = default
# don't forget this: debug_level = 9

[nss]

[pam]

[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
krb5_realm = SAMBA.COMPANY.COM
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=samba,dc=company,dc=com
debug_level = 3
id_provider = ldap
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=sssd_user,CN=Users,DC=samba,DC=company,DC=com
min_id = 100
ldap_uri = ldap://dc2.company.com, ldap://dc3.company.com, ldap://dc4.company.com
krb5_server = dc2.company.com
ldap_default_authtok = secret_password
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_mapping = false
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member
Any ideas..?
Hoping to avoid updating to backports, since it has worked in the past...
On 28-3-2017 17:18, Lukas Slebodnik wrote:
On (28/03/17 16:53), mourik jan heupink wrote:
Hi,
I'm trying to get sssd 1.8.4 (comes with debian wheezy) to work with samba4. As this is an older sssd version, I'll have to use the ldap mode, and not the AD config.
Or you can use sssd-1.11-7 + ad provider from wheezy backports https://packages.debian.org/search?suite=wheezy-backports&searchon=names...
I hope it will work because there were some bugfixes in upstream 1.11.8
LS

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
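The posted sssd.conf and the two `id` comparisons, worked through by an added Python script that is not from this thread or from the sssd project. It parses a config fragment constructed from the posted settings (the real password replaced by `PLACEHOLDER_PASSWORD`), flags the settings that leave the simple-bind credentials and every lookup exposed in transit (`ldap://` without STARTTLS, `ldap_tls_reqcert = never`, the password in the file), renders the hardened counterpart using the real sssd values `ldap_id_use_start_tls = True` and `ldap_tls_reqcert = demand`, and lists the groups winbind returns that SSSD does not, comparing by GID because the two backends differ in name case. The function names and the sample strings are assumptions of the example.

```python
"""Added example (not from the sssd-users thread or the sssd project): audit the
LDAP-provider settings posted above for weak transport/credential choices,
derive a hardened variant, and diff `id` output between SSSD and winbind to
list the groups SSSD does not resolve. All inputs are constructed from the
thread; the password is a placeholder."""
import configparser
import re

# Constructed from the posted sssd.conf (password replaced by a placeholder).
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://dc2.company.com, ldap://dc3.company.com, ldap://dc4.company.com
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = CN=sssd_user,CN=Users,DC=samba,DC=company,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
"""

# Constructed from the `id user2` / `id user3` lines posted above.
SSSD_ID_USER2 = "uid=1040(user2) gid=513(Domain Users) groups=513(Domain Users)"
WINBIND_ID_USER2 = ("uid=1040(user2) gid=513(domain users) "
                    "groups=513(domain users),1065(cdtower),1081(admin forms)")
SSSD_ID_USER3 = "uid=1014(user3) gid=513(Domain Users) groups=513(Domain Users),4(adm)"
WINBIND_ID_USER3 = ("uid=1014(user3) gid=513(domain users) groups=513(domain users),"
                    "4(adm),1065(cdtower),17375(institute-l),38802(fp8neno)")


def parse_sssd_conf(text):
    """Parse sssd.conf (INI style). '=' is the only delimiter, so the ':' in
    ldap:// URIs and the '=' inside the bind DN are not taken as separators."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def audit_domain(settings):
    """Return (option, finding) tuples for one [domain/...] section's settings."""
    findings = []
    uris = [u.strip() for u in settings.get("ldap_uri", "").split(",") if u.strip()]
    plaintext = [u for u in uris if u.lower().startswith("ldap://")]
    starttls = settings.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    if plaintext and not starttls:
        findings.append(("ldap_uri", "ldap:// without STARTTLS: the bind password "
                         "and every lookup cross the network in cleartext"))
    if settings.get("ldap_tls_reqcert", "").strip().lower() == "never":
        findings.append(("ldap_tls_reqcert", "DC certificate is never verified, so "
                         "even TLS would not protect against a spoofed server"))
    if settings.get("ldap_default_authtok", "").strip():
        findings.append(("ldap_default_authtok", "bind password kept in sssd.conf: "
                         "file must stay root-only (0600) and the bind account "
                         "read-only"))
    return findings


def harden_domain(settings):
    """Return a copy of the section with STARTTLS forced on and strict
    certificate checking (`demand`). Simple bind still needs the password in the
    file, so that finding is expected to remain."""
    hardened = dict(settings)
    hardened["ldap_id_use_start_tls"] = "True"
    hardened["ldap_tls_reqcert"] = "demand"
    return hardened


def render_section(name, settings):
    """Render a section back to sssd.conf syntax, one option per line."""
    return "[%s]\n%s" % (name, "".join("%s = %s\n" % kv for kv in settings.items()))


def parse_id_groups(output):
    """Map gid -> group name from the `groups=` part of `id` output."""
    groups_part = re.search(r"groups=(.*)$", output.strip()).group(1)
    groups = {}
    for item in groups_part.split(","):
        gid, name = re.match(r"(\d+)\((.*)\)", item.strip()).groups()
        groups[int(gid)] = name
    return groups


def missing_groups(sssd_output, winbind_output):
    """Groups winbind reports that SSSD does not, compared by GID because the two
    backends differ in name case ('Domain Users' vs 'domain users')."""
    have = parse_id_groups(sssd_output)
    want = parse_id_groups(winbind_output)
    return sorted((gid, name) for gid, name in want.items() if gid not in have)


if __name__ == "__main__":
    domain = parse_sssd_conf(SSSD_CONF)["domain/default"]
    for option, finding in audit_domain(domain):
        print("WEAK  %-22s %s" % (option, finding))
    print(render_section("domain/default", harden_domain(domain)))
    for user, sssd_out, wb_out in (("user2", SSSD_ID_USER2, WINBIND_ID_USER2),
                                   ("user3", SSSD_ID_USER3, WINBIND_ID_USER3)):
        print(user, "missing in SSSD:", missing_groups(sssd_out, wb_out))
```

Run against a real sssd.conf, `audit_domain` takes the `[domain/...]` section of `parse_sssd_conf(open(path).read())`; `ldap_tls_reqcert = demand` only helps if the CA that signed the DC certificates is actually present under `ldap_tls_cacertdir`, otherwise the bind fails closed rather than open, which is the intended behaviour.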
On (28/03/17 17:42), mourik jan heupink wrote:
Hi Lucas,
Thanks for the quick follow-up.
I could try that, but as my machine is in production, I am hesitating to upgrade.
So for production I would not recommend sssd 1.8.4 (even with the ldap provider). If you do not want to use wheezy backports then it would be better to use debian stable (jessie), which has sssd-1.11.7.
FYI the oldest upstream supported version is 1.13.4 (LTM version). But 1.11.7 is not so different and in a much better state than 1.8.4.
LS