Hi Lucas,
Thanks for the quick follow-up.
I could try that, but as my machine is in production, I am hesitating to
upgrade.
For the record: things used to work before using gssapi, but I changed
the password for the sssd_user account, and then things fell apart. And
I can't seem to find the right way to regenerate a fresh keytab that
works with sssd. Therefore the DN/password attempt.
I have sssd with DN/password running but the "id" only lists some
groups, not all. Compare output SSSD vs WINBIND:

SSSD nsswitch.conf
root@filehost:/etc# id user2
uid=1040(user2) gid=513(Domain Users) groups=513(Domain Users)

WINBIND nsswitch.conf
root@filehost:/etc# id user2
uid=1040(user2) gid=513(domain users) groups=513(domain users),1065(cdtower),1081(admin forms),.....etc

SSSD nsswitch.conf
root@filehost:/etc/sssd# id user3
uid=1014(user3) gid=513(Domain Users) groups=513(Domain Users),4(adm)

WINBIND nsswitch.conf
root@filehost:/etc/sssd# id user3
uid=1014(user3) gid=513(domain users) groups=513(domain users),4(adm),1065(cdtower),17375(institute-l),38802(fp8neno).....etc

Winbind's output is correct. I have configured sssd.conf like in the
gssapi days. Here it is:
[sssd]
services = nss, pam
config_file_version = 2
domains = default
# don't forget this:
debug_level = 9
[nss]
[pam]
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
krb5_realm = SAMBA.COMPANY.COM
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=samba,dc=company,dc=com
debug_level = 3
id_provider = ldap
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=sssd_user,CN=Users,DC=samba,DC=company,DC=com
min_id = 100
ldap_uri = ldap://dc2.company.com, ldap://dc3.company.com, ldap://dc4.company.com
krb5_server = dc2.company.com
ldap_default_authtok = secret_password
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_mapping=false
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member
Any ideas..?
Hoping to avoid updating to backports, since it has worked in the past...
On 28-3-2017 17:18, Lukas Slebodnik wrote:
> On (28/03/17 16:53), mourik jan heupink wrote:
>> Hi,
>>
>> I'm trying to get sssd 1.8.4 (comes with debian wheezy) to work with samba4.
>> As this is an older sssd version, I'll have to use the ldap modus, and not
>> the AD config.
>>
> Or you can use sssd-1.11-7 + ad provider from wheezy backports
>
> https://packages.debian.org/search?suite=wheezy-backports&searchon=na...
>
> I hope it will work because there were some bugfixes in upstream 1.11.8
>
> LS