On Sun, Mar 31, 2013 at 02:52:58PM +0100, Rowland Penny wrote:
On 29/03/13 11:21, Jakub Hrozek wrote:
>On Thu, Mar 28, 2013 at 09:22:32PM +0000, Rowland Penny wrote:
>>Hello, I am trying to use sssd instead of winbind against a samba 4
>>AD server. After looking around the internet, I have got to the
>>point where I can get a domain users info with 'getent passwd
>><domainuser>' and 'id <domainuser>'. I can also create a
directory
>>and chmod it <domainuser>:users, what I cannot do is login into the
>>computer through ssh or the login GUI on the computer. This is on
>>Linux Mint 14 using sssd 1.9.1.
>>
>>Does anybody have any idea why sssd seems to work but fails in a
>>very important way.
>Can you paste or attach tail of /var/log/secure, your (sanitized)
>sssd.conf and the relevant portion of /var/log/sssd/sssd_$domain.log
>after raising debug_level to 6 or higher in the domain section?
>_______________________________________________
>sssd-users mailing list
>sssd-users(a)lists.fedorahosted.org
>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
OK, I thought that as sssd seemed to have started on Fedora, I would
try it on that distro.
On Fedora 18, I can login as a domain user, but found that I have
the same problem as with winbind, the user on the client has a
different uidnumber to the server.
This is most probably caused by using different algorithm for ID mapping
on the server side and the client side. Can you check the winbind
configuration what are they using ? I would check for "idmap backend"
parameter in smb.conf
Alternatively, if the Samba server also has the POSIX attributes, you
could just be using those.
i.e
on the client:
getent passwd testuser
testuser:*:1201401105:1201400513:testuser:/home/DOMAIN/testuser:/bin/bash
on the server:
getent passwd testuser
HOME\testuser:*:3000016:100::/home/DOMAIN/testuser:/bin/bash
my sssd.conf
[sssd]
debug_level = 3
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = DOMAIN
services = nss, pam
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system
accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root,gdm
filter_users = root,gdm
reconnection_retries = 3
[pam]
[domain/DOMAIN]
description = LDAP domain with AD server
debug_level = 6
cache_credentials = true
enumerate = False
id_provider = ad
Ah, I see you are using the new AD provider. In SSSD 1.9 the AD provider
has three advantages over using the LDAP/Kerberos providers:
1) Simplified configuration. You shouldn't be needing the attribute
mappings you used below
2) Does not require POSIX attributes to be present on the server side.
IDs can be mapped based on SIDs
3) Better performance during login (only when ID-mapping is in use)
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = adserver.domain.lan
ad_hostname = client.domain.lan
ad_domain = domain.lan
# Uncomment if service discovery is not working
#ldap_uri = ldap://adserver.domain.lan/
# Define these only if anonymous binds are not allowed and no keytab
is available
ldap_default_bind_dn = CN=Administrator,CN=Users,DC=domain,DC=lan
ldap_default_authtok_type = password
ldap_default_authtok = Pa$$w0rd*
With the AD provider you shouldn't be needing any of the options below.
The AD provider should just default to them.
Is there a reason you are using password binds and not GSSAPI?
ldap_schema = rfc2307bis
ldap_search_base = dc=domain,dc=lan
# It looks like the ?sub?search notation is also accepted:
http://sgallagh.wordpress.com/2011/12/22/sssd-tips-and-tricks-vol-2-ldap/
#ldap_user_search_base = cn=Users,dc=domain,dc=lan?sub?uid=*
ldap_user_search_base = dc=domain,dc=lan
ldap_user_object_class = person
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID
ldap_user_modify_timestamp = whenChanged
ldap_group_search_base = dc=domain,dc=lan
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_uuid = objectGUID
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 2
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True
ldap_pwd_policy = none
krb5_server = adserver.domain.lan
krb5_realm = DOMAIN.LAN
dns_discovery_domain = domain.lan
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is
not available
#ldap_sasl_authid=CLIENT$(a)DOMAIN.LAN
Is there anyway to get the clients to have the same uidNumber &
gidNumber as on the server?
Rowland
I think there are two options:
1) keep using the ID mapping and tailor the configuration of the ID
mapper in the SSSD so that it generates the same output as the winbind
mapper. We've done this before, it's not the nicest looking
configuration, but it works.
2) Switch to using POSIX IDs instead of mapping them from SIDs with both
winbind and SSSD. All that should be needed on the SSSD side is set:
ldap_id_mapping = False
to sssd.conf and restart the SSSD (you might need to rm the cache as
SSSD doesn't really handle UID/GID changes very well yet).
On the winbind side, I'm a little fuzzy on the details, but I believe
this could be done with "winbind nss info" configuration option.
From where I am 1) sounds like easier to implement since all you'd
be
changing is sssd.conf