Notice: I sent this email to the list using another mail address, which I believe was not verified properly. If this email is properly sent to the list, you can disregard moderating the message.
Hello
I'm setting up a single sign-on solution for about 1200 servers. The situation, as it seems, is that we are setting up all users in a Windows 2008 R2 Active Directory, adding proper Unix permissions. A user with proper privileges to read Active Directory is being used by sssd to read which users are allowed in and which are not. If a user does not have a home directory, it is created automatically. So what's the issue here? Access to the system does not happen instantaneously, and I believe it's because sssd is polling Active Directory every 120 seconds. It seems as if it has issues retaining its state; it is just as if it would lose its local database. I would like users to be able to log in directly after a user is added to Active Directory. Is this possible, and how could this be achieved?
Versions being used: Debian 7.4
ii  sssd        1.8.4-2  amd64  System Security Services Daemon
ii  sssd-tools  1.8.4-2  amd64  System Security Services Daemon -- tools
config:
--
[sssd]
config_file_version = 2
domains = int.home.local
services = nss, pam
debug_level = 0

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/int.home.local]
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if service discovery is not working
ldap_uri = ldap://win-04vje0onhci.int.home.local

# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM

# Define these only if anonymous binds are not allowed and no keytab is available
# Enabling use_start_tls is very important, otherwise the bind password is transmitted
# over the network in the clear
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword

ldap_schema = rfc2307bis

ldap_user_search_base = CN=Users,DC=int,DC=home,DC=local
ldap_user_object_class = user

ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_search_base = CN=Builtin,DC=int,DC=home,DC=local
#ldap_group_search_base = ou=group,dc=int,dc=home,dc=local
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = win-04vje0onhci.int.home.local
krb5_realm = int.home.local

# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false

# Perhaps you need to redirect to certain attributes?
# ldap_user_object_class = user
# ldap_user_name = sAMAccountName
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_gecos = displayName
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = cn
# ldap_group_gid_number = msSFU30GidNumber
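A defensive check for the two settings in the posted config that matter most here (the commented-out ldap_id_use_start_tls next to a cleartext bind password over a plain ldap:// URI, and enumerate = true, which the sssd.conf man page describes as a performance cost not recommended for large directories), written as an added example for this page and not part of the original post. It parses a constructed fragment of the posted sssd.conf with Python's configparser; the function names and finding messages are assumptions.

```python
import configparser

# Constructed sample: the security-relevant fragment of the sssd.conf posted above
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = int.home.local
services = nss, pam

[domain/int.home.local]
id_provider = ldap
auth_provider = krb5
enumerate = true
ldap_uri = ldap://win-04vje0onhci.int.home.local
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
"""


def audit_sssd_conf(text):
    """Return (section, message) findings for every [domain/...] section."""
    # interpolation=None so a '%' in a password is not treated as a format string;
    # delimiters limited to '=' so the ':' in ldap:// URIs is never a key separator
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # A commented-out key is invisible to the parser, so it reads as "not set"
        start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
        if "ldap_default_authtok" in d and not (start_tls or all_ldaps):
            findings.append((section, "bind password would be sent in the clear: "
                                      "set ldap_id_use_start_tls = True or use ldaps:// URIs"))
        if d.get("enumerate", "false").strip().lower() == "true":
            findings.append((section, "enumerate = true: periodic full enumeration of the "
                                      "directory, not recommended for large directories"))
    return findings


def fixed_copy(text):
    """Apply the two changes the findings ask for, for a before/after comparison."""
    return (text.replace("#ldap_id_use_start_tls = True", "ldap_id_use_start_tls = True")
                .replace("enumerate = true", "enumerate = false"))


if __name__ == "__main__":
    for section, msg in audit_sssd_conf(SAMPLE_CONF):
        print(f"{section}: {msg}")
    print("after fix:", audit_sssd_conf(fixed_copy(SAMPLE_CONF)))
```

Run it against /etc/sssd/sssd.conf by passing the file's contents to audit_sssd_conf; an empty list means neither finding applies.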