Notice: I sent this email to the list using another mail address, which I believe was not verified properly. If this email is properly sent to the list you can disregard moderating the message.
Hello
I'm setting up a single sign-on solution for about 1200 servers. The situation, as it seems, is that we are setting up all users in a Windows 2008 R2 Active Directory, adding proper Unix permissions. A user with proper privileges to read Active Directory is being used by sssd to read which users are allowed in and which are not. If the users do not have a home directory, it is created automatically. So what's the issue here? Access to the system does not happen instantly, and I believe it's because sssd is polling Active Directory every 120 seconds. It seems as if it has issues retaining its state, and it is just as if it would lose its local database. I would like to be able to have users logged in directly after a user is added to Active Directory. Is this possible, and how could this be achieved?
Versions being used: Debian 7.4
ii  sssd        1.8.4-2  amd64  System Security Services Daemon
ii  sssd-tools  1.8.4-2  amd64  System Security Services Daemon -- tools

config:
--
[sssd]
config_file_version = 2
domains = int.home.local
services = nss, pam
debug_level = 0

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/int.home.local]
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if service discovery is not working
ldap_uri = ldap://win-04vje0onhci.int.home.local

# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM

# Define these only if anonymous binds are not allowed and no keytab is available
# Enabling use_start_tls is very important, otherwise the bind password is transmitted
# over the network in the clear
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword

ldap_schema = rfc2307bis

ldap_user_search_base = CN=Users,DC=int,DC=home,DC=local
ldap_user_object_class = user

ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_search_base = CN=Builtin,DC=int,DC=home,DC=local
#ldap_group_search_base = ou=group,dc=int,dc=home,dc=local
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = win-04vje0onhci.int.home.local
krb5_realm = int.home.local

# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false

# Perhaps you need to redirect to certain attributes?
# ldap_user_object_class = user
# ldap_user_name = sAMAccountName
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_gecos = displayName
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = cn
# ldap_group_gid_number = msSFU30GidNumber
On Wed, Apr 23, 2014 at 08:10:47AM +0200, Paul Liljenberg wrote:
> Notice: I sent this email to the list using another mail address, which I believe was not verified properly. If this email is properly sent to the list you can disregard moderating the message.
> Hello
> I'm setting up a single sign-on solution for about 1200 servers. The situation, as it seems, is that we are setting up all users in a Windows 2008 R2 Active Directory, adding proper Unix permissions. A user with proper privileges to read Active Directory is being used by sssd to read which users are allowed in and which are not. If the users do not have a home directory, it is created automatically. So what's the issue here? Access to the system does not happen instantly, and I believe it's because sssd is polling Active Directory every 120 seconds. It seems as if it has issues retaining its state, and it is just as if it would lose its local database. I would like to be able to have users logged in directly after a user is added to Active Directory. Is this possible, and how could this be achieved?
I would encourage you to turn enumeration off. Enumeration is a background task that periodically downloads and saves all users from the server, which can be very intensive, especially for large environments.
Also, is there a reason to use a bind user and a password and not a keytab and then leverage GSSAPI?
We have some howtos on enrolling a client with AD for pre-1.9 clients: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20...
And also for 1.9 and later (recommended): https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
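The two suggestions in the reply, written out as a domain section for the poster's setup. This is an added example, not configuration from the thread or from the SSSD project: enumeration is switched off so sssd does per-user lookups instead of periodically downloading every account, and the bind DN plus cleartext password are replaced by a GSSAPI bind from the host keytab, so no password sits in sssd.conf or crosses the wire. The keytab path /etc/krb5.keytab and the principal host/client.int.home.local@INT.HOME.LOCAL are assumptions; the realm is written in the upper-case form Kerberos uses.

```ini
[domain/int.home.local]
# Added example, not the poster's config. Per-user lookups on demand instead of
# a periodic full download of all users; large AD forests stay cheap to query.
enumerate = false
# Keep cached credentials so logins survive a DC outage
cache_credentials = true
ldap_referrals = false

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://win-04vje0onhci.int.home.local

# Bind with the machine's Kerberos key from its keytab rather than a bind DN and
# a password stored in this file. Principal and keytab path are assumptions.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.int.home.local@INT.HOME.LOCAL
ldap_krb5_keytab = /etc/krb5.keytab
# ldap_default_bind_dn / ldap_default_authtok are intentionally absent:
# GSSAPI replaces them, so there is no cleartext password to protect.

ldap_user_search_base = CN=Users,DC=int,DC=home,DC=local
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = CN=Builtin,DC=int,DC=home,DC=local
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

krb5_server = win-04vje0onhci.int.home.local
krb5_realm = INT.HOME.LOCAL
krb5_canonicalize = false
```

Two checks before rolling this out to 1200 hosts: confirm the keytab actually holds the principal named in ldap_sasl_authid (klist -k on the client), and remember that a lookup for a user who did not yet exist is held briefly in sssd's negative cache (entry_negative_timeout in the [nss] section), so a freshly created account is not visible until that entry expires or the cache is invalidated with sss_cache from sssd-tools. Neither point comes from the thread; both are general sssd behaviour.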
sssd-users@lists.fedorahosted.org