On 14/04/13 11:58, steve wrote:
On 14/04/13 10:59, Rowland Penny wrote:
On 14/04/13 09:29, steve wrote:
Version 4.0.6-GIT-4bebda4
Hi
I have sssd up and running. It works fine except that getent only
returns domain users if I specify the object e.g.
getent passwd
and
getent group
return only local users
but
getent passwd steve2
steve2:*:3000034:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.
This doesn't seem to be a problem.
/etc/nsswitch.conf
passwd: compat sss
group: compat sss
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))
I've tried
enumerate = true
and it works as expected but strangely, only for the first time
after sssd is started. it then returns only local users.
I have never tried it myself, the sssd wiki recommends not setting
'enumerate = true' until everything else is working and then not on a
large domain.
Any ideas?
Cheers,
Steve
Here is my sssd.conf
[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam
[nss]
debug_level = 0x0270
[pam]
debug_level = 0x0270
[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD
ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
Rowland
Hi Rowland
Thanks. I can live with the getent thing. The other worry I have is
that it seems to work without any sort of authentication. If I
comment out all this lot:
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#ldap_default_bind_dn = cn=steve2,cn=Users,dc=hh3,dc=site
#ldap_default_authtok = s2
#ldap_default_authtok_type = password
#ldap_sasl_mech = GSSAPI
It still works. Users can still log in and getent passwd <user> works
too! There seems to be no security check made. Is there a cache I need
to clear? nscd is not running.
I've tried starting and stopping everything and even rebooted but
still is works without any authentication.
Worrying. . .
Cheers,
Steve
Hi Steve, I seem to remember reading on the sssd mailing list that sssd
uses a kerberos cache but the cache is stored in memory. When a user
logs in they get their own cache in /tmp with the format
'krb5_uidNumber_XXXXXX'
There is another cache in /var/lib/sss/db/
When they get the ad backend to work, you will find that the sssd conf
gets to be even smaller, you do not need any of the ldap lines.
Rowland
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba