[Samba] sssd getent problem with Samba 4.0

Rowland Penny rpenny at f2s.com
Sun Apr 14 02:59:42 MDT 2013


On 14/04/13 09:29, steve wrote:
> Version 4.0.6-GIT-4bebda4
>
> Hi
> I have sssd up and running. It works fine except that getent only 
> returns domain users if I specify the object e.g.
> getent passwd
> and
> getent group
> return only local users
>
> but
> getent passwd steve2
> steve2:*:3000034:20513:steve2:/home/users/steve2:/bin/bash
> and
> getent group Domain\ Users
> Domain Users:*:20513:
> work fine.

This doesn't seem to be a problem.

>
>
> /etc/nsswitch.conf
> passwd: compat sss
> group:  compat sss
>
> /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [domain/default]
> access_provider = simple
> #simple_allow_users = myuser
> enumerate = false
> cache_credentials = True
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> krb5_realm = HH3.SITE
> krb5_server = hh16.hh3.site
> krb5_kpasswd = hh16.hh3.site
> ldap_uri = ldap://hh16.hh3.site/
> ldap_search_base = dc=hh3,dc=site
> ldap_tls_cacertdir = /usr/local/samba/private/tls
> ldap_id_use_start_tls = False
> ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
> ldap_default_authtok = xx
> ldap_default_authtok_type = password
> ldap_user_object_class = person
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_group_object_class = group
> #ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))
>
> I've tried
> enumerate = true
> and it works as expected but strangely, only for the first time after 
> sssd is started. It then returns only local users.

I have never tried it myself; the sssd wiki recommends not setting 
'enumerate = true' until everything else is working, and then not on a 
large domain.

>
> Any ideas?
> Cheers,
> Steve
>

Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland
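
The two configs in this thread differ on the points that matter most to a practitioner: the first one does a simple bind with a password stored in sssd.conf, over ldap:// with StartTLS explicitly switched off, while the reply's config binds with SASL/GSSAPI using the host keytab and keeps no secret in the file. The getent behaviour is also by design: sssd only answers an unkeyed getent passwd/group (enumeration) when enumerate = true, while keyed lookups such as getent passwd steve2 work regardless. The following linter is an added example, not code from this thread or from the sssd or Samba projects; the two embedded configs are constructed from the shapes posted above, with placeholder host and domain names (dc1.example.test, EXAMPLE.TEST, svc-sssd) and a dummy bind password, all of which are assumptions.

```python
"""Lint sssd.conf for cleartext binds, stored passwords and enumeration.

Added example, not from the mailing-list thread or the sssd/Samba projects.
Host names, the realm and the bind account below are placeholders.
"""
import configparser
from urllib.parse import urlsplit

# Constructed: shape of the first poster's config (simple bind, password in
# the file, StartTLS switched off, enumeration off).
CONF_SIMPLE_BIND = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.TEST
krb5_server = dc1.example.test
ldap_uri = ldap://dc1.example.test/
ldap_search_base = dc=example,dc=test
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=svc-sssd,cn=Users,dc=example,dc=test
ldap_default_authtok = dummy-password
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
"""

# Constructed: shape of the reply's config (GSSAPI bind with the host keytab,
# no password in the file, servers found via DNS).
CONF_GSSAPI_BIND = """\
[sssd]
config_file_version = 2
domains = example.test
services = nss, pam

[domain/example.test]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_realm = EXAMPLE.TEST
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_user_search_base = dc=example,dc=test
ldap_user_object_class = user
ldap_user_name = sAMAccountName
"""

# Constructed nsswitch.conf fragment matching the one posted.
NSSWITCH = """\
passwd: compat sss
group:  compat sss
shadow: compat
"""


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written; sssd is case-sensitive
    cp.read_string(text)
    return cp


def as_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "on", "1")


def enumeration_enabled(cp, section):
    # sssd answers getent passwd/group *without* a key only when
    # 'enumerate = true' (default false); keyed lookups work either way.
    return as_bool(cp[section].get("enumerate"), default=False)


def lint_domain(cp, section):
    """Return a list of findings for one [domain/...] section."""
    d = cp[section]
    findings = []
    if d.get("id_provider") != "ldap":
        return findings
    uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
    schemes = {urlsplit(u).scheme for u in uris}
    # sssd defaults ldap_id_use_start_tls to true; only an explicit False on a
    # plain ldap:// URI with no SASL layer leaves the session unencrypted.
    start_tls = as_bool(d.get("ldap_id_use_start_tls"), default=True)
    cleartext = "ldap" in schemes and not start_tls and d.get("ldap_sasl_mech") is None
    if cleartext:
        findings.append("ldap:// with ldap_id_use_start_tls = False: directory traffic is unencrypted")
    if d.get("ldap_default_authtok") is not None:
        findings.append("ldap_default_authtok: bind password stored in sssd.conf; "
                        "prefer ldap_sasl_mech = GSSAPI with the host keytab")
        if cleartext:
            findings.append("simple bind over cleartext LDAP: the bind password crosses the wire unprotected")
    if enumeration_enabled(cp, section):
        findings.append("enumerate = true: sssd will pull every user and group; avoid on large domains")
    return findings


def nss_databases_using_sss(nsswitch_text):
    """Return the nsswitch databases whose source list includes 'sss'."""
    using = set()
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "sss" in sources.split():
            using.add(db.strip())
    return using


if __name__ == "__main__":
    for name, text, section in (("simple-bind", CONF_SIMPLE_BIND, "domain/default"),
                                ("gssapi-bind", CONF_GSSAPI_BIND, "domain/example.test")):
        cp = parse_sssd_conf(text)
        print(name, "enumerate:", enumeration_enabled(cp, section))
        for f in lint_domain(cp, section):
            print("  -", f)
    print("nsswitch databases backed by sss:", sorted(nss_databases_using_sss(NSSWITCH)))
```

Run it against a real /etc/sssd/sssd.conf by reading the file into parse_sssd_conf; the first config shape yields three findings (cleartext LDAP, stored password, password sent in the clear) and the GSSAPI shape yields none, which is the difference between the two sssd.conf files above.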

