[Samba] Samba4 Using AD/UNIX attributes for home directory and shell not possible?

steve steve at steve-ss.com
Mon Aug 12 03:08:01 MDT 2013


On 12/08/13 10:04, Markus Gillmeister wrote:
> Hi,
>
> while googling around I already suspected that using winbind and samba4 is
> not a perfect solution.
>
> I tried to setup sssd on my debian wheezy machine but I'm not able to get a
> running setup:
>
> When starting up sssd the following error appear:
>
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [setup_child] (0x0010):
> Could not verify keytab
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [load_backend_module]
> (0x0010): Error (2) in module (ldap) initialization (sssm_ldap_id_init)!
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [be_process_init]
> (0x0010): fatal error initializing data providers
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [main] (0x0010): Could
> not initialize backend [2]
>
>
> My  /etc/sssd/sssd.conf looks like:
>
> [sssd]
> config_file_version = 2
> domains = shadow.local
> services = nss, pam
> debug_level = 7
>
> [nss]
>
> [pam]
>
> [domain/shadow.local]
> cache_credentials = true
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> access_provider = ldap
>
> krb5_realm = SHADOW.LOCAL
>
> ldap_referrals = false
> ldap_sasl_mech = GSSAPI
> ldap_schema = rfc2307bis
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
> ldap_user_object_class = user
> ldap_user_name = sAMAccountName
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_object_class = group
> ldap_group_name = sAMAccountName
>
>
> sssd version on debian wheezy is 1.8.4.  Any ideas whats wrong?
>
> Best Regards
> Markus
>
>
Hi
mmm, 1.8.4. For AD out of the box you need version 1.10.1 but you could 
try this.
You haven't specified the DC or any of the gssapi stuff:
  remove:
  access_provider =
  and add :

krb5_realm =
krb5_server =
krb5_kpasswd =

ldap_sasl_authid =
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_validate = False

for server and kpasswd use names, not IPs
for ldap_sasl_authid use the machine key from the keytab it provided 
when you joined the domain, something like MACHINE$

There are example configs for both rfc2307bis and AD schemas here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
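As an added illustration (not a file posted in this thread), this is Markus's sssd.conf with the changes steve suggests applied: access_provider dropped, the DC and the GSSAPI settings filled in. The DC hostname dc1.shadow.local, the search base dc=shadow,dc=local and the machine account name MYHOST$ are assumptions; the real principal name must be read from the keytab.

```ini
# Added example: sssd.conf for the shadow.local AD domain with steve's
# suggestions applied to Markus's original file. Not a config from the thread.
# Assumed values: DC hostname dc1.shadow.local, search base dc=shadow,dc=local,
# machine account MYHOST$ (take the real one from `klist -k /etc/krb5.keytab`).
[sssd]
config_file_version = 2
domains = shadow.local
services = nss, pam
debug_level = 7

[nss]

[pam]

[domain/shadow.local]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# access_provider = ldap removed as suggested (default access provider applies).
# ldap_access_order and ldap_account_expire_policy only act together with
# access_provider = ldap, so they are dropped as well.

# Name the DC explicitly. Use DNS names, not IP addresses, so the Kerberos
# service principals for the DC can be matched.
ldap_uri = ldap://dc1.shadow.local
ldap_search_base = dc=shadow,dc=local

krb5_realm = SHADOW.LOCAL
krb5_server = dc1.shadow.local
krb5_kpasswd = dc1.shadow.local
krb5_validate = False

# GSSAPI bind to the DC with the machine keytab written at domain join.
# ldap_sasl_authid must match a principal in that keytab exactly,
# including the trailing "$".
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = MYHOST$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_force_upper_case_realm = true

# AD attribute mapping (rfc2307bis schema), unchanged from the original post.
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
```

Before restarting sssd, confirm the keytab actually contains the principal you put in ldap_sasl_authid: `klist -k /etc/krb5.keytab` lists the entries, and `kinit -k 'MYHOST$'` (with the real name) must succeed as root, since "Could not verify keytab" is what sssd reports when the named principal cannot be found or used. Keep the keytab root-only (mode 0600). One caveat on the suggested `krb5_validate = False`: it stops sssd from checking the KDC's reply against the host key in the keytab, which is the defence against a spoofed KDC, so once the keytab is known to work it is worth setting it back to True.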
