[Samba] samba4 DC, internal winbind_server: external idmap problem

Andy Igoshin ai at vsu.ru
Wed Dec 11 09:26:04 MST 2013

On Tue, 10 Dec 2013 19:09:04 +0100
steve <steve at steve-ss.com> wrote:
> On Tue, 2013-12-10 at 20:46 +0400, Andy Igoshin wrote:
> > 
> > even in sssd 1.11.2 there are problems with ad/ldap backends.
> > so will see how it goes further in sssd and winbind.
> > 
> Hi
> Really? That's worrying. Could you share/give details? I've no problem
> to reproduce and take to the devs. . .

i found that there are problems in getting information about an account
with the objectSid attribute.

if this attribute exists then sssd tries to find a suitable domain for
it. but sssd does not request the domain sid from ldap so it can't find
the proper domain. corresponding errors appear in the log.
As a result 'getent passwd user' for a user with the objectSid attribute
set returns nothing.
my bug report https://fedorahosted.org/sssd/ticket/2175 was marked as
a duplicate. i do not fully agree with that status but we will see...

from sources and sssd's behaviour it follows that sssd does not request
domain sid for the domain, only for its subdomains. it makes the
construction unworkable. also it is impossible to specify domain sid in

as for the ad backend - there is a similar bug in the bug tracker.
i just can't find it right now.

Andy Igoshin <ai at vsu.ru>                 Voronezh State University
sip:          ai at vsu.ru                  Network Operation Center
phone: +7 473 2281160, ext. 2020         Voronezh, Russia
