[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client

Paul R. Ganci ganci at nurdog.com
Tue Nov 5 21:14:21 MST 2013


On 11/05/2013 01:11 AM, steve wrote:
> On Mon, 2013-11-04 at 22:18 -0700, Paul R. Ganci wrote:
>> I did want to get sssd working but while I can authenticate the
>> version of sssd does not seem to want to pull out the gid, uid, home
>> directory ... etc.
> Pls post sssd.conf
Boy some real bulldogs on this list ... I don't think I have been on any 
list with so many helpful people! :)

I want to emphasize a couple of things. First, my running a Samba 4 AD is 
purely for educational and scientific reasons. While it would be great 
to get sssd working, it is not a priority for me. Why? Because, second, I 
have winbind working just fine on the clients. Therefore I am happy, as I 
am using the Samba 4 AD to authenticate, extract GIDs/UIDs and find my 
home directory on my Linux boxes. My wife is happy because she has 
roaming profiles and a home directory on her Windows 7 Professional 
laptop. Third, I think the CentOS 6.4 codebase is just old. For example, 
I am positive the cifs-utils-4.8.1-18 package is hopelessly archaic. I 
want to run CentOS 6.4 for other reasons, and so when I upgraded from 5.x 
I decided to ditch NIS/Samba3, and a Samba 4 AD seemed to make sense. 
Perhaps I jumped the gun with CentOS 6.4 and would have been better off 
waiting for CentOS 7. While I really appreciate the help, I hope people 
understand that this is not a high-priority item. I really don't want 
you busy folks to waste your precious time.

Now, having said all that, if you still want to try and help, I will post 
the sssd.conf that I have used. I have tried two different versions. The 
first version came from this reference (Steve, I assume this is yours); I 
removed its comments and added some comments of my own:

http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html

[sssd]
config_file_version = 2
domains = default
services = nss, pam

[nss]

[pam]

[domain/default]

ldap_schema = rfc2307bis
access_provider = simple
#
# on large directories, you may want to disable enumeration
# http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html
# sets false.
enumerate = true
#
# http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html
# sets true but if AD server is down not much we can do. Also for debug
# having cached credentials seemed to get in the way
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MYHOME.NURDOG.COM
krb5_server = nikita.myhome.nurdog.com
# Per linuxcostablanca.blogspot.com same
krb5_kpasswd = nikita.myhome.nurdog.com
ldap_referrals = false
ldap_uri = ldap://nikita.myhome.nurdog.com/
ldap_search_base = dc=myhome,dc=nurdog,dc=com
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=myhome,dc=nurdog,dc=com
ldap_group_name = cn
ldap_group_member = member
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = MCDUFF$
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

I tried another version based upon these references (mostly the first one):

https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
http://heartofthesystem.blogspot.com/2012/10/sssd-kerberos-and-rhel-6.html

[sssd]
config_file_version = 2
domains = myhome.nurdog.com
services = nss, pam
debug_level = 2

[nss]

[pam]

[domain/myhome.nurdog.com]

ldap_referrals = false
#cache_credentials = true
# on large directories, you may want to disable enumeration for performance reasons
enumerate = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://nikita.myhome.nurdog.com/
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = nfs/mcduff.myhome.nurdog.com@MYHOME.NURDOG.COM
ldap_schema = rfc2307bis
ldap_search_base = dc=myhome,dc=nurdog,dc=com

ldap_user_object_class = user
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell

ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

krb5_realm = MYHOME.NURDOG.COM
krb5_server = nikita.myhome.nurdog.com
krb5_kpasswd = nikita.myhome.nurdog.com
ldap_krb5_init_creds = true
krb5_canonicalize = false

In order to use this version I rejoined the domain using:

net ads join createupn="nfs/client.ad.example.com@MYHOME.NURDOG.COM" -U Administrator

to create the UPN. It also has some use for "kerberizing" NFS 
(necessary for the versions of software in CentOS 6.4), but that is a 
separate thing. I started with the first version to create the second 
version, so there may be some mixing and matching.

It did not matter which version I used. I could log in to the client, and it 
could find my home directory, but the UID=99, GID=99 (nobody:nobody) 
ownership made it not very useful. I guess the question I have is: what 
do I have to do on the AD side? I wasn't running sssd on the AD ... is 
there something I have to do there?

-- 
Paul (ganci at nurdog.com)
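A diagnostic script for the UID/GID=99 symptom described in the post above, added here as an example; it is not the poster's code and not part of the Samba or SSSD projects. It assumes the posted sssd.conf is in use, so every AD user object must carry the four attributes that config maps (uidNumber, gidNumber, unixHomeDirectory, loginShell); that uid/gid 99 is `nobody` as on CentOS 6; and that the LDAP URI and search base are the ones from the post. The LDIF entry, the passwd line and the user name jdoe embedded in it are constructed sample data, and the script name is a made-up one.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). It separates the three places
# a UNIX id can go wrong on a Samba 4 AD client: the directory entry itself,
# the passwd entry sssd hands to NSS, and the ownership stored on the filesystem.
# Assumptions (mine, not the post's): the user object must carry the RFC2307
# attributes the posted sssd.conf maps; uid/gid 99 is "nobody" as on CentOS 6.

NOBODY_ID=99
REQUIRED_ATTRS="uidNumber gidNumber unixHomeDirectory loginShell"

# check_rfc2307 LDIF_TEXT
# Prints "missing: <attrs>" and returns 1 if the entry lacks any required
# attribute; prints nothing and returns 0 when the entry is complete.
check_rfc2307() {
    ldif=$1
    missing=""
    for attr in $REQUIRED_ATTRS; do
        # LDIF carries one "attr: value" per line; attribute names are case-insensitive
        if ! printf '%s\n' "$ldif" | grep -qi "^$attr:"; then
            missing="$missing $attr"
        fi
    done
    [ -z "$missing" ] && return 0
    printf 'missing:%s\n' "$missing"
    return 1
}

# passwd_field LINE N: field N (1-based) of a passwd(5) line as `getent passwd` prints it.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# diagnose LDIF_TEXT PASSWD_LINE FS_UID FS_GID
# Prints one line naming the layer that is wrong and returns:
#   0 all consistent            1 directory entry incomplete
#   2 NSS resolves to nobody    3 filesystem owner disagrees with NSS
diagnose() {
    ldif=$1; pwline=$2; fs_uid=$3; fs_gid=$4
    if ! check_rfc2307 "$ldif" >/dev/null; then
        echo "directory: user object lacks RFC2307 attributes; fix it on the AD side"
        return 1
    fi
    nss_uid=$(passwd_field "$pwline" 3)
    nss_gid=$(passwd_field "$pwline" 4)
    if [ "$nss_uid" = "$NOBODY_ID" ] || [ "$nss_gid" = "$NOBODY_ID" ]; then
        echo "nss: lookup returned $nss_uid:$nss_gid (nobody); check the sssd attribute mapping"
        return 2
    fi
    if [ "$fs_uid" != "$nss_uid" ] || [ "$fs_gid" != "$nss_gid" ]; then
        echo "filesystem: owner $fs_uid:$fs_gid != NSS $nss_uid:$nss_gid; on NFSv4 look at idmapd, not sssd"
        return 3
    fi
    echo "ok: directory, NSS and filesystem agree on $nss_uid:$nss_gid"
    return 0
}

# Constructed sample (not real data): what ldapsearch returns for a Samba 4 AD
# user that was never given UNIX attributes, and the same entry once they are set.
INCOMPLETE_ENTRY='dn: CN=jdoe,CN=Users,DC=myhome,DC=nurdog,DC=com
sAMAccountName: jdoe
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash'
COMPLETE_ENTRY="$INCOMPLETE_ENTRY
uidNumber: 10001
gidNumber: 10001"
# Constructed `getent passwd jdoe` output for the complete entry.
PASSWD_OK='jdoe:*:10001:10001:Jane Doe:/home/jdoe:/bin/bash'

# live_check USER: run the three checks on a real client. Assumes a valid
# Kerberos ticket (kinit) for ldapsearch -Y GSSAPI and the URI/base from the post.
live_check() {
    user=$1
    ldif=$(ldapsearch -LLL -Y GSSAPI -H ldap://nikita.myhome.nurdog.com/ \
        -b dc=myhome,dc=nurdog,dc=com "(sAMAccountName=$user)" \
        uidNumber gidNumber unixHomeDirectory loginShell 2>/dev/null) \
        || { echo "ldapsearch failed (no ticket? wrong URI?)"; return 4; }
    pwline=$(getent passwd "$user") \
        || { echo "nss: getent returns no entry for $user"; return 2; }
    home=$(passwd_field "$pwline" 6)
    set -- $(stat -c '%u %g' "$home")   # owner uid and gid of the home directory
    diagnose "$ldif" "$pwline" "$1" "$2"
}

if [ $# -eq 1 ]; then
    live_check "$1"
fi
```

Saved as, say, check_unix_ids.sh and run as `sh check_unix_ids.sh <user>` on the client after `kinit`; with no argument it only defines the functions and sample data. The order of the checks matters: if the directory entry has no uidNumber/gidNumber, nothing in sssd.conf can help, because Samba 4 AD does not assign UNIX attributes to a user unless you set them (for example in ADUC's UNIX Attributes tab, or with ldbmodify against sam.ldb); if NSS returns the right ids but the home directory on an NFSv4 mount still shows 99:99, the mismatch is in the idmapd domain mapping between client and server rather than in sssd.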


