[Samba] Should I forget sssd ?
steve
steve at steve-ss.com
Mon Sep 30 23:44:25 MDT 2013
On Tue, 2013-10-01 at 15:48 +1100, me at electronico.nc wrote:
> Hi again,
>
> Thanks again, Denis, Steve and Rowland for your previous answers about
> RFC2307 and winbind.
>
> Maybe I'm an dreamer but here is that I wanted to achieve :
> Ubuntu server 12.04.3, samba4 as PDC, several NICS : 1 LAN and 2/3 WANS
> Use a windows VM (on this server) to control AD through WRAT
> AD offers me the 'wishdom' of software deployment and GPO, users are
> can't install anything
> All standard Linux services (apache, postfix, dovecot, pptp, mysql,
> webmail, ...) can query AD
>
> What is done :
> I have setup 'folder redirection' in WRAT, so users 'documents' and
> 'desktop' are avalaible offline and mapped to home/%U on server
> AD Administrator has a roaming profile
> Searched a lot and succeed to deploy Office, Acrobat reader, Skype,
> 7-zip, Firefox to users (windows is another world...)
> Shares are mounted (depending on AD 'ou' rights) on user's pc
> Administrator can login via UltraVNC to all workstation
>
> What needs to be done:
> Linux services to auth to AD
>
> From what I've read, sssd is the more secure solution to achieve this,
> but ...
> Using sssd 1.11.1 : files configuration:
> 1)
> > sudo cat /etc/sssd/sssd.conf
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = radiodjiido.nc
> > [nss]
> > [pam]
> > [domain/radiodjiido.nc]
> > dyndns_update = false
> > ad_hostname = serveur.radiodjiido.nc
> > ad_server = serveur.radiodjiido.nc
> > ad_domain = radiodjiido.nc
> > ldap_schema = ad
> > id_provider = ad
> > access_provider = simple
> > enumerate = true
> > cache_credentials = true
> > auth_provider = krb5
> > chpass_provider = krb5
> > krb5_realm = RADIODJIIDO.NC
> > krb5_server = serveur.radiodjiido.nc
> > krb5_kpasswd = serveur.radiodjiido.nc
> > #next line only lists users with uidNumber/gidNumber entered via ldbedit
> > ldap_id_mapping = false
> > ldap_referrals = false
> > ldap_uri = ldap://serveur.radiodjiido.nc
> > ldap_search_base = dc=radiodjiido,dc=nc
> > ldap_user_object_class = user
> > ldap_user_name = samAccountName
> > ldap_user_uid_number = uidNumber
> > ldap_user_gid_number = gidNumber
> > ldap_user_home_directory = unixHomeDirectory
> > ldap_user_shell = loginShell
> > ldap_group_object_class = group
> > ldap_group_search_base = dc=radiodjiido,dc=nc
> > ldap_group_name = cn
> > ldap_group_member = member
> > ldap_sasl_mech = gssapi
> > #ldap_sasl_authid = serveur$
> > ldap_sasl_authid = serveur$@RADIODJIIDO.NC
> > krb5_keytab = /etc/krb5.sssd.keytab
> > ldap_krb5_init_creds = true
Hi
It looks as though the ad backend is broken in 1.11.1. At least I can't
get it going with a similar sssd.conf:
https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html
I rolled back to 1.10.0 and it's fine.
Re: your question.
If you can get away without having Linux clients in the domain, then
yes, you can forget sssd entirely.
HTH and good luck,
Steve
More information about the samba
mailing list