[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start

Rowland Penny rowlandpenny at googlemail.com
Thu Aug 28 01:58:42 MDT 2014


On 28/08/14 08:35, Stefan Schäfer wrote:
> Does nobody have an idea?
>
> Stefan
>
> On 27.08.2014 10:34, Stefan Schäfer wrote:
>> Hello,
>>
>> we are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba 
>> Packages 4.1.11. Samba runs as a single AD DC
>>
>> We have removed the complete openSUSE samba stuff before testing. 
>> sssd runs on the same machine as samba.
>>
>> Our sssd config:
>>
>> -------------------------------------------------------------------------------- 
>>
>>
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = invis-ad.loc
>> debug_level = 0x0370
>>
>> # global cache control
>> # all values in seconds
>> # default = 120
>> enum_cache_timeout = 10
>>
>> # default = 15
>> entry_negative_timeout = 5
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/invis-ad.loc]
>> # Domain-specific cache control
>> # All values in seconds
>> # Default = entry_cache_timeout = 5400
>> entry_cache_user_timeout = 10
>> entry_cache_group_timeout = 10
>>
>> # Using id_provider=ad sets the best defaults on its own
>> id_provider = ad
>> # In sssd, the default access provider is always 'permit'. The AD access
>> # provider by default checks for account expiration
>> access_provider = ad
>>
>> # Uncomment to use POSIX attributes on the server
>> ldap_id_mapping = true
>>
>> # Uncomment if the client machine hostname doesn't match the computer object on the DC.
>> #ad_hostname = invisad.invis-ad.loc
>>
>> # Uncomment if DNS SRV resolution is not working
>> #ad_server = invisad.invis-ad.loc
>>
>> # Uncomment if the domain section is named differently than your Samba domain
>> #ad_domain = invis-ad.loc
>>
>> # Enumeration is discouraged for performance reasons.
>> enumerate = true
>>
>> -----------------------------------------------------
>>
>> With "ldap_id_mapping = true" everything works, getent passwd / group 
>> gets the user and group entries from our AD.
>>
>> But we want to use the sfu attributes from the AD, therefore I tried  
>> to switch to "ldap_id_mapping = true". After this sssd refuses to 
>> start. The logfile says:
>>
>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [be_process_init] (0x0010): fatal error initializing data providers
>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): Could not initialize backend [5]
>>
>> Our smb.conf:
>>
>> --------------------------------------------------------
>>
>> [global]
>>         workgroup = INVIS-AD
>>         realm = invis-ad.loc
>>         netbios name = INVISAD
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>         idmap_ldb:use rfc2307 = yes
>>
>>         .....
>>
>> ------------------------------------------------------------
>>
>> Any ideas why sssd crashes?
>>
>>
>> Stefan
>>
>>
>
>
You might get more response if you posted on the correct mailing list, 
sssd has nothing to do with samba.

Rowland


