[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start

Stefan Schäfer ml at fsproductions.de
Thu Aug 28 02:04:11 MDT 2014


On 28.08.2014 09:58, Rowland Penny wrote:
> On 28/08/14 08:35, Stefan Schäfer wrote:
>> Does nobody have an idea?
>>
>> Stefan
>>
>> On 27.08.2014 10:34, Stefan Schäfer wrote:
>>> Hello,
>>>
>>> we are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba 
>>> Packages 4.1.11. Samba runs as a single AD DC
>>>
>>> We have removed the complete openSUSE samba stuff before testing. 
>>> sssd runs on the same machine as samba.
>>>
>>> Our sssd config:
>>>
>>> -------------------------------------------------------------------------------- 
>>>
>>>
>>> [sssd]
>>> services = nss, pam
>>> config_file_version = 2
>>> domains = invis-ad.loc
>>> debug_level = 0x0370
>>>
>>> # global cache control
>>> # all values in seconds
>>> # default = 120
>>> enum_cache_timeout = 10
>>>
>>> # default = 15
>>> entry_negative_timeout = 5
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/invis-ad.loc]
>>> # Domain-specific cache control
>>> # All values in seconds
>>> # Default = entry_cache_timeout = 5400
>>> entry_cache_user_timeout = 10
>>> entry_cache_group_timeout = 10
>>>
>>> # Using id_provider=ad sets the best defaults on its own
>>> id_provider = ad
>>> # In sssd, the default access provider is always 'permit'. The AD access
>>> # provider by default checks for account expiration
>>> access_provider = ad
>>>
>>> # Uncomment to use POSIX attributes on the server
>>> ldap_id_mapping = true
>>>
>>> # Uncomment if the client machine hostname doesn't match the
>>> # computer object on the DC.
>>> #ad_hostname = invisad.invis-ad.loc
>>>
>>> # Uncomment if DNS SRV resolution is not working
>>> #ad_server = invisad.invis-ad.loc
>>>
>>> # Uncomment if the domain section is named differently than your
>>> # Samba domain
>>> #ad_domain = invis-ad.loc
>>>
>>> # Enumeration is discouraged for performance reasons.
>>> enumerate = true
>>>
>>> -----------------------------------------------------
>>>
>>> With "ldap_id_mapping = true" everything works, getent passwd / 
>>> group gets the user and group entries from our AD.
>>>
>>> But we want to use the sfu attributes from the AD, therefore I 
>>> tried to switch to "ldap_id_mapping = true". After this sssd 
>>> refuses to start. The logfile says:
>>>
>>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] 
>>> [load_backend_module] (0x0010): Error (5) in module (ad) 
>>> initialization (sssm_ad_id_init)!
>>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] 
>>> [be_process_init] (0x0010): fatal error initializing data providers
>>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): 
>>> Could not initialize backend [5]
>>>
>>> Our smb.conf:
>>>
>>> --------------------------------------------------------
>>>
>>> [global]
>>>         workgroup = INVIS-AD
>>>         realm = invis-ad.loc
>>>         netbios name = INVISAD
>>>         server role = active directory domain controller
>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>         idmap_ldb:use rfc2307 = yes
>>>
>>>         .....
>>>
>>> ------------------------------------------------------------
>>>
>>> Any ideas why sssd crashes?
>>>
>>>
>>> Stefan
>>>
>>>
>>
>>
> You might get more response if you posted on the correct mailing list, 
> sssd has nothing to do with samba.
>
> Rowland
>
OK, thanks for your answers. I took the whole configuration from the 
Samba-Wiki, that's why I posted it here.

Stefan

-- 
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten


