[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start

Rowland Penny rowlandpenny at googlemail.com
Thu Aug 28 02:11:28 MDT 2014


On 28/08/14 09:04, Stefan Schäfer wrote:
> On 28.08.2014 09:58, Rowland Penny wrote:
>> On 28/08/14 08:35, Stefan Schäfer wrote:
>>> Does nobody have an idea?
>>>
>>> Stefan
>>>
>>>> On 27.08.2014 10:34, Stefan Schäfer wrote:
>>>> Hello,
>>>>
>>>> We are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba
>>>> packages 4.1.11. Samba runs as a single AD DC.
>>>>
>>>> We have removed the complete openSUSE samba stuff before testing. 
>>>> sssd runs on the same machine as samba.
>>>>
>>>> Our sssd config:
>>>>
>>>> -------------------------------------------------------------------------------- 
>>>>
>>>>
>>>> [sssd]
>>>> services = nss, pam
>>>> config_file_version = 2
>>>> domains = invis-ad.loc
>>>> debug_level = 0x0370
>>>>
>>>> # Global cache control
>>>> # All values in seconds
>>>> # default = 120
>>>> enum_cache_timeout = 10
>>>>
>>>> # default = 15
>>>> entry_negative_timeout = 5
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [domain/invis-ad.loc]
>>>> # Domain-specific cache control
>>>> # All values in seconds
>>>> # Default = entry_cache_timeout = 5400
>>>> entry_cache_user_timeout = 10
>>>> entry_cache_group_timeout = 10
>>>>
>>>> # Using id_provider=ad sets the best defaults on its own
>>>> id_provider = ad
>>>> # In sssd, the default access provider is always 'permit'. The AD access
>>>> # provider by default checks for account expiration
>>>> access_provider = ad
>>>>
>>>> # Uncomment to use POSIX attributes on the server
>>>> ldap_id_mapping = true
>>>>
>>>> # Uncomment if the client machine hostname doesn't match the
>>>> # computer object on the DC.
>>>> #ad_hostname = invisad.invis-ad.loc
>>>>
>>>> # Uncomment if DNS SRV resolution is not working
>>>> #ad_server = invisad.invis-ad.loc
>>>>
>>>> # Uncomment if the domain section is named differently than your
>>>> # Samba domain
>>>> #ad_domain = invis-ad.loc
>>>>
>>>> # Enumeration is discouraged for performance reasons.
>>>> enumerate = true
>>>>
>>>> -----------------------------------------------------
>>>>
>>>> With "ldap_id_mapping = true" everything works, getent passwd / 
>>>> group gets the user and group entries from our AD.
>>>>
>>>> But we want to use the sfu attributes from the AD, therefore I
>>>> tried to switch to "ldap_id_mapping = true". After this sssd
>>>> refuses to start. The logfile says:
>>>>
>>>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
>>>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): Could not initialize backend [5]
>>>>
>>>> Our smb.conf:
>>>>
>>>> --------------------------------------------------------
>>>>
>>>> [global]
>>>>         workgroup = INVIS-AD
>>>>         realm = invis-ad.loc
>>>>         netbios name = INVISAD
>>>>         server role = active directory domain controller
>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>         idmap_ldb:use rfc2307 = yes
>>>>
>>>>         .....
>>>>
>>>> ------------------------------------------------------------
>>>>
>>>> Any ideas why sssd crashes?
>>>>
>>>>
>>>> Stefan
>>>>
>>>>
>>>
>>>
>> You might get more response if you posted on the correct mailing
>> list; sssd has nothing to do with samba.
>>
>> Rowland
>>
> OK, thanks for your answers. I took the whole configuration from the 
> Samba-Wiki, that's why I posted it here.
>
> Stefan
>
Yes, I know it is on the wiki, but it is only there as an example. You
will have a lot more chance of getting help if you take your problem to
the sssd mailing list. They are very good at getting problems fixed with
their software; you will probably get a response from one of the people
who write the software.

Rowland

