[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start

steve steve at steve-ss.com
Thu Aug 28 02:17:50 MDT 2014


On Thu, 2014-08-28 at 10:04 +0200, Stefan Schäfer wrote:
> On 28.08.2014 09:58, Rowland Penny wrote:
> > On 28/08/14 08:35, Stefan Schäfer wrote:
> >> Does nobody have an idea?
> >>
> >> Stefan
> >>
> >> On 27.08.2014 10:34, Stefan Schäfer wrote:
> >>> Hello,
> >>>
> >>> we are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba 
> >>> Packages 4.1.11. Samba runs as a single AD DC.
> >>>
> >>> We have removed the complete openSUSE samba stuff before testing. 
> >>> sssd runs on the same machine as samba.
> >>>
> >>> Our sssd config:
> >>>
> >>> -------------------------------------------------------------------------------- 
> >>>
> >>>
> >>> [sssd]
> >>> services = nss, pam
> >>> config_file_version = 2
> >>> domains = invis-ad.loc
> >>> debug_level = 0x0370
> >>>
> >>> # global cache control
> >>> # all values in seconds
> >>> # default = 120
> >>> enum_cache_timeout = 10
> >>>
> >>> # default = 15
> >>> entry_negative_timeout = 5
> >>>
> >>> [nss]
> >>>
> >>> [pam]
> >>>
> >>> [domain/invis-ad.loc]
> >>> # Domain-specific cache control
> >>> # All values in seconds
> >>> # Default = entry_cache_timeout = 5400
> >>> entry_cache_user_timeout = 10
> >>> entry_cache_group_timeout = 10
> >>>
> >>> # Using id_provider=ad sets the best defaults on its own
> >>> id_provider = ad
> >>> # In sssd, the default access provider is always 'permit'. The AD access
> >>> # provider by default checks for account expiration
> >>> access_provider = ad
> >>>
> >>> # Uncomment to use POSIX attributes on the server
> >>> ldap_id_mapping = true
> >>>
> >>> # Uncomment if the client machine hostname doesn't match the computer object on the DC.
> >>> #ad_hostname = invisad.invis-ad.loc
> >>>
> >>> # Uncomment if DNS SRV resolution is not working
> >>> #ad_server = invisad.invis-ad.loc
> >>>
> >>> # Uncomment if the domain section is named differently than your Samba domain
> >>> #ad_domain = invis-ad.loc
> >>>
> >>> # Enumeration is discouraged for performance reasons.
> >>> enumerate = true
> >>>
> >>> -----------------------------------------------------
> >>>
> >>> With "ldap_id_mapping = true" everything works, getent passwd / 
> >>> group gets the user and group entries from our AD.
> >>>
> >>> But we want to use the sfu attributes from the AD, therefore I 
> >>> tried to switch to "ldap_id_mapping = true". After this sssd 
> >>> refuses to start. The logfile says:
> >>>
> >>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
> >>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [be_process_init] (0x0010): fatal error initializing data providers
> >>> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): Could not initialize backend [5]
> >>>
> >>> Our smb.conf:
> >>>
> >>> --------------------------------------------------------
> >>>
> >>> [global]
> >>>         workgroup = INVIS-AD
> >>>         realm = invis-ad.loc
> >>>         netbios name = INVISAD
> >>>         server role = active directory domain controller
> >>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> >>>         idmap_ldb:use rfc2307 = yes
> >>>
> >>>         .....
> >>>
> >>> ------------------------------------------------------------
> >>>
> >>> Any ideas why sssd crashes?
> >>>
> >>>
> >>> Stefan
> >>>
> >>>
> >>
> >>
> > You might get more response if you posted on the correct mailing list, 
> > sssd has nothing to do with samba.
> >
> > Rowland
> >
> OK, thanks for your answers. I took the whole configuration from the 
> Samba-Wiki, that's why I posted it here.

Uncomment ad_hostname and ad_server above and set up sssd correctly:
http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html
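
Added example (not part of the thread, and not SSSD or Samba code): a small check that encodes the advice in the reply above, flagging any enabled `id_provider = ad` domain that switches `ldap_id_mapping` off without explicit `ad_hostname` and `ad_server`. The function name is hypothetical, and the sample is constructed from the quoted sssd.conf with `ldap_id_mapping` set to false.

```python
import configparser

# Constructed sample: the domain section quoted in the thread, with
# ldap_id_mapping switched to false and the ad_* options still commented out.
SAMPLE = """\
[sssd]
services = nss, pam
domains = invis-ad.loc

[domain/invis-ad.loc]
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#ad_hostname = invisad.invis-ad.loc
#ad_server = invisad.invis-ad.loc
enumerate = true
"""

def check_ad_domains(text):
    """Return {domain: [findings]} for each enabled id_provider = ad domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    names = cp.get("sssd", "domains", fallback="")
    report = {}
    for name in (n.strip() for n in names.split(",")):
        if not name:
            continue
        section = "domain/" + name
        if not cp.has_section(section):
            report[name] = ["no [%s] section for an enabled domain" % section]
            continue
        dom = cp[section]
        if dom.get("id_provider", fallback="").strip().lower() != "ad":
            continue  # only the AD provider is in scope here
        findings = []
        # The AD provider maps IDs from the SID unless this is set to false.
        if not dom.getboolean("ldap_id_mapping", fallback=True):
            for key in ("ad_hostname", "ad_server"):
                if not dom.get(key, fallback="").strip():
                    findings.append(key + " is not set (advised in the reply)")
        if dom.getboolean("enumerate", fallback=False):
            findings.append("enumerate is on (discouraged by the config comment)")
        report[name] = findings
    return report

if __name__ == "__main__":
    for domain, findings in check_ad_domains(SAMPLE).items():
        for finding in findings or ["no findings"]:
            print("%s: %s" % (domain, finding))
```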


