[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start
Stefan Schäfer
ml at fsproductions.de
Thu Aug 28 05:24:36 MDT 2014
Problem solved.
Switching from "ldap_id_mapping = true" to "false" forces you to delete the
whole database /var/lib/sssd/db/domain.ldb. sss_cache -UG isn't enough.
Stefan
On 27.08.2014 10:34, Stefan Schäfer wrote:
> Hello,
>
> we are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba
> Packages 4.1.11. Samba runs as a single AD DC
>
> We have removed the complete openSUSE samba stuff before testing. sssd
> runs on the same machine as samba.
>
> Our sssd config:
>
> --------------------------------------------------------------------------------
>
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = invis-ad.loc
> debug_level = 0x0370
>
> # Global cache control
> # all values in seconds
> # default = 120
> enum_cache_timeout = 10
>
> # default = 15
> entry_negative_timeout = 5
>
> [nss]
>
> [pam]
>
> [domain/invis-ad.loc]
> # Domain-specific cache control
> # All values in seconds
> # Default = entry_cache_timeout = 5400
> entry_cache_user_timeout = 10
> entry_cache_group_timeout = 10
>
> # Using id_provider=ad sets the best defaults on its own
> id_provider = ad
> # In sssd, the default access provider is always 'permit'. The AD access
> # provider by default checks for account expiration
> access_provider = ad
>
> # Uncomment to use POSIX attributes on the server
> ldap_id_mapping = true
>
> # Uncomment if the client machine hostname doesn't match the computer object on the DC.
> #ad_hostname = invisad.invis-ad.loc
>
> # Uncomment if DNS SRV resolution is not working
> #ad_server = invisad.invis-ad.loc
>
> # Uncomment if the domain section is named differently than your Samba domain
> #ad_domain = invis-ad.loc
>
> # Enumeration is discouraged for performance reasons.
> enumerate = true
>
> -----------------------------------------------------
>
> With "ldap_id_mapping = true" everything works, getent passwd / group
> gets the user and group entries from our AD.
>
> But we want to use the sfu attributes from the AD, therefore I tried
> to switch to "ldap_id_mapping = true". After this sssd refuses to
> start. The logfile says:
>
> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [be_process_init] (0x0010): fatal error initializing data providers
> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): Could not initialize backend [5]
>
> Our smb.conf:
>
> --------------------------------------------------------
>
> [global]
> workgroup = INVIS-AD
> realm = invis-ad.loc
> netbios name = INVISAD
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> .....
>
> ------------------------------------------------------------
>
> Any ideas why sssd crashes?
>
>
> Stefan
>
>
--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten