[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start

Charles Gomes cgomes at clearpoolgroup.com
Thu Aug 28 08:19:45 MDT 2014


Did you ever get ACLs working without SFU?




-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Stefan Schäfer
Sent: Thursday, August 28, 2014 7:25 AM
To: samba at lists.samba.org
Subject: Re: [Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start

Problem solved.

Switching from "ldap_id_mapping = true" to "false" forces you to delete the whole database /var/lib/sssd/db/domain.ldb. sss_cache -UG isn't enough.

Stefan

On 27.08.2014 10:34, Stefan Schäfer wrote:
> Hello,
>
> We are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba
> packages 4.1.11. Samba runs as a single AD DC.
>
> We have removed the complete openSUSE samba stuff before testing. sssd 
> runs on the same machine as samba.
>
> Our sssd config:
>
> --------------------------------------------------------------------------------
>
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = invis-ad.loc
> debug_level = 0x0370
>
> # Global cache control
> # All values in seconds
> # default = 120
> enum_cache_timeout = 10
>
> # default = 15
> entry_negative_timeout = 5
>
> [nss]
>
> [pam]
>
> [domain/invis-ad.loc]
> # Domain-specific cache control
> # All values in seconds
> # Default = entry_cache_timeout = 5400
> entry_cache_user_timeout = 10
> entry_cache_group_timeout = 10
>
> # Using id_provider=ad sets the best defaults on its own
> id_provider = ad
> # In sssd, the default access provider is always 'permit'. The AD access
> # provider by default checks for account expiration
> access_provider = ad
>
> # Uncomment to use POSIX attributes on the server
> ldap_id_mapping = true
>
> # Uncomment if the client machine hostname doesn't match the computer
> # object on the DC.
> #ad_hostname = invisad.invis-ad.loc
>
> # Uncomment if DNS SRV resolution is not working
> #ad_server = invisad.invis-ad.loc
>
> # Uncomment if the domain section is named differently than your Samba domain
> #ad_domain = invis-ad.loc
>
> # Enumeration is discouraged for performance reasons.
> enumerate = true
>
> -----------------------------------------------------
>
> With "ldap_id_mapping = true" everything works, getent passwd / group 
> gets the user and group entries from our AD.
>
> But we want to use the sfu attributes from the AD, therefore I tried 
> to switch to "ldap_id_mapping = true". After this sssd refuses to 
> start. The logfile says:
>
> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [be_process_init] (0x0010): fatal error initializing data providers
> (Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): Could not initialize backend [5]
>
> Our smb.conf:
>
> --------------------------------------------------------
>
> [global]
>         workgroup = INVIS-AD
>         realm = invis-ad.loc
>         netbios name = INVISAD
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
>         .....
>
> ------------------------------------------------------------
>
> Any ideas why sssd crashes?
>
>
> Stefan
>
>


--
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
