[Samba] sssd + samba4 not working (yet)

Rowland Penny rowlandpenny at googlemail.com
Wed Feb 19 07:04:18 MST 2014


On 19/02/14 13:52, steve wrote:
> On Wed, 2014-02-19 at 13:52 +0100, Kenneth Westelinck wrote:
>> Thanks.
>> - I compiled Samba 4.1.4 for Wheezy from sernet's package sources
>> - I am compiling sssd 1.11.3 from Sid on Wheezy (it is compiling as we
>> speak, I hope)
>> Thanks for offering packages, but I'm on ARM and I don't have a Debian
>> Intel machine to cross-compile :)
>>
>> If sssd is not supported, why bother documenting it:
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd :)
>>
> Samba _developers_ don't support it. Many others do however.
>
>> I'll see if I have better luck with sssd 1.11.3 and try to read-up on
>> documentation on the sssd side. Keep you posted.
> Hi, from the sssd thread on sssd-dev, the only reason sssd is not
> working as you expect is because you do not have uidNumber nor gidNumber
> specified in the DNs of your users and/or groups.
> S
>
>>
>> On Wed, Feb 19, 2014 at 1:36 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>> Ai...
>>>
>>> and I forgot to mention.
>>>
>>> SSSD is NOT supported by samba developers, questions about it ask on the
>>> sssd mailing list.
>>>
>>> ;-)
>>>
>>> You better go and try samba4 winbind, it has all you need.
>>> and these questions you can ask here ..
>>>
>>> Regards,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>>> On behalf of L.P.H. van Belle
>>>> Sent: Wednesday 19 February 2014 13:33
>>>> To: Kenneth Westelinck
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] sssd + samba4 not working (yet)
>>>>
>>>> google for : "If people want, this is how:  samba 4.1.3 and
>>>> sssd 1.11.3 for debian wheezy"
>>>> and here you go:
>>>> https://lists.samba.org/archive/samba/2014-January/177934.html
>>>> outlined what you need.
>>>>
>>>> The order of the files you install with dpkg -i must be
>>>> correct (or set up an apt repo),
>>>> and you need samba-dev for sssd to compile, so first samba,
>>>> and all samba depends.
>>>>
>>>> I did it.. it's doable.
>>>> And a tip: samba 4.1.4 is hard to do, it didn't work for me last
>>>> time, so pick the source of 4.1.3 and start compiling.
>>>>
>>>> And if you ask nicely I can put them online, but only for a short time.
>>>> I don't have the needed line atm for everybody.
>>>>
>>>> I have the source and packages there if you want.  ( with
>>>> needed depends )
>>>>
>>>> apt-cache policy sssd-ad
>>>> sssd-ad:
>>>>   Installed: 1.11.3-1
>>>>   Candidate: 1.11.3-1
>>>>   Version table:
>>>> *** 1.11.3-1 0
>>>>         700 http://CENCORED/debian/wheezy/amd64/  Packages
>>>>         100 /var/lib/dpkg/status
>>>>
>>>>
>>>> apt-cache policy samba
>>>> samba:
>>>>   Installed: 2:4.1.3+dfsg-2
>>>>   Candidate: 2:4.1.3+dfsg-2
>>>>   Version table:
>>>> *** 2:4.1.3+dfsg-2 0
>>>>         700 http://CENCORED/debian/wheezy/amd64/  Packages
>>>>         100 /var/lib/dpkg/status
>>>>
>>>> And a tip: if you start compiling, I advise using your own
>>>> compiled samba4 and not the backports.
>>>> This is because of the depends needed for compiling.
>>>> You can try, but I didn't test that mix.
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: kenneth.westelinck at gmail.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Kenneth Westelinck
>>>>> Sent: Wednesday 19 February 2014 12:58
>>>>> To: steve
>>>>> CC: samba at lists.samba.org
>>>>> Subject: Re: [Samba] sssd + samba4 not working (yet)
>>>>>
>>>>> - Updated (using s4domaingroup-change-gid) gidNumber to 513 (to match
>>>>> what it was in my old LDAP + SAMBA setup)
>>>>> - Created a new user (1002:513) with samba-tool and made sure uidNumber
>>>>> and gidNumber are filled in
>>>>> - checked with apache directory studio (
>>>>> http://www.clearcenter.com/support/documentation/clearos_guides/using_apache_directory_studio_with_samba_directory_-_samba_4)
>>>>> if attributes are available in LDAP, they are
>>>>>
>>>>> What's next?
>>>>> (in the meantime I'll try to backport sid's sssd package)
>>>>>
>>>>>
>>>>> On Wed, Feb 19, 2014 at 12:31 PM, Kenneth Westelinck <
>>>>> kenneth.westelinck at gmail.com> wrote:
>>>>>
>>>>>> this might work:
>>>>>>
>>>>>> http://linuxcostablanca.blogspot.be/2012/02/samba-4-posix-domain-user.html
>>>>>>
>>>>>> On Wed, Feb 19, 2014 at 11:58 AM, steve <steve at steve-ss.com> wrote:
>>>>>>
>>>>>>> On Wed, 2014-02-19 at 08:07 +0100, Kenneth Westelinck wrote:
>>>>>>>> All,
>>>>>>>>
>>>>>>>>
>>>>>>>> Keytab should be fine, as I used the instructions from the wiki to
>>>>>>>> export it:
>>>>>>>> root at bubba3-one:/etc# klist -k krb5.sssd.keytab
>>>>>>>> Keytab name: FILE:krb5.sssd.keytab
>>>>>>>> KVNO Principal
>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>     1 bubba3-one$@EARTH.LOCAL
>>>>>>>>     1 bubba3-one$@EARTH.LOCAL
>>>>>>>>     1 bubba3-one$@EARTH.LOCAL
>>>>>>>> root at bubba3-one:/etc#
>>>>>>>>
>>>>>>>>
>>>>>>>> getent passwd Administrator doesn't return anything
>>>>>>>>
>>>>>>>>
>>>>>>>> I guess I have the uid number stored:
>>>>>>>> root at bubba3-one:/etc# wbinfo --user-info Administrator
>>>>>>>> EARTH\Administrator:*:0:100::/home/EARTH/Administrator:/bin/false
>>>>>>>> root at bubba3-one:/etc#
>>>>>>> getent doesn't work because you do not have the uid:gid stored in AD.
>>>>>>> Add something like:
>>>>>>> uidNumber: 10000
>>>>>>> gidNumber: 20513
>>>>>>> to the DN of Administrator
>>>>>>> and:
>>>>>>> gidNumber: 20513
>>>>>>> to the DN of Domain Users
>>>>>>>
>>>>>>> HTH
>>>>>>> Steve
>>>>>>>
>>>>>>> Next question? How?
>>>>>>>
>>>>>>>
>>>>>>>
>>>
>
Of course the OP could just change this in sssd.conf:

ldap_id_mapping=false

To:

ldap_id_mapping=true

and then restart sssd

He will then get the same effect as the winbind idmap rid backend.

But I am not allowed to tell you this ;-)

Rowland
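
The diagnosis in this thread (with ldap_id_mapping=false, sssd needs uidNumber/gidNumber stored on the AD entries) can be checked offline against an LDIF export. The following is an added example, not part of the original message and not Samba or sssd code; it assumes the export contains only user and group entries, and `parse_ldif`, `posix_gaps`, the `svc-backup` account and the sample LDIF are constructed for illustration.

```python
# Added example, not from the thread. The LDIF below is constructed sample data.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=earth,DC=local
objectClass: user

dn: CN=kenneth,CN=Users,DC=earth,DC=local
objectClass: user
uidNumber: 1002
gidNumber: 513

dn: CN=svc-backup,CN=Users,
 DC=earth,DC=local
objectClass: user
uidNumber: 10000
gidNumber: 20513

dn: CN=Domain Users,CN=Users,DC=earth,DC=local
objectClass: group
gidNumber: 513
"""


def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    entries = []
    # A newline followed by one space is LDIF line folding; undo it first.
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:  # skips comment-only and referral blocks
            entries.append(entry)
    return entries


def posix_gaps(entries):
    """Map DN -> POSIX attribute problems that matter when ldap_id_mapping = false."""
    group_gids = {e["gidnumber"][0] for e in entries
                  if "group" in e.get("objectclass", []) and "gidnumber" in e}
    report = {}
    for e in entries:
        is_user = "user" in e.get("objectclass", [])
        wanted = ("uidNumber", "gidNumber") if is_user else ("gidNumber",)
        problems = [a for a in wanted if a.lower() not in e]
        gid = e.get("gidnumber", [None])[0]
        if is_user and gid and gid not in group_gids:
            problems.append(f"gidNumber {gid} has no matching group")
        if problems:
            report[e["dn"][0]] = problems
    return report
```

Calling `posix_gaps(parse_ldif(text))` on a real export lists every entry that still needs attributes added; an empty result means all exported users and groups carry the numbers sssd reads.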

