[Samba] sssd configuration

Lars Hanke debian at lhanke.de
Tue Sep 16 00:48:57 MDT 2014


On 16.09.2014 07:53, steve wrote:
> On Mon, 2014-09-15 at 23:05 +0200, Lars Hanke wrote:
>>> Older versions of sssd back to 1.8 supported AD through the rfc2307bis
>>> ldap schema. The configuration is a little more involved and you don't
>>> get the drop-in AD engineered product, but it works and what's more it
>>> would solve your Domain Users != domain users problem at the client end
>>> at least. We documented the method for sssd <= 1.9.6 here:
>>> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>>
>> Thanks for the hint. I started out to install sssd on my test system. I
>> followed that link quite closely. But something strange happens: if I do
>> 'id myuser' it claims the user is unknown. Of course I cannot log in
>> with that user either.
>>
>> I did sssd -i -d 0x7f0 and checked what happens. For login I see that it
>> queries the AD LDAP for myuser, finds all its groups and then enters
>> PAM. It performs a successful Kerberos authentication for the user.
>>
>> For id it does not query LDAP at all. Nothing in the logs, no traffic in
>> wireshark.
>>
>> Of course nsswitch.conf has 'compat sss' for passwd, group, and shadow.
>> Also pam_sss.so is listed in /etc/pam.d/common-*.
>>
>> Any ideas for troubleshooting?
>
> It could be that old versions don't support it. Does a:
> sssd -i -d7 give any clues?
> Is there any way you can get an AD version for your distro? Or build it?
> Any of the 1.11.x or 1.12.x series is fine.

I gave backporting 1.11 from Jessie a try, but I either have to rely on 
wheezy-backports for the samba-dev package or get a dozen samba4*-dev 
packages from wheezy as dependencies. I'm not sure that I really want that now.

I actually even gave winbind another try last night. I could log in and 
had all the users and groups, but it did not use any of the RFC2307 
information. In fact everything was mapped into the default range 
instead of the AD range. In fact I now have 3 samba 3.6.6 winbind test 
clients using the same config and producing different issues.

I'll probably stay with nslcd for now and rename all my relevant users 
and groups in the AD to lower case. Then it works fine with idmapd and 
the NAS. When Jessie becomes stable I'll probably revisit sssd.

Thanks for your help,
- lars.
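Editor's note: the thread above never shows the sssd.conf that was tried, so here is an added example of the ldap-provider setup it refers to (sssd 1.8/1.9 against AD via the rfc2307bis schema, Kerberos for authentication). It is not Lars's or steve's configuration, and the domain, host and base DN are placeholders. The AD-specific attribute mappings are the part people usually miss: with them absent, sssd searches for posixAccount objects, finds none, and 'id myuser' reports the user as unknown without a useful error.

```ini
# /etc/sssd/sssd.conf  (added example; mode 0600, owned by root)
# Placeholders: example.com / EXAMPLE.COM, dc.example.com, client.example.com
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Do not let the NSS layer hand out local/system accounts from AD.
filter_users = root
filter_groups = root

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# Authenticate the LDAP bind with the host keytab rather than a bind DN/password.
ldap_uri = ldap://dc.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
ldap_referrals = false

# AD stores POSIX data in the rfc2307bis layout; tell sssd which AD
# attributes carry the posixAccount/posixGroup fields.
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_group_member = member

# "Domain Users" vs "domain users": match names case-insensitively
# instead of renaming objects in AD.
case_sensitive = false

krb5_realm = EXAMPLE.COM
krb5_server = dc.example.com
cache_credentials = true
enumerate = false
```

Checks worth running after a change: 'sss_cache -E' (or stop sssd and remove /var/lib/sss/db/cache_example.com.ldb) so a negative cache entry from the earlier failed lookup does not mask the fix, then 'getent passwd myuser' rather than 'id', since the 'id' path goes through the same NSS call but adds group resolution on top. Users without a uidNumber in AD will still be reported as unknown; that is by design with this provider, not a bug.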

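Editor's note: the winbind symptom described above (all users landing in the default range rather than the AD-assigned IDs) is what Samba 3.6 does when the domain has no idmap backend of its own, because the allocating '*' backend then handles every SID. The smb.conf fragment below is an added example of the per-domain idmap_ad configuration that makes winbind read uidNumber/gidNumber from AD; it is not the configuration from the thread, and MYDOM / MYDOM.EXAMPLE.COM and the ranges are placeholders chosen to match the sssd example.

```ini
# /etc/samba/smb.conf  (added example for Samba 3.6.x winbind)
[global]
    workgroup = MYDOM
    realm = MYDOM.EXAMPLE.COM
    security = ads
    kerberos method = secrets and keytab

    # Catch-all backend for BUILTIN and foreign-domain SIDs only.
    # These IDs are allocated locally and are not meaningful on the NAS.
    # (On older 3.x this was spelled "idmap backend / idmap uid / idmap gid".)
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    # The AD domain itself: read POSIX IDs from the directory, never allocate.
    # The range must cover the uidNumber/gidNumber values actually stored in AD;
    # a value outside it is rejected, not silently remapped.
    idmap config MYDOM : backend = ad
    idmap config MYDOM : schema_mode = rfc2307
    idmap config MYDOM : range = 10000-99999

    # Take home directory and shell from unixHomeDirectory / loginShell too.
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
```

After editing, run 'net cache flush' and restart winbind, then compare 'wbinfo -i myuser' with the uidNumber held in AD. If the two still differ on one client but not on others with the same file, look at that client's winbindd_idmap.tdb: a mapping allocated while the domain had no backend stays cached until the tdb is removed, which is one way three identically configured clients end up behaving differently.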