I'm not completely sure if this is related to your problem, but when I 
was configuring sssd.conf to look for information at 389 Directory 
Server I had a problem with the 'id' command not showing the supplementary 
groups of a user.
The problem was in the combination of 'ldap_schema' and 'ldap_group_member'.
The 'id' command got working properly when I used the combination of:
ldap_schema = rfc2307 with ldap_group_member = memberUID
ldap_schema = rfc2307bis with ldap_group_member = uniquemember

Other combinations were failures.
Might that have any influence?


On 09/16/2014 07:53 AM, steve wrote:
> On Mon, 2014-09-15 at 23:05 +0200, Lars Hanke wrote:
>>> Older versions of sssd back to 1.8 supported AD through the rfc2307bis
>>> ldap schema. The configuration is a little more involved and you don't
>>> get the drop-in AD engineered product, but it works and what's more it
>>> would solve your Domain Users != domain users problem at the client end
>>> at least. We documented the method for sssd <= 1.9.6 here:
>>> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>> Thanks for the hint. I started out to install sssd on my test system. I
>> followed that link quite closely. But something strange happens: if I do
>> 'id myuser' it claims the user is unknown. Of course I can't log
>> in with that user either.
>> I did sssd -i -d 0x7f0 and checked what happens. For login I see that it
>> queries the AD LDAP for myuser, finds all its groups and then enters
>> PAM. It performs a successful Kerberos authentication for the user.
>> For id it does not query LDAP at all. Nothing in the logs, no traffic in
>> wireshark.
>> Of course nsswitch.conf has 'compat sss' for passwd, group, and shadow.
>> Also pam_sss.so is listed in /etc/pam.d/common-*.
>> Any ideas for troubleshooting?
> It could be that old versions don't support it. Does a:
> sssd -i -d7 give any clues?
> Is there any way you can get an AD version for your distro? Or build it?
> Any of the 1.11.x or 1.12.x series is fine.
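As an added example (not from anyone in this thread), here is a small POSIX shell check that reads the ldap_schema and ldap_group_member values from the [domain/...] section of an sssd.conf and reports whether they form one of the pairings the first poster found working (rfc2307 with memberUid, rfc2307bis with uniqueMember). It goes beyond the post in two ways: when a key is unset it applies sssd's documented defaults (ldap_schema defaults to rfc2307; ldap_group_member defaults to memberuid for rfc2307 and member for rfc2307bis), and it also accepts member for rfc2307bis. The two config files, the example.invalid host names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check the ldap_schema / ldap_group_member pairing
# in an sssd.conf, the combination that decides whether 'id' shows
# supplementary groups. Attribute names are compared case-insensitively,
# which is how LDAP treats them.

# Print the value of KEY from a [domain/...] section of FILE ("" if unset).
sssd_domain_value() {
    file="$1"; key="$2"
    awk -v key="$key" '
        # Track whether we are inside a [domain/...] section.
        /^[[:space:]]*\[/ { insec = ($0 ~ "^[[:space:]]*\\[domain/"); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "key ="
            sub(/[[:space:]]+$/, "")         # drop trailing blanks
            print; exit
        }' "$file"
}

# Print "ok" when the pairing is one of the working ones, else "mismatch".
check_sssd_group_pairing() {
    file="$1"
    schema=$(sssd_domain_value "$file" ldap_schema | tr 'A-Z' 'a-z')
    member=$(sssd_domain_value "$file" ldap_group_member | tr 'A-Z' 'a-z')
    # sssd defaults (from the sssd-ldap man page) when keys are unset.
    [ -n "$schema" ] || schema=rfc2307
    if [ -z "$member" ]; then
        case "$schema" in
            rfc2307)    member=memberuid ;;
            rfc2307bis) member=member ;;
        esac
    fi
    case "$schema:$member" in
        rfc2307:memberuid)                         echo ok ;;
        rfc2307bis:uniquemember|rfc2307bis:member) echo ok ;;
        *)                                         echo mismatch ;;
    esac
}

# Constructed sample configs (not a real deployment).
TMPDIR_EX=$(mktemp -d)
GOOD_CONF="$TMPDIR_EX/sssd-good.conf"
BAD_CONF="$TMPDIR_EX/sssd-bad.conf"

# The rfc2307bis + uniqueMember pairing reported to work.
cat > "$GOOD_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
EOF

# The mismatched pairing (rfc2307bis with memberUid) that leaves 'id'
# without supplementary groups.
cat > "$BAD_CONF" <<'EOF'
[domain/example]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_group_member = memberUid
EOF

printf '%s: %s\n' "$GOOD_CONF" "$(check_sssd_group_pairing "$GOOD_CONF")"
printf '%s: %s\n' "$BAD_CONF"  "$(check_sssd_group_pairing "$BAD_CONF")"
```

Run it against a real file with `check_sssd_group_pairing /etc/sssd/sssd.conf` after sourcing the script; a "mismatch" is a strong hint to look at the schema/attribute pair before digging into nsswitch or PAM.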

