[Samba] sssd configuration

Rowland Penny rowlandpenny at googlemail.com
Tue Sep 16 01:28:41 MDT 2014

On 16/09/14 08:19, Karel Lang AFD wrote:
> Hi,
> i'm not completely sure, if this is related to your problem, but when 
> i was configuring sssd.conf to look for information at 389 directory 
> server i had problem with 'id' command not showing the supplementary 
> groups of user.
> Problem was in combination of 'ldap_schema' and 'ldap_group_member'.
> The 'id' command got working properly when i used combination of:
> ldap_schema = rfc2307 with ldap_group_member = memberUID
> or
> ldap_schema = rfc2307bis with ldap_group_member = uniquemember
> Other combinations were failures
> Might that have any infuence?
You could very well be right, but not for the reasons you are thinking 
of. AD does not have 'uniquemember', but it does have 'memberUID' and 
depending on how Lars created his groups, it is more than likely that he 
doesn't have that either.


> cheers,
> On 09/16/2014 07:53 AM, steve wrote:
>> On Mon, 2014-09-15 at 23:05 +0200, Lars Hanke wrote:
>>>> Older versions of sssd back to 1.8 supported AD through the rfc2307bis
>>>> ldap schema. The configuration is a little more involved and you don't
>>>> get the drop-in AD engineered product, but it works and what's more it
>>>> would solve your Domain Users != domain users problem at the client 
>>>> end
>>>> at least. We documented the method for sssd <= 1.9.6 here:
>>>> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>>> Thanks for the hint. I started out to install sssd on my test system. I
>>> followed that link quite closely. But something strange happens: if 
>>> I do
>>> 'id myuser' it claims the user is unknown. Of course I can neither log
>>> in with that user.
>>> I did sssd -i -d 0x7f0 and checked what happens. For login I see 
>>> that it
>>> queries the AD LDAP for myuser, finds all its groups and then enters
>>> PAM. It performs a successful Kerberos authentication for the user.
>>> For id it does not query LDAP at all. Nothing in the logs, no 
>>> traffic in
>>> wireshark.
>>> Of course nssswitch.conf has 'compat sss' for passwd, group, and 
>>> shadow.
>>> Also pam_sss.so is listed in /etc/pam.d/common-*.
>>> Any ideas for troubleshooting?
>> It could be that old versions don't support it. Does a:
>> sssd -i -d7 give any clues?
>> Is there any way you can get an AD version for your distro? Or build it?
>> Any of the 1.11.x or 1.12.x series is fine.

More information about the samba mailing list