[Samba] SSSD - inconsistent UIDs [solved]

Peter Serbe peter at serbe.ch
Thu Sep 18 16:14:14 MDT 2014


I think I got it working...

There were mainly two things I still had to fix:

- First, there seems to be an issue with SSSD on Debian (and Ubuntu).
See: https://lists.fedorahosted.org/pipermail/sssd-users/2014-May/001685.html
While trying to resolve the Kerberos server, sssd tries to get a ticket from
some Internet root servers... Setting ad_hostname/ad_server/ad_domain fixed these
erratic issues with getting tickets.

- Second, I removed the local user account that had the same name as the AD user.
Then I adjusted the UID of the domain user with the RSAT tools to the value
I got from getent passwd. Finally I fixed the ADCs to reflect these changes
and removed all the bogus entries.

Now it seems to be working. At least for the moment.
Maybe it will help other hobby admins out there...

Best regards
Peter 


Peter Serbe wrote on 18.09.2014 12:23:

> I followed the advice from Arun, with some mixed success. 
> For a couple of days I had no success, while constantly 
> seeing that 'getent passwd' did not list domain users, but 
> 
> # getent passwd administrator
> administrator:*:1855200500:1855200513:Administrator:/home/Administrator:/bin/sh
> 
> Finally I got 'getent passwd' working by adding 
> 
> enumerate = true
> 
> to the sssd.conf file *). Apparently this is a bug in sssd,
> which may or may not occur. Maybe it would be a good idea
> to add a hint to the wiki documentation that this option
> might be worth a try when troubleshooting sssd.
> 
> But now I see another strange thing: I deleted my
> domain account and added it again - but even after a series
> of reboots setfacl uses the old uid. I did delete the
> SSSD cache at /var/lib/sss/db/, but this did not have any
> effect.
> 
> Are there any other places, where I should delete something?
> Do I need to disable the idmap_ldb:use rfc2307 entry in 
> smb.conf? Or would it be best to reprovision samba and 
> start all over?
> 
> Thank you in advance!
> Peter
> 
> 
> *) got it from here:
> http://unixspace.wordpress.com/2013/08/20/rhel-6-system-security-services-daemon-sssd-getent-not-showing-all-ldap-accounts/
> 
> 
> 
> Arun Khan wrote on 09.09.2014 21:55:
> 
>> On Tue, Sep 9, 2014 at 8:04 AM, Peter Serbe <peter at serbe.ch> wrote:
>>>..
>>>
>>> The reason can be found in the nslcd.conf
>>>
>>> ...
>>> map     passwd  uid                sAMAccountName
>>> ...
>> 
>> Suggest use sssd in place of nslcd.  I have posted a copy of my
>> sssd.conf that binds to LDAP (Samba4) in a post.
>> 
>> -- Arun Khan
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
> 
> 
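The two fixes in this thread (the ad_* options in sssd.conf plus `enumerate = true`, and a local account shadowing a domain account with the same name) are easy to check for before rolling out ACLs on a member server. The following script is an added example written for this page, not code from the thread or from the SSSD project: it validates a constructed sssd.conf fragment for the options discussed above, then compares constructed /etc/passwd and `getent passwd` output to flag name collisions (where the local UID wins in NSS and setfacl lands on the wrong UID) and UIDs that differ from the rfc2307 uidNumber recorded in AD. All hostnames, domain names, account names and UID values are constructed sample data.

```python
import configparser

# Constructed sssd.conf fragment (sample values, not the poster's config).
# Option names (enumerate, ad_domain, ad_server, ad_hostname, ldap_id_mapping)
# are documented in sssd.conf(5) and sssd-ad(5).
SSSD_CONF = """\
[sssd]
domains = example.internal
services = nss, pam

[domain/example.internal]
id_provider = ad
access_provider = ad
enumerate = true
ad_domain = example.internal
ad_server = dc1.example.internal
ad_hostname = member1.example.internal
ldap_id_mapping = false
"""

# Options the thread found necessary to stop sssd hunting for a KDC elsewhere.
REQUIRED_AD_OPTIONS = ("ad_domain", "ad_server", "ad_hostname")

# Constructed /etc/passwd lines: 'peter' exists locally with UID 1000.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
peter:x:1000:1000:Peter,,,:/home/peter:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed 'getent passwd' output once sssd enumerates the domain:
# local entries first, then domain entries served via the sss NSS module.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
peter:x:1000:1000:Peter,,,:/home/peter:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
administrator:*:1855200500:1855200513:Administrator:/home/Administrator:/bin/sh
peter:*:1855201104:1855200513:Peter Serbe:/home/peter:/bin/sh
anna:*:10001:1855200513:Anna Example:/home/anna:/bin/sh
"""

# Constructed uidNumber values as they would appear in RSAT (rfc2307 attributes).
AD_UIDNUMBER = {"administrator": 1855200500, "peter": 1855201104, "anna": 10002}


def check_sssd_conf(text):
    """Return a list of findings for every [domain/...] section in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider") == "ad":
            missing = [o for o in REQUIRED_AD_OPTIONS if o not in opts]
            if missing:
                findings.append(f"{section}: missing {', '.join(missing)}")
        if opts.get("enumerate", "false").lower() != "true":
            findings.append(f"{section}: enumerate is not true, 'getent passwd' will not list domain users")
    return findings


def parse_passwd(text):
    """Parse passwd(5)-format lines into (name, uid) tuples; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, ignore rather than crash the check
        entries.append((fields[0], int(fields[2])))
    return entries


def find_name_collisions(local_text, getent_text):
    """Names in /etc/passwd that another NSS source also serves under a different UID.
    With 'files' ahead of 'sss' in nsswitch.conf the local UID wins, so ACLs set
    with setfacl end up on the local UID instead of the domain UID."""
    local = dict(parse_passwd(local_text))
    collisions = {}
    for name, uid in parse_passwd(getent_text):
        if name in local and local[name] != uid:
            collisions[name] = (local[name], uid)
    return collisions


def find_uid_mismatches(getent_text, ad_uidnumbers, local_text):
    """Domain accounts whose resolved UID differs from the uidNumber stored in AD."""
    local_names = {name for name, _ in parse_passwd(local_text)}
    mismatches = {}
    for name, uid in parse_passwd(getent_text):
        if name in local_names:
            continue  # shadowed accounts are reported by find_name_collisions
        expected = ad_uidnumbers.get(name)
        if expected is not None and expected != uid:
            mismatches[name] = (uid, expected)
    return mismatches


if __name__ == "__main__":
    for finding in check_sssd_conf(SSSD_CONF):
        print("sssd.conf:", finding)
    for name, (local_uid, domain_uid) in find_name_collisions(LOCAL_PASSWD, GETENT_PASSWD).items():
        print(f"collision: {name} is local UID {local_uid} but domain UID {domain_uid}")
    for name, (seen, expected) in find_uid_mismatches(GETENT_PASSWD, AD_UIDNUMBER, LOCAL_PASSWD).items():
        print(f"mismatch: {name} resolves to UID {seen}, AD uidNumber is {expected}")
```

On a real member server the two text inputs would come from `cat /etc/passwd` and `getent passwd`, and the uidNumber map from an LDAP query against the DC; the script only reads and compares, it changes nothing. A collision report is the cue to remove or rename the local account (as done above) and to re-apply ACLs against the domain UID.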


