[Samba] SSSD - inconsistent UIDs [solved]

steve steve at steve-ss.com
Fri Sep 19 02:15:57 MDT 2014


On 19/09/14 00:14, Peter Serbe wrote:
> I think I got it working...
>
> There were mainly two things I still had to fix:
>
> - first there seems to be an issue with SSSD on Debian (and Ubuntu).
> see: https://lists.fedorahosted.org/pipermail/sssd-users/2014-May/001685.html
> While trying to resolve the Kerberos server sssd tries to get a ticket from
> some Internet root servers... setting the ad_hostname/server/domain fixed these
> erratic issues with getting tickets.
Hi
It's a workaround though as it means that your DNS is wrong. sssd should
be able to find the DC using SRV. If you're in production, you need to
sort DNS as it has a bad habit of letting you down when you really
need it.
>
> - second I removed the local user account having the same name as the AD user.
> Then I adjusted the UID of the domain user with the RSAT tools on the value
> I got from getent passwd. Finally I fixed the ADCs to reflect these changes
> and removed all the bogus entries.
Yeah. If you need a local account and a domain account just use e.g.
peter and peter2. The one it picks depends on the order you have files
and sss in nsswitch.conf.
HTH,
Steve

>
> Now it seems to be working. At least for the moment.
> Maybe it could help other hobby admins out there...
>
> Best regards
> Peter
>
>
> Peter Serbe wrote on 18.09.2014 12:23:
>
>> I followed the advice from Arun, with some mixed success.
>> For a couple of days I had no success, while constantly
>> seeing that 'getent passwd' did not list domain users, but
>>
>> # getent passwd administrator
>> administrator:*:1855200500:1855200513:Administrator:/home/Administrator:/bin/sh
>>
>> Finally I got 'getent passwd' working by adding
>>
>> enumerate = true
>>
>> to the sssd.conf file *). Apparently this is a bug in sssd,
>> which may or may not occur. Maybe it would be a good idea,
>> to add a hint to the wiki documentation, that this option
>> might be a try when troubleshooting sssd.
>>
>> But now I see another strange thing: I did delete my
>> domain account and added it again - but even after a series
>> of rebooting setfacl uses the old uid. I did delete the
>> SSSD cache at /var/lib/sss/db/, but this did not have any
>> effect.
>>
>> Are there any other places, where I should delete something?
>> Do I need to disable the idmap_ldb:use rfc2307 entry in
>> smb.conf? Or would it be best to reprovision samba and
>> start all over?
>>
>> Thank You in advance!
>> Peter
>>
>>
>> *) got it from here:
>> http://unixspace.wordpress.com/2013/08/20/rhel-6-system-security-services-daemon-sssd-getent-not-showing-all-ldap-accounts/
>>
>>
>>
>> Arun Khan wrote on 09.09.2014 21:55:
>>
>>> On Tue, Sep 9, 2014 at 8:04 AM, Peter Serbe <peter at serbe.ch> wrote:
>>>> ..
>>>>
>>>> The reason can be found in the nslcd.conf
>>>>
>>>> ...
>>>> map     passwd  uid                sAMAccountName
>>>> ...
>>>
>>> Suggest use sssd in place of nslcd.  I have posted a copy of my
>>> sssd.conf that binds to LDAP (Samba4) in a post.
>>>
>>> -- Arun Khan
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>
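To make the nsswitch.conf ordering point above concrete, here is an added example (my own code, not from the thread or from sssd): it takes passwd-format records as `getent passwd -s files` and `getent passwd -s sss` would print them (constructed sample data), plus the passwd line of nsswitch.conf, and reports every login name defined by more than one source, which definition wins, and which UID is shadowed. The function names are my own.

```python
from typing import Dict, List

# Constructed sample input (not taken from the thread): what `getent passwd -s files`
# and `getent passwd -s sss` might return, plus the passwd line of nsswitch.conf.
NSSWITCH_PASSWD = "passwd: files sss"
FILES_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
peter:x:1001:1001:Peter:/home/peter:/bin/bash
"""
SSS_PASSWD = """\
peter:*:1855201104:1855200513:Peter Serbe:/home/peter:/bin/sh
administrator:*:1855200500:1855200513:Administrator:/home/Administrator:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map login name -> UID for passwd(5)-formatted records."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def nss_order(nsswitch_line: str) -> List[str]:
    """Lookup sources for passwd, in the order nsswitch.conf consults them."""
    key, _, sources = nsswitch_line.partition(":")
    if key.strip() != "passwd":
        raise ValueError("expected the passwd line of nsswitch.conf")
    # Action specifiers such as [NOTFOUND=return] are not sources.
    return [s for s in sources.split() if not s.startswith("[")]


def find_collisions(nsswitch_line: str, **source_text: str) -> Dict[str, dict]:
    """Names defined by more than one source: the source listed first in
    nsswitch.conf wins; every other definition is silently shadowed, which
    is how files end up owned by the UID of the account you did not mean."""
    tables = {name: parse_passwd(text) for name, text in source_text.items()}
    order = [s for s in nss_order(nsswitch_line) if s in tables]
    report = {}
    for user in set().union(*tables.values()):
        hits = [(src, tables[src][user]) for src in order if user in tables[src]]
        if len(hits) > 1:
            report[user] = {"wins": hits[0], "shadowed": hits[1:]}
    return report


if __name__ == "__main__":
    for user, info in find_collisions(NSSWITCH_PASSWD, files=FILES_PASSWD, sss=SSS_PASSWD).items():
        print(f"{user}: {info['wins'][0]} wins with uid {info['wins'][1]}; shadowed: {info['shadowed']}")
```

Feeding it real `getent passwd -s files` and `getent passwd -s sss` output is a quick way to find the duplicate local accounts Steve is talking about before they cause ACL surprises.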