[Samba] sssd on a DC

buhorojo buhorojo.lcb at gmail.com
Mon May 11 12:08:48 MDT 2015


On 11/05/15 19:19, Jonathan Hunter wrote:
> On 10 May 2015 at 16:11, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>> OK, I've got a little further and I think I have tracked this down to
>> a reverse DNS issue - which was non-obvious to me, so here is a
>> write-up for the benefit of the archives.
> Just to close this off - I have now got sssd configured and working on
> my Samba4 DCs (well, if I'm being picky, I have it on two out of three
> so far - the third is still to come, as I'll need to chown/chgrp
> thousands of files when I do that one)
>
> On these two separate machines (which were not ones I copied across
> idmap.ldb on (not that I'm using winbind now)), with a random test
> user (created some months ago, and which I have not used or tried to
> enumerate before), I get the following (sanitised) with sssd
> configured on each machine:
>
> [root at dc1 private]# id testuser
> uid=1528401182(testuser) gid=1528400513(domain users)
> groups=1528400513(domain
> users),1528402109(abc-test-ssh),1528402118(abc-test2-ssh),1528402646(users)
>
> and
>
> [root at dc2 ~]# id testuser
> uid=1528401182(testuser) gid=1528400513(domain users)
> groups=1528400513(domain
> users),1528402109(abc-test-ssh),1528402118(abc-test2-ssh)
>
> I have to say, I'm not sure where the 'users' group has gone to on dc2
> (or possibly where it comes from on dc1; these two machines are
> different builds actually) but I'm happy enough that the UIDs and GIDs
> are now identical across these two machines.
>
> In case anyone needs it, my sssd.conf is very simple. I'm using the
> standard sssd that comes with CentOS 6.6 (which is 1.11.6). Conf file
> is:
>
> [sssd]
> config_file_version = 2
> domains = domain.tld
> services = nss, pam
>
> [domain/domain.tld]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
> ldap_id_mapping = True
> ldap_schema = ad
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
>
Wow. Consistent idmapping without hacking the database. Give that man a 
large cool beer:)
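
An added example, not part of the thread and not code from Samba or sssd: a mechanical check of the two `id` outputs quoted above. It splits each mapped ID into slice and RID, assuming sssd's default `ldap_idmap_range_min` and `ldap_idmap_range_size` of 200000 (the posted sssd.conf sets neither), and reports groups seen on only one DC; the function names are hypothetical.

```python
import re

# sssd defaults for ldap_idmap_range_min and ldap_idmap_range_size.
# Assumption: in effect here, because the posted sssd.conf overrides neither.
RANGE_MIN = 200000
RANGE_SIZE = 200000

# `id testuser` output quoted in the post, unwrapped to one line per host.
ID_OUTPUT = {
    "dc1": "uid=1528401182(testuser) gid=1528400513(domain users) "
           "groups=1528400513(domain users),1528402109(abc-test-ssh),"
           "1528402118(abc-test2-ssh),1528402646(users)",
    "dc2": "uid=1528401182(testuser) gid=1528400513(domain users) "
           "groups=1528400513(domain users),1528402109(abc-test-ssh),"
           "1528402118(abc-test2-ssh)",
}

def parse_id(line):
    """Return (uid, gid, {gid: name}) from one line of id(1) output."""
    m = re.fullmatch(r"uid=(\d+)\([^)]*\) gid=(\d+)\([^)]*\) groups=(.*)",
                     line.strip())
    if not m:
        raise ValueError("unrecognised id output: %r" % line)
    groups = {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(3))}
    return int(m.group(1)), int(m.group(2)), groups

def split_id(unix_id):
    """Split a mapped ID into (slice, RID): id = min + slice * size + RID."""
    if unix_id < RANGE_MIN:
        raise ValueError("%d is below the mapping range" % unix_id)
    return divmod(unix_id - RANGE_MIN, RANGE_SIZE)

def compare(outputs):
    """Compare id output across hosts and summarise agreement and drift."""
    parsed = {h: parse_id(l) for h, l in outputs.items()}
    all_ids = {i for u, g, gs in parsed.values() for i in (u, g, *gs)}
    common = set.intersection(*(set(gs) for _, _, gs in parsed.values()))
    return {
        "same_uid_gid": len({(u, g) for u, g, _ in parsed.values()}) == 1,
        "slices": sorted({split_id(i)[0] for i in all_ids}),
        "rids": {i: split_id(i)[1] for i in sorted(all_ids)},
        "extra_groups": {h: {gs[i] for i in set(gs) - common}
                         for h, (_, _, gs) in parsed.items()},
    }

if __name__ == "__main__":
    for key, value in compare(ID_OUTPUT).items():
        print(key, value)
```

Every ID falls in the same slice and the remainder is the object's RID (513 is the well-known Domain Users RID), which is why the numbers agree on both DCs without a shared idmap.ldb.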


