[Samba] sssd on a DC

Achim Gottinger achim at ag-web.biz
Mon May 11 23:34:43 MDT 2015


Hello Jonathan,

On 11.05.2015 at 17:19, Jonathan Hunter wrote:
> On 10 May 2015 at 16:11, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>> OK, I've got a little further and I think I have tracked this down to
>> a reverse DNS issue - which was non-obvious to me, so here is a
>> write-up for the benefit of the archives.
> Just to close this off - I have now got sssd configured and working on
> my Samba4 DCs (well, if I'm being picky, I have it on two out of three
> so far - the third is still to come, as I'll need to chown/chgrp
> thousands of files when I do that one)
>
> On these two separate machines (which were not ones I copied across
> idmap.ldb on (not that I'm using winbind now)), with a random test
> user (created some months ago, and which I have not used or tried to
> enumerate before), I get the following (sanitised) with sssd
> configured on each machine:
>
> [root at dc1 private]# id testuser
> uid=1528401182(testuser) gid=1528400513(domain users)
> groups=1528400513(domain users),1528402109(abc-test-ssh),1528402118(abc-test2-ssh),1528402646(users)
>
> and
>
> [root at dc2 ~]# id testuser
> uid=1528401182(testuser) gid=1528400513(domain users)
> groups=1528400513(domain users),1528402109(abc-test-ssh),1528402118(abc-test2-ssh)
>
> I have to say, I'm not sure where the 'users' group has gone to on dc2
> (or possibly where it comes from on dc1; these two machines are
> different builds actually) but I'm happy enough that the UIDs and GIDs
> are now identical across these two machines.
>
> In case anyone needs it, my sssd.conf is very simple. I'm using the
> standard sssd that comes with CentOS 6.6 (which is 1.11.6). Conf file
> is:
>
> [sssd]
> config_file_version = 2
> domains = domain.tld
> services = nss, pam
>
> [domain/domain.tld]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
> ldap_id_mapping = True
> ldap_schema = ad
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
>
The example you provided shows only domain groups, I guess. Does it also 
work with system groups like "Authenticated Users", which are used for 
sysvol?


With ldap_id_mapping=True sssd does this:

By default, the AD provider will map UID and GID values from the 
objectSID parameter in Active Directory. For details on this, see the 
"ID MAPPING" section below. If you want to disable ID mapping and 
instead rely on POSIX attributes defined in Active Directory, you should 
set ldap_id_mapping = False.

Achim~
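As an added worked example (not code from the sssd project and not part of this thread), the following Python reimplements the objectSID-to-POSIX-ID mapping the man page excerpt above refers to. It assumes sssd's documented defaults (ldap_idmap_range_min = 200000, ldap_idmap_range_max = 2000200000, ldap_idmap_range_size = 200000, giving 10000 slices) and assumes, matching sssd's libsss_idmap as far as I know it, that the slice is chosen by hashing the domain SID string with MurmurHash3 x86_32 seeded with 0xdeadbeef; the POSIX ID is then range_min + slice * range_size + RID. That is why Jonathan's UIDs agree on two independently built DCs: with identical defaults the result depends only on the domain SID and the object's RID, not on which machine asks, and his uid=1528401182 decomposes into slice 7641 and RID 1182 (gid 1528400513 into slice 7641 and RID 513, Domain Users). The domain SID used below is constructed, since the posted output is sanitised. Slice collisions and the secondary slices sssd uses for RIDs at or above the range size are not modelled, and a well-known SID such as S-1-5-11 (Authenticated Users) is rejected rather than mapped, because it carries no domain SID to hash; what sssd itself does with such SIDs is not covered by this example.

```python
"""Reimplementation of sssd's default algorithmic ID mapping (ldap_id_mapping = True).

Added example, not sssd project code.  Assumptions: sssd's documented default
range/slice parameters, and slice selection by MurmurHash3 x86_32 of the domain
SID string with seed 0xdeadbeef.  Slice collisions and secondary slices for
RIDs >= RANGE_SIZE are not modelled.
"""

RANGE_MIN = 200000          # ldap_idmap_range_min default
RANGE_MAX = 2000200000      # ldap_idmap_range_max default
RANGE_SIZE = 200000         # ldap_idmap_range_size default
HASH_SEED = 0xDEADBEEF      # seed assumed to match sssd's libsss_idmap
MASK32 = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3_x86_32 over `data`, 4-byte little-endian blocks."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
    # Finalisation mix.
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def max_slices() -> int:
    """Number of primary slices the configured range can hold (10000 by default)."""
    return (RANGE_MAX - RANGE_MIN) // RANGE_SIZE


def domain_slice(domain_sid: str) -> int:
    """Slice index chosen for a domain SID such as S-1-5-21-a-b-c."""
    return murmurhash3_32(domain_sid.encode("ascii"), HASH_SEED) % max_slices()


def split_sid(sid: str) -> tuple:
    """Split a domain object SID into (domain SID, RID); reject well-known SIDs."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain object SID, cannot map by slice: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def sid_to_posix_id(sid: str) -> int:
    """POSIX UID/GID the default mapping assigns to `sid` (primary slice only)."""
    domain_sid, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} needs a secondary slice, not modelled here")
    return RANGE_MIN + domain_slice(domain_sid) * RANGE_SIZE + rid


def posix_id_to_slice_rid(posix_id: int) -> tuple:
    """Inverse: recover (slice, RID) from a mapped UID/GID."""
    if not RANGE_MIN <= posix_id < RANGE_MAX:
        raise ValueError(f"{posix_id} is outside the ID-mapping range")
    return divmod(posix_id - RANGE_MIN, RANGE_SIZE)


if __name__ == "__main__":
    # Constructed domain SID; the thread's real domain SID is not shown.
    dom = "S-1-5-21-3623811015-3361044348-30300820"
    for name, rid in (("testuser", 1182), ("domain users", 513)):
        print(f"{name}: {dom}-{rid} -> {sid_to_posix_id(f'{dom}-{rid}')}")
    # The IDs posted in the thread decompose to slice 7641 plus the RID.
    print(posix_id_to_slice_rid(1528401182))
    print(posix_id_to_slice_rid(1528400513))
```

A quick consistency check on a live system is to compare `id -u testuser` with the slice/RID decomposition above for a few accounts: every object from the same domain must land in the same slice, and the offset within the slice must equal the RID at the end of its objectSID.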

