[Samba] Samba AD domain member with SSSD: ACL not work
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 15 07:42:17 UTC 2017
Have you seen:
( centos/redhat )
https://outsideit.net/realmd-sssd-ad-authentication/
( debian/ubuntu )
http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/
But I must say, I haven't tested/tried these, I don't use sssd.
But I think these are useful for you to read at least.
If you use the debian variant, you may also need to install
one or more of these: libnss-sss libpam-sss libsss-idmap0 libsss-sudo
But, as Rowland is saying, you will get better support on the sssd list.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dario Lesca via
> samba
> Sent: Tuesday 14 February 2017 18:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD domain member with SSSD: ACL not work
>
> On Tue, 14/02/2017 at 16.13 +0000, Rowland Penny via samba wrote:
> > Have you modified /etc/nsswitch.conf ?
> No:
> > passwd: files sss
> > shadow: files sss
> > group: files sss
>
> by default nsswitch.conf is configured to use sssd
>
> > If you haven't, then you are not using winbind, you are using sssd.
> Yes, I use sssd, if this is not a problem for samba.
>
> > In which case you should remove the 'idmap config' lines from
> > smb.conf.
>
> Ok, now I have removed these 4 lines, restarted smb and tested: ACLs still
> do not work.
>
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: Samba name server SAMBA-DATI is now a local master browser for workgroup SRL on subnet 192.168.1.5
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.
>
> The error still exists
>
> > You should also try asking on the sssd users mailing list for help,
> > because if you are not using winbind for authentication, this is
> > probably where your problem lies.
>
> Ok, but my question now is: is it possible to use samba in conjunction
> with sssd?
>
> Or is this kind of configuration not allowed or not fully tested or
> supported by the samba team?
>
> > If you want use winbind instead of sssd, you will need to turn sssd
> > off.
>
> Ok, this is another possible solution, if I am not able to
> configure samba + sssd
>
>
> Many Thanks
>
>
> --
> Dario Lesca
> (sent from my Linux Fedora 25 Workstation)
>