On Tue, 2011-05-03 at 06:51 -0700, Ben Kevan wrote:
On Tue, May 3, 2011 at 4:47 AM, Stephen Gallagher sgallagh@redhat.com wrote: On Mon, 2011-05-02 at 21:56 -0700, Ben Kevan wrote: > I'm wondering what the heck I'm doing wrong. I'm working on getting > SSSD + KRB5 working against 2008 R2 AD. It's working fine in RHEL5 w/ > the standard LDAP.conf configuration. I'm working on sssd, but am not > getting a binddn connection to AD. Here's my config:
... > ldap_default_bind_dn = ldapbinddn@DOMAIN.COM This is not a DN. This is a username. It's not the same thing. You need to figure out ldapbinddn's full distinguished name in LDAP and use that.This wasn't the issue. You're able to use both the full DN, or the shortened target method. It may not be documented, but if you're able to traverse AD anonymously, then you'l ll be successful in the method above. This is how I configured LDAP.con in RHEL5 even though it requested the usage of a full DN.
That sounds like a non-standard extension, and I'd really advise against relying on it. I won't guarantee that we won't parse for a valid DN and reject it as an option (it may work right now, but I might call that a bug rather than a feature).
> wtf am I doing wrong, and is ldap for authentication better then > krb5? or should I stick with ldap for authorization and krb5 for > authentication? Using krb5 for authentication allows you to acquire a single-sign-on TGT for use with other applications, so it's probably the preferred method in your case.The issue was the ldap_uri, where I had both targets space delimited and not comma delimited.
Ah, yes. That's caused problems for people before as well.
However, I'm still having an issue with the results from getent passwd <user>. Right now it's pulling / as homeDirectory, where homeDirectory should report as /home/<user>. What mapping should this be on a 2008 R2 domain?
I'm guessing that ActiveDirectory isn't storing the homedir as the "homeDirectory" attribute by default. You'll have to look up what it should be in Windows Server 2008 R2, but at least on older systems the attribute would have been msSFU30HomeDirectory
So you'd set ldap_user_home_directory = msSFU30HomeDirectory in the sssd.conf
Also, pulling a getent group <groupname> I'm not egtting the correct list of members as it is in AD (in the pure ad group and not in the msSFU30 portion)
You shouldn't be. You should only see the list of POSIX-compliant members. If the user or group members don't have POSIX attributes, we ignore them, since they aren't (and cannot be) relevant.