On Mon, Dec 17, 2012 at 06:00:21PM -0800, Andrew Wygle wrote:
Hello,
Thanks to the help of this list I successfully got SSSD to
authenticate against a Windows Server 2008 R2 Active Directory domain
controller. SSH logins work. I am, however, having a problem with UID and
GID mappings. I have set the following mappings in sssd.conf:
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
I know these are the
defaults, but I specified them explicitly just in case. I see the same
behavior with them unset, which makes sense.
When I go to look up a
user's information, either with getent or by logging in as them and running
id, I see that their UIDs and GIDs are set to ridiculously large values.
Take Bob as an example. I expect him to have UID 1001 and GID 1003, because
that's what's specified in Active Directory and when I run ldapsearch
that's what I see as the uidNumber and gidNumber properties. However, I get
the following result from getent passwd bob:
bob:*:863601112:863600513:Bobby Wallingford:/home/bob:/bin/bash
This is internally consistent - if I do getent group on Bob's primary group,
it returns the same GID as the one Bob is set to. However, I don't see the
same behavior on a Mac that is joined to our domain - there, id bob returns
1001 as his UID and 1003 as his GID. The only thing in the logs that looks
much like an error is a line that looks like:
[sssd[be[domain.com]]] [sdap_save_group] (0x1000): Mapping user [bob] objectSID to unix ID
(replace user with group and bob with the group name when searching for
groups). This doesn't exactly seem correct, but also doesn't seem like it
would produce the error I'm seeing.
I didn't see any obvious pattern to
the bits either (endianness error, inverted somehow, some kind of weird
sign error, etc).
Any help will be appreciated.
Maybe the following snippet from the sssd-ad man page will help:
"By default, the AD provider will map UID and GID values from the
objectSID parameter in Active Directory. For details on this, see the
“ID MAPPING” section below. If you want to disable ID mapping and
instead rely on POSIX attributes defined in Active Directory, you should
set
ldap_id_mapping = False"
Most AD setups do not have the POSIX attributes set, so sssd defaults to
using the objectSID attribute to calculate UIDs and GIDs. With
"ldap_id_mapping = False" you should see the same IDs as on your Mac.
HTH
bye,
Sumit
Thanks,
~Andrew Wygle
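An added example (not from this thread or from the SSSD project) that shows the arithmetic behind the large IDs above: with ID mapping on, SSSD places each domain in a slice of 200000 IDs and adds the RID from the objectSID, so 863601112 decomposes into slice 4317 plus RID 1112. It assumes the ldap_idmap_range_min/max/size defaults documented in sssd-ad(5); the SID string in the test is constructed.

```python
import re

# sssd-ad(5) defaults for ID mapping: ldap_idmap_range_min, ldap_idmap_range_max,
# ldap_idmap_range_size. A domain is hashed to one slice of RANGE_SIZE IDs and an
# object's Unix ID is slice_base + RID. (Simplified: RIDs >= RANGE_SIZE, which
# SSSD serves from extra slices, are not handled here.)
RANGE_MIN = 200000
RANGE_MAX = 2000200000
RANGE_SIZE = 200000

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_sid(sid):
    """Split a domain account SID into (domain_sid, rid)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return sid[: sid.rfind("-")], int(m.group(4))


def mapped_id(slice_index, rid):
    """Unix ID SSSD assigns to `rid` when the domain landed in `slice_index`."""
    return RANGE_MIN + slice_index * RANGE_SIZE + rid


def decompose_mapped_id(unix_id):
    """Return (slice_index, rid) if unix_id lies in the default mapping range.

    IDs below RANGE_MIN (e.g. 1001 from uidNumber) come from POSIX attributes,
    not from objectSID mapping, so None is returned for them.
    """
    if not RANGE_MIN <= unix_id < RANGE_MAX:
        return None
    offset = unix_id - RANGE_MIN
    return offset // RANGE_SIZE, offset % RANGE_SIZE


def explain_passwd_line(line):
    """Classify the UID and GID of a `getent passwd` line as mapped or POSIX."""
    name, _pw, uid, gid = line.split(":")[:4]
    return name, decompose_mapped_id(int(uid)), decompose_mapped_id(int(gid))


if __name__ == "__main__":
    # The getent output from the thread: both IDs share slice 4317; the GID's
    # RID 513 is the well-known RID of "Domain Users".
    print(explain_passwd_line("bob:*:863601112:863600513:Bobby Wallingford:/home/bob:/bin/bash"))
```

If the decomposition yields a slice index and a plausible RID, the IDs come from objectSID mapping and `ldap_id_mapping = False` is the switch to use the uidNumber/gidNumber attributes instead.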
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel