1.9.4 on openSUSE 12.3 with Samba4 AD

Hi

Everything is fine apart from that we'd like getent passwd to throw out all users. At the moment it only returns single-user information, and even then only if we specify the user:

getent passwd
<loadsa local users>
<nothing from AD>
but:
getent passwd steve2
steve2:*:3000034:20513:steve2:/home/users/steve2:/bin/bash
We've tried enumerate = TRUE and waited for 30 minutes on a test domain with only 2 users and 2 groups, but getent passwd still returns a blank for domain users.

Everything else is fine. Authentication, group membership... Any ideas on the getent?

Cheers,
Steve

(This is my first post here and I've only had time for a quick look through the archive, so please accept my apologies if this is OT.)
/etc/nsswitch.conf

passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap

auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site

ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=hh3,dc=site
ldap_group_name = cn
ldap_group_member = member
ldap_user_search_filter = (&(objectCategory=User)(uidNumber=*))

ldap_sasl_mech = gssapi
ldap_sasl_authid = HH16$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
On 04/14/2013 10:42 PM, steve wrote:
/etc/nsswitch.conf

passwd: compat sss
group:  compat sss
This does not seem right. Why do you need compat? The man page indicates that "compat" can't be used with anything else. http://www.daemon-systems.org/man/nsswitch.conf.5.html Maybe you mean: files sss

If you need all users to be returned you would need to turn on enumeration; however, why is it really needed? Do you have any scripts or apps that rely on the full list of users being available? If not, I suggest you turn enumeration off.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
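Dmitri's enumeration point, as an added example that is not a file from the thread: the one per-domain setting that decides whether `getent passwd` with no argument includes domain users, shown with its default beside the enabled form. Option names and defaults are those documented in sssd.conf(5) and sssd-ldap(5) for the 1.9 series; nothing here is taken from Steve's config except the search filter.

```ini
# Added example, not the poster's sssd.conf. Whichever variant is used,
# /etc/nsswitch.conf should read
#   passwd: files sss
#   group:  files sss
# Enumeration only affects the "list everything" calls (getent passwd with
# no argument, getpwent()); lookups by name or UID work either way.

[domain/default]
id_provider = ldap

# Default: enumeration off. `getent passwd steve2` is answered from the
# directory, but `getent passwd` alone returns only what the other NSS
# sources (files) hold, which is what the original post describes.
#enumerate = false

# For scripts that need the full domain list: enumeration on. sssd fetches
# every user and group matching the search filters into its cache when it
# starts and re-reads the list periodically, so `getent passwd` also returns
# the cached domain entries.
enumerate = true
# Seconds between full re-reads of the directory (sssd-ldap(5) default).
ldap_enumeration_refresh_timeout = 300
# Keeping the poster's filter means accounts without a uidNumber are never
# listed, which is what you want: they have no POSIX identity anyway.
ldap_user_search_filter = (&(objectCategory=User)(uidNumber=*))

[nss]
# Seconds an enumeration result is served from cache before sssd re-reads
# its database for the next getpwent() pass (sssd.conf(5) default).
enum_cache_timeout = 120
```

After changing it, restart sssd and clear the cache (`sss_cache -E`) so the first enumeration actually runs against the directory. With enumeration on, sssd downloads every matching user and group and keeps refreshing that list, which is the load reason it is off by default and why the question "do your scripts really need the full list?" matters before flipping it.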
On 04/15/2013 03:15 PM, Dmitri Pal wrote:
This does not seem right. Why do you need compat? The man page indicates that "compat" can't be used with anything else. http://www.daemon-systems.org/man/nsswitch.conf.5.html Maybe you mean: files sss

If you need all users to be returned you would need to turn on enumeration; however, why is it really needed? Do you have any scripts or apps that rely on the full list of users being available? If not, I suggest you turn enumeration off.
Hi

Sorry. Yes, in desperation, we've tried all of 'files sss', 'compat sss' and just plain 'sss'. We run a Samba 4 AD and yes, we have scripts which use getent passwd. These are mainly wrappers around samba-tool, their CLI config tool.

Steve
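Steve's wrappers want the domain accounts out of getent passwd. As an added example that is not from the thread, from Samba or from sssd, the sketch below takes the per-name route that already works in the poster's setup even with enumerate = FALSE: feed it account names (for instance from `samba-tool user list`) and it resolves each one through NSS, reporting the names that have no POSIX entry instead of silently dropping them. The GETENT hook and the 3000000 UID floor are assumptions made for the example; the passwd line used in the usage note is the one from Steve's post.

```sh
# Added example, not code from the thread. Resolves AD user names one at a
# time through NSS so wrapper scripts do not depend on `getent passwd`
# enumerating the whole domain.
#
# GETENT is a hook (assumption) so the resolver can be swapped for a stub
# when exercising the script offline; by default it is the real getent(1).
GETENT="${GETENT:-getent}"

# resolve_posix_users: read one user name per line on stdin, print the
# passwd(5) line for every name NSS can resolve, and name the ones it cannot
# on stderr. Returns 0 when every name resolved, 1 otherwise, so a wrapper
# can stop rather than act on an incomplete list.
resolve_posix_users() {
    status=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if entry=$("$GETENT" passwd "$name" 2>/dev/null) && [ -n "$entry" ]; then
            printf '%s\n' "$entry"
        else
            # Typical cause in the poster's setup: the AD account exists but
            # has no uidNumber, so it is excluded by ldap_user_search_filter.
            printf 'no POSIX entry for %s\n' "$name" >&2
            status=1
        fi
    done
    return "$status"
}

# count_domain_entries: read passwd(5) lines on stdin and print how many have
# a UID at or above the given floor. The floor separates local accounts from
# directory ones; 3000000 matches the UID seen in the thread (assumption).
count_domain_entries() {
    floor="$1"
    awk -F: -v floor="$floor" '$3 >= floor { n++ } END { print n + 0 }'
}

# Typical use on the Samba AD DC:
#   samba-tool user list | resolve_posix_users
#   samba-tool user list | resolve_posix_users | count_domain_entries 3000000
```

Because every name goes through the same NSS path as a login, the list you get is exactly the set of accounts the box can actually map to UIDs, without turning on enumeration and without the 30-minute wait for the cache.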