Notice: I sent this email to the list using another mail address, which I
believe was not verified properly. If this email is properly sent to the
list you can disregard moderating the message.
Hello
I'm setting up a single sign-on solution for about 1200 servers. The
situation as it seems is that we are setting up all users in a Windows 2008
R2 Active Directory, adding proper Unix permissions. A user with proper
privileges to read Active Directory is being used by sssd to read which
users are allowed in and which are not. If the users do not have a home
directory, it is created automatically. So what's the issue here? Access to
the system does not happen instantaneously, and I believe it's because sssd is
polling Active Directory every 120 seconds. It seems as if it has issues
retaining its state, and it is just as if it loses its local database.
I would like users to be able to log in directly after a user is
added to Active Directory. Is this possible, and how could this be
achieved?
Versions being used: Debian 7.4
ii sssd 1.8.4-2 amd64 System Security Services Daemon
ii sssd-tools 1.8.4-2 amd64 System Security Services Daemon -- tools
config:
--
[sssd]
config_file_version = 2
domains = int.home.local
services = nss, pam
debug_level = 0
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/int.home.local]
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# Uncomment if service discovery is not working
ldap_uri = ldap://win-04vje0onhci.int.home.local
# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not
# available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM
# Define these only if anonymous binds are not allowed and no keytab is
# available
# Enabling use_start_tls is very important, otherwise the bind password is
# transmitted over the network in the clear
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
ldap_schema = rfc2307bis
ldap_user_search_base = CN=Users,DC=int,DC=home,DC=local
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = CN=Builtin,DC=int,DC=home,DC=local
#ldap_group_search_base = ou=group,dc=int,dc=home,dc=local
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = win-04vje0onhci.int.home.local
krb5_realm = int.home.local
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
# Perhaps you need to redirect to certain attributes?
# ldap_user_object_class = user
# ldap_user_name = sAMAccountName
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_gecos = displayName
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = cn
# ldap_group_gid_number = msSFU30GidNumber
--
Vänliga Hälsningar / Best Regards
Paul Liljenberg
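An added example, not part of Paul's mail: a POSIX sh lint that reads a constructed sssd.conf modelled on the one above and flags what a reviewer would raise in it (a simple-bind password over ldap:// with ldap_id_use_start_tls left commented out, the password itself sitting in the file, and enumerate = true), next to a hardened variant that passes. The host names and the secret in both samples are constructed placeholders.

```shell
# Added example (not from the mail): lint an sssd.conf domain section for the
# weak settings visible in the posted config. Both samples are constructed.
WEAK_CONF=$(cat <<'EOF'
[sssd]
domains = int.home.local
[domain/int.home.local]
enumerate = true
ldap_uri = ldap://dc.example.invalid
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
EOF
)
# Same domain hardened: LDAPS transport, keytab (GSSAPI) bind instead of a
# password in the file, enumeration off.
HARDENED_CONF=$(cat <<'EOF'
[domain/int.home.local]
enumerate = false
ldap_uri = ldaps://dc.example.invalid
ldap_sasl_mech = GSSAPI
EOF
)
# get_opt CONF SECTION KEY: print KEY's value inside [SECTION]. Commented-out
# lines are skipped, so "#ldap_id_use_start_tls = True" counts as unset.
get_opt() {
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == "[" sec "]"); next }
    insec && !/^[ \t]*#/ && /=/ {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit } }'
}
# lint_domain CONF DOMAIN: one finding per line on stdout; exit status = count.
lint_domain() {
  sec="domain/$2"; n=0
  uri=$(get_opt "$1" "$sec" ldap_uri)
  tls=$(get_opt "$1" "$sec" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
  tok=$(get_opt "$1" "$sec" ldap_default_authtok)
  enum=$(get_opt "$1" "$sec" enumerate | tr 'A-Z' 'a-z')
  case $uri in ldaps://*) encrypted=1 ;; *) encrypted=0 ;; esac
  [ "$tls" = true ] && encrypted=1
  if [ -n "$tok" ] && [ "$encrypted" -eq 0 ]; then
    echo "CRITICAL: simple-bind password crosses the wire in clear (ldap:// and no start_tls)"; n=$((n+1)); fi
  if [ -n "$tok" ]; then
    echo "WARN: bind password stored in sssd.conf; prefer a keytab (ldap_sasl_mech = GSSAPI)"; n=$((n+1)); fi
  if [ "$enum" = true ]; then
    echo "INFO: enumerate = true pulls every user and group periodically; costly on large domains"; n=$((n+1)); fi
  return $n
}
lint_domain "$WEAK_CONF" int.home.local; echo "findings: $?"   # 3 for the weak sample
```

Point it at a real file with `lint_domain "$(cat /etc/sssd/sssd.conf)" int.home.local`; the hardened sample prints nothing and exits 0.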