sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O-bound performance issue anyway.
Thanks for your time.
1 year, 8 months
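The post above runs into the difference between the two NSS views of a group: the member list that getgrnam() returns (what "getent group" prints, and the view the poster reports polkit using) and the initgroups list that getgrouplist() returns (what "id -G" prints). ignore_group_members = True empties the first view while leaving the second intact, which is why a user can still be "in" the group for id -G while the group looks empty elsewhere. The script below, an added example that is not part of the post or of SSSD itself, resolves both views through the local NSS stack for a user/group pair and classifies the result; the user and group names on the command line are assumptions (it defaults to root/root so it runs on any Linux box).

```python
"""Compare the member-list and initgroups views of one group membership.

Added example, not code from the original post or from the SSSD project.
  * member-list view : grp.getgrnam(group).gr_mem   -> what `getent group` shows
  * initgroups view  : os.getgrouplist(user, gid)   -> what `id -G` shows
With ignore_group_members = True SSSD stops filling gr_mem but still answers
initgroups, so the two views disagree for every SSSD-served group.
"""
import grp
import os
import pwd
import sys

BOTH = "visible in both views"
INITGROUPS_ONLY = "initgroups only (member list hidden, e.g. ignore_group_members = True)"
MEMBER_LIST_ONLY = "member list only (initgroups does not report the group)"
NOT_A_MEMBER = "not a member in either view"


def classify(user, group_gid, gr_mem, initgroups):
    """Pure decision on already-fetched data, so it can be tested without NSS."""
    in_member_list = user in gr_mem
    in_initgroups = group_gid in initgroups
    if in_member_list and in_initgroups:
        return BOTH
    if in_initgroups:
        return INITGROUPS_ONLY
    if in_member_list:
        return MEMBER_LIST_ONLY
    return NOT_A_MEMBER


def group_visibility(user, group):
    """Resolve both views through whatever NSS modules nsswitch.conf lists (files, sss, ...)."""
    pw = pwd.getpwnam(user)            # raises KeyError if the user does not resolve at all
    gr = grp.getgrnam(group)           # raises KeyError if the group does not resolve at all
    initgroups = os.getgrouplist(user, pw.pw_gid)
    return {
        "user": user,
        "group": group,
        "gid": gr.gr_gid,
        "in_member_list": user in gr.gr_mem,
        "in_initgroups": gr.gr_gid in initgroups,
        "verdict": classify(user, gr.gr_gid, gr.gr_mem, initgroups),
    }


if __name__ == "__main__":
    # assumed invocation: group_visibility.py <user> <group>; defaults exist on every Linux host
    user = sys.argv[1] if len(sys.argv) > 1 else "root"
    group = sys.argv[2] if len(sys.argv) > 2 else "root"
    for key, value in group_visibility(user, group).items():
        print(f"{key:15} {value}")
```

Run it against a domain user and the polkit group with ignore_group_members on and off: the verdict should flip between "visible in both views" and "initgroups only", and any authorization check that only reads the member list will follow it.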
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
uid=1796201107(bolke@ad.local) gid=1796201107(bolke@ad.local) groups=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
3 years, 10 months
SSSD for one-way trusted AD domain
by Ondrej Valousek
Hi List,
Question: we have joined a machine into AD domain B. This domain has a one-way trust to domain A. No direct connection from the domain B network to DCs in domain A is possible.
Can we use SSSD to authenticate members of domain A?
In Windows this works, but I can't get it working in Linux via SSSD (Fedora 25, used realmd for the AD join).
Thanks,
Ondrej
5 years, 4 months
id -G user only showing primary group
by Jeff Sadowski
I'm running Fedora 26
sssd --version
1.15.3
I am authenticating against an Active Directory domain that has POSIX
extensions enabled.
All my Ubuntu and CentOS machines are using PowerBroker or winbind to
authenticate to the domain.
I want to transition away from PowerBroker.
I tried using winbind to connect Fedora but I end up with issues of it
not using the POSIX extensions from my Active Directory.
So I tried sssd out and see that users show correctly when I run the command
getent passwd <username>
When using winbind I had to use templates for the shell and home
directories, which I did not like.
This is not happening on my Ubuntu or CentOS servers with the same config.
Their config, if it helps, is as follows:
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
Since that wasn't working, I uninstalled winbind and reinstalled sssd
(I had removed it while testing Samba since I know they can
interfere.)
I used realm to leave and rejoin the domain.
It looks like realm rewrote my smb.conf file as such:
[global]
security = user
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
template homedir=/na/homes/%U
template shell=/bin/bash
My sssd.conf file looks like so
[sssd]
domains = mind.unm.edu
config_file_version = 2
services = nss, pam
[domain/mind.unm.edu]
ad_domain = mind.unm.edu
krb5_realm = MIND.UNM.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_id_mapping = True
ldap_id_mapping = False
#use_fully_qualified_names = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#
debug = 3
I learned that with ldap_id_mapping = True I was getting funny UIDs and
that interfered with my Isilon that is using rfc2307 to our domain.
And I want to log in with <username> not <domain>\\<username>, so I set
use_fully_qualified_names = False.
While reading this
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
under the section:
Common AD provider issues -> A group my user is a member of doesn't
display in the id output
"In case the group is not present in the id -G output at all, there is
something up with the initgroups part."
This is the case, but I'm not really sure where to go from here.
I set debug on the domain to 3 and my /var/log/sssd/sssd_<domainname>
looks as follows when I run id -G <user>;
in this case the user is jsadowski.
id -G <username> is only showing the primary group for any user I have tried.
...
(Tue Oct 31 09:16:10 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:11 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]] [get_access_filter] (0x0010): Warning: LDAP access rule 'filter' is set, but no ldap_access_filter configured. All domain users will be denied access.
(Tue Oct 31 09:18:16 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:23:45 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:26:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:36:00 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
...
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [Subdomains Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [SUDO Full Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [AD machine account password renewal]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5]: [Input/output error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of current addresses [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-544
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-555
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-551
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such attribute](16)[attribute 'member': no matching attribute value while deleting attribute on 'name=Administrators@mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb']
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sysdb_update_members_ex] (0x0020): Could not remove member [jsadowski@mind.unm.edu] from group [name=Administrators@mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb]. Skipping
(Tue Oct 31 10:16:54 2017) [sssd[be[mind.unm.edu]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
5 years, 10 months
what are the causes of Port status of port 389 for server is 'not working'
by Jeremy Monnet
Hi,
I have that error message that I do not understand, because I have 2 Ubuntu
servers set up the same way (but one Ubuntu 14.04 and one Ubuntu 16.04). Ubuntu
14 is working fine, I can authenticate and sudo just fine; Ubuntu 16 can
list users and groups but I cannot authenticate nor sudo. And I see in
sssd_domain.log:
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Of course, port 389 is indeed reachable, and I have joined and re-joined
the domain several times, deleted the computer object in AD, checked
several times that the keytab was created, and that I could kinit with it...
One thing is that I join a child AD domain and try to log in with an
account from the main domain; that is probably an issue, but as that works
on the other Ubuntu with the same setup, I am stuck...
Thanks,
Jeremy
5 years, 10 months
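The lines quoted above are SSSD's failover code walking its candidate list: each server gets a name-resolution status and a per-port status, and 'not working' on a port means an earlier connection or bind attempt on that port failed, not that the port is closed, which is why a TCP-reachable 389 can still be reported that way. The parser below is an added example, not from the post or from the SSSD project; it reads the excerpt exactly as posted (joined back into single lines, placeholders included) and turns it into a per-server summary plus the conclusions a responder would draw from it.

```python
"""Summarize SSSD failover state from sssd_<domain>.log lines.

Added example, not code from the post or from the SSSD project.
Recognized lines (all real sssd_be debug output):
  [get_server_status] ... Status of server 'X' is 'S'
  [get_port_status]   ... Port status of port N for server 'X' is 'S'
  [fo_resolve_service_send] ... No available servers for service 'SVC'
  [sdap_id_op_connect_done] ... Failed to connect, going offline
"""
import re
from collections import OrderedDict

# The excerpt from the post above, with the wrapped lines rejoined; server names are the
# poster's own placeholders.
SAMPLE_LOG = """\
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""

SERVER_RE = re.compile(r"\[get_server_status\] \(0x[0-9a-fA-F]+\): Status of server '([^']+)' is '([^']+)'")
PORT_RE = re.compile(r"\[get_port_status\] \(0x[0-9a-fA-F]+\): Port status of port (\d+) for server '([^']+)' is '([^']+)'")
NO_SERVER_RE = re.compile(r"No available servers for service '([^']+)'")
OFFLINE_RE = re.compile(r"Failed to connect, going offline")


def summarize(log_text):
    """Collect server/port states in the order the failover code visited them."""
    servers = OrderedDict()
    summary = {"servers": servers, "exhausted_services": [], "went_offline": False}
    for line in log_text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            servers.setdefault(m.group(1), {"status": None, "ports": {}})["status"] = m.group(2)
            continue
        m = PORT_RE.search(line)
        if m:
            port, server, status = int(m.group(1)), m.group(2), m.group(3)
            servers.setdefault(server, {"status": None, "ports": {}})["ports"][port] = status
            continue
        m = NO_SERVER_RE.search(line)
        if m:
            summary["exhausted_services"].append(m.group(1))
            continue
        if OFFLINE_RE.search(line):
            summary["went_offline"] = True
    return summary


def diagnose(summary):
    """One finding per problem the summary exposes."""
    findings = []
    for server, info in summary["servers"].items():
        if info["status"] != "name resolved":
            findings.append("%s: name resolution state is '%s'; check DNS and the SRV records"
                            % (server, info["status"]))
        for port, status in sorted(info["ports"].items()):
            if status == "not working":
                findings.append("%s port %d is '%s': a previous connect or bind on it failed, so failover "
                                "skips it until its retry timeout expires; the real error is in the earlier "
                                "sdap/sasl lines, which need a higher debug_level to appear"
                                % (server, port, status))
    if summary["went_offline"]:
        findings.append("backend went offline for service(s) %s: every candidate was skipped, "
                        "so the reachability of port 389 is not what decided this"
                        % (", ".join(summary["exhausted_services"]) or "?"))
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```

Feed it a full sssd_<domain>.log captured at debug_level = 6 or higher and the 'not working' entries will sit a few lines below the actual bind error (in this thread's other post that was a GSSAPI "Server not found in Kerberos database" from the SASL bind).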
AD auth with multiple domains
by Jeremy Monnet
Hi,
I am trying to set up authentication against Active Directory with
multiple domains, and I haven't been able to find the recommended way to do
it (it is very possible I missed it...), so I am looking for explanation
and advice.
With a master domain example.com, and subdomains sub1.example.com,
sub2.example.com, etc., how would you set up sssd (and the Linux system) to
authenticate the users from all the domains?
To give the example, my user is AD admin across all the forests (
my_user@example.com), and I want to authenticate on all the servers,
smtp.example.com or proxy.sub1.example.com, etc. I also want on some
computers to authenticate a customer's account (my_customer@sub1.example.com).
For now, I have 2 different setups :
- on computers from example.com
[sssd]
config_file_version = 2
debug_level =0
domains = example.com
services = nss, pam
[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 8
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#dyndns_update = false
- on computers from sub1.example.com
[sssd]
config_file_version = 2
debug_level =0
domains = sub1.example.com,example.com
services = nss, pam
[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false
[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I join the computer to example.com or to sub1.example.com:
adcli join example.com -U my_user@EXAMPLE.COM
or
adcli join sub1.example.com -U my_user@EXAMPLE.COM
as I would do with an ordinary Windows workstation.
And for AD, I use the posix attributes (and that may be the way...) so if a
UID or GID exists in both domains, I happen to find wrong group names, etc.
I hope my questions are clear enough ! :-) What am I doing wrong ? What are
the recommended settings for that situation ?
Thanks,
Jeremy
5 years, 10 months
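Several of the configurations in these threads fail in ways that are visible in the file itself before sssd_be ever talks to a DC: the earlier Fedora post's log shows a backend refusing to start with "Missing krb5_realm option!" and an access provider that "will deny all domain users" because no ldap_access_filter is set, the first post is about ignore_group_members emptying group member lists, and the multi-domain setup above relies on short names and POSIX attributes across domains. The linter below is an added example, not part of any of the posts or of SSSD; it uses Python's configparser on an sssd.conf and reports those pitfalls. The sample configuration is constructed for the example (real sssd.conf(5) option names, fictitious domains), and the checks are the editor's reading of the documented defaults, not logic from SSSD's own config validator.

```python
"""Lint an sssd.conf for the pitfalls seen in the threads above.

Added example, not code from the posts or from the SSSD project.
Findings are (level, domain, code, message) tuples.
"""
import configparser

# Constructed sample: two AD domains, one of them misconfigured in the ways the posted logs show.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = sub1.example.com, example.com
services = nss, pam

[domain/example.com]
enumerate = true
id_provider = ad
auth_provider = krb5
access_provider = ldap
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
id_provider = ad
ad_domain = sub1.example.com
krb5_realm = SUB1.EXAMPLE.COM
access_provider = ad
ldap_id_mapping = false
use_fully_qualified_names = False
ignore_group_members = True
"""

TRUE_WORDS = {"true", "yes", "1"}


def is_true(value, default=False):
    return default if value is None else value.strip().lower() in TRUE_WORDS


def lint(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []

    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    sections = {s[len("domain/"):]: s for s in cp.sections() if s.startswith("domain/")}

    for name in declared:
        if name not in sections:
            findings.append(("error", name, "missing-section",
                             "listed in [sssd] domains but [domain/%s] does not exist" % name))
    for name in sections:
        if name not in declared:
            findings.append(("warn", name, "unlisted-section",
                             "[domain/%s] exists but is not in [sssd] domains, so it is never started" % name))

    for name, sec in sections.items():
        def opt(key, default=None, _sec=sec):
            return cp.get(_sec, key, fallback=default)

        # sssd-krb5(5): krb5_realm is required by the krb5 auth provider; without it sssd_be logs
        # "Missing krb5_realm option!" and the backend never initializes (seen in the Fedora post).
        if opt("auth_provider") == "krb5" and not opt("krb5_realm"):
            findings.append(("error", name, "krb5-realm",
                             "auth_provider = krb5 without krb5_realm: backend fails to start"))
        # sssd-ldap(5): ldap_access_order defaults to 'filter'; an unset ldap_access_filter then
        # denies everyone ("All domain users will be denied access" in the posted log).
        if opt("access_provider") == "ldap":
            order = [o.strip() for o in opt("ldap_access_order", "filter").split(",")]
            if "filter" in order and not opt("ldap_access_filter"):
                findings.append(("error", name, "access-filter",
                                 "access_provider = ldap with rule 'filter' but no ldap_access_filter: "
                                 "every user is denied"))
        if is_true(opt("enumerate")):
            findings.append(("warn", name, "enumerate",
                             "enumerate = true downloads the whole user and group set; on large AD "
                             "domains this is the slow path the first post describes"))
        if is_true(opt("ignore_group_members")):
            findings.append(("info", name, "ignore-group-members",
                             "group member lists come back empty (getent group); initgroups (id -G) "
                             "still works, so anything that reads member lists sees empty groups"))
        if opt("ldap_id_mapping") is not None and not is_true(opt("ldap_id_mapping")):
            findings.append(("info", name, "posix-ids",
                             "ldap_id_mapping = false: every user/group needs uidNumber/gidNumber in AD; "
                             "objects without them are not returned"))

    if len(declared) > 1:
        short = [n for n, s in sections.items()
                 if not is_true(cp.get(s, "use_fully_qualified_names", fallback="false"))]
        if short:
            findings.append(("warn", "sssd", "short-names",
                             "several domains but %s answer short names: lookups try the domains in "
                             "the listed order and the first match wins, so a name or numeric ID present "
                             "in more than one domain is ambiguous" % ", ".join(short)))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for level, domain, code, message in lint(text):
        print("%-5s %-18s %-21s %s" % (level, domain, code, message))
```

Run it as lint.py /etc/sssd/sssd.conf (the file is root-only, mode 0600, so use sudo) before restarting sssd; the three "error" findings are the ones that make a backend unusable, the rest are the trade-offs the threads above argue about.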
Re: [Freeipa-interest] Announcing SSSD 1.16.0
by Jakub Hrozek
On Mon, Oct 23, 2017 at 08:46:08PM +0200, Michael Ströder wrote:
> HI!
>
> Has anything changed with building the man pages?
>
> I'm asking because I now get formatting markup in the output of man (see
> below).
No, not that I'm aware of. You render the man pages locally, right,
because the tarball only contains the XML sources?
>
> Ciao, Michael.
>
> SSSD-LDAP(5)
> File Formats and Conventions
> SSSD-LDAP(5)
>
> .SH "NAME" sssd-ldap - SSSD LDAP provider
>
> .SH "DESCRIPTION"
>
> .PP This manual page describes the configuration of LDAP domains
> for sssd(8). Refer to the “FILE FORMAT” section of the sssd.conf(5)
> manual page for detailed syntax information.
>
> .PP You can configure SSSD to use more than one LDAP domain.
>
5 years, 10 months
sssd with OTP does not work in all cases.
by Asif Iqbal
With pam_securid.so
I can put in /etc/pam.d/sshd
auth sufficient pam_securid.so
and at ssh login, I just put the PIN at the Password: prompt and then I get the Enter
SMS Token: prompt and I can then put the
tokencode and I can ssh into the server fine.
If I do the same with pam_sss.so it keeps asking for Password: and never
changes the prompt to Enter SMS Token:, and ssh fails badly.
At this second Password: prompt I tried with just the tokencode (at 18:45:34 in the
log below) or PIN and tokencode (at 18:47:55). Neither let
me in and failed eventually.
I think it is because pam_sss -> proxy -> securid -> pam_securid is failing
to handle the PAM conversation?
Is there a way to fix that so pam_sss behaves the right way and lets me
authenticate in two steps with PIN and then TokenCode on the next step?
Also without this PAM conversation, when the PIN expires it will not let
you update it. With a simple pam.d/sshd and auth sufficient pam_securid.so
that works very well as well.
I have sssd.conf set up like this
auth_provider = proxy
proxy_pam_target = securid
And in the pam.d/securid file
auth sufficient pam_securid.so
Here are some logs http://dpaste.com/2HD27XH.txt where
I tried with the PIN at the first Password: prompt and then the TokenCode at the second
Password: prompt at 18:45:34 and failed to log in
And
I tried with the PIN at the first Password: prompt and then PIN and TokenCode at the
second Password: prompt at 18:47:55 and failed to log in
I tried with SELinux off and on and got the same result.
If I put PIN and TokenCode at the first Password: prompt, login works fine.
I did not put any log for that here.
Any suggestion how to fix pam_sss for OTP?
Thanks!
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
5 years, 11 months
loss of id / i have no name!
by Thomas Beaudry
Hi,
I have repeated issues with users losing their usernames (only being mapped to their uid; in the terminal it says "I have no name!@host"). It doesn't happen daily, but it is extremely frustrating because they are running scientific pipelines that take a few hours to several days to complete, and as soon as their name is lost, it fails and the pipeline has to start from scratch.
My setup is as follows.
Client: Ubuntu 16.04 (Note that my university has licenses for Redhat, I could upgrade to it if it will 100% fix my problem. I simply use Ubuntu since a lot of scientific packages are already tailored for it, and it saves me weeks of work).
Server: Windows AD, with a Windows NFS file server.
What I don't understand is that if a user is successfully able to authenticate, why isn't the account cached and used for their entire session? How can a name be lost if it is cached? I have the following in my sssd.conf:
cache_credentials = True
krb5_store_password_if_offline = True
I have had this issue for quite a while, so upon a previous sssd user's suggestion, I disabled reverse DNS and it seemed to make this occur less often, but as far as I can tell my DNS is set up properly. I can do a `nslookup <host>` and get the proper IP address, and vice versa.
Any help would be greatly appreciated!
Thomas
5 years, 11 months
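The symptom in the post above is a uid that stops resolving to a name: bash prints "I have no name!" when getpwuid() for the shell's own uid fails, and every other program on the host gets the same failure from NSS at that moment. The script below is an added example, not from the post or from SSSD; it walks /proc, collects the real uid of every running process and reports the ones that no longer resolve, so the condition can be caught by a cron job or a monitoring agent (and correlated with sssd going offline) instead of being discovered when a multi-day pipeline dies. The /proc layout is Linux's; the script assumes nothing else about the host.

```python
"""Detect uid -> name mapping loss ("I have no name!") on a running Linux host.

Added example, not code from the post or from the SSSD project.
"""
import os
import pwd


def resolve_uid(uid):
    """User name for uid, or None when the NSS stack cannot resolve it right now."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def uids_of_running_processes(proc="/proc"):
    """Real uids of all processes, read from the 'Uid:' line (real, effective, saved, fs) of /proc/<pid>/status."""
    uids = set()
    if not os.path.isdir(proc):
        return uids
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                for line in fh:
                    if line.startswith("Uid:"):
                        uids.add(int(line.split()[1]))
                        break
        except OSError:
            pass  # the process exited between listdir() and open(); ignore it
    return uids


def unresolved(uids):
    """Split uids into {uid: name} that resolve and a sorted list of those that do not."""
    names = {uid: resolve_uid(uid) for uid in uids}
    resolved = {uid: name for uid, name in names.items() if name is not None}
    lost = sorted(uid for uid, name in names.items() if name is None)
    return resolved, lost


if __name__ == "__main__":
    resolved, lost = unresolved(uids_of_running_processes())
    for uid in lost:
        # A process owned by this uid exists, yet NSS (files, sss, ...) no longer knows the name.
        print("uid %d has running processes but no longer resolves to a name" % uid)
    raise SystemExit(1 if lost else 0)
```

A non-zero exit while sssd reports offline (sssctl domain-status on newer releases, or the "going offline" lines in sssd_<domain>.log) points at cache expiry or backend connectivity rather than at the user's session; pairing the two timestamps is usually what narrows the cause.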
idmap_sss Backend for Winbind
by rdratlos@yahoo.co.uk
Dear all,
I would like to use SSSD's idmap_sss backend (1.15.3) for winbindd (version 4.6.7) to let SSSD map UIDs/GIDs and SIDs on a file server in a Samba-based AD environment. I've followed the limited instructions of the man page but from the logs it seems that winbindd communicates directly with the AD server.
The major settings in smb.conf are:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
...
winbind use default domain = yes
winbind nss info = rfc2307
# Default idmap config for local BUILTIN accounts and groups
idmap config * : range = 10000-19999
# idmap config for MYDOMAIN
idmap config MYDOMAIN:backend = sss
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 500-9999
What's wrong here? Could someone please provide me with a working example?
5 years, 11 months