On 1/5/2015 2:45 AM, Jakub Hrozek wrote:
On Sun, Jan 04, 2015 at 04:33:29PM -0800, Scott Harvey wrote:
Tried to post before but the body had too much data; deleted graphics from body.
I think the sssd config file and logs would be nice to see. And since Samba is more-or-less an AD DC, maybe even enrolling the client would be possible with adcli: https://jhrozek.livejournal.com/3581.html
But it looks like you've enrolled the client already.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Thank you for getting back.
When you say "enroll a client" what do you mean? I have an spn that I set up that is the machine name of my dc controller as instructed by https://wiki.samba.org/index.php?title=Local_user_management_and_authenticat...
# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=dc1$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab
dc1 is netserver02 in my case.
Contents of the sssd config file:
--------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
#domains = default
debug_level = 2
#
filter_users_in_groups = false
#
#ldap_user_principal = netserver02$.harvey.net@HARVEY.NET
#
#ldap_referrals = true
#
[nss]
#
allowed_shells = /bin/bash
shell_fallback = /bin/bash
#
[pam]

[domain/netserver02.harvey.net]
#[domain/default]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
#
#dyndns_update=false
# Uncomment to use POSIX attributes on the server
ldap_id_mapping=false

#ad_enable_dns_sites = true
# Uncomment if the client machine hostname doesn't match the
# computer object on the DC.
#ad_hostname = dc1.samdom.example.com
ad_hostname = netserver02.harvey.net

#Uncomment if DNS SRV resolution is not working
#ad_server = netserver02.harvey.net

# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = harvey.net

# Enumeration is discouraged for performance reasons.
#enumerate = true

# location of the keytab
# Make sure this is generated before use..
krb5_keytab=/etc/krb5.sssd.keytab
------------------------------------------------------------------------------------------------------------------------
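An added example, not part of the original message or of sssd: a small Python check that reads an sssd.conf, resolves the `krb5_keytab` of every domain listed under `[sssd]`, and confirms the file carries the root-only ownership and mode that the `chown`/`chmod 600` steps above set. The function name `check_keytabs`, the fallback to `/etc/krb5.keytab` when `krb5_keytab` is unset, and the sample domain names are assumptions made for the example.

```python
import configparser
import os
import stat

SSSD_DEFAULT_KEYTAB = "/etc/krb5.keytab"  # assumed fallback when krb5_keytab is unset


def check_keytabs(conf_text, expected_uid=0):
    """Return a list of findings for the keytab of every enabled sssd domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    listed = cp.get("sssd", "domains", fallback="")
    for dom in (d.strip() for d in listed.split(",") if d.strip()):
        section = "domain/" + dom
        if not cp.has_section(section):
            findings.append(f"{dom}: listed in [sssd] domains but [{section}] is missing")
            continue
        path = cp.get(section, "krb5_keytab", fallback=SSSD_DEFAULT_KEYTAB)
        try:
            st = os.lstat(path)  # lstat: a symlinked keytab is reported, not followed
        except OSError as exc:
            findings.append(f"{dom}: keytab {path} not accessible: {exc.strerror}")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{dom}: keytab {path} is not a regular file")
        if st.st_mode & 0o077:  # any group/other permission bit exposes the machine key
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{dom}: keytab {path} mode {mode:04o} lets group/other access it")
        if st.st_uid != expected_uid:
            findings.append(f"{dom}: keytab {path} owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway keytab left at 0644 and a domain with no section.
    with tempfile.NamedTemporaryFile(suffix=".keytab") as kt:
        os.chmod(kt.name, 0o644)
        sample = ("[sssd]\ndomains = samdom.example.com, other.example.com\n"
                  "[domain/samdom.example.com]\nid_provider = ad\n"
                  f"krb5_keytab={kt.name}\n")
        for finding in check_keytabs(sample, expected_uid=os.getuid()):
            print(finding)
```

Run it as root against the real file by passing the contents of the sssd.conf in use; an empty list means every listed domain has a section and a keytab readable only by its owner.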