Hi,

I am trying to authenticate Linux users against the Samba 4.3 Active Directory.
The wiki references I used are:

https://wiki.samba.org/index.php?title=Local_user_management_and_authentication/sssd&oldid=9652
and
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#What_is_RFC2307.3F

The Linux Server configuration is:
[root@netserver02 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@netserver02 ~]# uname -a
Linux netserver02.harvey.net 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

I used Method 1, "Connecting to AD via Kerberos (recommended)", explained on the
"Local_user_management_and_authentication" wiki page.

There was a time when this worked, i.e. I was able to read back Active Directory objects, i.e. users and
groups, although I have not gotten this to work since; this was a few days ago.
It seems like I may have turned on the LDAP communication. CentOS 6 has a GUI for configuring how
to authenticate users, which I used, plus manual configuration file edits, and I loaded up the sssd cache.
I was never able to repeat this, and the Unix IDs did not match what I was
entering for the Unix Attributes in the Windows 8.1 RSAT tools.
The user IDs and group IDs had very high numbers, i.e. up in the 70000s.

I followed the steps for sssd configuration in "Local_user_management_and_authentication".
Created a service principal user, i.e. used the domain controller server name as the account.
and all of the.

The domain was provisioned with --use-rfc2307; see "Using_RFC2307_on_a_Samba_DC". This
describes what you need to do to set up the Active Directory controller to create records for a "nis"
server. I confirmed all 55 records were loaded in with the correct names for the host domain
and nisdomain names; actually, samba-tool provision now does that when --use-rfc2307 is one
of the options.

I attempted to use getent passwd and getent group to see if I was able to see any of the users or groups from
the Active Directory. I was not able to. Here is the log of sssd -d 3 -i

Note Samba is acting as a DNS server; it works with my workstations and laptops using DHCP.


Version of sssd that is installed:
[root@netserver02 convTmpYpSetupToDomain]# sssd  --version
1.11.6


The sssd configuration file is shown after this log transaction.


[root@netserver02 convTmpYpSetupToDomain]# sssd  -d 4 -i -c /etc/sssd/sssd.conf
(Sat Jan  3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [netserver02.harvey.net]: [10]
(Sat Jan  3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [netserver02.harvey.net]: [60]
(Sat Jan  3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service netserver02.harvey.net for startup
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_netserver02.harvey.net,1)
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_fqnames_init] (0x0100): Found the pattern for domain name
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_common_options] (0x0100): No AD server set, will use service discovery!
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_common_options] (0x0100): Setting domain case-insensitive
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for nsupdate..
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option ldap_krb5_keytab set to /etc/krb5.sssd.keytab
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Will look for netserver02.harvey.net@NETSERVER02.HARVEY.NET in /etc/krb5.sssd.keytab
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to netserver02$
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to HARVEY.NET
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_server set to (null)
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0080): No SUDO module provided for [netserver02.harvey.net] !!
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0080): No autofs module provided for [netserver02.harvey.net] !!
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0020): No selinux module provided for [netserver02.harvey.net] !!
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0020): No host info module provided for [netserver02.harvey.net] !!
(Sat Jan  3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_netserver02.harvey.net,1)
(Sat Jan  3 20:04:34 2015) [sssd] [mark_service_as_started] (0x0100): Now starting services!
(Sat Jan  3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [nss]: [10]
(Sat Jan  3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [nss]: [60]
(Sat Jan  3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service nss for startup
(Sat Jan  3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [pam]: [10]
(Sat Jan  3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [pam]: [60]
(Sat Jan  3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service pam for startup
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Found the pattern for domain name
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for domain name
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM)
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x1361080]
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x137ae30]
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Cancel DP ID timeout [0x1361080]
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Sat Jan  3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat Jan  3 20:04:34 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.netserver02.harvey.net'
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolve_srv_done] (0x0040): Unable to resolve SRV [1432158225]: SRV record not found
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD' as 'not resolved'
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (1432158225)
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Cancel DP ID timeout [0x137ae30]
(Sat Jan  3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Sat Jan  3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Sat Jan  3 20:04:34 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan  3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan  3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan  3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan  3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan  3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan  3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan  3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan  3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan  3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan  3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan  3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan  3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan  3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan  3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan  3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan  3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan  3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan  3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan  3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan  3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan  3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan  3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan  3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan  3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan  3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan  3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan  3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan  3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan  3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan  3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
^C(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit_signal] (0x0040): Monitor received Interrupt: terminating children
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0040): Returned with: 0
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [pam][25954]
(Sat Jan  3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [nss][25953]
(Sat Jan  3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [netserver02.harvey.net][25951]
(Sat Jan  3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [netserver02.harvey.net] exited gracefully
[root@netserver02 convTmpYpSetupToDomain]#

contents of sssd.conf
--------------------------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
#domains = default
debug_level = 2
#
filter_users_in_groups = false
#
#ldap_user_principal = netserver02$.harvey.net@HARVEY.NET
#
#ldap_referrals = true
#
[nss]
#
allowed_shells = /bin/bash
shell_fallback = /bin/bash
#
[pam]

[domain/netserver02.harvey.net]
#[domain/default]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
#
#dyndns_update=false
# Uncomment to use POSIX attributes on the server
ldap_id_mapping=false

#ad_enable_dns_sites = true
# Uncomment if the client machine hostname doesn't match the
# computer object on the DC.
#ad_hostname = dc1.samdom.example.com
ad_hostname = netserver02.harvey.net

#Uncomment if DNS SRV resolution is not working
#ad_server = netserver02.harvey.net

# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = harvey.net

# Enumeration is discouraged for performance reasons.
#enumerate = true

# location of the keytab
krb5_keytab=/etc/krb5.sssd.keytab
--------------------------------------------------------------------------------------------------------------------

How do you get this to work?

It seems like this is the way to go for using a single user database for Windows and Linux;
it seems like it wants to work.


Scott Harvey
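An added example for readers of this thread (not code from the original post, nor from Samba or SSSD): the debug log above shows what the AD provider derives from the configuration at start-up, namely "Option krb5_realm set to NETSERVER02.HARVEY.NET" and an SRV query for "_ldap._tcp.netserver02.harvey.net", while the keytab's principal is in realm HARVEY.NET ("Option ldap_sasl_realm set to HARVEY.NET"). The script below reads an sssd.conf and reports the same derived values before sssd is started, so the SRV names can be checked with dig and a section name that is really the client's hostname, or a realm that does not match the keytab, is caught early. The defaults it applies (unset ad_domain falls back to the [domain/NAME] section name, unset krb5_realm to that domain upper-cased, unset ad_server to SRV discovery under the AD domain with the two record names shown) are assumptions inferred from the log lines in the post, and the sample configuration is a constructed, comment-trimmed copy of the one posted.

```python
"""Derive what SSSD's AD provider will use for domain, realm and DNS
service discovery from an sssd.conf. Added example, not SSSD's own code.
Assumptions (inferred from the post's debug log, not from SSSD docs):
  - unset ad_domain  -> the [domain/NAME] section name
  - unset krb5_realm -> ad_domain upper-cased
  - unset ad_server  -> SRV discovery under the AD domain, using the
    names in SRV_TEMPLATES below
"""
import configparser

# Constructed sample: the posted sssd.conf with comments trimmed.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net

[nss]
[pam]

[domain/netserver02.harvey.net]
id_provider = ad
access_provider = ad
ldap_id_mapping=false
ad_hostname = netserver02.harvey.net
#ad_server = netserver02.harvey.net
#ad_domain = harvey.net
krb5_keytab=/etc/krb5.sssd.keytab
"""

# Assumed SRV record names SSSD queries during service discovery; the log
# in the post shows the first of them for the posted configuration.
SRV_TEMPLATES = ("_ldap._tcp.%s", "_kerberos._udp.%s")


def effective_ad_settings(conf_text):
    """Return {section name: effective settings} for every AD domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    out = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ad":
            continue
        name = section[len("domain/"):]
        ad_domain = cp.get(section, "ad_domain", fallback=name)
        ad_server = cp.get(section, "ad_server", fallback=None)
        out[name] = {
            "ad_domain": ad_domain,
            "krb5_realm": cp.get(section, "krb5_realm", fallback=ad_domain.upper()),
            "ad_server": ad_server,
            "ad_hostname": cp.get(section, "ad_hostname", fallback=None),
            # Default is SID-based ID mapping; false means use uidNumber/gidNumber.
            "ldap_id_mapping": cp.getboolean(section, "ldap_id_mapping", fallback=True),
            "srv_names": [] if ad_server else [t % ad_domain for t in SRV_TEMPLATES],
        }
    return out


def diagnose(settings, keytab_realm=None):
    """Return warnings for settings that break discovery or Kerberos.

    keytab_realm is the realm of the principal in the keytab; the post's log
    shows 'ldap_sasl_realm set to HARVEY.NET', so pass "HARVEY.NET" there.
    """
    warnings = []
    for name, s in settings.items():
        host = s["ad_hostname"] or ""
        if host.lower() == s["ad_domain"].lower():
            warnings.append(
                "%s: AD domain %r is the client's own hostname; the DC registers "
                "SRV records under the domain name, so set ad_domain to the Samba "
                "domain or rename the section" % (name, s["ad_domain"]))
        if keytab_realm and s["krb5_realm"].upper() != keytab_realm.upper():
            warnings.append("%s: krb5_realm %s does not match keytab realm %s"
                            % (name, s["krb5_realm"], keytab_realm))
    return warnings


def dig_commands(settings):
    """Shell commands to verify by hand the SRV names SSSD will query."""
    return ["dig +short SRV %s" % srv
            for s in settings.values() for srv in s["srv_names"]]


if __name__ == "__main__":
    settings = effective_ad_settings(SAMPLE_SSSD_CONF)
    for name, s in settings.items():
        print("[domain/%s] -> ad_domain=%s krb5_realm=%s ldap_id_mapping=%s"
              % (name, s["ad_domain"], s["krb5_realm"], s["ldap_id_mapping"]))
    for line in diagnose(settings, keytab_realm="HARVEY.NET") + dig_commands(settings):
        print("  " + line)
```

Run against the posted configuration it reports ad_domain and krb5_realm derived from the section name and two warnings; appending `ad_domain = harvey.net` to the domain section (the line the posted file carries commented out) changes the SRV names to `_ldap._tcp.harvey.net` and `_kerberos._udp.harvey.net` and the realm to HARVEY.NET, which is what the dig commands should then confirm against the Samba DNS server.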