On (19/07/17 19:37), Jelle de Jong wrote:
Hello everybody,
On 19/07/17 16:57, Jelle de Jong wrote:
Hello everybody,
I been trying hard to get sssd to work on a new CentOS 7 workstation.
sssd --version 1.14.0
# working ldapsearch command and output https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
The problem is I am at a customer that has an old Windows 2008 AD server with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and loginShell need to be used, so that my nfs shares have the correct mapping.
They used an old NIS server in the passed but it is broken and has no AD connection any more.
I can not seem to bind to the RootDSE without using a username and password, see the ldapsearch command, i tried converting the "LDAP@wdm.local" to a cn path, but whatever i try i get a " additional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1" back.
My sssd just keeps loging: ([sssd[be[default]]] [dp_req_reply_gen_error] (0x0080): DP Request [Subdomains #0]: Finished. Target is not supported with this configuration.
[root@vsxtest01 ~]# cat /etc/sssd/sssd.conf [domain/default] id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://sw008.wdm.local/ ldap_search_base = ou=COMPANY,dc=wdm,dc=local #ldap_schema = rfc2307bis #ldap_user_home_directory = unixHomeDirectory #ldap_tls_reqcert = allow #ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/openldap/cacerts debug_level = 5 autofs_provider = ldap #ldap_default_bind_dn = cn=LDAP,ou=Users,ou=COMPANY,dc=wdm,dc=local ldap_default_bind_dn = LDAP@wdm.local ldap_default_authtok = *secret* ldap_default_authtok_type = password cache_credentials = True
[sssd] config_file_version = 2 services = autofs domains = default
[autofs]
I have no idea how to get my user authentication working with the correct uidNumber, gidNumber mapping.
Can somebody maybe help?
I got a working setup... I split the config between custom and standard created settings, I do not know where I need the nss or autofs service for but these seem to be auto created. The ldap.conf is untouched, standard config from authconfig, the ldap_user and ldap_group all seem to be needed to make it work.... of the entryuuid I do not now what is does exactly. Does this look okay to try to take into production?
- name: "setup authentication sssd configs"
command: "authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enablemkhomedir --update"
I think I overlooked an answer to our questions.
Is there a reason why do you need to you authconfig + rfc2307bif instead of "realm join" ?
And if you cannot use "id_provider = ad" which is generated by realm join then it would be better to use "ldap_schema = ad".
LS