Hello everybody,
On 19/07/17 16:57, Jelle de Jong wrote:
> Hello everybody,
>
> I been trying hard to get sssd to work on a new CentOS 7 workstation.
>
> sssd --version
> 1.14.0
>
> # working ldapsearch command and output
>
https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
>
> The problem is I am at a customer that has an old Windows 2008 AD server
> with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and
> loginShell need to be used, so that my nfs shares have the correct mapping.
>
> They used an old NIS server in the passed but it is broken and has no AD
> connection any more.
>
> I can not seem to bind to the RootDSE without using a username and
> password, see the ldapsearch command, i tried converting the
> "LDAP(a)wdm.local" to a cn path, but whatever i try i get a "
> additional info: 80090308: LdapErr: DSID-0C0903A8, comment:
> AcceptSecurityContext error, data 52e, v1db1" back.
>
> My sssd just keeps loging: ([sssd[be[default]]] [dp_req_reply_gen_error]
> (0x0080): DP Request [Subdomains #0]: Finished. Target is not supported
> with this configuration.
>
> [root@vsxtest01 ~]# cat /etc/sssd/sssd.conf
> [domain/default]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://sw008.wdm.local/
> ldap_search_base = ou=COMPANY,dc=wdm,dc=local
> #ldap_schema = rfc2307bis
> #ldap_user_home_directory = unixHomeDirectory
> #ldap_tls_reqcert = allow
> #ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> debug_level = 5
> autofs_provider = ldap
> #ldap_default_bind_dn = cn=LDAP,ou=Users,ou=COMPANY,dc=wdm,dc=local
> ldap_default_bind_dn = LDAP(a)wdm.local
> ldap_default_authtok = *secret*
> ldap_default_authtok_type = password
> cache_credentials = True
>
> [sssd]
> config_file_version = 2
> services = autofs
> domains = default
>
> [autofs]
>
> I have no idea how to get my user authentication working with the
> correct uidNumber, gidNumber mapping.
>
> Can somebody maybe help?
I got a working setup... I split the config between custom and standard
created settings, I do not know where I need the nss or autofs service for
but these seem to be auto created. The ldap.conf is untouched, standard
config from authconfig, the ldap_user and ldap_group all seem to be needed to
make it work.... of the entryuuid I do not now what is does exactly. Does
this look okay to try to take into production?
- name: "setup authentication sssd configs"
command: "authconfig --enablesssd --enablesssdauth --enablerfc2307bis
--enablemkhomedir --update"
I think I overlooked an answer to our questions.
Is there a reason why do you need to you authconfig + rfc2307bif instead of
"realm join" ?
And if you cannot use "id_provider = ad" which is generated by realm join
then it would be better to use "ldap_schema = ad".
LS