On Fri, Feb 07, 2014 at 11:24:19AM +1000, Donald Casson wrote:
Hi All,
I am trying to get SSSD working with an Active Directory.
The SSSD machine is a member of the sub domain student.example.com and this
works as expected.
I can do all the getent, id's and groups:
[root@puppetmaster-test sssd]# getent group "Server Administrators"
server administrators:*:10006:sa.cassond
[root@puppetmaster-test sssd]# getent passwd sa.cassond
sa.cassond:*:10005:10006:Don Casson:/home/sa.cassond:/bin/bash
[root@puppetmaster-test sssd]# groups sa.cassond
sa.cassond : server administrators
[root@puppetmaster-test sssd]# id cassond
uid=10007(cassond) gid=10006(server administrators) groups=10006(server administrators)
When I do the same for users in the parent domain (example.com)
[root@puppetmaster-test sssd]# getent passwd duckd@example.com
[root@puppetmaster-test sssd]#
I get no users and this error in the sssd_nss.log:
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x435b80:domains@student.example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [student.example.com][forced][example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x435b80:domains@student.example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0040): Invalid name received [duckd@example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x435b80:domains@student.example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
Please help! Do I need to be on a higher version of SSSD to support
subdomains with the "id_provider=ad"? Am I missing something in the
configuration to support sub domains? Is this a bug in SSSD?
OS and SSSD version: RHEL 6.3 and sssd 1.9.2-129
I'm sorry, but this feature is only available in sssd-1.10 and later
versions. See
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 for details.
Please note that we are currently working on a repository which will
contain sssd-1.11 build for RHEL-6.5 for testing. It might not work
out-of-the-box on RHEL-6.3 but it might help to give you an easier start
to rebuild it on 6.3. Watch out for the announcement on this list and
sssd-devel.
bye,
Sumit
[sssd]
config_file_version = 2
domains = student.example.com
services = nss, pam, ssh
debug_level = 7
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts
# that are always going to be /etc/passwd users, or that you want to
# filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 7
[pam]
debug_level = 7
[domain/student.example.com]
# disable Windows SID to UID mapping
ldap_id_mapping = false
debug_level = 7
cache_credentials = true
#enumerate = true
case_sensitive = false
id_provider = ad
ad_domain = student.example.com
# LDAP options
ldap_user_shell = loginShell
ldap_user_home_directory = unixHomeDirectory
ldap_schema = rfc2307bis
ldap_group_member = msSFU30PosixMember
# krb5 options
krb5_canonicalize = false
Thanks in advance.
Cheers
Don
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
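An added example, not part of the original messages and not SSSD project code: a small Python triage helper that pairs each "Invalid name received" entry in an sssd_nss.log with the Data Provider error reported just before it, and checks an installed version against the sssd-1.10 threshold given in the reply above. The function names are hypothetical, and the sample input reuses log lines quoted in the thread.

```python
import re

# Debug line layout seen in the thread: (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
DP_RE = re.compile(r"DP error code: (\d+) errno: (\d+) error message: (.*)")
NAME_RE = re.compile(r"Invalid name received \[([^\]]+)\]")

# Sample input: log lines quoted in the thread, hard-wrapped as a mail client wraps them.
SAMPLE = """\
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 3 errno: 19 error message:
Subdomains back end target is not configured
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0040):
Invalid name received [duckd@example.com]
"""

def unwrap(lines):
    """Rejoin wrapped continuation lines onto the debug line they belong to."""
    out = []
    for line in (l.strip() for l in lines):
        if line.startswith("(") or not out:
            out.append(line)
        elif line:
            out[-1] += " " + line
    return out

def failed_lookups(lines):
    """Pair each rejected name with the last Data Provider error seen before it."""
    last_dp, findings = None, []
    for line in unwrap(lines):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SSSD debug line
        dp = DP_RE.search(m["msg"])
        if dp:  # a reply with DP error code 0 clears the pending cause
            last_dp = ({"dp_error": int(dp[1]), "errno": int(dp[2]),
                        "message": dp[3]} if int(dp[1]) else None)
        name = NAME_RE.search(m["msg"])
        if name:
            findings.append({"name": name[1], "time": m["ts"], "cause": last_dp})
    return findings

def supports_ad_subdomains(version):
    """Threshold taken from the reply in this thread: sssd 1.10 or later."""
    major, minor = (int(p) for p in re.match(r"(\d+)\.(\d+)", version).groups())
    return (major, minor) >= (1, 10)
```

Run against the thread's log, `failed_lookups` attributes the rejected `duckd@example.com` lookup to the "Subdomains back end target is not configured" reply, and `supports_ad_subdomains("1.9.2-129")` returns `False`.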