Hello, I was previously using sssd to authenticate my users with id_provider = LDAP and it
worked great.
Now that my Samba 4 DC is configured and the GPO can finally be used, I reconfigured
sssd with realmd to be able to use sssd-ad to centralize the authentication for some
services via the GPO.
SSSD was configured automatically by realm as expected and the server is registered in the
appropriate OU as defined in /etc/realmd.conf in my DC. I can also successfully retrieve
my users/group info with getent and id.
Following the example presented here
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration, I notice that
when I try to authenticate a user with SSH I can see errors related to the retrieval of
the GPO:
http://pastebin.com/6wzXUrCr
Here is my sssd.conf configuration:
[sssd]
config_file_version = 2
services = nss, pam
domains = hq.mydc.com
[nss]
# Ensure that certain users are not authenticated from network accounts
filter_users = root,lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,ivman,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,pulse,puppet,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data
filter_groups = root
[pam]
# <----------------------- this part was generated automatically
[domain/hq.mydc.com]
debug_level = 9
ad_domain = hq.mydc.com
krb5_realm = HQ.mydc.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
Does sssd need to mount/access the sysvol folder somehow? Did I miss something in
the configuration of sssd?
Looking forward to some help, thanks in advance.