Understood w.r.t. getent returning. We are actually using the ad provider for our ubu systems. The reason we haven't moved completely to using the ad provider is bug 1872, which we have commented on as well as others. https://fedorahosted.org/sssd/ticket/1872 btw do you know if there is any forward movement on this feature with dealing with personal groups? I will try valid users on an ubu system leveraging the ad provider and report back
On Fri, Dec 16, 2016 at 11:39 AM, Sumit Bose sbose@redhat.com wrote:
On Fri, Dec 16, 2016 at 04:33:37PM -0000, js16uy@gmail.com wrote:
Thanks very much for the response! Much appreciated Yes it does. getent group does return the proper gid for queried groups
[root@X samba]# getent group MC-Services
MC-Services:*:11959:
OK, but I guess "getent group 'MC\MC-Services'" (the group name you use in smb.conf) does not return anything.
Is there a reason you use id_provider=ldap and auth_provider=krb5 instead of id_provider=ad?
The 'MC' before the '\' is the NetBIOS domain name of the AD domain, which cannot be discovered by the plain LDAP provider but the AD provider can. If you cannot change the provider you can try to change the SSSD domain name in sssd.conf from 'foo' to 'MC'. Then it should be possible to resolve names like 'MC\MC-Services', but in general I would recommend to try the AD provider.
HTH
bye, Sumit
Here is our sssd.conf
[sssd]
config_file_version = 2
debug_level = 6
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = foo

[nss]
filter_groups = root,
filter_users = root,
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/foo]
enumerate = False
id_provider = ldap
min_id = 1000
chpass_provider = krb5
ldap_schema = rfc2307bis
# currently using ldap over port 389 because ldaps over 686 returns 'encoded packet size too big'
ldap_uri = ldap://dc.mc.foo.com
ldap_search_base = ou=accounts,dc=mc,dc=foo,dc=com
ldap_id_mapping = false
ldap_tls_reqcert = allow
ldap_sasl_mech = GSSAPI
ldap_sasl_canonicalize = true
ldap_sasl_authid = X$
ldap_krb5_init_creds = true
ldap_user_object_class = user
ldap_group_object_class = top
ldap_group_nesting_level = 5
ldap_group_search_base = ou=accounts,dc=mc,dc=foo,dc=com?subtree?(&(objectClass=top)(!(objectClass=computer))(gidnumber=*)(|(groupType<=0)(&(objectClass=user)(objectCategory=person)(uidNumber=*))))
ldap_user_name = sAMAccountName
ldap_group_name = sAMAccountName
ldap_user_fullname = cn
ldap_user_home_directory = unixHomeDirectory
auth_provider = krb5
krb5_server = dc.mc.foo.com:88
krb5_realm = MC.FOO.COM
krb5_canonicalize = false
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
krb5_keytab = /etc/krb5.keytab
krb5_validate = true
access_provider = simple
simple_allow_users =
simple_allow_groups = MC-Services,
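A small check added here (example code, not from the thread, SSSD or Samba) that does what Sumit suggests: push the exact group name used in smb.conf through getent and report whether only the unqualified form resolves, which is the symptom of the NetBIOS-prefix mismatch he describes. The sample getent output, the hint text and the 'MC' / 'MC-Services' names are constructed; the code assumes Samba's '@' and '+' group markers in 'valid users' and that `getent group NAME` prints nothing for an unknown name.

```python
import subprocess

# Constructed sample of `getent group` output, modelled on the line in the thread.
SAMPLE_GETENT = "MC-Services:*:11959:\nMC\\MC-Services:*:11959:\nroot:x:0:\n"


def split_domain_name(name):
    """Split 'DOMAIN\\group' into (domain, group); plain names give (None, group)."""
    domain, sep, short = name.partition("\\")
    return (domain, short) if sep else (None, name)


def parse_getent_group(text):
    """Map group names to numeric GIDs from `getent group` output lines."""
    gids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            gids[fields[0]] = int(fields[2])
    return gids


def run_getent(name):
    """Query NSS for one group; getent prints nothing (exit status 2) if unknown."""
    proc = subprocess.run(["getent", "group", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def check_group(entry, lookup=run_getent):
    """Return (resolves, gid, hint) for one 'valid users' entry.

    A leading '@' or '+' (Samba's group markers, assumed here) is stripped.
    When only the unqualified name resolves, the hint names the mismatch from
    the thread: the prefix is the NetBIOS domain name, which the LDAP provider
    does not know unless the SSSD domain section carries that same name.
    """
    name = entry.lstrip("@+")
    gids = parse_getent_group(lookup(name))
    if name in gids:
        return True, gids[name], "resolves as written"
    domain, short = split_domain_name(name)
    if domain is not None:
        short_gids = parse_getent_group(lookup(short))
        if short in short_gids:
            return (False, short_gids[short],
                    f"only '{short}' resolves; '{domain}' is not an SSSD domain name "
                    f"(use id_provider = ad, or name the section [domain/{domain}])")
    return False, None, "not resolvable through NSS"


if __name__ == "__main__":
    # Against the live system: a False first element with a non-None gid
    # is exactly the 'getent group MC-Services works, MC\MC-Services does not' case.
    for entry in ("@MC\\MC-Services", "MC-Services"):
        print(entry, check_group(entry))
```

Run it on the Samba host with the entries from 'valid users'; the `lookup` parameter exists so the same logic can be driven from captured getent output when reproducing a report offline.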
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org