Hi everyone,
I'm using sssd 1.62 in CentOS 7.4. The sssd is very good, I love it!
But, when I use "ldap_id_mapping=False" in /etc/sssd/sssd.conf the user's password will not available. Why? How to solve it?
Thanks
On Fri, Feb 15, 2019 at 07:05:37AM -0000, CharlesLee wrote:
> Hi everyone,
> I'm using sssd 1.62 in CentOS 7.4. The sssd is very good, I love it!
> But, when I use "ldap_id_mapping=False" in /etc/sssd/sssd.conf the user's password will not available.
I assume with 'the user's password will not available' you mean that the user cannot log in?
I guess that the user cannot even be found if you call 'getent passwd username'.
> Why?
With "ldap_id_mapping=False" SSSD expects that the POSIX UIDs and GIDs are stored in Active Directory (I assume you are using AD). By default this is not the case and recent versions of Windows Server even removed some tools which made it easy to set them.
> How to solve it?
Either use "ldap_id_mapping=True" (recommended) or add suitable uidNumber and gidNumber attributes in AD to the users and groups.
HTH
bye, Sumit
> Thanks
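The check described in the reply above, as an added example that is not part of the original thread or of SSSD itself: given a domain section of sssd.conf and an LDIF export of AD accounts, it lists the accounts that cannot be resolved because ID mapping is off and uidNumber or gidNumber is missing. The domain name, account names and ID values are constructed sample data, and the default used when ldap_id_mapping is unset is an assumption noted in the code.

```python
import configparser

# Constructed sample inputs (not from the thread): one sssd.conf domain section
# and an LDIF export of two AD accounts, one of them without POSIX attributes.
SAMPLE_CONF = """\
[domain/example.com]
id_provider = ad
ldap_id_mapping = False
"""

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
"""

def id_mapping_enabled(conf_text, domain):
    """Return the effective ldap_id_mapping value for one domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    # Assumption: when unset, the AD provider maps IDs and other providers do not.
    default = sec.get("id_provider", "").strip().lower() == "ad"
    return sec.getboolean("ldap_id_mapping", fallback=default)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines joined."""
    unfolded = text.replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
        if attrs:
            entries.append(attrs)
    return entries

def unresolvable_accounts(conf_text, domain, ldif_text):
    """Accounts that lack uidNumber/gidNumber while ID mapping is off."""
    if id_mapping_enabled(conf_text, domain):
        return []  # IDs are derived from the SID; POSIX attributes are not needed
    return [e.get("samaccountname", e.get("dn", ["?"]))[0]
            for e in parse_ldif(ldif_text)
            if any(attr not in e for attr in ("uidnumber", "gidnumber"))]
```
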
Hi Sumit,
Thanks for your reply.
I'm using Windows Server 2008 R2 AD. I use "ldap_id_mapping=False" because I want the AD user's UID in Linux to be the gidNumber; if I use "ldap_id_mapping=True" the user's UID in Linux cannot be controlled.
I want the AD user in Linux to use gidNumber, and the AD user to log in to Linux with the AD password. So, what should I do?
Thanks
On Fri, Feb 15, 2019 at 09:47:46AM -0000, CharlesLee wrote:
> Hi Sumit,
> Thanks for your reply.
> I'm using Windows Server 2008 R2 AD. I use "ldap_id_mapping=False" because I want the AD user's UID in Linux to be the gidNumber; if I use "ldap_id_mapping=True" the user's UID in Linux cannot be controlled.
> I want the AD user in Linux to use gidNumber, and the AD user to log in to Linux with the AD password. So, what should I do?
Do you already have the IDs created and stored in AD?
One thing you might need to do after switching the ID mapping on or off is to clear the sssd cache. With newer versions:
    sssctl cache-remove
or with older versions:
    rm -f /var/lib/sss/db/*
    systemctl restart sssd
Hi Jakub,
Yes, I did rm -rf /var/lib/sss/db/* after turning off ldap_id_mapping. In Linux the AD user can have uidNumber, but the AD user's password was invalid in Linux.
Thanks for your reply.
On Mon, Feb 18, 2019 at 03:21:55PM -0000, CharlesLee wrote:
> Hi Jakub,
> Yes, I did rm -rf /var/lib/sss/db/* after turning off ldap_id_mapping. In Linux the AD user can have uidNumber, but the AD user's password was invalid in Linux.
Then please follow the debugging steps: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Thanks Jakub, I solved my problem.