Hi,
I am trying to Authenticate Linux Users against the Samba 4.3 Active
Directory.
The Wiki reference I used is:
https://wiki.samba.org/index.php?title=Local_user_management_and_authenti...
and
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#What_is_RFC2...
The Linux Server configuration is:
[root@netserver02 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@netserver02 ~]# uname -a
Linux netserver02.harvey.net 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
I used Method 1: Connecting to AD via Kerberos (recommended), explained on
the "Local_user_management_and_authentication" wiki page.
There was a time when this worked, i.e. I was able to read back Active
Directory objects (users and groups), although I have not gotten this to
work since; that was a few days ago.
It seems like I may have turned on the ldapd communication. CentOS 6 has
a GUI for configuring how to authenticate users, which I used, plus manual
configuration file edits, and I loaded up the sssd cache.
I was never able to repeat this, and the Unix IDs did not match what I was
entering for the Unix Attributes in the Windows 8.1 RSAT tools.
The user IDs and group IDs had very high numbers, i.e. up in the 70000s.
I followed the steps for sssd configuration in
"Local_user_management_and_authentication",
created a service principal user (i.e. used the domain controller server
name as the account),
and all of the.
The domain was provisioned with --use-rfc2307; see
"Using_RFC2307_on_a_Samba_DC". This
describes what you need to do to set up the Active Directory controller
to create records for a "nis"
server. I confirmed all 55 records were loaded with the correct
names for the host domain
and nisdomain names; actually, samba-tool provision now does that
when --use-rfc2307 is one
of the options.
I attempted to use getent passwd and getent group to see if I was able to
see any of the users or groups from
the Active Directory. I was not able to. Here is the log of sssd -d 3 -i.
Note Samba is acting as a DNS server; it works with my workstations and
laptops using DHCP.
Version of sssd that is installed:
[root@netserver02 convTmpYpSetupToDomain]# sssd --version
1.11.6
The sssd configuration file is shown after this log transaction.
[root@netserver02 convTmpYpSetupToDomain]# sssd -d 4 -i -c /etc/sssd/sssd.conf
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time
between service pings for [netserver02.harvey.net]: [10]
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time
between SIGTERM and SIGKILL for [netserver02.harvey.net]: [60]
(Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing
service netserver02.harvey.net for startup
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[monitor_common_send_id] (0x0100): Sending ID:
(%BE_netserver02.harvey.net,1)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sss_names_init_from_args] (0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sss_fqnames_init] (0x0100): Found the pattern for domain name
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_get_common_options] (0x0100): No AD server set, will use service
discovery!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_get_common_options] (0x0100): Setting domain case-insensitive
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_failover_init] (0x0100): No primary servers defined, using service
discovery
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[_ad_servers_init] (0x0100): Added service discovery for AD
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for
nsupdate..
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_set_ad_id_options] (0x0100): Option krb5_realm set to
NETSERVER02.HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_set_ad_id_options] (0x0100): Option ldap_krb5_keytab set to
/etc/krb5.sssd.keytab
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sdap_set_sasl_options] (0x0100): Will look for
netserver02.harvey.net@NETSERVER02.HARVEY.NET in /etc/krb5.sssd.keytab
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to
netserver02$
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to
HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt
to discover it later, when connecting to the LDAP server.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_get_auth_options] (0x0100): Option krb5_server set to (null)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_get_auth_options] (0x0100): Option krb5_realm set to
NETSERVER02.HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[check_and_export_options] (0x0100): No KDC explicitly configured, using
defaults.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[check_and_export_options] (0x0100): No kpasswd server explicitly
configured, using the KDC or defaults.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[check_and_export_options] (0x0100): ccache is of type FILE
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_process_init] (0x0080): No SUDO module provided for
[netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_process_init] (0x0080): No autofs module provided for
[netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_process_init] (0x0020): No selinux module provided for
[netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_process_init] (0x0020): No host info module provided for
[netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100):
Received ID registration: (%BE_netserver02.harvey.net,1)
(Sat Jan 3 20:04:34 2015) [sssd] [mark_service_as_started] (0x0100):
Now starting services!
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time
between service pings for [nss]: [10]
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time
between SIGTERM and SIGKILL for [nss]: [60]
(Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing
service nss for startup
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time
between service pings for [pam]: [10]
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time
between SIGTERM and SIGKILL for [pam]: [60]
(Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing
service pam for startup
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [monitor_common_send_id]
(0x0100): Sending ID: (pam,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [monitor_common_send_id]
(0x0100): Sending ID: (nss,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_names_init_from_args]
(0x0100): (Sat Jan 3 20:04:34 2015) [sssd[pam]]
[sss_names_init_from_args] (0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): (Sat
Jan 3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq
format [%1$s@%2$s].
Using fq format [%1$s@%2$s].
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): (Sat
Jan 3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the
pattern for domain name
Found the pattern for domain name
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [dp_common_send_id] (0x0100):
Sending ID to DP: (1,PAM)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [dp_common_send_id] (0x0100):
Sending ID to DP: (1,NSS)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_client_init] (0x0100): Set-up Backend ID timeout [0x1361080]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_client_init] (0x0100): Set-up Backend ID timeout [0x137ae30]
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [responder_set_fd_limit]
(0x0100): Maximum file descriptors set to [8192]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[client_registration] (0x0100): Cancel DP ID timeout [0x1361080]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[client_registration] (0x0100): Added Frontend client [PAM]
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100):
Received ID registration: (pam,1)
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id
ack and version (1) from DP
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [id_callback] (0x0100): Got id
ack and version (1) from Monitor
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.netserver02.harvey.net'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name
not found
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as
'not working'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[resolve_srv_done] (0x0040): Unable to resolve SRV [1432158225]: SRV
record not found
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD' as
'not resolved'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (1432158225)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
[Input/output error])
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[ad_subdomains_get_conn_done] (0x0080): No AD server is available,
cannot get the subdomain list while offline
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [responder_set_fd_limit]
(0x0100): Maximum file descriptors set to [8192]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[client_registration] (0x0100): Cancel DP ID timeout [0x137ae30]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]]
[client_registration] (0x0100): Added Frontend client [NSS]
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100):
Received ID registration: (nss,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id
ack and version (1) from DP
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [id_callback] (0x0100): Got id
ack and version (1) from Monitor
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging
netserver02.harvey.net
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service
netserver02.harvey.net replied to ping
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging
netserver02.harvey.net
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service
netserver02.harvey.net replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging
netserver02.harvey.net
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service
netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging
netserver02.harvey.net
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service
netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging
netserver02.harvey.net
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service
netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
^C(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit_signal] (0x0040):
Monitor received Interrupt: terminating children
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0040): Returned with: 0
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating
[pam][25954]
(Sat Jan 3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]]
[sbus_dispatch] (0x0080): (Sat Jan 3 20:05:28 2015) [sssd]
[monitor_quit] (0x0020): Connection is not open for dispatching.
Child [pam] exited gracefully
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating
[nss][25953]
(Sat Jan 3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]]
[sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [nss]
exited gracefully
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating
[netserver02.harvey.net][25951]
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child
[netserver02.harvey.net] exited gracefully
[root@netserver02 convTmpYpSetupToDomain]#
contents of sssd.conf
--------------------------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
#domains = default
debug_level = 2
#
filter_users_in_groups = false
#
#ldap_user_principal = netserver02$.harvey.net@HARVEY.NET
#
#ldap_referrals = true
#
[nss]
#
allowed_shells = /bin/bash
shell_fallback = /bin/bash
#
[pam]
[domain/netserver02.harvey.net]
#[domain/default]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
#
#dyndns_update=false
# Uncomment to use POSIX attributes on the server
ldap_id_mapping=false
#ad_enable_dns_sites = true
# Uncomment if the client machine hostname doesn't match the
# computer object on the DC.
#ad_hostname = dc1.samdom.example.com
ad_hostname = netserver02.harvey.net
#Uncomment if DNS SRV resolution is not working
#ad_server = netserver02.harvey.net
# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = harvey.net
# Enumeration is discouraged for performance reasons.
#enumerate = true
# location of the keytab
krb5_keytab=/etc/krb5.sssd.keytab
--------------------------------------------------------------------------------------------------------------------
How do you get this to work?
It seems like this is the way to go for using a single user database
for Windows and Linux;
it seems like it wants to work.
Scott Harvey
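Added example, not part of Scott Harvey's post and not SSSD or Samba code: a small offline checker that reads an sssd.conf, works out which DNS SRV record and which Kerberos realm the ad provider will derive from it, and cross-checks that against lines from the sssd -d 4 -i output in the post. It assumes the defaults documented in sssd-ad(5): with ad_domain unset the [domain/NAME] section name is used as the AD domain, service discovery queries _ldap._tcp.<AD domain>, and krb5_realm defaults to the upper-cased AD domain. The embedded config is a trimmed copy of the one in the post with the wrapped lines re-joined, the corrected variant is a constructed one-line change (ad_domain uncommented), and the four log lines are copied from the post with their wrapping removed.

```python
import configparser
import re

# Trimmed copy of the sssd.conf from the post (comments dropped, wrapped lines
# re-joined). Only the lines that matter for server discovery are kept.
CONF_FROM_POST = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
debug_level = 2

[nss]
allowed_shells = /bin/bash
shell_fallback = /bin/bash

[pam]

[domain/netserver02.harvey.net]
id_provider = ad
access_provider = ad
ldap_id_mapping = false
ad_hostname = netserver02.harvey.net
#ad_server = netserver02.harvey.net
#ad_domain = harvey.net
krb5_keytab = /etc/krb5.sssd.keytab
"""

# Constructed variant: the only change is setting ad_domain explicitly, the
# case the wiki comment calls "domain section is named differently than your
# Samba domain".
CONF_CORRECTED = CONF_FROM_POST.replace("#ad_domain = harvey.net", "ad_domain = harvey.net")

# Four lines copied from the sssd -d 4 -i output in the post, re-joined.
LOG_EXCERPT = """\
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.netserver02.harvey.net'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found
"""

SRV_TRY = re.compile(r"Trying to resolve SRV record of '([^']+)'")
SRV_FAIL = re.compile(r"SRV query failed \[\d+\]: (.+)$")
OPTION = re.compile(r"Option (krb5_realm|ldap_sasl_realm) set to (\S+)")


def load_sssd_conf(text):
    """Parse sssd.conf (INI syntax). interpolation=None keeps '%' literal;
    strict=False tolerates repeated keys instead of raising."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def predicted_discovery(cp):
    """For each [domain/NAME] section, what the ad provider derives when
    ad_domain, krb5_realm and ad_server are left unset (sssd-ad(5) defaults,
    an assumption of this example)."""
    out = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        opts = cp[section]
        ad_domain = opts.get("ad_domain", name).strip()
        out[name] = {
            "ad_domain": ad_domain,
            "ad_domain_explicit": "ad_domain" in opts,
            "srv_record": "_ldap._tcp." + ad_domain,
            "krb5_realm": opts.get("krb5_realm", ad_domain.upper()).strip(),
            "uses_srv_discovery": "ad_server" not in opts,
        }
    return out


def analyze_log(text):
    """Pull the SRV lookups and the two realm options out of sssd -d 4 output.
    A failure line is attributed to the most recent 'Trying to resolve' line."""
    info = {"srv_failed": [], "options": {}}
    pending = None
    for line in text.splitlines():
        m = SRV_TRY.search(line)
        if m:
            pending = m.group(1)
            continue
        m = SRV_FAIL.search(line)
        if m and pending:
            info["srv_failed"].append((pending, m.group(1).strip()))
            pending = None
            continue
        m = OPTION.search(line)
        if m:
            info["options"][m.group(1)] = m.group(2)
    return info


def cross_check(conf_text, log_text):
    """Explain the log in terms of the config. Returns a list of findings;
    an empty list means config and log are consistent."""
    log = analyze_log(log_text)
    keytab_realm = log["options"].get("ldap_sasl_realm")  # realm of the keytab principal
    notes = []
    for name, p in predicted_discovery(load_sssd_conf(conf_text)).items():
        if p["uses_srv_discovery"]:
            for srv, reason in log["srv_failed"]:
                if srv == p["srv_record"]:
                    origin = ("set explicitly" if p["ad_domain_explicit"]
                              else "unset, so the section name is used as the AD domain")
                    notes.append(f"domain/{name}: SRV discovery of {srv} failed ({reason}); ad_domain is {origin}")
        if keytab_realm and p["krb5_realm"] != keytab_realm:
            notes.append(f"domain/{name}: derived krb5_realm {p['krb5_realm']} does not match the keytab principal's realm {keytab_realm}")
    return notes


if __name__ == "__main__":
    for label, conf in (("config as posted", CONF_FROM_POST),
                        ("ad_domain = harvey.net", CONF_CORRECTED)):
        print(label)
        for note in cross_check(conf, LOG_EXCERPT) or ["no findings"]:
            print("  " + note)
```

Run with python3, the posted config is explained by two findings: SSSD queried _ldap._tcp.netserver02.harvey.net because the domain section is named after the host and ad_domain is commented out, and the derived realm NETSERVER02.HARVEY.NET differs from the HARVEY.NET realm SSSD read from the keytab principal. With ad_domain = harvey.net the checker reports nothing. The script never touches DNS; to confirm the record the DC is publishing, query it directly, for example `dig SRV _ldap._tcp.harvey.net`, or set ad_server explicitly as the config's own comment suggests for the case where SRV resolution is not working.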