Hi,
I am trying to authenticate Linux users against the Samba 4.3 Active Directory. The wiki references I used are:
https://wiki.samba.org/index.php?title=Local_user_management_and_authenticat... and https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#What_is_RFC2307...
The Linux server configuration is:
[root@netserver02 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@netserver02 ~]# uname -a
Linux netserver02.harvey.net 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
I used "Method 1: Connecting to AD via Kerberos (recommended)", explained on the "Local_user_management_and_authentication" wiki page.
There was a time when this worked, i.e. I was able to read back Active Directory objects, i.e. users and groups, although I have not gotten this to work since; that was a few days ago. It seems like I may have turned on the LDAP communication: CentOS 6 has a GUI for configuring how to authenticate users, which I used, plus manual configuration file edits, and I loaded up the sssd cache. I was never able to repeat this, and the Unix IDs did not match what I was entering for the Unix Attributes in the Windows 8.1 RSAT tools. The user IDs and group IDs had very high numbers, i.e. up in the 70000s.
I followed the steps for sssd configuration in "Local_user_management_and_authentication" and created a service principal user, i.e. used the domain controller server name as the account, and all of the.
The domain was provisioned with --use-rfc2307; see "Using_RFC2307_on_a_Samba_DC". This describes what you need to do to set up the Active Directory controller to create records for a "nis" server. I confirmed all 55 records were loaded with the correct names for the host domain and nisdomain names; actually, samba-tool provision now does that when --use-rfc2307 is one of the options.
I attempted to use getent passwd and getent group to see if I was able to see any of the users or groups from the Active Directory. I was not able to. Here is the log of sssd -d 3 -i:
Note Samba is acting as a DNS server; it works with my workstations and laptops using DHCP.
Version of sssd that is installed:
[root@netserver02 convTmpYpSetupToDomain]# sssd --version
1.11.6
The sssd configuration file is shown after this log transaction.
[root@netserver02 convTmpYpSetupToDomain]# sssd -d 4 -i -c /etc/sssd/sssd.conf
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [netserver02.harvey.net]: [10]
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [netserver02.harvey.net]: [60]
(Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service netserver02.harvey.net for startup
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_netserver02.harvey.net,1)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))].
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_fqnames_init] (0x0100): Found the pattern for domain name
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_common_options] (0x0100): No AD server set, will use service discovery!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_common_options] (0x0100): Setting domain case-insensitive
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for nsupdate..
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option ldap_krb5_keytab set to /etc/krb5.sssd.keytab
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Will look for netserver02.harvey.net@NETSERVER02.HARVEY.NET in /etc/krb5.sssd.keytab
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to netserver02$
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_server set to (null)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0080): No SUDO module provided for [netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0080): No autofs module provided for [netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0020): No selinux module provided for [netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0020): No host info module provided for [netserver02.harvey.net] !!
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_netserver02.harvey.net,1)
(Sat Jan 3 20:04:34 2015) [sssd] [mark_service_as_started] (0x0100): Now starting services!
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [nss]: [10]
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [nss]: [60]
(Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service nss for startup
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [pam]: [10]
(Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [pam]: [60]
(Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service pam for startup
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100):
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))]. Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))].
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100):
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. Using fq format [%1$s@%2$s].
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100):
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for domain name Found the pattern for domain name
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x1361080]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x137ae30]
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Cancel DP ID timeout [0x1361080]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat Jan 3 20:04:34 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.netserver02.harvey.net'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolve_srv_done] (0x0040): Unable to resolve SRV [1432158225]: SRV record not found
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD' as 'not resolved'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (1432158225)
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Cancel DP ID timeout [0x137ae30]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
^C(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit_signal] (0x0040): Monitor received Interrupt: terminating children
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0040): Returned with: 0
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [pam][25954]
(Sat Jan 3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]] [sbus_dispatch] (0x0080):
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Connection is not open for dispatching. Child [pam] exited gracefully
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [nss][25953]
(Sat Jan 3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [netserver02.harvey.net][25951]
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [netserver02.harvey.net] exited gracefully
[root@netserver02 convTmpYpSetupToDomain]#
Contents of sssd.conf:
--------------------------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
#domains = default
debug_level = 2
#
filter_users_in_groups = false
#
#ldap_user_principal = netserver02$.harvey.net@HARVEY.NET
#
#ldap_referrals = true
#
[nss]
#
allowed_shells = /bin/bash
shell_fallback = /bin/bash
#
[pam]

[domain/netserver02.harvey.net]
#[domain/default]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
#
#dyndns_update=false
# Uncomment to use POSIX attributes on the server
ldap_id_mapping=false

#ad_enable_dns_sites = true
# Uncomment if the client machine hostname doesn't match the
# computer object on the DC.
#ad_hostname = dc1.samdom.example.com
ad_hostname = netserver02.harvey.net

#Uncomment if DNS SRV resolution is not working
#ad_server = netserver02.harvey.net

# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = harvey.net

# Enumeration is discouraged for performance reasons.
#enumerate = true

# location of the keytab
krb5_keytab=/etc/krb5.sssd.keytab
--------------------------------------------------------------------------------------------------------------------
How do you get this to work?
It seems like this is the way to go for using a single user database for Windows and Linux; it seems like it wants to work.
Scott Harvey
Tried to post before but the body had too much data; deleted graphics from the body.
-------- Forwarded Message --------
Subject: Attempting to Get sssd to Work With Samba 4.3 Active Directory
Date: Sat, 03 Jan 2015 20:17:40 -0800
From: Scott Harvey <sbharvey@verizon.net>
To: sssd-users@lists.fedorahosted.org
Picture that was here showed the Unix Attribute panel. Deleted to save space.
I followed the steps for sssd configuration in "Local_user_management_and_authentication" Created a service principle user i.e used the domain controller server name as the account. and all of the.
The domain was provisioned with the --use-rfc2307 see "Using_RFC2307_on_a_Samba_DC" This describes what you need to do to set up the Active Directory controller to create records for a "nis" server. I confirmed all 55 records were loaded in with the correct names for the host domain and nisdomain names, actually the samba-tool provision now does that when the --use-rfc2307 is one of the options.
I attempted to use getent passwd getent group to see if was able to see any of the users or groups from the active directory. I was not able to. Here is the log of sssd -d 3 -i
Note samba is acting as a DNS server it works with my workstations and laptops using dhcp.
Version of sssd that is installed: [root@netserver02 convTmpYpSetupToDomain]# sssd --version 1.11.6
The ssd configuration file is shown after this log transaction.
[root@netserver02 convTmpYpSetupToDomain]# sssd -d 4 -i -c /etc/sssd/sssd.conf (Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [netserver02.harvey.net]: [10] (Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [netserver02.harvey.net]: [60] (Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service netserver02.harvey.net for startup (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_netserver02.harvey.net,1) (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))]. (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sss_fqnames_init] (0x0100): Found the pattern for domain name (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_common_options] (0x0100): No AD server set, will use service discovery! (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_common_options] (0x0100): Setting domain case-insensitive (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [_ad_servers_init] (0x0100): Added service discovery for AD (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for nsupdate.. 
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_ad_id_options] (0x0100): Option ldap_krb5_keytab set to /etc/krb5.sssd.keytab (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Will look for netserver02.harvey.net@NETSERVER02.HARVEY.NET in /etc/krb5.sssd.keytab (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to netserver02$ (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to HARVEY.NET (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server. (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_server set to (null) (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to NETSERVER02.HARVEY.NET (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults. (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults. (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [check_and_export_options] (0x0100): ccache is of type FILE (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0080): No SUDO module provided for [netserver02.harvey.net] !! 
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0080): No autofs module provided for [netserver02.harvey.net] !! (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0020): No selinux module provided for [netserver02.harvey.net] !! (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_process_init] (0x0020): No host info module provided for [netserver02.harvey.net] !! (Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_netserver02.harvey.net,1) (Sat Jan 3 20:04:34 2015) [sssd] [mark_service_as_started] (0x0100): Now starting services! (Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [nss]: [10] (Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [nss]: [60] (Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service nss for startup (Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between service pings for [pam]: [10] (Sat Jan 3 20:04:34 2015) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [pam]: [60] (Sat Jan 3 20:04:34 2015) [sssd] [start_service] (0x0100): Queueing service pam for startup (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Jan 3 20:04:34 2015) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1) (Sat Jan 3 20:04:34 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1) (Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): (Sat Jan 3 20:04:34 2015) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))]. Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))]. 
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): (Sat Jan 3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. Using fq format [%1$s@%2$s]. (Sat Jan 3 20:04:34 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): (Sat Jan 3 20:04:34 2015) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for domain name Found the pattern for domain name (Sat Jan 3 20:04:34 2015) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM) (Sat Jan 3 20:04:34 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS) (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x1361080] (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x137ae30] (Sat Jan 3 20:04:34 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192] (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Cancel DP ID timeout [0x1361080] (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Added Frontend client [PAM] (Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1) (Sat Jan 3 20:04:34 2015) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Sat Jan 3 20:04:34 2015) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.netserver02.harvey.net' (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] 
[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working' (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [resolve_srv_done] (0x0040): Unable to resolve SRV [1432158225]: SRV record not found (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD' as 'not resolved' (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (1432158225) (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD' (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]) (Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks. 
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Cancel DP ID timeout [0x137ae30]
(Sat Jan 3 20:04:34 2015) [sssd[be[netserver02.harvey.net]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Sat Jan 3 20:04:34 2015) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Sat Jan 3 20:04:34 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:04:44 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:04:44 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:04:54 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:04:54 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:04 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:04 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:14 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:14 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging netserver02.harvey.net
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Sat Jan 3 20:05:24 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service netserver02.harvey.net replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Sat Jan 3 20:05:24 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
^C(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit_signal] (0x0040): Monitor received Interrupt: terminating children
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0040): Returned with: 0
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [pam][25954]
(Sat Jan 3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [nss][25953]
(Sat Jan 3 20:05:28 2015) [sssd[be[netserver02.harvey.net]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Terminating [netserver02.harvey.net][25951]
(Sat Jan 3 20:05:28 2015) [sssd] [monitor_quit] (0x0020): Child [netserver02.harvey.net] exited gracefully
[root@netserver02 convTmpYpSetupToDomain]#
Contents of sssd.conf:
--------------------------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
#domains = default
debug_level = 2
#
filter_users_in_groups = false
#
#ldap_user_principal = netserver02$.harvey.net@HARVEY.NET
#
#ldap_referrals = true
#
[nss]
#
allowed_shells = /bin/bash
shell_fallback = /bin/bash
#
[pam]

[domain/netserver02.harvey.net]
#[domain/default]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
#
#dyndns_update=false
# Uncomment to use POSIX attributes on the server
ldap_id_mapping=false
#ad_enable_dns_sites = true
# Uncomment if the client machine hostname doesn't match the
# computer object on the DC.
#ad_hostname = dc1.samdom.example.com
ad_hostname = netserver02.harvey.net
#Uncomment if DNS SRV resolution is not working
#ad_server = netserver02.harvey.net
# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = harvey.net
# Enumeration is discouraged for performance reasons.
#enumerate = true
# location of the keytab
krb5_keytab=/etc/krb5.sssd.keytab
--------------------------------------------------------------------
How do you get this to work?
It seems like this is the way to go for using a single user database for Windows and Linux; it seems like it wants to work.
Scott Harvey
On Sun, Jan 04, 2015 at 04:33:29PM -0800, Scott Harvey wrote:
Tried to post before, but the body had too much data; deleted graphics from the body.
I think the sssd config file and logs would be nice to see. And since Samba is more-or-less an AD DC, maybe even enrolling the client would be possible with adcli: https://jhrozek.livejournal.com/3581.html
But it looks like you've enrolled the client already.
On 1/5/2015 2:45 AM, Jakub Hrozek wrote:
Thank you for getting back.
When you say "enroll a client", what do you mean? I have an SPN that I set up that is the machine name of my DC, as instructed by https://wiki.samba.org/index.php?title=Local_user_management_and_authenticat...
# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=dc1$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab
dc1 is netserver02 in my case.
Contents of the sssd config file:
--------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = netserver02.harvey.net
#domains = default
debug_level = 2
#
filter_users_in_groups = false
#
#ldap_user_principal = netserver02$.harvey.net@HARVEY.NET
#
#ldap_referrals = true
#
[nss]
#
allowed_shells = /bin/bash
shell_fallback = /bin/bash
#
[pam]

[domain/netserver02.harvey.net]
#[domain/default]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
#
#dyndns_update=false
# Uncomment to use POSIX attributes on the server
ldap_id_mapping=false
#ad_enable_dns_sites = true
# Uncomment if the client machine hostname doesn't match the
# computer object on the DC.
#ad_hostname = dc1.samdom.example.com
ad_hostname = netserver02.harvey.net
#Uncomment if DNS SRV resolution is not working
#ad_server = netserver02.harvey.net
# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = harvey.net
# Enumeration is discouraged for performance reasons.
#enumerate = true
# location of the keytab
# Make sure this is generated before use..
krb5_keytab=/etc/krb5.sssd.keytab
--------------------------------------------------
Hi, your sssd.conf shows that your domain name is 'netserver02.harvey.net' and RSAT shows the NIS domain to be 'harvey', so could 'netserver02' be the hostname of the machine and 'harvey.net' be the domain name?
Could you please also post your smb.conf
Rowland
On 1/5/2015 3:19 AM, Rowland Penny wrote:
Thank you for getting back. The NIS name cannot be changed in Active Directory, at least not in the menu. I seem to remember reading that the NIS name should be the domain name, not harvey.net.
Contents of smb.conf:
-------------------------------------------------------------------------------------
# Global parameters
[global]
workgroup = HARVEY
realm = HARVEY.NET
netbios name = NETSERVER02
server string = Samba PDC Harvey House
server role = active directory domain controller
dns forwarder = 192.168.1.1
# allow dns updates = nonsecure
server services = +dns, +dnsupdate
#
idmap_ldb:use rfc2307 = yes
#
# From
#https://wiki.archlinux.org/index.php/Active_Directory_Integration
#
# encrypt passwords = yes
# password server = netserver02.harvey.net
#
# idmap config * : backend = rid
# idmap config * : range = 10000-20000
#
# winbind use default domain = Yes
# winbind enum users = Yes
# winbind enum groups = Yes
# winbind nested groups = Yes
# winbind separator = +
# winbind refresh tickets = yes
#
template shell = /bin/bash
template homedir = /home/%D/%U
#
#preferred master = no
#dns proxy = no
#wins server = netserver02.harvey.net
#wins proxy = no
#
#inherit acls = Yes
#map acl inherit = Yes
#acl group control = yes
#
# End From
#
#acl map full control = True
#acl group control = yes
#
# Controlling Access Control list, the way windows does
# For member domain controllers only
#
#vfs objects = acl_xattr
#map acl inherit = Yes
#store dos attributes = Yes
#
# this tells Samba to use a separate log file for each machine
# that connects
#log file = /var/samba/log/log.%m
# Put a capping on the size of the log files (in Kb).
#
log level = 3
max log size = 1000
log file = /var/samba/log/%m.log
#
hosts allow = 192.168.1.0/26 192.168.1.64/26 192.168.1.128/26 127.0.0.1
hosts deny = 0.0.0.0/0
# Note this will have to remain because authentication
# does not work with sssd yet (service principal not recognized etc..)
# this seems to work for a semi manual approach for synchronizing the password
# with the local account on this server
unix password sync = Yes
# passwd chat etc.. does not seem to be needed in this setup. This server is the Active Directory; it's not
# clear what is making it work, sssd is not required for
# it to function. I have cycled the samba4 service off/on to make sure the settings have been updated
# passwd program = /usr/bin/passwd %u
# passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
#
[netlogon]
path = /usr/local/samba/var/locks/sysvol/harvey.net/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

#============================ Share Definitions ==============================
-------------------------------------
On 06/01/15 05:26, Scott Harvey wrote:
OK, it is what I thought, try changing these lines in sssd.conf:
domains = netserver02.harvey.net
[domain/netserver02.harvey.net]
To:
domains = harvey.net
[domain/harvey.net]
Also you have this line in smb.conf:
unix password sync = Yes
Why? I do hope that you are not trying to have Unix users and users in AD with the same username.
Rowland
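The mismatch Rowland points out (the sssd domain is named after the host, netserver02.harvey.net, while the Samba realm is HARVEY.NET) can be caught with a small cross-check before restarting sssd. This is an added example, not code from the thread or from sssd/Samba; it assumes only sed, grep and coreutils and runs against constructed copies of the thread's two configs.

```bash
#!/bin/bash
# Added example, not from the thread: cross-check the domain naming in sssd.conf
# against the realm in smb.conf, the mismatch Rowland points out above
# (domains = netserver02.harvey.net names the host; the realm is HARVEY.NET).
set -u

# Realm from smb.conf, lower-cased (sssd domain names are conventionally lower-case).
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 \
        | tr '[:upper:]' '[:lower:]'
}

# First entry of "domains =" from sssd.conf, which is all this thread uses.
sssd_domain() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 \
        | cut -d, -f1 | tr -d '[:space:]'
}

# 0 if sssd.conf ($1) has a [domain/<name>] section for <name> ($2), else 1.
has_domain_section() {
    grep -q "^\[domain/$2\]" "$1"
}

# Print findings; return 0 only when the sssd domain equals the realm and
# has a matching [domain/...] section, which is what Rowland's fix produces.
check_domain() {
    local realm domain rc=0
    realm=$(smb_realm "$1")
    domain=$(sssd_domain "$2")
    if [ "$domain" != "$realm" ]; then
        echo "domains = $domain does not match smb.conf realm $realm"
        rc=1
    fi
    if ! has_domain_section "$2" "$domain"; then
        echo "no [domain/$domain] section in $2"
        rc=1
    fi
    return $rc
}

# Constructed sample files reproducing the thread's values before and after the fix
# (left in $WORK for inspection; not the real /etc files).
WORK=$(mktemp -d)
printf '[global]\n\trealm = HARVEY.NET\n\tworkgroup = HARVEY\n' > "$WORK/smb.conf"
printf '[sssd]\ndomains = netserver02.harvey.net\n\n[domain/netserver02.harvey.net]\nid_provider = ad\n' \
    > "$WORK/sssd.bad"
printf '[sssd]\ndomains = harvey.net\n\n[domain/harvey.net]\nid_provider = ad\n' > "$WORK/sssd.good"

check_domain "$WORK/smb.conf" "$WORK/sssd.bad" || echo "sssd.bad needs Rowland's fix"
check_domain "$WORK/smb.conf" "$WORK/sssd.good" && echo "sssd.good is consistent"
```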