Hello everybody,
I have been trying hard to get sssd to work on a new CentOS 7 workstation.
sssd --version 1.14.0
# working ldapsearch command and output https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
The problem is I am at a customer that has an old Windows 2008 AD server with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and loginShell need to be used, so that my nfs shares have the correct mapping.
They used an old NIS server in the past, but it is broken and has no AD connection any more.
I cannot seem to bind to the RootDSE without using a username and password (see the ldapsearch command). I tried converting "LDAP@wdm.local" to a cn path, but whatever I try I get "additional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1" back.
My sssd just keeps logging: ([sssd[be[default]]] [dp_req_reply_gen_error] (0x0080): DP Request [Subdomains #0]: Finished. Target is not supported with this configuration.
[root@vsxtest01 ~]# cat /etc/sssd/sssd.conf
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://sw008.wdm.local/
ldap_search_base = ou=COMPANY,dc=wdm,dc=local
#ldap_schema = rfc2307bis
#ldap_user_home_directory = unixHomeDirectory
#ldap_tls_reqcert = allow
#ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 5
autofs_provider = ldap
#ldap_default_bind_dn = cn=LDAP,ou=Users,ou=COMPANY,dc=wdm,dc=local
ldap_default_bind_dn = LDAP@wdm.local
ldap_default_authtok = *secret*
ldap_default_authtok_type = password
cache_credentials = True

[sssd]
config_file_version = 2
services = autofs
domains = default

[autofs]
I have no idea how to get my user authentication working with the correct uidNumber, gidNumber mapping.
Can somebody maybe help?
Kind regards,
Jelle de Jong
On Wed, 19 Jul 2017, Jelle de Jong wrote:
> The problem is I am at a customer that has an old Windows 2008 AD server with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and loginShell need to be used, so that my nfs shares have the correct mapping.
That's fine.
> [sssd]
> services = autofs
Do you really only want autofs?
> [autofs]
> I have no idea how to get my user authentication working with the correct uidNumber, gidNumber mapping.
> Can somebody maybe help?
My advice would be:
Stop using the ldap provider. Use the ad provider, and join your machines to the domain and use GSSAPI auth. No need to do anything with TLS, auth will just work.
ldap_id_mapping = False
Point it specifically at whatever attributes you need to, e.g. ldap_user_uid_number = msSFU30UidNumber
jh
On (19/07/17 16:57), Jelle de Jong wrote:
> Hello everybody,
> I have been trying hard to get sssd to work on a new CentOS 7 workstation.
> sssd --version 1.14.0
> # working ldapsearch command and output https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
> The problem is I am at a customer that has an old Windows 2008 AD server with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and loginShell need to be used, so that my nfs shares have the correct mapping.
You might check the sssd nfs idmap plugin (man sss_rpcidmapd). But the biggest problem is the wrong sssd configuration.
Is there a reason why you cannot join the machine to AD with "realm join"? It will use a krb5 keytab for the connection to AD instead of a certificate. And the configuration is much simpler.
LS
Hello everybody,
On 19/07/17 16:57, Jelle de Jong wrote:
> Hello everybody,
> I have been trying hard to get sssd to work on a new CentOS 7 workstation.
> sssd --version 1.14.0
> # working ldapsearch command and output https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
> The problem is I am at a customer that has an old Windows 2008 AD server with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and loginShell need to be used, so that my nfs shares have the correct mapping.
> They used an old NIS server in the past, but it is broken and has no AD connection any more.
> I cannot seem to bind to the RootDSE without using a username and password (see the ldapsearch command). I tried converting "LDAP@wdm.local" to a cn path, but whatever I try I get "additional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1" back.
> My sssd just keeps logging: ([sssd[be[default]]] [dp_req_reply_gen_error] (0x0080): DP Request [Subdomains #0]: Finished. Target is not supported with this configuration.
> [root@vsxtest01 ~]# cat /etc/sssd/sssd.conf
> [domain/default]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://sw008.wdm.local/
> ldap_search_base = ou=COMPANY,dc=wdm,dc=local
> #ldap_schema = rfc2307bis
> #ldap_user_home_directory = unixHomeDirectory
> #ldap_tls_reqcert = allow
> #ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> debug_level = 5
> autofs_provider = ldap
> #ldap_default_bind_dn = cn=LDAP,ou=Users,ou=COMPANY,dc=wdm,dc=local
> ldap_default_bind_dn = LDAP@wdm.local
> ldap_default_authtok = *secret*
> ldap_default_authtok_type = password
> cache_credentials = True
>
> [sssd]
> config_file_version = 2
> services = autofs
> domains = default
>
> [autofs]
> I have no idea how to get my user authentication working with the correct uidNumber, gidNumber mapping.
> Can somebody maybe help?
I got a working setup... I split the config between custom and standard created settings. I do not know what I need the nss or autofs service for, but these seem to be auto-created. The ldap.conf is untouched, standard config from authconfig; the ldap_user and ldap_group settings all seem to be needed to make it work.... Of the entryuuid I do not know what it does exactly. Does this look okay to take into production?
- name: "setup authentication sssd configs"
  command: "authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enablemkhomedir --update"
- name: "setup authentication ldap configs"
  command: "authconfig --enableldap --enableldapauth --ldapserver=sw008.wdm.local --ldapbasedn=ou=COMPANY,dc=wdm,dc=local --ldaploadcacert=http://vsxansible01.wdm.local/msadmaster.pem --enableldaptls --update"
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = ou=COMPANY,dc=wdm,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://sw008.wdm.local/
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
enumerate = True
ldap_default_authtok_type = password
ldap_default_authtok = *secret*
ldap_default_bind_dn = LDAP@wdm.local

[sssd]
domains = default
services = nss, autofs
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[autofs]
On (19/07/17 19:37), Jelle de Jong wrote:
> Hello everybody,
> On 19/07/17 16:57, Jelle de Jong wrote:
>> Hello everybody,
>> I have been trying hard to get sssd to work on a new CentOS 7 workstation.
>> sssd --version 1.14.0
>> # working ldapsearch command and output https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
>> The problem is I am at a customer that has an old Windows 2008 AD server with Unix tools and the uidNumber, gidNumber, unixHomeDirectory and loginShell need to be used, so that my nfs shares have the correct mapping.
>> They used an old NIS server in the past, but it is broken and has no AD connection any more.
>> I cannot seem to bind to the RootDSE without using a username and password (see the ldapsearch command). I tried converting "LDAP@wdm.local" to a cn path, but whatever I try I get "additional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1" back.
>> My sssd just keeps logging: ([sssd[be[default]]] [dp_req_reply_gen_error] (0x0080): DP Request [Subdomains #0]: Finished. Target is not supported with this configuration.
>> [root@vsxtest01 ~]# cat /etc/sssd/sssd.conf
>> [domain/default]
>> id_provider = ldap
>> auth_provider = ldap
>> chpass_provider = ldap
>> ldap_uri = ldap://sw008.wdm.local/
>> ldap_search_base = ou=COMPANY,dc=wdm,dc=local
>> #ldap_schema = rfc2307bis
>> #ldap_user_home_directory = unixHomeDirectory
>> #ldap_tls_reqcert = allow
>> #ldap_id_use_start_tls = True
>> ldap_tls_cacertdir = /etc/openldap/cacerts
>> debug_level = 5
>> autofs_provider = ldap
>> #ldap_default_bind_dn = cn=LDAP,ou=Users,ou=COMPANY,dc=wdm,dc=local
>> ldap_default_bind_dn = LDAP@wdm.local
>> ldap_default_authtok = *secret*
>> ldap_default_authtok_type = password
>> cache_credentials = True
>>
>> [sssd]
>> config_file_version = 2
>> services = autofs
>> domains = default
>>
>> [autofs]
>> I have no idea how to get my user authentication working with the correct uidNumber, gidNumber mapping.
>> Can somebody maybe help?
> I got a working setup... I split the config between custom and standard created settings. I do not know what I need the nss or autofs service for, but these seem to be auto-created. The ldap.conf is untouched, standard config from authconfig; the ldap_user and ldap_group settings all seem to be needed to make it work.... Of the entryuuid I do not know what it does exactly. Does this look okay to take into production?
> - name: "setup authentication sssd configs"
>   command: "authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enablemkhomedir --update"
I think I overlooked an answer to our questions.
Is there a reason why you need to use authconfig + rfc2307bis instead of "realm join"?
And if you cannot use "id_provider = ad", which is generated by realm join, then it would be better to use "ldap_schema = ad".
LS
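The two suggestions made in this thread (jh: join the machine with realm join, use the ad provider and set ldap_id_mapping = False; LS: if joining is impossible, keep the ldap provider but switch to ldap_schema = ad) put together in one example /etc/sssd/sssd.conf. This is an added example, not a config posted by anyone in the thread. The domain wdm.local, the host sw008.wdm.local, the search base and the bind account come from the original post; the realm name, the service list, access_provider and fallback_homedir are assumptions to adjust.

```ini
# Example sssd.conf for the setup discussed in this thread (added example,
# not from the thread). wdm.local, sw008.wdm.local and ou=COMPANY,dc=wdm,dc=local
# come from the original post; everything else is an assumption to adjust.

[sssd]
config_file_version = 2
domains = wdm.local
services = nss, pam, autofs

# --- Option 1 (preferred): machine joined with "realm join wdm.local" -------
# realm join creates /etc/krb5.keytab, so sssd authenticates to the DCs with
# GSSAPI: no bind DN and no cleartext ldap_default_authtok in this file.
[domain/wdm.local]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
autofs_provider = ad
ad_domain = wdm.local
krb5_realm = WDM.LOCAL
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = False

# Use the POSIX attributes stored in AD instead of IDs generated from the
# objectSID, so file ownership on the NFS shares matches the old NIS UIDs.
ldap_id_mapping = False
# The "ad" schema already maps to the attributes below; set them only if
# the customer's AD uses other names (e.g. msSFU30UidNumber).
#ldap_user_uid_number = uidNumber
#ldap_user_gid_number = gidNumber
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_shell = loginShell
# Users without uidNumber/gidNumber are not returned in this mode;
# fallback_homedir applies only when unixHomeDirectory is empty.
fallback_homedir = /home/%u

# --- Option 2: cannot join, keep the ldap provider but use the AD schema ---
# To use it, uncomment this section and remove the [domain/wdm.local] one
# (and set domains = default in [sssd]).
#[domain/default]
#id_provider = ldap
#auth_provider = ldap
#chpass_provider = ldap
#autofs_provider = ldap
#ldap_uri = ldap://sw008.wdm.local/
#ldap_search_base = ou=COMPANY,dc=wdm,dc=local
## ldap_schema = ad presets object classes (user/group), sAMAccountName,
## objectGUID and the uidNumber/gidNumber/unixHomeDirectory/loginShell
## attributes, so none of the ldap_user_*/ldap_group_* overrides are needed.
#ldap_schema = ad
#ldap_id_mapping = False
#ldap_referrals = False
## The bind password travels over the wire: require STARTTLS with a verified
## CA certificate instead of ldap_tls_reqcert = allow.
#ldap_id_use_start_tls = True
#ldap_tls_reqcert = demand
#ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_default_bind_dn = LDAP@wdm.local
#ldap_default_authtok_type = password
#ldap_default_authtok = *secret*
#cache_credentials = True

[nss]
filter_users = root
filter_groups = root

[pam]

[autofs]
```

With either option, `getent passwd <user>` should return the uidNumber, gidNumber, unixHomeDirectory and loginShell stored in AD rather than generated values; if a user is missing, the first thing to check is that the AD object actually carries a uidNumber and gidNumber, because with ldap_id_mapping = False sssd skips accounts that have none.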
sssd-users@lists.fedorahosted.org