Re: [Samba] Should I forget sssd ?
On Tue, 2013-10-01 at 17:06 +1100, m...@electronico.nc wrote:
> On 01/10/2013 16:44, steve wrote:
> > Hi
> > It looks as though the ad backend is broken in 1.11.1. At least I can't get it going with a similar sssd.conf:
> > https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html
> > I rolled back to 1.10.0 and it's fine.
> > Re: your question. If you can get away without having Linux clients in the domain, then yes, you can forget sssd entirely.
> > HTH and good luck,
> > Steve
>
> Ah !!! This makes sense to my life ( https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html ) !
> I was wondering if I won't go back to sheep and cows ;-)
> Will try sssd 1.10.0 !
> (Yes, the Ubuntu host is actually the only Linux 'client' in the domain)
> Thanks again (posting 48 hours earlier would have saved my soul during this time)
> Nicolas

Hi
The bug in 1.11.1 has been fixed by the Red Hat guys:

[PATCH] AD: properly intitialize GC from ad_server option --- src/providers/ad/ad_common.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 700ac03..ab62d64 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -441,7 +441,7 @@ _ad_servers_init(TALLOC_CTX *mem_ctx, } sdata-gc = true; -ret = be_fo_add_server(bectx, fo_service, list[i], 0, sdata, primary); +ret = be_fo_add_server(bectx, fo_gc_service, list[i], 0, sdata, primary); if (ret ret != EEXIST) { DEBUG(SSSDBG_FATAL_FAILURE, (Failed to add server\n)); goto done; -- 1.7.7.6

HTH
Steve
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
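Review bot: the one-line change to the `be_fo_add_server` call is the right fix for the context shown: `sdata-gc = true` (read `sdata->gc`) has just flagged this entry as a Global Catalog server, yet the removed line registered it with `fo_service`, the plain LDAP failover service, so hosts taken from ad_server never landed in `fo_gc_service` and GC lookups had no server to fail over to; registering them with `fo_gc_service` matches the `gc` flag set two lines earlier. Two points for the reviewer: the unchanged context `if (ret ret != EEXIST)` and the bare `(Failed to add server\n)` argument have lost characters in mail transit (the operator between the two `ret`, most likely `&&`, and the string quotes), so apply the patch from the sssd-devel archive or git rather than from this copy; and since `EEXIST` is deliberately not treated as fatal here, a host listed twice in ad_server is silently accepted, which deserves a sentence in the commit message (whose subject also misspells "initialize").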
Re: [Samba] Should I forget sssd ?
On 01/10/2013 16:44, steve wrote:
> Hi
> It looks as though the ad backend is broken in 1.11.1. At least I can't get it going with a similar sssd.conf:
> https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html
> I rolled back to 1.10.0 and it's fine.
> Re: your question. If you can get away without having Linux clients in the domain, then yes, you can forget sssd entirely.
> HTH and good luck,
> Steve

Ah !!! This makes sense to my life ( https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html ) !
I was wondering if I won't go back to sheep and cows ;-)
Will try sssd 1.10.0 !
(Yes, the Ubuntu host is actually the only Linux 'client' in the domain)
Thanks again (posting 48 hours earlier would have saved my soul during this time)
Nicolas
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
[Samba] Should I forget sssd ?
Hi again,
Thanks again, Denis, Steve and Rowland for your previous answers about RFC2307 and winbind.
Maybe I'm a dreamer but here is what I wanted to achieve:
Ubuntu server 12.04.3, samba4 as PDC, several NICs: 1 LAN and 2/3 WANs
Use a Windows VM (on this server) to control AD through WRAT
AD offers me the 'wisdom' of software deployment and GPO, users can't install anything
All standard Linux services (apache, postfix, dovecot, pptp, mysql, webmail, ...) can query AD

What is done:
I have set up 'folder redirection' in WRAT, so users' 'documents' and 'desktop' are available offline and mapped to home/%U on the server
AD Administrator has a roaming profile
Searched a lot and succeeded in deploying Office, Acrobat Reader, Skype, 7-zip, Firefox to users (Windows is another world...)
Shares are mounted (depending on AD 'ou' rights) on users' PCs
Administrator can log in via UltraVNC to all workstations

What needs to be done:
Linux services to auth to AD
From what I've read, sssd is the more secure solution to achieve this, but ...
Using sssd 1.11.1: files configuration:

1) sudo cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = radiodjiido.nc
[nss]
[pam]
[domain/radiodjiido.nc]
dyndns_update = false
ad_hostname = serveur.radiodjiido.nc
ad_server = serveur.radiodjiido.nc
ad_domain = radiodjiido.nc
ldap_schema = ad
id_provider = ad
access_provider = simple
enumerate = true
cache_credentials = true
auth_provider = krb5
chpass_provider = krb5
krb5_realm = RADIODJIIDO.NC
krb5_server = serveur.radiodjiido.nc
krb5_kpasswd = serveur.radiodjiido.nc
#next line only lists users with uidNumber/gidNumber entered via ldbedit
ldap_id_mapping = false
ldap_referrals = false
ldap_uri = ldap://serveur.radiodjiido.nc
ldap_search_base = dc=radiodjiido,dc=nc
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=radiodjiido,dc=nc
ldap_group_name = cn
ldap_group_member = member
ldap_sasl_mech = gssapi
#ldap_sasl_authid = serveur$
ldap_sasl_authid = serveur$@RADIODJIIDO.NC
krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = RADIODJIIDO
realm = RADIODJIIDO.NC
netbios name = SERVEUR
server role = active directory domain controller
dns forwarder = 192.168.1.1
# for sssd
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/radiodjiido.nc/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[Profiles]
path = /media/data/Profiles/
read only = No
[partage]
comment = partage general
path = /media/data/global
read only = No
[home]
comment = dossiers utilisateurs
path = /media/data/homes
read only = No
[journal]
comment = journal
path = /media/data/journal
read only = No
[musique]
comment = musique
path = /media/data/musique
read only = No
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss

Result with: getent passwd
mysql:x:113:124:MySQL Server,,,:/nonexistent:/bin/false
nut:x:114:125::/var/lib/nut:/bin/false
nico:*:325:100:nico:/:
- the user I entered uidNumber/gidNumber for is listed, home dir seems to be / and no shell

Result with: getent group
rtkit:x:123:
mysql:x:124:
nut:x:125:
- no AD group listed at all

2) If sssd.conf is modified:
#ldap_id_mapping = false
ldap_schema = rfc2307bis
getent passwd and getent group list (nearly all) users and groups in AD with the infamous random IDs like:
nico-virtual-7$:*:166801125:166800515:NICO-VIRTUAL-7:/:
administrator:*:166800500:166800513:Administrator:/:

So I'm a bit desperate with the sssd use...
Is an OpenLDAP proxy the best way to make all this work together?
Thanks in advance for your time.
Nicolas

In case that could help someone, here are the steps I've done to install sssd 1.11.1:
cd ~
wget https://fedorahosted.org/released/sssd/sssd-1.11.1.tar.gz
sudo apt-get install debhelper quilt dh-autoreconf autopoint lsb-release dpkg-dev dnsutils libpopt-dev libdbus-1-dev libkeyutils-dev libkeyutils-dev libldap2-dev libpam-dev libnl-dev libnss3-dev libnspr4-dev libpcre3-dev libselinux1-dev libsasl2-dev libtevent-dev libldb-dev
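The "random" IDs above are not random: with ldap_id_mapping on, sssd carves the ID space into slices of ldap_idmap_range_size, picks one slice per domain from a hash of the domain SID, and maps every object to slice base + RID. The following Python is an added illustration (not code from the thread or from sssd) that recovers the slice from the two getent lines quoted above; it assumes sssd's defaults ldap_idmap_range_min = ldap_idmap_range_size = 200000 and uses a constructed placeholder domain SID.

```python
# Added example: decompose sssd's ldap_id_mapping output (base + RID) using
# the getent lines from the thread. Defaults assumed: range_min = range_size = 200000.
import re

RANGE_MIN = 200000    # ldap_idmap_range_min default (assumption: unchanged on the host)
RANGE_SIZE = 200000   # ldap_idmap_range_size default: IDs available per domain slice

# getent passwd lines copied from the thread (the IDs are the observed values)
GETENT_PASSWD = """\
nico-virtual-7$:*:166801125:166800515:NICO-VIRTUAL-7:/:
administrator:*:166800500:166800513:Administrator:/:
"""

WELL_KNOWN_RIDS = {500: "Administrator", 513: "Domain Users", 515: "Domain Computers"}

def rid_of(sid: str) -> int:
    """The last sub-authority of a domain object SID is its RID."""
    if not re.fullmatch(r"S-1-5-21(-\d+){3}-\d+", sid):
        raise ValueError(f"not a domain object SID: {sid}")
    return int(sid.rsplit("-", 1)[1])

def slice_base(uid: int, rid: int) -> int:
    """Recover the start of the domain's slice from one known (uid, rid) pair."""
    base = uid - rid
    if base < RANGE_MIN or (base - RANGE_MIN) % RANGE_SIZE:
        raise ValueError(f"{uid}-{rid}={base} is not a slice boundary under the assumed defaults")
    return base

def slice_index(base: int) -> int:
    """Which of the (range_max-range_min)/range_size slices the hash of the domain SID selected."""
    return (base - RANGE_MIN) // RANGE_SIZE

def mapped_id(base: int, rid: int) -> int:
    """sssd maps RID r of a domain whose slice starts at base to base + r (uid and gid alike)."""
    if not 0 <= rid < RANGE_SIZE:
        raise ValueError("RID beyond slice size; sssd would allocate a secondary slice")
    return base + rid

def explain_getent(text: str, base: int) -> dict:
    """Map each getent line to (user RID, primary group RID, group name) relative to base."""
    out = {}
    for line in text.splitlines():
        name, _, uid, gid, *_ = line.split(":")
        urid, grid = int(uid) - base, int(gid) - base
        out[name] = (urid, grid, WELL_KNOWN_RIDS.get(grid, "rid %d" % grid))
    return out
```

Because the slice is chosen from the domain SID and the range settings, two hosts with different ldap_idmap_range_* values map the same AD user to different UIDs, so keep those settings identical everywhere files are shared.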
Re: [Samba] Should I forget sssd ?
On Tue, 2013-10-01 at 15:48 +1100, m...@electronico.nc wrote:
> Hi again,
> Thanks again, Denis, Steve and Rowland for your previous answers about RFC2307 and winbind.
> Maybe I'm a dreamer but here is what I wanted to achieve:
> Ubuntu server 12.04.3, samba4 as PDC, several NICs: 1 LAN and 2/3 WANs
> Use a Windows VM (on this server) to control AD through WRAT
> AD offers me the 'wisdom' of software deployment and GPO, users can't install anything
> All standard Linux services (apache, postfix, dovecot, pptp, mysql, webmail, ...) can query AD
>
> What is done:
> I have set up 'folder redirection' in WRAT, so users' 'documents' and 'desktop' are available offline and mapped to home/%U on the server
> AD Administrator has a roaming profile
> Searched a lot and succeeded in deploying Office, Acrobat Reader, Skype, 7-zip, Firefox to users (Windows is another world...)
> Shares are mounted (depending on AD 'ou' rights) on users' PCs
> Administrator can log in via UltraVNC to all workstations
>
> What needs to be done:
> Linux services to auth to AD
> From what I've read, sssd is the more secure solution to achieve this, but ...
>
> Using sssd 1.11.1: files configuration:
> 1) sudo cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = radiodjiido.nc
> [nss]
> [pam]
> [domain/radiodjiido.nc]
> dyndns_update = false
> ad_hostname = serveur.radiodjiido.nc
> ad_server = serveur.radiodjiido.nc
> ad_domain = radiodjiido.nc
> ldap_schema = ad
> id_provider = ad
> access_provider = simple
> enumerate = true
> cache_credentials = true
> auth_provider = krb5
> chpass_provider = krb5
> krb5_realm = RADIODJIIDO.NC
> krb5_server = serveur.radiodjiido.nc
> krb5_kpasswd = serveur.radiodjiido.nc
> #next line only lists users with uidNumber/gidNumber entered via ldbedit
> ldap_id_mapping = false
> ldap_referrals = false
> ldap_uri = ldap://serveur.radiodjiido.nc
> ldap_search_base = dc=radiodjiido,dc=nc
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_group_object_class = group
> ldap_group_search_base = dc=radiodjiido,dc=nc
> ldap_group_name = cn
> ldap_group_member = member
> ldap_sasl_mech = gssapi
> #ldap_sasl_authid = serveur$
> ldap_sasl_authid = serveur$@RADIODJIIDO.NC
> krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true

Hi
It looks as though the ad backend is broken in 1.11.1. At least I can't get it going with a similar sssd.conf:
https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html
I rolled back to 1.10.0 and it's fine.
Re: your question. If you can get away without having Linux clients in the domain, then yes, you can forget sssd entirely.
HTH and good luck,
Steve
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba