On Fri, Dec 16, 2016 at 04:33:37PM -0000, [email protected] wrote:
> Thanks very much for the response! Much appreciated
> Yes it does. getent group does return the proper gid for queried groups
>
> [root@X samba]# getent group MC-Services
> MC-Services:*:11959:

ok, but I guess "getent group 'MC\MC-Services'" (the group name you use in smb.conf) does not return anything.

Is there a reason you use id_provider=ldap and auth_provider=krb5 instead of id_provider=ad? The 'MC' before the '\' is the NetBIOS domain name of the AD domain which cannot be discovered by the plain LDAP provider but the AD provider can.

If you cannot change the provider you can try to change the SSSD domain name in sssd.conf from 'foo' to MC. Then it should be possible to resolve names like 'MC\MC-Services' but in general I would recommend to try the AD provider.

HTH

bye,
Sumit

>
> Here is our sssd.conf
> >>>>
> [sssd]
> config_file_version = 2
> debug_level = 6
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = foo
>
> [nss]
> filter_groups = root,
> filter_users = root,
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/foo]
> enumerate = False
> id_provider = ldap
> min_id = 1000
> chpass_provider = krb5
> ldap_schema = rfc2307bis
> # currently using ldap over port 389 because ldaps over 686 returns 'encoded packet size too big'
> ldap_uri = ldap://dc.mc.foo.com
> ldap_search_base = ou=accounts,dc=mc,dc=foo,dc=com
> ldap_id_mapping = false
> ldap_tls_reqcert = allow
> ldap_sasl_mech = GSSAPI
> ldap_sasl_canonicalize = true
> ldap_sasl_authid = X$
> ldap_krb5_init_creds = true
> ldap_user_object_class = user
> ldap_group_object_class = top
> ldap_group_nesting_level = 5
> ldap_group_search_base = ou=accounts,dc=mc,dc=foo,dc=com?subtree?&(objectClass=top)(!(objectClass=computer))(gidnumber=*)(|(groupType<=0)(&(objectClass=user)(objectCategory=person)(uidNumber=*)))
> ldap_user_name = sAMAccountName
> ldap_group_name = sAMAccountName
> ldap_user_fullname = cn
> ldap_user_home_directory = unixHomeDirectory
>
> auth_provider = krb5
> krb5_server = dc.mc.foo.com:88
> krb5_realm = MC.FOO.COM
> krb5_canonicalize = false
> krb5_changepw_principal = kadmin/changepw
> krb5_auth_timeout = 15
> krb5_keytab = /etc/krb5.keytab
> krb5_validate = true
>
> access_provider = simple
> simple_allow_users =
> simple_allow_groups = MC-Services,
> >>>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
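
Added example (not part of the original thread and not SSSD code): a small Python check that applies the reasoning in the reply above to an sssd.conf, reporting whether a domain-qualified name such as 'MC\MC-Services' has a matching SSSD domain name or an AD-provider domain behind it. The function names and the trimmed sample config are constructed for illustration.

```python
import configparser

# Constructed sample: only the lines of the quoted sssd.conf that matter here.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = foo

[domain/foo]
id_provider = ldap
auth_provider = krb5
krb5_realm = MC.FOO.COM
"""

def split_qualified(name):
    """Split 'DOMAIN\\name' or 'name@DOMAIN' into (domain, short_name)."""
    if "\\" in name:
        domain, short = name.split("\\", 1)
        return domain, short
    if "@" in name:
        short, domain = name.rsplit("@", 1)
        return domain, short
    return None, name

def check_name(conf_text, name):
    """Return (verdict, detail) for a user/group name as written in smb.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    prefix, short = split_qualified(name)
    if prefix is None:
        return "ok", f"'{short}' is unqualified, no domain prefix to match"
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    ad_domains = []
    for dom in filter(None, enabled):
        section = f"domain/{dom}"
        if not cp.has_section(section):
            continue
        # Assumption of this example: compare the prefix case-insensitively.
        if dom.lower() == prefix.lower():
            return "ok", f"prefix '{prefix}' matches SSSD domain '{dom}'"
        if cp.get(section, "id_provider", fallback="").strip().lower() == "ad":
            ad_domains.append(dom)
    if ad_domains:
        return "check", f"AD provider in {ad_domains} can discover the NetBIOS name; confirm with getent"
    return "mismatch", f"no enabled domain is named '{prefix}' and none uses id_provider = ad"

if __name__ == "__main__":
    for n in ("MC-Services", "MC\\MC-Services"):
        print(n, "->", check_name(SAMPLE_SSSD_CONF, n))
```

A "mismatch" verdict corresponds to the case described in the reply; the authoritative test on a live host remains `getent group` with the exact name used in smb.conf.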
