Understood w.r.t. getent returning. We are actually using the AD provider for
our ubu systems. The reason we haven't moved completely to using the AD
provider is bug 1872, which we, as well as others, have commented on.
https://fedorahosted.org/sssd/ticket/1872
BTW, do you know if there is any forward movement on this feature with dealing
with personal groups?
I will try valid users on an ubu system leveraging the AD provider and
report back.

On Fri, Dec 16, 2016 at 11:39 AM, Sumit Bose <[email protected]> wrote:

> On Fri, Dec 16, 2016 at 04:33:37PM -0000, [email protected] wrote:
> > Thanks very much for the response! Much appreciated
> > Yes it does. getent group does return the proper gid for queried groups
> >
> > [root@X samba]# getent group MC-Services
> > MC-Services:*:11959:
>
> OK, but I guess "getent group 'MC\MC-Services'" (the group name you use
> in smb.conf) does not return anything.
>
> Is there a reason you use id_provider=ldap and auth_provider=krb5
> instead of id_provider=ad?
>
> The 'MC' before the '\' is the NetBIOS domain name of the AD domain,
> which cannot be discovered by the plain LDAP provider but the AD
> provider can. If you cannot change the provider, you can try to change
> the SSSD domain name in sssd.conf from 'foo' to MC. Then it should be
> possible to resolve names like 'MC\MC-Services', but in general I would
> recommend trying the AD provider.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Here is our sssd.conf
> > >>>>
> > [sssd]
> > config_file_version = 2
> > debug_level = 6
> > reconnection_retries = 3
> > sbus_timeout = 30
> > services = nss, pam
> > domains = foo
> >
> > [nss]
> > filter_groups = root,
> > filter_users = root,
> > reconnection_retries = 3
> >
> > [pam]
> > reconnection_retries = 3
> >
> > [domain/foo]
> > enumerate = False
> > id_provider = ldap
> > min_id = 1000
> > chpass_provider = krb5
> > ldap_schema = rfc2307bis
> > # currently using ldap over port 389 because ldaps over 686 returns 'encoded packet size too big'
> > ldap_uri = ldap://dc.mc.foo.com
> > ldap_search_base = ou=accounts,dc=mc,dc=foo,dc=com
> > ldap_id_mapping = false
> > ldap_tls_reqcert = allow
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_canonicalize = true
> > ldap_sasl_authid = X$
> > ldap_krb5_init_creds = true
> > ldap_user_object_class = user
> > ldap_group_object_class = top
> > ldap_group_nesting_level = 5
> > ldap_group_search_base = ou=accounts,dc=mc,dc=foo,dc=com?subtree?&(objectClass=top)(!(objectClass=computer))(gidnumber=*)(|(groupType<=0)(&(objectClass=user)(objectCategory=person)(uidNumber=*)))
> > ldap_user_name = sAMAccountName
> > ldap_group_name = sAMAccountName
> > ldap_user_fullname = cn
> > ldap_user_home_directory = unixHomeDirectory
> >
> > auth_provider = krb5
> > krb5_server = dc.mc.foo.com:88
> > krb5_realm = MC.FOO.COM
> > krb5_canonicalize = false
> > krb5_changepw_principal = kadmin/changepw
> > krb5_auth_timeout = 15
> > krb5_keytab = /etc/krb5.keytab
> > krb5_validate = true
> >
> > access_provider = simple
> > simple_allow_users =
> > simple_allow_groups = MC-Services,
> > >>>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
>