On (19/07/17 19:37), Jelle de Jong wrote:
>Hello everybody,
>
>On 19/07/17 16:57, Jelle de Jong wrote:
>> Hello everybody,
>>
>> I have been trying hard to get sssd to work on a new CentOS 7 workstation.
>>
>> sssd --version
>> 1.14.0
>>
>> # working ldapsearch command and output
>> https://paste.fedoraproject.org/paste/L3Uv8Mg6FMuLlIHXkL5~0Q/raw
>>
>> The problem is I am at a customer that has an old Windows 2008 AD server
>> with Unix tools, and the uidNumber, gidNumber, unixHomeDirectory and
>> loginShell need to be used so that my NFS shares have the correct mapping.
>>
>> They used an old NIS server in the past, but it is broken and has no AD
>> connection any more.
>>
>> I cannot seem to bind to the RootDSE without using a username and
>> password, see the ldapsearch command. I tried converting the
>> "[email protected]" to a cn path, but whatever I try I get a "
>> additional info: 80090308: LdapErr: DSID-0C0903A8, comment:
>> AcceptSecurityContext error, data 52e, v1db1" back.
>>
>> My sssd just keeps logging: ([sssd[be[default]]] [dp_req_reply_gen_error]
>> (0x0080): DP Request [Subdomains #0]: Finished. Target is not supported
>> with this configuration.
>>
>> [root@vsxtest01 ~]# cat /etc/sssd/sssd.conf
>> [domain/default]
>> id_provider = ldap
>> auth_provider = ldap
>> chpass_provider = ldap
>> ldap_uri = ldap://sw008.wdm.local/
>> ldap_search_base = ou=COMPANY,dc=wdm,dc=local
>> #ldap_schema = rfc2307bis
>> #ldap_user_home_directory = unixHomeDirectory
>> #ldap_tls_reqcert = allow
>> #ldap_id_use_start_tls = True
>> ldap_tls_cacertdir = /etc/openldap/cacerts
>> debug_level = 5
>> autofs_provider = ldap
>> #ldap_default_bind_dn = cn=LDAP,ou=Users,ou=COMPANY,dc=wdm,dc=local
>> ldap_default_bind_dn = [email protected]
>> ldap_default_authtok = *secret*
>> ldap_default_authtok_type = password
>> cache_credentials = True
>>
>> [sssd]
>> config_file_version = 2
>> services = autofs
>> domains = default
>>
>> [autofs]
>>
>> I have no idea how to get my user authentication working with the
>> correct uidNumber, gidNumber mapping.
>>
>> Can somebody maybe help?
>
>I got a working setup... I split the config between custom and standard
>created settings. I do not know what I need the nss or autofs service for,
>but these seem to be auto created. The ldap.conf is untouched, standard
>config from authconfig; the ldap_user and ldap_group all seem to be needed to
>make it work.... Of the entryuuid I do not know what it does exactly. Does
>this look okay to try to take into production?
>
>- name: "setup authentication sssd configs"
>  command: "authconfig --enablesssd --enablesssdauth --enablerfc2307bis
>--enablemkhomedir --update"
>
I think I overlooked an answer to our questions.
Is there a reason why you need to use authconfig + rfc2307bis instead of
"realm join"? And if you cannot use "id_provider = ad", which is generated
by realm join, then it would be better to use "ldap_schema = ad".

LS
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
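An added configuration check, not from the thread or from the SSSD project: it parses a `[domain/...]` section like the one posted above and flags ldap:// without STARTTLS, an unverified server certificate, a static bind password in sssd.conf, and a UPN-style AD bind without the `ldap_schema = ad` that LS recommends. The sample sections, the bind account name, the password placeholder and the Kerberos realm are constructed; the hardened variant is one way to apply the advice, not the poster's final config.

```python
import configparser
# Constructed sample modelled on the [domain/default] section posted in the
# thread; bind account and password are placeholders, not the poster's values.
POSTED_CONF = """\
[domain/default]
id_provider = ldap
ldap_uri = ldap://sw008.wdm.local/
ldap_default_bind_dn = svc-bind@wdm.local
ldap_default_authtok = CHANGEME-placeholder
ldap_default_authtok_type = password
"""

# Constructed hardened variant: STARTTLS with certificate checking enforced,
# the AD attribute map selected, and a keytab (GSSAPI) bind instead of a
# password kept in sssd.conf. The realm name is a constructed placeholder.
HARDENED_CONF = """\
[domain/default]
id_provider = ldap
ldap_uri = ldap://sw008.wdm.local/
ldap_schema = ad
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_sasl_mech = GSSAPI
krb5_realm = WDM.LOCAL
"""
def _opt(section, key, default=""):
    return section.get(key, default).strip().lower()

def audit_domain(conf_text, domain="default"):
    """Return finding tags for one [domain/...] section of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    findings = []
    # ldap:// without STARTTLS for identity lookups: the simple-bind password
    # and every query cross the wire unencrypted (ldaps:// is encrypted throughout).
    uris = [u.strip() for u in sec.get("ldap_uri", "").split(",")]
    if any(u.startswith("ldap://") for u in uris) and _opt(sec, "ldap_id_use_start_tls") not in ("true", "yes", "1"):
        findings.append("cleartext-ldap")
    if _opt(sec, "ldap_tls_reqcert") in ("allow", "never"):
        findings.append("tls-cert-not-verified")
    # A static service-account password in sssd.conf; a keytab-based GSSAPI bind avoids it.
    if sec.get("ldap_default_authtok") and _opt(sec, "ldap_default_authtok_type", "password") == "password":
        findings.append("static-bind-password")
    # Heuristic: a user@realm bind name is an AD UPN; the reply in the thread
    # recommends ldap_schema = ad so uidNumber/unixHomeDirectory map by default.
    if "@" in sec.get("ldap_default_bind_dn", "") and _opt(sec, "ldap_schema", "rfc2307") != "ad":
        findings.append("ad-without-ad-schema")
    return findings
```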
