LinuxQuestions.org
Old 09-16-2013, 06:35 AM   #1
anindyameister
Member
 
Registered: Oct 2012
Posts: 40

Rep: Reputation: Disabled
sssd ldap authentication against samba4 not working


I have recently upgraded to Samba 4 from Samba 3.5 on a RHEL 6.3 platform. It is pleasing that the new version can replace an AD DC and has its own built-in KDC and ldb database. Now my intention is to make Linux boxes authenticate to Samba 4 by connecting through LDAP, as Samba 4 works like a kerberized LDAP server. I am able to connect to the LDAP database using Apache Directory Studio with the Administrator DN. However, I am unable to properly configure sssd on RHEL 6 client machines to authenticate against the Samba server via LDAP. Here is my sssd configuration file:

Code:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = <My Domain dn>
chpass_provider = krb5
ldap_default_authtok = <Administrator Password>
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,<My Domain dn>
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://<samba_server_hostname>/
krb5_realm = <krb auth realm(same as domain name)>
krb5_kpasswd = <samba_server_hostname>
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kdcip = <samba_server_hostname>


I can run kinit for Administrator on the client successfully, and I can run ldapsearch when binding as Administrator, but id or getent passwd for any user is not working. Any ideas, please?

Last edited by anindyameister; 09-16-2013 at 06:36 AM.
 
Old 09-30-2013, 08:16 AM   #2
anindyameister
Member
 
Registered: Oct 2012
Posts: 40

Original Poster
Rep: Reputation: Disabled
I have finally got it working. It turns out the user entry in the ldb database did not have the posixAccount objectClass and the uidNumber/gidNumber attributes. After adding them, and recompiling Samba 4 with gnu-tls support, Linux is able to authenticate against the Samba 4 AD DC as if authenticating against an LDAP database via TLS. I guess I'll have to write a script to add the necessary objectClasses and attributes to every user entry immediately after adding them. The above sssd conf stays the same.
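
A sketch of the kind of script the second post describes, added here as an example; it is not code from the thread or from the Samba project. It builds LDIF modify records that add posixAccount, uidNumber and gidNumber only where they are missing, for review before being applied with a tool such as ldapmodify. The sample entries, `UID_START`, `DEFAULT_GID` and the function names are assumptions.

```python
import base64

UID_START = 10000    # assumption: first uidNumber to hand out
DEFAULT_GID = 10000  # assumption: gidNumber of the users' primary group

# Constructed sample, shaped like parsed ldapsearch output (not from the thread).
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,cn=Users,dc=example,dc=com",
     "objectClass": ["top", "person", "user"]},
    {"dn": "cn=bob,cn=Users,dc=example,dc=com",
     "objectClass": ["top", "person", "user", "posixAccount"],
     "uidNumber": ["10000"], "gidNumber": ["10000"]},
    {"dn": "cn=carol,cn=Users,dc=example,dc=com",
     "objectClass": ["top", "person", "user", "PosixAccount"],
     "uidNumber": ["10004"]},
]

def dn_line(dn):
    # RFC 2849: a DN that is not a plain ASCII "safe string" is base64-encoded.
    safe = dn.isascii() and dn == dn.strip() and dn[:1] not in (":", "<") \
        and "\n" not in dn and "\r" not in dn
    return f"dn: {dn}" if safe else "dn:: " + base64.b64encode(dn.encode()).decode()

def build_ldif(entries, start=UID_START, gid=DEFAULT_GID):
    """Return LDIF modify records for entries missing POSIX data."""
    used = {int(v) for e in entries for v in e.get("uidNumber", [])}
    records = []
    for e in entries:
        mods = []
        # objectClass names compare case-insensitively in LDAP.
        if "posixaccount" not in (c.lower() for c in e.get("objectClass", [])):
            mods.append(("objectClass", "posixAccount"))
        if not e.get("uidNumber"):
            uid = start
            while uid in used:  # never reuse a uidNumber already assigned
                uid += 1
            used.add(uid)
            mods.append(("uidNumber", str(uid)))
        if not e.get("gidNumber"):
            mods.append(("gidNumber", str(gid)))
        if mods:  # entries that are already complete produce no record
            lines = [dn_line(e["dn"]), "changetype: modify"]
            for attr, val in mods:
                lines += [f"add: {attr}", f"{attr}: {val}", "-"]
            records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")

if __name__ == "__main__":
    print(build_ldif(SAMPLE_ENTRIES), end="")
```

Because complete entries are skipped, the script can be re-run after each batch of new users without producing duplicate-value errors for existing ones.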
 
  


Tags
rhel6, samba

