Old 06-25-2015, 07:44 PM   #1
TheRyaz
Active Directory Integration with SSSD


I'm trying to set up Windows Active Directory integration with SSSD and realmd on a Red Hat 7 machine at my workplace. The goal is to let users log onto Linux machines with their Windows accounts.

I'm running into an issue that I'm having a hard time finding help with: when I try to log in to the Linux machine, an error gets written to the log:
[sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-2303841414-160008165-815047518-2195312] to a UNIX ID

I've read that it's probably because the SID number is too large. I've tried messing with the ldap_id_range_max/min values, but I end up running into an error when SSSD tries to start that the value is "out of range" when I make them too big (over 3000000000 or so).

Does anyone have any experience with this and can help?
 
Old 06-27-2015, 03:09 PM   #2
Ser Olmy
The idmap range parameters control which range of Unix UIDs/GIDs is to be associated with Windows SIDs. Since a UID/GID is an unsigned 32-bit integer, you'll get an error message if you specify a number larger than 4,294,967,295.

The "could not convert objectSID" error message simply means that ID mapping isn't working. The length of the SID is of no consequence.

I have no experience with SSSD, but it is my understanding that it takes over the ID mapping tasks normally performed by Samba/winbindd, and that it supports algorithmic ID mapping (similar to the RID backend) and RFC 2307. Which setting are you using? And if you're using RFC 2307, is the AD UID field populated for the user account in question?
 
Old 06-29-2015, 04:19 PM   #3
TheRyaz
I'm using realmd to join the domain. I had tried changing a bunch of the settings, but I narrowed it down to the idmapping causing the problem.

My sssd.config looks like this (DOMAIN is the domain I'm trying to authenticate in):

Code:
[sssd]
debug_level = 9
domains = DOMAIN
services = nss, pam
config_file_version = 2

[domain/DOMAIN]
debug_level = 9
ad_domain = DOMAIN
krb5_realm = DOMAIN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 100000

These are mostly defaults, except for the idmap_range values. I've been experimenting with all sorts of values and can't get anything to work.
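
A check of the SID from the log line in post #1 against the idmap settings posted above, as an added example that is not part of any post in this thread. It relies on the note in sssd-ldap(5) that ldap_idmap_range_size must be at least as large as the highest RID in use; the function names are hypothetical and the config excerpt is copied from the post.

```python
# Added example: checks an objectSID against SSSD's algorithmic ID-mapping
# settings. Function names are hypothetical; values are copied from the thread.
import configparser

SSSD_CONF = """
[domain/DOMAIN]
ldap_id_mapping = True
fallback_homedir = /home/%u
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 100000
"""

LOGGED_SID = "S-1-5-21-2303841414-160008165-815047518-2195312"

def rid_of(sid):
    """Return the RID (last sub-authority) of a SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])

def check_idmap(conf_text, section, sid):
    """Report whether the SID's RID fits inside one slice of the idmap range."""
    # interpolation=None: sssd.conf values such as /home/%u are not templates
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp[section]
    lo = dom.getint("ldap_idmap_range_min")
    hi = dom.getint("ldap_idmap_range_max")
    size = dom.getint("ldap_idmap_range_size")
    rid = rid_of(sid)
    return {
        "rid": rid,
        "slices": (hi - lo) // size,  # only complete slices are created
        "fits": rid < size,           # UID = slice base + RID, so RID must be < size
        "min_range_size": rid + 1,    # smallest slice size that can hold this RID
    }

if __name__ == "__main__":
    result = check_idmap(SSSD_CONF, "domain/DOMAIN", LOGGED_SID)
    for key, value in result.items():
        print("%-15s %s" % (key, value))
```

With the posted values the RID (2195312) is larger than the slice size (100000), so it cannot be placed inside any slice regardless of how large ldap_idmap_range_max is set.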
 
Old 07-13-2015, 02:39 PM   #4
TheRyaz
Anyone?
 
  

