Basic Info
I'm running sssd (1.13.3-22) on Centos (6.8) to authenticate with Active Directory (2012). I do not wish to use uid numbers stored in AD, so I have ldap_id_mapping set to true.
When I run "id ValidUsername" I get the response "No Such User". I look in the sssd domain log and see the ldap search for ValidUsername returned no results. When I run the same query with ldapsearch it also returns no results, but I can modify the query to exclude uidNumber and it will return a result. See details below for ldap query info.
Detailed Info
sssd_VALID.DOMAIN.CORP.log Snippet
[sdap_search_user_next_base] (0x0400): Searching for users with base [DC=valid,DC=domain,DC=corp]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=valid,DC=domain,DC=corp].
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users
[sysdb_search_by_name] (0x0400): No such entry
[sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[be_ptask_online_cb] (0x0400): Back end is online
The ldap query sssd used is listed in the log at [sdap_get_generic_ext_step]. If I take the same query and test it by running ldap search, I also get no result:
ldapsearch -LLL -Y GSSAPI -N -H ldap://dc1.valid.domain.corp -b "DC=valid,DC=domain,DC=corp" '(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))'
However, if I remove the uidNumber lookup parts of the query, I get the expected user data as a result:
ldapsearch -LLL -Y GSSAPI -N -H ldap://dc1.valid.domain.corp -b "DC=valid,DC=domain,DC=corp" '(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*))'
If ldap_id_mapping is set to true, why is sssd querying AD for uidNumber data? I checked the user attributes and the uidNumber attribute has no value, so sssd won't work unless I populate this value. Microsoft is deprecating the management tools for unix attributes, so I'd prefer to not bother with them.
I'd don't want to use winbind, which has been flaky for me in the past.
Is there any config item I can use to force sssd to send a valid user lookup query? Or is there something else I'm missing?
sssd.conf
[sssd]
config_file_version = 2
debug_level = 6
domains = VALID.DOMAIN.CORP
services = nss, pam
[nss]
debug_level = 6
[pam]
debug_level = 6
[domain/VALID.DOMAIN.CORP]
debug_level = 8
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
subdomains_provider = none
dyndns_update = false
ad_server = dc1.VALID.DOMAIN.corp
ad_backup_server = dc2.VALID.DOMAIN.corp
ldap_id_mapping = true
ldap_schema = ad
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
smb.conf
workgroup = VALID
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = VALID.DOMAIN.CORP
security = ads
log file = /var/log/samba/log.%m
max log size = 50
Answer
It's because you set subdomains provider to none. It's a bit counter-intuitive, but the subdomains provider also retrieves information about the joined domain including the SID which is needed for ID mapping.
You have three options:
- enable the subdomains provider. I don't know why you disabled it, most people do that in order to work around trusted domain being unreachable
- if you need to keep the subdomains provider disabled, you need to manually set the domain SID, see man sssd-ldap and search for "domain_sid"
- If you are running 7.3, you can only enable the joined domain using
ad_enabled_domains
No comments:
Post a Comment