Stefan Schäfer
2014-Aug-27 08:34 UTC
[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start
Hello,
we are using sssd version 1.12 on openSUSE 13.1 with Sernet-Samba
Packages 4.1.11. Samba runs as a single AD DC.
We have removed the complete openSUSE samba stuff before testing. sssd
runs on the same machine as samba.
Our sssd config:
--------------------------------------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = invis-ad.loc
debug_level = 0x0370
# global cache control
# all values in seconds
# default = 120
enum_cache_timeout = 10
# default = 15
entry_negative_timeout = 5
[nss]
[pam]
[domain/invis-ad.loc]
# Domain-specific cache control
# All values in seconds
# Default = entry_cache_timeout = 5400
entry_cache_user_timeout = 10
entry_cache_group_timeout = 10
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
# Uncomment to use POSIX attributes on the server
ldap_id_mapping = true
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
#ad_hostname = invisad.invis-ad.loc
# Uncomment if DNS SRV resolution is not working
#ad_server = invisad.invis-ad.loc
# Uncomment if the domain section is named differently than your Samba domain
#ad_domain = invis-ad.loc
# Enumeration is discouraged for performance reasons.
enumerate = true
-----------------------------------------------------
With "ldap_id_mapping = true" everything works, getent passwd / group
gets the user and group entries from our AD.
But we want to use the sfu attributes from the AD, therefore I tried to
switch to "ldap_id_mapping = true". After this sssd refuses to start.
The logfile says:
(Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
(Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [be_process_init] (0x0010): fatal error initializing data providers
(Wed Aug 27 10:18:11 2014) [sssd[be[invis-ad.loc]]] [main] (0x0010): Could not initialize backend [5]
Our smb.conf:
--------------------------------------------------------
[global]
workgroup = INVIS-AD
realm = invis-ad.loc
netbios name = INVISAD
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
.....
------------------------------------------------------------
Any ideas why sssd crashes?
Stefan
--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
Stefan Schäfer
2014-Aug-28 07:35 UTC
[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start
Does nobody have an idea?
Stefan
Stefan Schäfer
2014-Aug-28 11:24 UTC
[Samba] sssd with ad backend and "ldap_id_mapping = false" refuse to start
Problem solved. Switching from "ldap_id_mapping = true" to "false" forces you to delete the whole database /var/lib/sssd/db/domain.ldb. sss_cache -UG isn't enough.
Stefan
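The fix from the last message, as a repeatable step. This is an added example, not part of the thread: it detects a changed ldap_id_mapping value and moves the cache database aside rather than relying on sss_cache -UG. The function names, the state file and the /etc/sssd/sssd.conf location are assumptions; the cache path is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread). The state-file path and function names
# are hypothetical; the cache path is the one quoted in the post.

# Print ldap_id_mapping for [domain/NAME] in an sssd.conf, or "unset".
get_id_mapping() {   # $1 = sssd.conf, $2 = domain name
    awk -v want="[domain/$2]" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[.*\]$/ { inside = (line == want); next }
        inside && line ~ /^ldap_id_mapping[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line); val = tolower(line)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Compare the configured value with the one recorded on the previous run.
# On a change, move the cache database aside; always record the new value.
# Prints: recorded | unchanged | reset
apply_mapping_change() {   # $1 = conf, $2 = domain, $3 = state file, $4 = cache db
    current=$(get_id_mapping "$1" "$2")
    if [ ! -f "$3" ]; then
        result=recorded                      # first run: nothing to compare with
    elif [ "$(cat "$3")" = "$current" ]; then
        result=unchanged
    else
        # Per the thread, sss_cache -UG is not enough: the whole file must go.
        # Renaming keeps a copy in case the config change is rolled back.
        [ -f "$4" ] && mv "$4" "$4.pre-idmap-change.$(date +%Y%m%d%H%M%S)"
        result=reset
    fi
    printf '%s\n' "$current" > "$3"
    echo "$result"
}

# Intended use, with sssd stopped around the call (run as root):
#   systemctl stop sssd
#   apply_mapping_change /etc/sssd/sssd.conf invis-ad.loc \
#       /var/lib/sssd/idmap.state /var/lib/sssd/db/domain.ldb
#   systemctl start sssd
```

On the first run the script only records the current value, so run it once before editing sssd.conf.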