search for: ldap_sasl_authid

...; ldap_user_gid_number = gidNumber > ldap_user_home_directory = unixHomeDirectory > ldap_user_shell = loginShell > ldap_group_object_class = group > ldap_group_search_base = dc=radiodjiido,dc=nc > ldap_group_name = cn > ldap_group_member = member > ldap_sasl_mech = gssapi > #ldap_sasl_authid = serveur$ > ldap_sasl_authid = serveur$@RADIODJIIDO.NC > krb5_keytab = /etc/krb5.sssd.keytab > ldap_krb5_init_creds = true > cat /usr/local/samba/etc/smb.conf > # Global parameters > [global] > workgroup = RADIODJIIDO > realm = RADIODJIIDO.NC > netbios name...

...dap_schema = rfc2307bis id_provider = ldap access_provider = simple ldap_referrals = false ldap_force_upper_case_realm = true # on large directories, you may want to disable enumeration for performance reasons # enumerate = true auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM krb5_realm = SAMBA.COMPANY.COM #krb5_server = dc2.samba.company.com, dc3.samba.company.com krb5_server = x.y.143.15, x.y.143.16 #krb5_kpasswd = dc2.samba.company.com, dc3.samba.company.com krb5_kpasswd = x.y.143.15, x.y.143.16 ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_k...

...ss_provider = simple # Uncomment to check for account expiration in DC # access_provider = ldap # ldap_access_order = expire # ldap_account_expire_policy = ad # Enumeration is discouraged for performance reasons. # enumerate = true auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = dc01$@AUTH.DOMAIN.COM krb5_realm = AUTH.DOMAIN.COM krb5_server = dc01.auth.domain.com krb5_kpasswd = dc01.auth.domain.com ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userP...

...ad_server = bubba3-one.earth.local ad_domain = earth.local ldap_schema = rfc2307bis id_provider = ldap access_provider = simple # on large directories, you may want to disable enumeration for performance reasons enumerate = true auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = bubba3-one$@EARTH.LOCAL krb5_realm = EARTH.LOCAL krb5_server = bubba3-one.earth.local krb5_kpasswd = bubba3-one.earth.local ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_krb5_init_creds = true ldap_referrals = false ldap_uri = ldap://bubba3-one.earth.local ldap_search_base = dc=earth,dc=local d...

...O Principal -------------------------------------------------------------------------- 1 host/<client>@<REALM> 1 host/<client>@<REALM> 1 host/<client>@<REALM> * On the client, change the three ldap_default_ lines to: ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/<client>@<REALM> and restart sssd. The result: nothing. I can no longer (getent passwd user) see any users or groups; basically nothing works. I get this in /var/log/messages: Aug 10 15:58:47 <client> sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may p...

...ap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = 192-168-0-110.local chpass_provider = ipa ipa_server = _srv_, 192-168-0-100.local dns_discovery_domain = 192-168-0-100.local sudo_provider = ldap ldap_uri = ldap://192-168-0-100.local ldap_sudo_search_base = ou=sudoers,dc=local ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/192-168-0-100.local at LOCAL ldap_sasl_realm = local krb5_server = 192-168-0-100.local [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = 192-168-0-100.local [nss] [pam] [sudo] [autofs] [ssh] [pac] ## /etc/nsswitch.conf on client # # An example Name Service Swi...

...ss_provider = simple # Uncomment to check for account expiration in DC # access_provider = ldap # ldap_access_order = expire # ldap_account_expire_policy = ad # Enumeration is discouraged for performance reasons. # enumerate = true auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = dc01$@AUTH.DOMAIN.COM krb5_realm = AUTH.DOMAIN.COM krb5_server = dc01.auth.domain.com krb5_kpasswd = dc01.auth.domain.com ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userP...

Actually it isn't part of AD at all. We are using FreeIPA and Samba. We just finally figured this out with the help of some folks at Red Hat. It turned out there was a bug in one of the libraries that came along with sssd (sssd-libwbclient I believe). Their suggestion to use winbind and the version of the same library that came with it seems to have solved our problem instantly. It

...ss_provider = simple # Uncomment to check for account expiration in DC # access_provider = ldap # ldap_access_order = expire # ldap_account_expire_policy = ad # Enumeration is discouraged for performance reasons. # enumerate = true auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = dc01$@AUTH.DOMAIN.COM krb5_realm = AUTH.DOMAIN.COM krb5_server = dc01.auth.domain.com krb5_kpasswd = dc01.auth.domain.com ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userP...