search for: ldap_user_shell

...False ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site ldap_default_authtok = xx ldap_default_authtok_type = password ldap_user_object_class = person ldap_user_name = samAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_group_object_class = group #ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*)) I've tried enumerate = true and it works as expected but strangely, only for the first time after sssd is started. it then returns only local users. Any ideas? Cheers, Steve

...ap_krb5_init_creds = true ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16 ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_group_object_class = group ldap_group_name = cn ldap_group_member = member I hope this is enough info, and one of the sssd guru's here can assist. Again: everything worked while dc1 was online, things stopped working when it was taken offline. Kind regards, Mourik Jan

...;> "gidNumber" rather than "primaryGroup"? >> > > On a DC, no. On a member server this is not a problem. > No issue on system using SSSD as it comes with options to force usage of specific LDB attributes to fill getent answers (using sssd-ldap options as "ldap_user_shell = loginShell" even when using sssd-ad as SSSD engine, how long this would be possible, no idea). Why not insert into winbindd client such options? (ok the answer could be: because there is other work to be done first :) Best regards, mathias > Rowland > > Cheers, >> >&g...

...false > ldap_uri = ldap://serveur.radiodjiido.nc > ldap_search_base = dc=radiodjiido,dc=nc > ldap_user_object_class = user > ldap_user_name = samAccountName > ldap_user_uid_number = uidNumber > ldap_user_gid_number = gidNumber > ldap_user_home_directory = unixHomeDirectory > ldap_user_shell = loginShell > ldap_group_object_class = group > ldap_group_search_base = dc=radiodjiido,dc=nc > ldap_group_name = cn > ldap_group_member = member > ldap_sasl_mech = gssapi > #ldap_sasl_authid = serveur$ > ldap_sasl_authid = serveur$@RADIODJIIDO.NC > krb5_keytab = /etc/krb5....

...ng = False ldap_search_base = DC=EXAMPLE,DC=COM ldap_user_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=user)(uidnumber=*) ldap_user_search_scope = sub ldap_user_object_class = user ldap_user_name = cn ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_shell = loginShell ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_objectsid = objectSid ldap_user_member_of = memberOf ldap_user_gecos = cn ldap_group_search_base = DC=EXAMPLE,DC=COM?subtree?&(objectclass=group)(gidnumber=*) ldap_group_objectsid = objectSid ldap_group_me...

....DOMAIN.COM krb5_realm = AUTH.DOMAIN.COM krb5_server = dc01.auth.domain.com krb5_kpasswd = dc01.auth.domain.com ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_shell = loginShell ldap_group_object_class = group ----------------------------------------------------------------------------------------------------------------- Here is the getfacl on my Folder that I'm trying to get to respect ACL's on for the Macs: getfacl /Groups/Digital\ Magazine...

...lse ldap_uri = ldap://bubba3-one.earth.local ldap_search_base = dc=earth,dc=local dyndns_update=false ldap_id_mapping=false ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_group_object_class = group ldap_group_name = cn ldap_group_member = member Any idea what I am missing? Can I enable some debugging somewhere to see what I am doing wrong? Many thanks in advance. regards, Kenneth P.S.: - OS is Debian Wheezy on a B3 - Samba is 4.1.4 compiled...

..." rather than "primaryGroup"? >>> >> On a DC, no. On a member server this is not a problem. >> > No issue on system using SSSD as it comes with options to force usage of > specific LDB attributes to fill getent answers (using sssd-ldap options as > "ldap_user_shell = loginShell" even when using sssd-ad as SSSD engine, how > long this would be possible, no idea). This is doing the same as 'template shell = loginShell' > > Why not insert into winbindd client such options? (ok the answer could be: > because there is other work to be do...

....DOMAIN.COM krb5_realm = AUTH.DOMAIN.COM krb5_server = dc01.auth.domain.com krb5_kpasswd = dc01.auth.domain.com ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_shell = loginShell ldap_group_object_class = group > > > > ----------------------------------------------------------------------------------------------------------------- > > > Here is the getfacl on my Folder that I'm trying to get to respect ACL's on for the Macs: > &g...

Actually it isn't part of AD at all. We are using FreeIPA and Samba. We just finally figured this out with the help of some folks at Red Hat. It turned out there was a bug in one of the libraries that came along with sssd (sssd-libwbclient I believe). Their suggestion to use winbind and the version of the same library that came with it seems to have solved our problem instantly. It

...oup"? >>>> >>>> On a DC, no. On a member server this is not a problem. >>> >>> No issue on system using SSSD as it comes with options to force usage of >> specific LDB attributes to fill getent answers (using sssd-ldap options as >> "ldap_user_shell = loginShell" even when using sssd-ad as SSSD engine, how >> long this would be possible, no idea). >> > > This is doing the same as 'template shell = loginShell' > > >> Why not insert into winbindd client such options? (ok the answer could be: >> be...

....DOMAIN.COM krb5_realm = AUTH.DOMAIN.COM krb5_server = dc01.auth.domain.com krb5_kpasswd = dc01.auth.domain.com ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_shell = loginShell ldap_group_object_class = g roup > > > > ----------------------------------------------------------------------------------------------------------------- > > > Here is the getfacl on my Folder that I'm trying to get to respect ACL's on for the...

...ANY.COM] enumerate = false cache_credentials = true id_provider = ldap #auth_provider = ldap ldap_schema = rfc2307bis ldap_user_principal = userPrincipalName ldap_user_fullname = displayName ldap_user_name = sAMAccountName ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_group_object_class = group ldap_force_upper_case_realm = True ldap_uri = ldap://192.168.192.50 ldap_search_base = dc=ad,dc=company,dc=com ldap_id_use_start_tls = false ldap_tls_reqcert = never ldap_tls_cacert = /etc/sssd/ca.company.com.crt access_provider = ldap ldap_access_fil...

@Andrew: I expect these lines came from RDP issue workaround which should be happening with previous Samba version. I removed all these lines as now, with 4.2.2 Samba version RDP and RSAT are working well without them. I removed also each and every idmap lines, commented most of winbind lines too and now my smb.conf is: ------------------------------------------------------------ [global]