Skip to content
Advertisement

SSSD Authentication with Samba 4

I have recently upgraded to samba 4 from samba 3.5 on a RHEL 6.3 platform. It is pleasing that the new version can replace AD DC and has it’s own built it kdc and ldb database. Now my intention is to make linux boxes authenticate to samba4 by connecting through ldap as samba 4 works like a kerberized ldap server. I am able to connect using Apache directory studio using the administrator dn to the ldap database. However I am unable to properly configure sssd on RHEL 6 client machines to authenticate against the samba server via ldap. Here is my sssd configuration file-

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = <My Domain dn>
chpass_provider = krb5
ldap_default_authtok = <Administrator Password>
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,<My Domain dn>
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://<samba_server_hostname>/
krb5_realm = <krb auth realm(same as domain name)>
krb5_kpasswd = <samba_server_hostname>
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kdcip = <samba_server_hostname>

I can run kinit for Administrator on the client successfully, and I can run ldapsearch when binding as Administrator but id or getent passwd for any user is not working. Any ideas please ??

Advertisement

Answer

I have finally got it working. Turns out, the user entry in the ldb database did not have posixAccount objectclass and uidNumber/gidnumber attributes. After adding them, and recompiling samba4 with gnu-tls support, linux is able to authenticate against samba4 AD DC as if authenticating against an ldap databse via tls. Guess I’ll have to write a script to add the necessary objectclasses and attributes to every user entry immediately after adding them.

User contributions licensed under: CC BY-SA
10 People found this is helpful
Advertisement