SSSD Authentication with Samba 4

I have recently upgraded to samba 4 from samba 3.5 on a RHEL 6.3 platform. It is pleasing that the new version can replace AD DC and has it’s own built it kdc and ldb database. Now my intention is to make linux boxes authenticate to samba4 by connecting through ldap as samba 4 works like a kerberized ldap server. I am able to connect using Apache directory studio using the administrator dn to the ldap database. However I am unable to properly configure sssd on RHEL 6 client machines to authenticate against the samba server via ldap. Here is my sssd configuration file-

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = <My Domain dn>
chpass_provider = krb5
ldap_default_authtok = <Administrator Password>
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,<My Domain dn>
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://<samba_server_hostname>/
krb5_realm = <krb auth realm(same as domain name)>
krb5_kpasswd = <samba_server_hostname>
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kdcip = <samba_server_hostname>

[sssd]

config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30

services = nss, pam

domains = default

​

[nss]

filter_groups = root

filter_users = root

reconnection_retries = 3

​

[pam]

reconnection_retries = 3

​

[domain/default]

ldap_default_authtok_type = password

ldap_id_use_start_tls = False

cache_credentials = True

ldap_group_object_class = group

ldap_search_base = <My Domain dn>

chpass_provider = krb5

ldap_default_authtok = <Administrator Password>

id_provider = ldap

auth_provider = krb5

ldap_default_bind_dn = cn=Administrator,cn=Users,<My Domain dn>

ldap_user_gecos = displayName

debug_level = 0

ldap_uri = ldap://<samba_server_hostname>/

krb5_realm = <krb auth realm(same as domain name)>

krb5_kpasswd = <samba_server_hostname>

ldap_schema = rfc2307bis

ldap_force_upper_case_realm = True

ldap_user_object_class = person

ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_kdcip = <samba_server_hostname>

​

I can run kinit for Administrator on the client successfully, and I can run ldapsearch when binding as Administrator but id or getent passwd for any user is not working. Any ideas please ??

Answer

I have finally got it working. Turns out, the user entry in the ldb database did not have posixAccount objectclass and uidNumber/gidnumber attributes. After adding them, and recompiling samba4 with gnu-tls support, linux is able to authenticate against samba4 AD DC as if authenticating against an ldap databse via tls. Guess I’ll have to write a script to add the necessary objectclasses and attributes to every user entry immediately after adding them.