I have recently upgraded to samba 4 from samba 3.5 on a RHEL 6.3 platform. It is pleasing that the new version can replace AD DC and has its own built-in kdc and ldb database. Now my intention is to make linux boxes authenticate to samba4 by connecting through ldap, as samba 4 works like a kerberized ldap server. I am able to connect using Apache Directory Studio using the administrator dn to the ldap database. However I am unable to properly configure sssd on RHEL 6 client machines to authenticate against the samba server via ldap. Here is my sssd configuration file:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = <My Domain dn>
chpass_provider = krb5
ldap_default_authtok = <Administrator Password>
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,<My Domain dn>
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://<samba_server_hostname>/
krb5_realm = <krb auth realm (same as domain name)>
krb5_kpasswd = <samba_server_hostname>
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kdcip = <samba_server_hostname>
I can run kinit for Administrator on the client successfully, and I can run ldapsearch when binding as Administrator, but id or getent passwd for any user is not working. Any ideas please?
Answer
I have finally got it working. Turns out, the user entry in the ldb database did not have the posixAccount objectClass and uidNumber/gidNumber attributes. After adding them, and recompiling samba4 with gnu-tls support, linux is able to authenticate against the samba4 AD DC as if authenticating against an ldap database via tls. Guess I'll have to write a script to add the necessary objectClasses and attributes to every user entry immediately after adding them.
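The script the answer talks about, as an added example (not the poster's code): it builds an LDIF modify stream that adds `posixAccount`, `uidNumber` and `gidNumber` to each user entry that still lacks them, allocating uidNumbers that never collide with ones already assigned (two accounts sharing a uidNumber would share one Unix identity on every client). The starting uidNumber, the Domain Users gidNumber and the sample user list are assumptions; the output is meant to be piped into ldapmodify or ldbmodify against the DC.

```python
# Added example, not from the original post. Assumptions (not in the original):
# first free uidNumber 10000 and one gidNumber for Domain Users; adjust for your domain.
POSIX_UID_START = 10000      # assumed lowest uidNumber to hand out
DOMAIN_USERS_GID = 10000     # assumed gidNumber of the Domain Users group

# Constructed sample of what a search over cn=Users returns: (dn, uidNumber or None).
SAMPLE_USERS = [
    ("cn=alice,cn=Users,dc=example,dc=com", None),
    ("cn=bob,cn=Users,dc=example,dc=com", 10001),
    ("cn=carol,cn=Users,dc=example,dc=com", None),
    ("cn=Administrator,cn=Users,dc=example,dc=com", 10000),
]


def plan_posix_attributes(users, start=POSIX_UID_START):
    """Return {dn: uidNumber} for every user without one.

    uidNumbers already present in the directory are never reused, so no two
    accounts end up mapped to the same Unix uid on the clients.
    """
    taken = {uid for _, uid in users if uid is not None}
    plan, candidate = {}, start
    for dn, uid in users:
        if uid is not None:
            continue
        while candidate in taken:       # skip ids already assigned
            candidate += 1
        plan[dn] = candidate
        taken.add(candidate)
    return plan


def posix_ldif(dn, uid_number, gid_number=DOMAIN_USERS_GID):
    """One LDIF 'changetype: modify' record adding the RFC2307 attributes."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "add: objectClass\nobjectClass: posixAccount\n-\n"
            f"add: uidNumber\nuidNumber: {uid_number}\n-\n"
            f"add: gidNumber\ngidNumber: {gid_number}\n-\n\n")


def build_ldif(users, start=POSIX_UID_START, gid=DOMAIN_USERS_GID):
    """Full LDIF stream for all users that still lack posix attributes."""
    plan = plan_posix_attributes(users, start)
    return "".join(posix_ldif(dn, uid, gid) for dn, uid in plan.items())


if __name__ == "__main__":
    # e.g.  python3 add_posix.py | ldapmodify -H ldap://<samba_server_hostname>/ ...
    print(build_ldif(SAMPLE_USERS), end="")
```

Re-run it after a user is created and only the new entry gets a record, because entries that already carry a uidNumber are skipped.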