Here's the scenario:
I have two machine:
Ubuntu, running ldap to authencticate users
CentOs, uses winbind to authenticate users
to mount homedirs I use fstab and nfs shares.
The problem is this:
on Ubuntu, in getent passwd a user look like this:
john:x:3000052:1901:John Doe:/home/john:/bin/bash
but on CentOs the same user use like this in getent passwd:
john:*:16777228:16777218:John Doe:/home/john:/bin/bash
as you can see the UID and GID aren't matching which resolves to permissions are denied when a user try to access there homefoler on CentOS.
I want CentOS to have the exact same UID and GID as Ubuntu has, for the AD users.
I managed to find out something about idmap in smb.conf, but I haven't got it working.
[global]
idmap workgroup = MOSEK
idmap config MOSEK:backend = rid
idmap config MOSEK:base_rid = 0
idmap config MOSEK:range = 3000040 - 4999999
#--authconfig--start-line--
# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MOSEK
...autogenerated stuff
#--authconfig--end-line--
But this isn't working.
I hope I am clear in what I'm trying to do
EDIT:
okay so here's what authconfig has generated for me. Because of your answer, I think this could be relevant.
#--authconfig--start-line--
# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MOSEK
password server = nyborg.mosek.zentyal
realm = MOSEK.ZENTYAL
security = ads
idmap config * : range = 1000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
#--authconfig--end-line--
EDIT2:
when i tried giving sssd.conf the right permissions, it got me a new error:
[root@centosy sssd]# journalctl -xn
-- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited, code=exited status=1
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sssd.service has failed.
--
-- The result is failed.
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.
EDIT3:
okay i followed your guide and here's what i did from start to finish:
[root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
getsebool: SELinux is disabled
[root@centosy sssd]# net ads join createupn=host/`hostname -f`@MOSEK.ZENTYAL -U tomas
Ignoring unknown parameter "idmap workgroup"
Ignoring unknown parameter "idmap workgroup"
Enter tomas's password:
Using short domain name -- MOSEK
Joined 'CENTOSY' to dns domain 'mosek.zentyal'
and here's my sssd.conf:
[sssd]
config_file_version = 2
domains = mosek.zentyal
services = nss, pam
debug_level = 0
[nss]
[pam]
[domain/mosek.zentyal]
debug_level = 5
cache_credentials = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/nyborg.mosek.zentyal@MOSEK.ZENTYAL
ldap_sasl_canonicalize = false
ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_group_name = msSFU30Name
ldap_group_object_class = group
ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_id_mapping = false
ldap_schema = rfc2307bis
krb5_realm = MOSEK.ZENTYAL
krb5_canonicalize = false
krb5_server = mosek.zentyal
so now I restart sssd:
[root@centosy sssd]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
EDIT 4:
this is my nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Best Answer
The problem you have is using
rid
idmap.This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts.
What you need is the
ads
idmap, however, this means that the id's need to exist in AD and ldap.If you are only concerned about accessing the UNIX groups and basic attributes and not all the AD groups then winbind is not necessary.
Configure kerberos populating
/etc/krb5.conf
and have ansmb.conf
similar to the following:[global] workgroup = ADIRE client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log password server = adire.XXX.XX.uk realm = ADIRE.XXX.XXX.UK security = ads client ldap sasl wrapping = sign
To make this easier, you could let sssd control it all, but get this working first!
A good general idea of what options you have is HERE.
To configure a CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (substitute the domain details):
Then join the host to the domain and create a kerberos
/etc/krb5.keytab
file:This will enable
sssd
which you can have all the mapping in (/etc/sssd/sssd.conf
):Ensure the
sssd
is set to start at boot and is restarted after running the authconfig command and joining the domain.