The problem you have is using rid idmap. This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts.
What you need is the ads idmap; however, this means that the IDs need to exist in AD and LDAP.
If you are only concerned about accessing the UNIX groups and basic attributes and not all the AD groups then winbind is not necessary.
Configure Kerberos by populating /etc/krb5.conf and have an smb.conf similar to the following:
[global]
workgroup = ADIRE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = adire.XXX.XX.uk
realm = ADIRE.XXX.XXX.UK
security = ads
client ldap sasl wrapping = sign
To make this easier, you could let sssd control it all, but get this working first!
A good general idea of what options you have is HERE.
To configure a CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (substitute the domain details):
authconfig --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads
Then join the host to the domain and create a Kerberos /etc/krb5.keytab file:
net ads join createupn=host/`hostname -f`@ADIRE.DOMAIN.CO.UK -U privileged_user
kinit @ADIRE.DOMAIN.CO.UK
net ads keytab create
net ads keytab add host/`hostname -f`@ADIRE.DOMAIN.CO.UK
This will enable sssd, which you can have all the mapping in (/etc/sssd/sssd.conf):
[sssd]
config_file_version = 2
domains = adire.domain.co.uk
services = nss, pam
debug_level = 0
[nss]
[pam]
[domain/adire.domain.co.uk]
debug_level = 5
cache_credentials = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/servername.domain.co.uk@ADIRE.DOMAIN.CO.UK
ldap_sasl_canonicalize = false
ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_group_name = msSFU30Name
ldap_group_object_class = group
ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_id_mapping = false
ldap_schema = rfc2307bis
krb5_realm = ADIRE.DOMAIN.CO.UK
krb5_canonicalize = false
krb5_server = adire.domain.co.uk
Ensure that sssd is set to start at boot and is restarted after running the authconfig command and joining the domain.
I first checked the shell settings and added the following line to my /etc/sssd/sssd.conf:
[domain/example.org]
override_shell = /sbin/rbash
but this didn't solve the problem.
After commenting out the line
account [default=bad success=ok user_unknown=ignore] pam_sss.so
in /etc/pam.d/common-auth, Active Directory users can log in with their AD account.
But this setting affects more login services than just vsftpd. So I removed the comment from that line (going back to the original version) and changed vsftpd's PAM configuration instead:
/etc/pam.d/vsftpd:
# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
##@include common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
@include common-session
@include common-auth
auth required pam_shells.so
Best Answer
Yes, sssd can use the POSIX attributes from AD instead of doing its own ID mapping.
In the section for your AD domain in /etc/sssd/sssd.conf, simply set ldap_id_mapping = false. If you have already used sssd's automatic ID mapping on a computer, be sure to clear its cache before you restart sssd.
When using realm join to join a new computer to the domain, include the command line option --automatic-id-mapping=no.
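An added check (not code from any of the answers above) for the point made in the first answer and in the best answer: it parses an sssd.conf and reports, per domain, whether sssd will read UIDs/GIDs from the AD POSIX attributes (ldap_id_mapping = false, consistent across hosts) or generate them locally. The sample configuration is constructed from the first answer; the defaults it encodes are sssd's documented ones (the ad provider maps IDs unless told not to, the ldap provider reads attributes unless mapping is enabled).

```python
"""Report how each sssd domain obtains POSIX IDs: from AD attributes or by
local ID mapping (whose values differ from host to host)."""
import configparser
from typing import Dict

# Constructed sample based on the first answer's configuration (trimmed);
# the real file is /etc/sssd/sssd.conf.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = adire.domain.co.uk
services = nss, pam

[domain/adire.domain.co.uk]
id_provider = ldap
auth_provider = krb5
ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_id_mapping = false
ldap_schema = rfc2307bis
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style; keep key case, values (DN search bases) may hold '='
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def id_source_report(text: str) -> Dict[str, dict]:
    """Map each [domain/...] section to where sssd will take UIDs/GIDs from."""
    cp = parse_sssd_conf(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        provider = dom.get("id_provider", "").strip().lower()
        # sssd defaults: 'ad' provider maps IDs from SIDs, 'ldap' provider does not
        default_map = "true" if provider == "ad" else "false"
        mapping = dom.get("ldap_id_mapping", default_map).strip().lower() == "true"
        report[section[len("domain/"):]] = {
            "id_provider": provider,
            "posix_from_ad": not mapping,  # True: uidNumber/gidNumber read from AD
            "uid_attr": None if mapping else dom.get("ldap_user_uid_number", "uidNumber"),
            "gid_attr": None if mapping else dom.get("ldap_user_gid_number", "gidNumber"),
            "schema": dom.get("ldap_schema", "ad" if provider == "ad" else "rfc2307"),
        }
    return report


if __name__ == "__main__":
    for domain, info in id_source_report(SAMPLE_CONF).items():
        print(domain, info)
```

Run it against a copy of /etc/sssd/sssd.conf; a domain reported with posix_from_ad False is one whose UIDs will not match those of other hosts or of AD's uidNumber values.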