We have integrated the SUSE Linux (version 11 Patch level 2) with the Microsoft Active Directory(AD) using the SSSD utility(version 1.5.11) for facilitating the AD
Users and Groups on Linux host. We have added the “sss” as the sources for “passwd”, “group”, “shadow” within the “/etc/nsswitch.conf” file.
We are facing some inconsistency issues from SSSD while fetching the User/Group information through “id” command. It appears that we are facing this inconsistency only
while SSSD interacts with Domain Controller with version Windows Server 2008 R2, and not while SSSD is interacting with Windows Server 2003 R2 based domain controller.
Please find the response/output from Linux host (terminal) as below:
- For Windows Server 2008 R2 based Domain Controller
controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2115887,2812298(Mygroups-hadoop-
DAS_ANALYST),2812208(Mygroups-hadoop-CV_US),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2827118(Mygroups-hadoop-DAS_ALL),2819228(Mygroups-hadoop-
IMAGINE_GED_LON),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-
OPEX),2024985,2356240,2358411,2100126,2115932,2099968,2337579,1743308,1463380,2100236,1881724,1707456
- For Windows Server 2003 R2 based Domain Controller
controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2812208(Mygroups-hadoop-CV_US),2819228(Mygroups-
hadoop-IMAGINE_GED_LON),2827118(Mygroups-hadoop-DAS_ALL),2812298(Mygroups-hadoop-DAS_ANALYST),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2820642
(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX)
Below is the configuration of /etc/sssd/sssd.conf
##############################################################
[sssd]
debug_level = 5
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 10
services = nss,pam
domains = mytest
[nss]
debug_level = 5
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
debug_level = 0
reconnection_retries = 3
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 5
[domain/local]
id_provider = local
min_id = 1
max_id = 499
enumerate = False
[domain/mytest]
debug_level = 9
description = Kerberos 5 domain with Active Directory servers
id_provider = ldap
auth_provider = krb5
access_provider = ldap
min_id = 500
enumerate = False
timeout = 10
cache_credentials = True
entry_cache_timeout = 300
krb5_canonicalize = False
General -----------------------
LDAP
ldap_uri = ldap://inddelvm25.mytest.com
ldap_default_authtok_type = password
ldap_default_bind_dn = linux@mytest.com
ldap_default_authtok = *******
ldap_id_mapping = True
ldap_user_objectsid = objectSid
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
ldap_access_filter = (cn=)
ldap_user_search_base = DC=mytest,DC=com
ldap_group_search_base = DC=mytest,DC=com?subtree?(|(CN=Mygroups-hadoop-)(CN=Domain Users))
ldap_referrals = False
ldap_search_timeout = 20
ldap_network_timeout = 20
KRB5
chpass_provider = krb5
ldap_force_upper_case_realm = True
krb5_server = inddelvm25.mytest.com
krb5_realm = mytest.com
krb5_store_password_if_offline = True
krb5_auth_timeout = 15
Mapping --------------------
ldap_schema = ad
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_group_name = sAMAccountName
ldap_id_use_start_tls = False
krb5_kdcip = inddelvm25.mytest.com
##############################################################
Can somebody suggest for how do we make SSSD to work with Windows Server 2008 R2 based domain controller.