Winbind Centos wrong UID/GID
The problem you have is using the rid idmap.
This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts.
What you need is the ads idmap; however, this means that the IDs need to exist in AD and LDAP.
If you are only concerned about accessing the UNIX groups and basic attributes and not all the AD groups then winbind is not necessary.
Configure Kerberos by populating /etc/krb5.conf and have an smb.conf similar to the following:
[global]
workgroup = ADIRE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = adire.XXX.XX.uk
realm = ADIRE.XXX.XXX.UK
security = ads
client ldap sasl wrapping = sign
To make this easier, you could let sssd control it all, but get this working first!
A good general idea of what options you have is HERE.
To configure a CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (substitute the domain details):
authconfig --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads
Then join the host to the domain and create a Kerberos /etc/krb5.keytab file:
net ads join createupn=host/`hostname -f`@ADIRE.DOMAIN.CO.UK -U privileged_user
kinit @ADIRE.DOMAIN.CO.UK
net ads keytab create
net ads keytab add host/`hostname -f`@ADIRE.DOMAIN.CO.UK
This will enable sssd, which you can have all the mapping in (/etc/sssd/sssd.conf):
[sssd]
config_file_version = 2
domains = adire.domain.co.uk
services = nss, pam
debug_level = 0
[nss]
[pam]
[domain/adire.domain.co.uk]
debug_level = 5
cache_credentials = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/[email protected]
ldap_sasl_canonicalize = false
ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_group_name = msSFU30Name
ldap_group_object_class = group
ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_id_mapping = false
ldap_schema = rfc2307bis
krb5_realm = ADIRE.DOMAIN.CO.UK
krb5_canonicalize = false
krb5_server = adire.domain.co.uk
Ensure that sssd is set to start at boot and is restarted after running the authconfig command and joining the domain.
Tomas
Updated on September 18, 2022
Comments
-
Tomas over 1 year
Here's the scenario:
I have two machines:
Ubuntu, running LDAP to authenticate users
CentOS, using winbind to authenticate users
To mount home directories I use fstab and NFS shares.
The problem is this:
on Ubuntu, in getent passwd a user look like this:
john:x:3000052:1901:John Doe:/home/john:/bin/bash
but on CentOS the same user looks like this in getent passwd:
john:*:16777228:16777218:John Doe:/home/john:/bin/bash
As you can see, the UID and GID aren't matching, which results in permission denied when a user tries to access their home folder on CentOS. I want CentOS to have the exact same UID and GID as Ubuntu has, for the AD users.
I managed to find out something about idmap in smb.conf, but I haven't got it working.
[global]
idmap workgroup = MOSEK
idmap config MOSEK:backend = rid
idmap config MOSEK:base_rid = 0
idmap config MOSEK:range = 3000040 - 4999999
#--authconfig--start-line--
# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MOSEK
...autogenerated stuff
#--authconfig--end-line--
But this isn't working.
I hope I am clear in what I'm trying to do
EDIT:
Okay, so here's what authconfig has generated for me. Because of your answer, I think this could be relevant.
#--authconfig--start-line--
# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MOSEK
password server = nyborg.mosek.zentyal
realm = MOSEK.ZENTYAL
security = ads
idmap config * : range = 1000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
#--authconfig--end-line--
EDIT2: When I tried giving sssd.conf the right permissions, it got me a new error:
[root@centosy sssd]# journalctl -xn
-- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited, code=exited status=1
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sssd.service has failed.
--
-- The result is failed.
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.
EDIT3:
Okay, I followed your guide and here's what I did from start to finish:
[root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
getsebool: SELinux is disabled
[root@centosy sssd]# net ads join createupn=host/`hostname -f`@MOSEK.ZENTYAL -U tomas
Ignoring unknown parameter "idmap workgroup"
Ignoring unknown parameter "idmap workgroup"
Enter tomas's password:
Using short domain name -- MOSEK
Joined 'CENTOSY' to dns domain 'mosek.zentyal'
and here's my sssd.conf:
[sssd]
config_file_version = 2
domains = mosek.zentyal
services = nss, pam
debug_level = 0
[nss]
[pam]
[domain/mosek.zentyal]
debug_level = 5
cache_credentials = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/[email protected]
ldap_sasl_canonicalize = false
ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_group_name = msSFU30Name
ldap_group_object_class = group
ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_id_mapping = false
ldap_schema = rfc2307bis
krb5_realm = MOSEK.ZENTYAL
krb5_canonicalize = false
krb5_server = mosek.zentyal
So now I restart sssd:
[root@centosy sssd]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
EDIT 4:
This is my nsswitch.conf:
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
-
Tomas over 9 years
I just edited the question so you can see the autogenerated code. It seems that it is already using ads idmap. Also I'm trying to use ads because I'm pretty sure that the AD and LDAP use the same UID and GID.
-
Tomas over 9 years
I investigated a bit further, and LDAP uses the UNIX basic attributes only. How will I be able to make CentOS do the same? I need to configure krb5.conf and smb.conf, but how?
-
geedoubleya over 9 years
I have added the authconfig steps and sssd configuration.
-
Tomas over 9 years
When trying to run the authconfig command I get: authconfig: Authentication module /lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
-
Tomas over 9 years
I installed the sssd package and the error disappeared, although sssd.conf doesn't exist in /etc/sssd/, and when I try to create it and start the SSSD service:
[root@centosy sssd]# service sssd start
Redirecting to /bin/systemctl start sssd.service
Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.
[root@centosy sssd]# /etc/init.d/
iprdump iprinit iprupdate netconsole network
[root@centosy sssd]# systemctl status ssd.service
ssd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
-
Tomas over 9 years
I looked in journalctl as the error suggested and I found this:
-- Unit sssd.service has begun starting up.
Oct 07 10:13:45 centosy.mosek.zentyal sssd[5526]: NSCD socket was detected and seems to be configured to cache some of the data
Oct 07 10:13:45 centosy.mosek.zentyal sssd[5526]: Cannot read config file /etc/sssd/sssd.conf. Please check if permissions are
Oct 07 10:13:45 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited, code=exited status=4
Oct 07 10:13:45 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services Daemon.
-
geedoubleya over 9 years
/etc/sssd/sssd.conf should be mode 600 (rw-------).
-
Tomas over 9 years
I edited my question with a new error
-
Tomas over 9 years
I tried deleting and remaking the sssd.conf and I got it running, but even though I followed your guide, now when I look at getent passwd, none of the AD users are there.
-
geedoubleya over 9 years
Did it join the domain ok? Check the sssd logs (/var/log/sssd/*).
-
Tomas over 9 years
I added all the configs and the sssd log in my question
-
geedoubleya over 9 years
Missed the creation of the keytab file, so added it in after the domain join command. See if that helps.
-
Tomas over 9 years
kinit throws this error:
[root@centosy ~]# kinit @MOSEK.ZENTYAL
kinit: Client not found in Kerberos database while getting initial credentials
I had to install krb5-workstation to get kinit installed, and when I installed the workstation package I ran the authconfig and join commands again to be sure.
-
geedoubleya over 9 years
@Tomas - Leave that command out and go ahead and create the keytab file (assuming you have just run the net ads join command)?
-
Tomas over 9 years
Okay, I tried the command kinit [email protected] and it got me through. Now when I try to create a keytab it asks for root's password, and then says that [email protected] doesn't exist. How can I get it to ask for the Domain Admin Tomas's password?
-
Tomas over 9 years
I fixed my keytab problems by adding the U flag to both commands. But although I made the keytab and added the host, and although I got a Kerberos ticket from the AD, it still doesn't have any of the users in getent passwd
-
Tomas over 9 years
I changed /etc/sssd/sssd.conf to have ldap_sasl_authid = host/[email protected]. What should /etc/nsswitch.conf look like when correctly populated?
-
Tomas over 9 years
I added my nsswitch.conf, so you can see if something's wrong with it
-
geedoubleya over 9 years
@Tomas nsswitch.conf is fine. Try kinit -k host/[email protected], then run getent ... while checking the logs: /var/log/sssd/*.logs. Failing that, install ldapsearch and run a query against your LDAP server.
-
Tomas over 9 years
I tried running the kinit command, and I get the error:
kinit: Keytab contains no suitable keys for host/[email protected] while getting initial credentials
-
Tomas over 9 years
Also, in /var/log/sssd/ldap_child.log I keep getting these:
(Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [sss_krb5_verify_keytab_ex] (0x0010): Principal [host/[email protected]] not found in keytab [default]
(Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [ldap_child_get_tgt_sync] (0x0040): Unable to verify principal is present in the keytab
(Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
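The ldap_child.log error above means sssd could not find the ldap_sasl_authid principal in /etc/krb5.keytab. The check below is an added example (not from this thread): it compares the ldap_sasl_authid in sssd.conf against the principals that `klist -k /etc/krb5.keytab` lists and tells apart an exact match, a principal that differs only in realm case (Kerberos principal names are case-sensitive, so host/x@mosek.zentyal and host/x@MOSEK.ZENTYAL are different principals), and a principal that is missing outright. The sssd.conf fragment and klist output are constructed; the host name and realm merely resemble the thread's.

```python
import re
from typing import List, Optional

# Constructed sssd.conf fragment (not the asker's file).
SSSD_CONF = """\
[domain/mosek.zentyal]
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/centosy.mosek.zentyal@MOSEK.ZENTYAL
krb5_realm = MOSEK.ZENTYAL
"""

# Constructed `klist -k` output: the keytab holds the host principal, but
# under a lower-case realm, so the principal sssd asks for is not there.
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CENTOSY$@mosek.zentyal
   2 host/centosy.mosek.zentyal@mosek.zentyal
   2 host/CENTOSY@mosek.zentyal
"""

def sasl_authid(conf: str) -> Optional[str]:
    """Return the ldap_sasl_authid value from an sssd.conf text, if set."""
    m = re.search(r"^\s*ldap_sasl_authid\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def keytab_principals(klist_out: str) -> List[str]:
    """Parse the principal column of `klist -k` output (KVNO, then principal)."""
    principals = []
    for line in klist_out.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.append(m.group(1))
    return principals

def check_keytab(conf: str, klist_out: str) -> str:
    """Classify the sssd principal against the keytab:
    'ok', 'realm-case-mismatch', 'missing' or 'no-authid'."""
    wanted = sasl_authid(conf)
    if wanted is None:
        return "no-authid"
    have = keytab_principals(klist_out)
    if wanted in have:
        return "ok"
    # Same letters, different case: a different principal to the KDC.
    if any(p.lower() == wanted.lower() for p in have):
        return "realm-case-mismatch"
    return "missing"

if __name__ == "__main__":
    print(check_keytab(SSSD_CONF, KLIST_K))  # realm-case-mismatch
```

On a real host, feed it the actual sssd.conf and the output of `klist -k /etc/krb5.keytab`; a 'missing' result means re-running the `net ads keytab add host/...` step from the answer, while 'realm-case-mismatch' points at the realm spelling used when the keytab was created.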
-
Tomas over 9 years
Okay, I found out that although the user isn't in getent passwd they can still log in, which is great, but the UID still seems to be incorrect
-
geedoubleya over 9 years
Good news, what is the AD UID and the currently assigned UID?
-
Tomas over 9 years
Bad news again. It was some other configurations I tried that made it possible to log in, configurations with winbind. I tried reinstalling and running through your configurations again, and I was unable to log in, unfortunately :( I really appreciate you helping me, by the way
-
Tomas over 9 years
Also, when I try the command kinit tomas I get to type the password, and then it returns the error kinit: KDC reply did not match expectations while getting initial credentials
-
geedoubleya over 9 years
That is the SFU attribute for Windows AD that maps the unix LDAP equivalent for uid. So in LDAP, does the UID just have the windows username?
-
Tomas over 9 years
My AD server is not Windows. It is something called Zentyal, which runs on top of Ubuntu and works as a Windows AD server
-
geedoubleya over 9 years
So in LDAP, is the UID attribute the same as the Zentyal AD username?
-
Tomas over 9 years
I'm unclear on what you mean. You can see on my Ubuntu client, which uses purely LDAP authentication, that the UID is the right one, which means that the UID that LDAP retrieves is the same as on the Zentyal AD
-
frymaster about 9 years
"This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts." rid should, if set up identically on both machines (same range and base_rid), always give you the same UID for the same user. I suspect one server using winbind and the other using LDAP might be a problem though
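The arithmetic behind the answer's description of the rid backend and frymaster's reply, as an added example that is not part of this thread: Samba's idmap_rid(8) documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, so the result depends only on the user's RID and the configured range, not on the host. The code applies that formula with the asker's MOSEK settings (range 3000040 - 4999999, base_rid 0), inverts it to ask which RID an observed UID would correspond to, and reports when a UID lies outside the range and therefore cannot have come from that rid configuration. The SID used is constructed.

```python
from typing import Optional, Sequence, Tuple

# (low, high, base_rid) as configured in the asker's smb.conf for MOSEK.
MOSEK = (3000040, 4999999, 0)

def sid_rid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of an S-1-5-21-...-RID SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])

def rid_to_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside [low, high]; winbind then
    cannot map that SID with this backend."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

def id_to_rid(uid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """Inverse mapping: the RID an ID in this range corresponds to."""
    if not low <= uid <= high:
        return None
    return uid - low + base_rid

def same_on_every_host(rid: int, configs: Sequence[Tuple[int, int, int]]) -> bool:
    """True when every host's (low, high, base_rid) yields the same ID for rid."""
    ids = {rid_to_id(rid, *cfg) for cfg in configs}
    return len(ids) == 1 and None not in ids

def explain_uid(uid: int, cfg: Tuple[int, int, int] = MOSEK) -> str:
    """Say whether an observed UID could have been produced by cfg at all."""
    rid = id_to_rid(uid, *cfg)
    if rid is None:
        return f"UID {uid} lies outside range {cfg[0]}-{cfg[1]}: not allocated by this rid config"
    return f"UID {uid} corresponds to RID {rid} under this rid config"

if __name__ == "__main__":
    # Constructed SID; only the trailing RID matters to idmap_rid.
    print(rid_to_id(sid_rid("S-1-5-21-1111-2222-3333-1105"), *MOSEK))  # 3001145
    print(explain_uid(3000052))   # john's UID on the LDAP-backed Ubuntu host
    print(explain_uid(16777228))  # john's UID on the CentOS host
```

Note that rid can only reproduce the Ubuntu host's LDAP UIDs if those were themselves derived from RIDs with the same formula; when the directory assigns uidNumber independently, reading that attribute (the ads/LDAP route in the answer) is what keeps both hosts consistent.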