
SSSD 1.16.5, CentOS 7

For domain-joined Linux systems, I have to manually set their uidNumber or uid AD attribute to their Linux UID so that users can write on world-writable NFS shares.

With uid/uidNumber empty, domain users can't write.

Something is missing from the sssd.conf, but I thought this was supposed to take care of the UID mapping that I need:

ldap_id_mapping = True

sssd.conf

[sssd]
domains = <NAME.COM>
config_file_version = 2
services = nss, pam

[domain/<NAME.COM>]
ad_domain = <NAME.COM>
krb5_realm = <NAME.COM>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = simple
chpass_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_idmap_autorid_compat = true
ldap_idmap_default_domain_sid = <SID of Domain here>
use_fully_qualified_names = false
fallback_homedir = /home/%u

1 Answer


It sounds like you have users in AD and the same username in /etc/passwd. If so, then that is what you are missing: you do not need the same username in AD and in /etc/passwd; they are actually different users with the same username. I would delete any usernames in /etc/passwd that are also in AD. You will probably still need the uidNumber & gidNumber attributes though, mainly because you set it up incorrectly in the first place and will now have files belonging to the old IDs.

  • Also need to set "ldap_id_mapping" to false, which will use the values specified in the AD object to take precedence over the sssd auto-generated uid/gid – Semicolon Jun 13 '22 at 13:59
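As an added, self-contained example (not code from the question, the answer or the SSSD project): a POSIX shell script that reads an sssd.conf and reports whether the domain section will derive UIDs/GIDs from the objectSID (ldap_id_mapping = True, the question's setting) or use the uidNumber/gidNumber attributes stored in AD (ldap_id_mapping = False, the fix the comment describes), rewrites the file to the latter, and lists local /etc/passwd names that collide with domain user names, which is the situation the answer describes. The sssd.conf, passwd file and AD user list are constructed sample data so it runs offline; the domain example.com and the user names are hypothetical. On a real host you would point the functions at /etc/sssd/sssd.conf, /etc/passwd and the output of getent passwd -s sss instead.

```shell
#!/bin/sh
# Added example: inspect and correct the SSSD ID-mapping mode, and find local
# accounts that shadow AD accounts. Sample inputs are constructed below.

# Build constructed sample files in a temp dir and print the dir name.
make_samples() {
  dir=$(mktemp -d)
  # Constructed sssd.conf mirroring the question: ID mapping on, SID-range knobs set.
  cat > "$dir/sssd.conf" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
ldap_id_mapping = True
ldap_idmap_autorid_compat = true
ldap_idmap_default_domain_sid = S-1-5-21-1-2-3
fallback_homedir = /home/%u
EOF
  # Constructed /etc/passwd: "alice" exists locally AND (below) in AD.
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
backup:x:34:34::/var/backups:/usr/sbin/nologin
EOF
  # Constructed stand-in for the AD user list (what getent passwd -s sss would
  # return on a joined host); only the names matter here.
  printf '%s\n' alice bob > "$dir/ad_users"
  echo "$dir"
}

# Print "sid" if SSSD will compute IDs from the objectSID, "posix" if it will
# use the AD uidNumber/gidNumber attributes. ldap_id_mapping defaults to True
# for id_provider = ad, so a missing key is reported as "sid".
idmap_mode() {
  conf=$1
  val=$(awk -F'=' '
    /^\[/ { in_dom = ($0 ~ /^\[domain\//) }
    in_dom && $1 ~ /^[ \t]*ldap_id_mapping[ \t]*$/ {
      gsub(/[ \t]/, "", $2); print tolower($2); exit
    }
  ' "$conf")
  case "$val" in
    true|yes|1|"") echo sid ;;
    false|no|0)    echo posix ;;
    *)             echo unknown ;;
  esac
}

# Write a corrected copy of the config (path printed): ldap_id_mapping = False
# in the domain section, and the ldap_idmap_* range options dropped because
# they are meaningless once SID mapping is off. If the key is absent it is
# appended; this assumes the domain section is the last one, as in the question.
set_posix_ids() {
  conf=$1
  out="$1.fixed"
  awk '
    /^\[/ { in_dom = ($0 ~ /^\[domain\//) }
    in_dom && $0 ~ /^[ \t]*ldap_id_mapping[ \t]*=/ { print "ldap_id_mapping = False"; seen = 1; next }
    in_dom && $0 ~ /^[ \t]*ldap_idmap_/ { next }
    { print }
    END { if (in_dom && !seen) print "ldap_id_mapping = False" }
  ' "$conf" > "$out"
  echo "$out"
}

# Names present both in the local passwd file and in AD: the "two different
# users with the same username" case from the answer. One name per line.
local_collisions() {
  passwd=$1
  ad=$2
  cut -d: -f1 "$passwd" | grep -Fx -f "$ad" || true
}

# Demo run on the constructed samples.
d=$(make_samples)
echo "mapping mode before: $(idmap_mode "$d/sssd.conf")"
fixed=$(set_posix_ids "$d/sssd.conf")
echo "mapping mode after:  $(idmap_mode "$fixed")"
echo "local accounts shadowing AD accounts:"
local_collisions "$d/passwd" "$d/ad_users"
```

After switching to ldap_id_mapping = False, every domain user and group that should resolve on the host needs uidNumber/gidNumber populated in AD; accounts without them simply disappear from getent, and files already created under the SID-derived IDs keep those old numeric owners, which is the clean-up the answer warns about.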