Open xDarkNox opened 5 months ago
The cause of it may be in /etc/dconf/* generating users and folders with the @domain.com part... it should use the user only.
I'm not sure I understand the issue, but did you try to remove `default_domain_suffix` and set `use_fully_qualified_names = false`?
> The cause of it may be in /etc/dconf/* generating users and folders with the @domain.com part... it should use the user only.
>
> I'm not sure I understand the issue, but did you try to remove `default_domain_suffix` and set `use_fully_qualified_names = false`?
This is not a logical option; what is the point of disabling these when you are going to get problems in other things?
I could disable it and use the LDAP attribute to get the FQDN, but it won't work because the other configurations, like Kerberos, won't get the tickets after logon. The correct scenario is with AD configs and fixing this bug... that way the Ubuntu system will get the correct user. A workaround for this problem would be to create an ID in the local system to make it understand. This is a problem between the OS/GNOME and SSSD. This is why using symbols in usernames isn't recommended; there is always a system that isn't compatible...
For you to understand, try to install Ubuntu 22.04.4, then install the packages: realmd, libnss-sss libpam-sss libnss-ldapd libpam-ldapd ldap-utils sssd sssd-ad sssd-tools sssd-krb5 krb5-user krb5-auth-dialog adcli adsys adsys-windows oddjob oddjob-mkhomedir packagekit samba-common-bin winbind smbclient.
Configure mkhomedir with `pam-auth-update --enable mkhomedir`. Edit `/etc/pam.d/common-session` and set umask.so from optional to required, also for mkhomedir, to this: `session optional pam_mkhomedir.so skel=/etc/skel`. Change the configuration in `/etc/login.defs`, where UMASK is set to 022; change it to 027 for security.
I already gave the sssd config, check it. The samba config should be like this:
```
# Global parameters
[global]
log file = /var/log/samba/log.%m
logging = file
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
realm = AD.DOMAIN.COM.BR
server role = member server
server string = %h server (Samba, Ubuntu)
unix password sync = Yes
usershare allow guests = Yes
workgroup = AD

[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
```
Make sure to edit /etc/nsswitch.conf:
```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd sss ldap
group: files systemd sss ldap
shadow: files sss ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns ldap
networks: files ldap
protocols: db files ldap
services: db files sss ldap
ethers: db files ldap
rpc: db files ldap
netgroup: nis sss ldap
automount: sss
aliases: ldap
```
Here is the samba configuration also, for your help.
```
[logging]
default = FILE:/var/log/kerberos/krb5libs.log

[libdefaults]
default_realm = AD.DOMAIN.COM.BR
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = false
udp_preference_limit = 0
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
# forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
AD.DOMAIN.COM.BR = {
kdc = server.ad.domain.com.br
admin_server = server.ad.domain.com.br
master_kdc = server.ad.domain.com.br
}

[domain_realm]
.ad.domain.com.br = AD.DOMAIN.COM.BR
ad.domain.com.br = AD.DOMAIN.COM.BR
```
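Added example, not code from the thread or the project: a small POSIX shell audit of the settings the procedure above edits by hand (UMASK in /etc/login.defs, pam_mkhomedir in common-session, default_domain_suffix in sssd.conf, and any user@domain entries already present under /etc/dconf). The function name audit_cfg and its ROOT prefix argument are assumptions, so the checks can run against constructed copies of the files instead of the live system.

```shell
# Added example (not from the issue thread). audit_cfg and the ROOT prefix
# argument are assumptions: ROOT lets the checks run against constructed
# copies of the files; pass "" (or nothing) to audit the live /etc.
# Prints one line per finding and returns 1 if anything was found, else 0.
audit_cfg() {
    root="${1:-}"
    findings=0
    # 1. /etc/login.defs: the thread changes UMASK from 022 to 027.
    umask_val=$(awk '$1=="UMASK"{print $2}' "$root/etc/login.defs" 2>/dev/null | tail -n 1)
    if [ "$umask_val" != "027" ]; then
        echo "login.defs: UMASK is '${umask_val:-unset}', expected 027"
        findings=$((findings + 1))
    fi
    # 2. common-session must load pam_mkhomedir.so with skel=/etc/skel.
    if ! grep -Eq '^session[[:space:]]+(optional|required)[[:space:]]+pam_mkhomedir\.so.*skel=/etc/skel' \
            "$root/etc/pam.d/common-session" 2>/dev/null; then
        echo "common-session: pam_mkhomedir.so with skel=/etc/skel is not enabled"
        findings=$((findings + 1))
    fi
    # 3. sssd.conf: default_domain_suffix makes SSSD print every name as
    #    user@domain, which is the form that ends up under /etc/dconf.
    if grep -Eq '^[[:space:]]*default_domain_suffix[[:space:]]*=' \
            "$root/etc/sssd/sssd.conf" 2>/dev/null; then
        echo "sssd.conf: default_domain_suffix is set; names will be user@domain"
        findings=$((findings + 1))
    fi
    # 4. dconf profile/db entries that already carry a domain suffix.
    for f in "$root"/etc/dconf/profile/*@* "$root"/etc/dconf/db/*@*; do
        [ -e "$f" ] || continue
        echo "dconf: fully qualified entry ${f#$root}"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_cfg` on the live system (needs read access to /etc/sssd/sssd.conf) or with a staging prefix such as `audit_cfg /tmp/stage`.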
Hello everyone.
Bug Report: Ubuntu 22.04.4 LTS Functionality Issues with SSSD Users
Description:
When using SSSD users on Ubuntu 22.04.4 LTS, there is a lack of permissions to make changes to the system via the GUI, such as the Settings application. This issue occurs after login, even though the permissions mask appears to be correctly set (027).
Based on the `sssd.conf` file configuration, the user can authenticate with the Active Directory backend server without any issues with Kerberos or LDAP authentication.
Details:
The problem lies within the "/etc/dconf/" directory. Inside the "profiles" and "db" subdirectories, users are being created with fully qualified domain names (FQDN), where it should be without the domain.
If the user is created using the LDAP provider, this issue does not occur, as it is possible to bypass this bug using the sAMAccountName. However, for those who wish to use LDAP, the best practice would indeed be to fix this bug.
Steps to Reproduce:
Expected Result:
The user should be able to make changes to the system via the GUI.
Actual Result:
The user lacks the necessary permissions to make changes to the system via the GUI. The cause of it may be in /etc/dconf/* generating users and folders with the @domain.com part... it should use the user only, as said in sssd.conf.
System Information:
Additional Information:
Any additional information, configuration or data that might be necessary to reproduce the issue.
Workaround:
A temporary workaround is to create the user using the LDAP provider and authentication and use the sAMAccountName; this way you can avoid using the default domain suffix...
We look forward to a resolution for this issue. Thank you.