Questions[domain-server](ubuntu)

Why does altering ldap_id_mapping present different group memberships on the same AD user?

I was hoping to have my UID/GID be the same as AD with IDMU: SSSD with AD: use UID/GID specified on domain server instead of something random?

I have achieved this by setting /etc/sssd/sssd.conf ldap_id_mapping = False, but now some of my AD groups are 'missing'.

The previous AD user with ldap_id_mapping = True reflected all the AD groups of which the user is a member, while the ldap_id_mapping = False user does not.

e.g:

% sssd --version
2.3.1

% cat /etc/sssd/sssd.conf | grep id_mapping

ldap_id_mapping = True

% su [email protected]                                        
Password: 
[email protected]@myhostname:~/$ id

uid=397401108([email protected])
gid=397400512(domain [email protected])
groups=397400512(domain [email protected]),
397400513(domain [email protected]),
397400518(schema [email protected]),
397400519(enterprise [email protected]),
397400572(denied rodc password replication [email protected]),
397401109([email protected]),
397401112(vcsa [email protected]),
397404603([email protected]),
397407607([email protected])

% exit

Above, you can see there are several AD-specific groups represented

% su -

# sed -i 's/ldap_id_mapping = True/ldap_id_mapping = False/g' /etc/sssd/sssd.conf 

# cat /etc/sssd/sssd.conf | grep id_mapping

ldap_id_mapping = False

# exit

% su [email protected]                                        
Password: 
[email protected]@myhostname:~/$ id

uid=10000(auser)
gid=10001(administrators)
groups=10001(administrators),
3109([email protected]),
10000(domain [email protected])

Now you can see the AD-specific groups are not represented on the SSSD client.

Anyone have an idea why all these groups are not present on my domain user after changing this setting? Aren't all existing AD groups and users mapped to an ldap equivalent?

Is it because the groups presented when ldap_id_mapping = True are not being mapped with ldap_id_mapping = False?

How can I ensure these groups are not 'missing' on SSSD clients when ldap_id_mapping = False?

I have an AD environment with IDMU and specified UID/GID for my domain users. SSSD-connected domain user does not share the same UID/GID on Ubuntu as AD.

Here's the default unedited sssd.conf in Ubuntu 20.10:

% sssd --version
2.3.1

# cat /etc/sssd/sssd.conf 

[sssd]
domains = webtool.space
config_file_version = 2

[domain/webtool.space]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.SPACE
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = mydomain.space
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

If username Auser has a UID of 10001 and a GID of 10001 I would expect that these numbers would persist across other platforms, correct?

But SSSD seems to allocate arbitrary UID/GID with no correspondence with AD numbers. Here's a real-world example:

% su [email protected]                                        
Password: 
[email protected]@myhostname:~/$ id

uid=397401108([email protected])
gid=397400512(domain [email protected])
groups=397400512(domain [email protected]),
397400513(domain [email protected]),
397400518(schema [email protected]),
397400519(enterprise [email protected]),
397400572(denied rodc password replication [email protected]),
397401109([email protected]),
397401112(vcsa [email protected]),
397404603([email protected]),
397407607([email protected])

Is there any way to prevent this behavior? I would like my UID/GID to correspond with the values assigned on the domain controllers.

Update:

Thanks to stellar first answer, all that was required to make mapping 1-1 was stop SSSD service, delete the cache, change ldap_id_mapping from True to False.

Now the UID/GID are the same as AD:

% id
uid=10000(auser) gid=10001(administrators) groups=10001(administrators),3109([email protected]),10000(domain [email protected])

Now to figure out why I am missing some of the groups my user belongs to...

I'm using a Raspberry Pi 3 with Ubuntu 18.04. At my company we have a DNS server and a couple of domains with ".local". I know technically this isn't correct and it should be ".lan" instead, because .local is reserved for multicast dns. But that's the way it is and it can't easily be changed. So on my windows machine I can ping and browse to those domain names without trouble. On my Ubuntu however I can not.

I can not use IPs because some domains are on the same machine and the IIS webserver sorts things out what goes where.

I have searched and it comes up quite often:

• https://smallbusiness.chron.com/resolving-local-ubuntu-38861.html
• Why do none of my local servers resolve?
• ubuntu server not resolving LAN hostnames

However changing /etc/nsswitch.conf doesn't do the trick for me. I tried

• hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname # default
• hosts: files dns
• hosts: files mdns4_minimal [NOTFOUND=continue] dns myhostname
• hosts: files mdns4 [NOTFOUND=return] dns myhostname
• hosts: files mdns4 [NOTFOUND=continue] dns myhostname
• hosts: files dns mdsn4_minimal myhostname
• hosts: dns
• a few others

None of which worked. I tried rebooting after a change too. I tried to tell avahi that the domain-name=alocal in /etc/avahi/avahi-daemon.conf, didn't work after service restart, didn't work after reboot. After this not working, I tried disabling the avahi-daemon service entirely.

sudo systemctl disable avahi-daemon

After a reboot I tried a couple of permutations in /etc/nsswitch.conf again, with no effect.

with my current settings in hosts (files dns) I get this response:

dig login.name.local # not the actual name

; <<>> Dig 9.11.3-1ubuntu1.1-Ubuntu <<>> login.name.local
;; global options: +cmd
;; Got answer:
;; WARNING .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33538
;; flags: qr rd ra; QUERY: 1, ANSWER:0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;login.name.local. 0     IN     A

;; Query time: 2msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Aug 23 10:51:50 CEST 2018
;; MSG SIZE  rcvd: 56

However when I instruct dig to query the server directly I get the correct answer:

dig @dnsIP login.name.local
; <<>> Dig 9.11.3-1ubuntu1.1-Ubuntu <<>> login.name.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57866
;; flags: qr aa rd ra; QUERY: 1, ANSWER:1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;login.name.local. 0     IN     A

;; ANSWER SECTION:
login.name.local. 3600 IN    A        serverIP

;; Query time: 2msec
;; SERVER: dnsIP#53(dnsIP)
;; WHEN: Thu Aug 23 10:51:50 CEST 2018
;; MSG SIZE  rcvd: 56

This version of Ubuntu uses netplan with the network manager. The correct DNS IP is definitely in the list. (in fact it's the primary DNS.) Also the dnsIp is the same as serverIP, but that shouldn't be an issue.

Ping or connecting via browser and such don't work of course. None use the dns query.

I'm at a loss at what to do. Certainly we can't switch to a different domain name. I put the servername into /etc/hosts but that's just a temporary solution.

I have a Django/Apache server that runs in my home, and currently I can only access it by using the IP address.

I'm sorry if this sounds novice but, how would one go about configuring an Apache/Ubuntu home server so all devices on that network can visit the server from a more memorable/cheerful domain name (eg. "http://MyHomeServer.com/")?

Would this require any router settings to be modified or is there a way I could do this purely from within the Linux server?

Thanks.

First off, yes I have read all the related topics and those fixes are either out of date or don't work.

I am running 12.04 and I would like to add it to the Windows 2008 Server network. After I get that done I would like to mount the F:\ drive of the server somewhere on my Linux machine where it can be identified as drive F:\ by Wine or Dosemu.

If I can achieve all of that, I need to find out how to run a MS-Dos 16-bit Point-of-sales Graphic program in Ubuntu.

whether that be through Wine, Dosemu, or DosBox, it does not matter, it just has to be able to read and write to the servers F:\ drive, operate the DOS app, and support LPt1 (I think) for printing receipts and loading tickets.

I am a decently knowledgeable Windows tech, at least thats what my job description says. But this is my first encounter with Linux in a work environment, it could prove to very experience changing if I can just prove it as a practical theory and a reasonable solution, and get it to work.

The first step is to get it joined to the domain. I have likewise-open CLI and GUI versions, samba, and GADMIN-SAMBA installed in attempts to get any of them to work.

Any help in any area is greatly appreciated, especially with the domain joining since it is the first step and what I thought would be the easiest step.