Monday, December 6, 2021

[389-users] Re: Help - Missing nsAccount objectClass for WinSync users from AD

Hi William,
PAM for users created manually is working fine for me.
The only problem is related to synced users from AD, which don't seem to have all the necessary objectClasses.

However, this is the ldapserver PAM service:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] nullok
auth [success=1 default=ignore] use_first_pass debug
# here's the fallback if no module succeeds
auth requisite
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

and this is the sssd.conf file:
domains = lab.local
config_file_version = 2
services = nss, pam
debug_level = 10

default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = LAB.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = lab.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
#enumerate = true

auth_provider = ad
chpass_provider = ad
ldap_schema = ad

dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Hope to have a reply from you soon.

Best Regards