How do I run Docker containers as an Active Directory-domain user (SSSD)? (“unable to find user”)
I am running several Samba-shares on a dedicated Debian 9.6 machine joined to an AD-domain (Zentyal with SMB 4).
I am using a pretty straightforward SSSD installation that has so far worked out perfectly for our needs.
I want to set Ambar up so that the various domain users could search documents on the aforementioned Samba-shares. However, I only want Ambar to crawl "public" documents, and nothing from private/"management" folders.
I've changed the docker-compose.yml file so that Docker will spawn the containers it needs as the user crawler, but when I run docker-compose up -d I get the following error:
ERROR: for Shared-folder Cannot start service Shared-folder: linux spec user: unable to find user crawler: no matching entries in passwd file
Editing the /etc/passwd file manually does not help here. I still get the same error.
This is what the relevant docker-compose.yml configuration looks like:
Shared-folder:
  depends_on:
    serviceapi:
      condition: service_healthy
  image: ambar/ambar-local-crawler
  restart: always
  networks:
    - internal_network
  expose:
    - "8082"
  environment:
    - name=Shared-folder
    - ignoreExtensions=.exe,dll,rar,s,so
    - apiUrl=http://serviceapi:8081
  user: crawler
  volumes:
    - /shared/Shared-folder:/usr/data
Please observe that if I remove the line user: crawler, everything works as expected (and root crawls all of my documents).
Here is my /etc/sssd/sssd.conf-file:
[sssd]
services = nss, pam
config_file_version = 2
domains = MY.COMPANY.COM
[domain/MY.COMPANY.COM]
id_provider = ad
access_provider = ad
ad_gpo_map_interactive = +cron
dyndns_update_ptr=false
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%u
ldap_idmap_autorid_compat = True
And here's my /etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_winbind.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
Please let me know if any configs would be helpful! My guess is that smb.conf is not that relevant in this case, and that there might be some way to tell Docker to just trust PAM?
debian docker samba4 sssd
asked 2 days ago
Oleg
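
An added example, not part of the original question and not Docker's or Ambar's own code: Docker resolves a name given in `user:` against the /etc/passwd inside the image, not through the host's NSS/SSSD, while a numeric `UID:GID` needs no lookup at all. The sketch below turns the host's `getent passwd` entry into that numeric pair and checks whether the image's passwd file agrees; the function names, the sample IDs and the image passwd content are all constructed for illustration.

```shell
#!/bin/sh
# Added example. All function names are hypothetical; sample data is constructed.

# Turn one passwd-format line (as printed by `getent passwd NAME`) into UID:GID.
# Fails (non-zero) if the line does not carry numeric uid and gid fields.
uid_gid_from_passwd_line() {
    # $1 = name:pw:uid:gid:gecos:home:shell
    printf '%s\n' "$1" | awk -F: '
        NF >= 4 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ { print $3 ":" $4; ok = 1 }
        END { exit !ok }'
}

# Resolve NAME through the host's NSS (files, sss, ...) and print UID:GID.
# On the host this sees SSSD users; inside the image the same name may not exist.
compose_user_for() {
    _line=$(getent passwd "$1") || { echo "host cannot resolve $1" >&2; return 1; }
    uid_gid_from_passwd_line "$_line"
}

# Compare the image's passwd file with the host entry for NAME.
# Prints: missing  (name lookup in the image fails, as in the error above)
#         mismatch (name exists in the image but with other IDs, so access
#                   to the bind-mounted share would not match the AD user)
#         match    (image and host agree)
image_user_status() {
    # $1 = name, $2 = path to the image's passwd file, $3 = host passwd line
    _img_ids=$(awk -F: -v u="$1" '$1 == u { print $3 ":" $4; exit }' "$2")
    _host_ids=$(uid_gid_from_passwd_line "$3") || return 2
    if [ -z "$_img_ids" ]; then
        echo missing
    elif [ "$_img_ids" = "$_host_ids" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed sample: what `getent passwd crawler` could print on the host.
SAMPLE_HOST_LINE='crawler:*:1234001105:1234000513::/home/crawler:/bin/bash'

# Demo on constructed data: an image that only knows root.
demo() {
    _tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$_tmp"
    printf '# image passwd status: %s\n' \
        "$(image_user_status crawler "$_tmp" "$SAMPLE_HOST_LINE")"
    # Numeric form for docker-compose.yml; quoted so YAML keeps it a string.
    printf 'user: "%s"\n' "$(uid_gid_from_passwd_line "$SAMPLE_HOST_LINE")"
    rm -f "$_tmp"
}
demo
```

On a real host, `compose_user_for crawler` prints the pair to put in the service's `user:` key; the container process then runs with the AD user's IDs and is subject to the same file permissions on the bind-mounted share.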