#1, 11-14-2011
Problems migrating to using SSSD for ldap/krb against AD
Hey, I'm hoping someone can point me in the direction of a fix for the problem I am having switching to sssd. I am using AD on 2k8 to host LDAP and KRB. LDAP bind occurs with a name and password, over TLS, and KRB is KRB of course. I cannot seem to get LDAP to behave correctly using sssd, but it works fine with NSLCD.
Here are the relevant sections from my configs (with username, domain, and passwords changed of course).
NSLCD:
uri ldaps://server.example.com/
base dc=example,dc=com
binddn CN=linux bind,OU=servaccounts,DC=example,DC=com
bindpw password
scope sub
base group ou=Groups,dc=example,dc=com
base passwd ou=People,dc=example,dc=com
tls_cacertfile /etc/openldap/cacerts/cacerts.pem.0
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow userPassword msSFU30Password
filter group (objectClass=group)
map group uniqueMember member
uid nslcd
gid ldap
SSSD:
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=example,cn=com
krb5_realm = example.com
krb5_server = server.example.com
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://server.example.com/
krb5_kpasswd = server.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = CN=linux bind,OU=servaccounts,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = password
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_force_upper_case_realm = True
[sssd]
services = nss, pam
config_file_version = 2
debug_level=9
domains = default
[nss]
debug_level = 9
[pam]
debug_level = 9
#2, 11-14-2011
A good place to start would be to read the Active Directory installation guide on the SSSD Trac.
I'm apparently not allowed to post URLs, so I can't really give you directions. Just look for SSSD on fedorahosted and look in the index by date to find the Active Directory link.
#3, 11-14-2011
Yeah, I've read through it, and I've tried configuring by hand-hacking the template, using authconfig, and even trying the fedora GUI. In every case I end up with kinit working fine to pull tokens via kerberos, but it is never able to look up usernames via ldap. The errors that SSSD produces are not very helpful even at debug level 9. Near as I can tell the ldap bind is a success but it gets a null response to its query from the server. That was why I posted my two configs to see if there was something that someone else could spot that I am not.
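A side-by-side consistency check over the two configs posted in this thread, as an added example that is not from the thread or from the SSSD or nslcd projects. The embedded file contents are constructed from the posted values, and the checks are heuristics (an AD domain root DN consists of dc= components; bare ldap:// without STARTTLS sends the bind password in clear), not a diagnosis of this particular server.

```python
import configparser
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpts of the two configs posted in this thread (values as posted).
NSLCD_CONF = """\
uri ldaps://server.example.com/
base dc=example,dc=com
"""
SSSD_CONF = """\
[domain/default]
ldap_id_use_start_tls = True
ldap_search_base = cn=example,cn=com
ldap_uri = ldap://server.example.com/
ldap_user_principal = userPrincipalName
ldap_user_principal = userPrincipalName
"""

def parse_nslcd(text):
    """nslcd.conf is 'key value' per line; keep the first value seen for each key."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            opts.setdefault(parts[0], parts[1].strip())
    return opts

def norm_dn(dn):  # lowercase, no whitespace around commas, for comparison only
    return ",".join(p.strip().lower() for p in dn.split(","))

def lint(sssd_text, nslcd_text, domain="domain/default"):
    """Return human-readable discrepancies between the sssd and nslcd configs."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(sssd_text)
    s, n, findings = cp[domain], parse_nslcd(nslcd_text), []
    # 1. Repeated keys: configparser silently keeps the last one, so count them by hand.
    keys = Counter(l.split("=", 1)[0].strip() for l in sssd_text.splitlines() if "=" in l)
    findings += [f"duplicate key: {k}" for k, c in keys.items() if c > 1]
    # 2. Search base: must match what nslcd uses, and an AD domain root is dc= components only.
    base, nbase = s.get("ldap_search_base", ""), n.get("base", "")
    if norm_dn(base) != norm_dn(nbase):
        findings.append(f"search base differs: sssd={base!r} nslcd={nbase!r}")
    if base and not all(r.startswith("dc=") for r in norm_dn(base).split(",")):
        findings.append(f"search base {base!r} is not a dc= domain root")
    # 3. Transport: ldaps:// and ldap://+STARTTLS both encrypt; bare ldap:// does not.
    scheme, nscheme = urlsplit(s.get("ldap_uri", "")).scheme, urlsplit(n.get("uri", "")).scheme
    if scheme == "ldap" and s.get("ldap_id_use_start_tls", "").lower() != "true":
        findings.append("ldap:// without ldap_id_use_start_tls: bind credentials sent in clear")
    if scheme != nscheme:
        findings.append(f"transport differs: sssd uses {scheme}://, nslcd uses {nscheme}://")
    return findings
```

Run `lint(SSSD_CONF, NSLCD_CONF)` against the real files to get the list of differences worth checking before reading the debug_level 9 logs.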