It looks like sssd-1.16.5_8 (latest) requires LDB_2.3.4, which isn't available for FreeBSD 13 yet; the source exists: https://download.samba.org/pub/ldb/. One would see the following error in sssd_DOMAIN_NAME.log when facing this issue.
(Wed Jan 18 21:25:27 2023) [sssd[be[LAB.DOMAIN.COM]]] [dp_module_open_lib] (0x0010): Unable to load module [ad] with path [/usr/local/lib/sssd/libsss_ad.so]: /usr/local/lib/libldb.so.2: version LDB_2.3.4 required by /usr/local/lib/samba4/private/libsamdb-common-samba4.so not found
(Wed Jan 18 21:25:27 2023) [sssd[be[LAB.DOMAIN.COM]]] [dp_target_init] (0x0010): Unable to load module ad
(Wed Jan 18 21:25:27 2023) [sssd[be[LAB.DOMAIN.COM]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Wed Jan 18 21:25:27 2023) [sssd[be[LAB.DOMAIN.COM]]] [main] (0x0010): Could not initialize backend [1432158209]
# file /usr/local/lib/sssd/libsss_ad.so
/usr/local/lib/sssd/libsss_ad.so: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked, for FreeBSD 13.1, stripped
# file /usr/local/lib/samba4/private/libsamdb-common-samba4.so
/usr/local/lib/samba4/private/libsamdb-common-samba4.so: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked, for FreeBSD 13.1, stripped
Related forum post: https://forums.freebsd.org/threads/cannot-open-usr-local-lib-sssd-libsss_ad-so.87771/
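The "version LDB_2.3.4 required by ... not found" failure above is a symbol-version mismatch between what a Samba private library needs from libldb.so.2 and what the installed libldb defines, and it can be checked on the two files before sssd tries to dlopen() the module. The script below is an added example, not code from the bug report or from the sssd/ldb ports; it assumes GNU-style `readelf -V` output, and the two dumps embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the bug report. Compares the ELF symbol versions a
# consumer library needs (.gnu.version_r) with those a provider defines
# (.gnu.version_d): the mismatch behind "version LDB_2.3.4 required by
# libsamdb-common-samba4.so not found". Assumes GNU-style `readelf -V` output.
# needed_from DUMP SONAME: versions DUMP requests from the file named SONAME.
needed_from() {
    printf '%s\n' "$1" | awk -v so="$2" '
        /^Version definition section/ { needs = 0 }
        /^Version needs section/      { needs = 1 }
        needs && /File:/ { from_so = index($0, so) > 0 }
        needs && from_so && /Name:/ {
            for (i = 1; i <= NF; i++) if ($i == "Name:") print $(i + 1)
        }' | sort -u
}
# defined_in DUMP: versions DUMP's "Version definition" section defines.
defined_in() {
    printf '%s\n' "$1" | awk '
        /^Version needs section/      { defs = 0 }
        /^Version definition section/ { defs = 1 }
        defs && /Name:/ { for (i = 1; i <= NF; i++) if ($i == "Name:") print $(i + 1) }' | sort -u
}
# missing_versions CONSUMER_DUMP PROVIDER_DUMP SONAME: prints each version the
# consumer needs from SONAME that the provider does not define; returns 1 if any.
missing_versions() {
    defined=$(defined_in "$2"); status=0
    for v in $(needed_from "$1" "$3"); do
        printf '%s\n' "$defined" | grep -qx "$v" || { echo "$v"; status=1; }
    done
    return $status
}
# check_symver CONSUMER.so PROVIDER.so SONAME: the same check on installed files.
check_symver() { missing_versions "$(readelf -V "$1")" "$(readelf -V "$2")" "$3"; }

# Constructed dumps (not captured from a real host) mirroring the report: the
# Samba private library wants LDB_2.3.4 from libldb.so.2, while the installed
# libldb only defines older version nodes.
CONSUMER="Version needs section '.gnu.version_r' contains 2 entries:
  000000: Version: 1  File: libldb.so.2  Cnt: 2
  0x0010:   Name: LDB_2.3.4  Flags: none  Version: 4
  0x0020:   Name: LDB_2.0.0  Flags: none  Version: 3
  0x0030: Version: 1  File: libc.so.7  Cnt: 1
  0x0040:   Name: FBSD_1.0  Flags: none  Version: 2"
PROVIDER="Version definition section '.gnu.version_d' contains 3 entries:
  000000: Rev: 1  Flags: BASE  Index: 1  Cnt: 1  Name: libldb.so.2
  0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: LDB_2.0.0
  0x0038: Rev: 1  Flags: none  Index: 3  Cnt: 2  Name: LDB_2.2.0
  0x0054: Parent 1: LDB_2.0.0"
missing_versions "$CONSUMER" "$PROVIDER" libldb.so.2 || echo "rebuild against a matching ldb"
```

On a live host, `check_symver /usr/local/lib/samba4/private/libsamdb-common-samba4.so /usr/local/lib/libldb.so.2 libldb.so.2` runs the same comparison on the installed files.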
<https://www.freshports.org/search.php?stype=name&method=prefix&query=ldb&format=html&branch=head> Should there be a separate port for 2.3.4? <https://download.samba.org/pub/ldb/> superior versions include 2.7.0.
(In reply to Graham Perrin from comment #1) Absolutely. The next question is that I'm not sure I want to keep a separate port of LDB for Samba; the hassle it creates to maintain the whole zoo of versions seems not worth it. So I may make ldb23 (hm, I see ldb25 on my disk, I wonder now...). Overall, dependency on LDB doesn't scale with SSSD, as each particular version of Samba depends on its own version of LDB, so usage of the same LDB version by SSSD and Samba could only be accidental. For 4.17 I want to encapsulate Samba with its satellite libs as private libraries, which, I hope, will make everybody's life easier.
Thank you Timur, I think that should be good. I can also say for sure once it's installed and working.
It looks like the port was updated on 08 Feb 2023, however I'm not seeing SSSD-related changes: https://www.freshports.org/security/sssd/. In the upcoming weeks I should have some time to test it again.
I tried ldb22-2.3.4; with this, sssd starts. However I get the following error and the server still can't look up users/groups in AD.
==> sssd.log <==
(Tue Mar 28 19:35:44:287957 2023) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_sections]: Section [LAB.DOMAIN.COM] is not allowed. Check for typos.
(Tue Mar 28 19:35:44:296524 2023) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [lab.domain.com]
(Tue Mar 28 19:35:44:296569 2023) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [lab.domain.com], skipping!
(Tue Mar 28 19:35:44:296599 2023) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
(Tue Mar 28 19:35:44:296619 2023) [sssd] [get_monitor_config] (0x0010): No domains configured.
(Tue Mar 28 19:35:44:296689 2023) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
Update: Dan Langille helped me compile sssd-1.16.5_8 with ldb22-2.3.4. With this, SSSD works as expected; it can be used to communicate with Active Directory for ssh auth with public key when the keys are stored in Active Directory. Kerberos auth probably also works, I haven't tried it yet. SSSD also works to provide sudo roles when they are stored in Active Directory.
Created attachment 241305: Update to 2.3.4
We've used the attached patch to get ldb22-2.3.4 working with sssd-1.16.5_8.
Maintainer timeout has been exceeded. I will proceed with this soon.
(In reply to Timur I. Bakeyev from comment #2) Sorry, I see you did reply. What's up? At present, we're maintaining this change in our local tree.
This works perfectly for me now. Would you be happy to commit it? If you're busy I'm more than happy to just stick in a new port ldb23. I'm trying to parse your words below exactly: are you saying Samba413 relies on exactly ldb22? I've been running it from package with ldb23 instead, and haven't tried compiling them together, but it does all appear to work.
FYI: installing samba419 followed by ldb22 will request to uninstall samba419, though samba416 is permitted. More reason for an ldb23 port?
This I Learned: samba-ldbedit may suffice. To Be Determined.
(In reply to Chris Rees from comment #10) Chris: please proceed, thank you.