Background – stupidly large AD domain with 30,000 plus groups. It is a forest with a number of legacy domains that are not relevant to our authentication on Linux but the AD admins don’t want to allow us to mess with their schema so we still use group membership to manage sudo.

 

We’re also attempting to align with Windows through use of nested groups to fit in with enterprise preference for RBAC.

 

It’s complicated and there’s no resourcing to put in place an IPA service which would help.

 

Anyway these are the relevant config elements:

 

id_provider = ad

auth_provider = ad

access_provider = ad

subdomains_provider = none

enumerate = true

ignore_group_members = true

cache_credentials = true

ldap_id_mapping = true

ldap_schema = ad

 

( I can provide full config if requested). We had gone to full enumeration and ignore_group_members to ensure that the groups that provide sudo access are available without ridiculous cpu utilisation and it was working but hit this apparent issue:

 

[sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080): Failed to add [CN=RG-Ourcompany-Ops-3rd Party-Data\#3-G,OU=CenITex,OU=Operations Roles,OU=Delegated Groups,OU=

Infrastructure Security,DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]: Input/output error

 

Can raise a bug report if it’s clear that this is the issue.

 

Symptom is that group enumeration that was comprehensive, now seems to stop abruptly.

 

Cheers

 

Craig Silva

_________

Craig Silva | Specialist Engineer – Unix Services – Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000

ph: 03-8688-1297 mob: 0429 365 609 | www.cenitex.vic.gov.au

This office is located on the land of the Traditional Owners of the Kulin Nation.

 

cenitex logo          cid:image004.jpg@01D36DDE.27450B80  cid:image006.jpg@01D36DDE.27450B80  cid:image010.jpg@01D36DDE.27450B80

Accountability, Collaboration, Respect, Initiative and Courage

 

 


Notice:

This email and any attachments may contain information that is personal,
confidential, legally privileged and/or copyright. No part of it should be
reproduced, adapted or communicated without the prior written consent of the
copyright owner.

It is the responsibility of the recipient to check for and remove viruses.

If you have received this email in error, please notify the sender by return
email, delete it from your system and destroy any copies. You are not authorised
to use, communicate or rely on the information contained in this email.

Please consider the environment before printing this email.