Background - stupidly large AD domain with 30,000 plus groups. It is a forest with a
number of legacy domains that are not relevant to our authentication on Linux but the AD
admins don't want to allow us to mess with their schema so we still use group
membership to manage sudo.
We're also attempting to align with Windows through use of nested groups to fit in
with enterprise preference for RBAC.
It's complicated and there's no resourcing to put in place an IPA service which
would help.
Anyway these are the relevant config elements:
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = none
enumerate = true
ignore_group_members = true
cache_credentials = true
ldap_id_mapping = true
ldap_schema = ad
(I can provide full config if requested). We had gone to full enumeration and
ignore_group_members to ensure that the groups that provide sudo access are available
without ridiculous CPU utilisation, and it was working, but we hit this apparent issue:
[sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080): Failed to add [CN=RG-Ourcompany-Ops-3rd Party-Data\#3-G,OU=CenITex,OU=Operations Roles,OU=Delegated Groups,OU=Infrastructure Security,DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]: Input/output error
Can raise a bug report if it's clear that this is the issue.
Symptom is that group enumeration that was comprehensive, now seems to stop abruptly.
Cheers
Craig Silva
_________
Craig Silva | Specialist Engineer - Unix Services - Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000
ph: 03-8688-1297 mob: 0429 365 609 |
www.cenitex.vic.gov.au
This office is located on the land of the Traditional Owners of the Kulin Nation.
Accountability, Collaboration, Respect, Initiative and Courage
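One check worth doing before filing the bug is whether the DN in that debug line is actually well-formed: it carries an escaped `#` in the CN value and, as pasted in the mail, an empty component between `DC=xxx` and `DC=xx`. The script below is an added example, not sssd code and not anything the poster supplied. It re-types the quoted log line as a constructed string, pulls the DN out of it, splits the DN into RDNs following RFC 4514 escaping rules (backslash-escaped specials and `\XX` hex pairs), and reports empty or malformed components. The function names (`extract_dn`, `split_rdns`, `check_dn`, `escape_value`) are the example's own.

```python
"""Sanity-check an LDAP DN lifted from an sssd debug line.

Added example, not sssd code. Splits the DN into RDNs using RFC 4514
escaping rules and reports structural problems such as empty components.
"""
import re

# The debug line quoted in the mail, re-typed onto one line (constructed copy).
LOG_LINE = (
    "[sssd[be[ourdomain.xxx.xxx]]] [ad_enum_cross_dom_members] (0x0080): "
    "Failed to add [CN=RG-Ourcompany-Ops-3rd Party-Data\\#3-G,OU=CenITex,"
    "OU=Operations Roles,OU=Delegated Groups,OU=Infrastructure Security,"
    "DC=ourcompany,DC=xxx,DC=xxx,,DC=xx]: Input/output error"
)

# Characters that must always be escaped inside an RDN value (RFC 4514 2.4).
SPECIALS = set(',+"\\<>;')


def extract_dn(line):
    """Return the DN inside 'Failed to add [...]:' or None if not present."""
    m = re.search(r"Failed to add \[(.*)\]: ", line)
    return m.group(1) if m else None


def split_rdns(dn):
    """Split a DN on unescaped commas, unescaping each piece.

    '\\,' becomes ',' in the value and '\\23' becomes '#'. Multi-valued RDNs
    joined with '+' are left untouched; the checks below do not need them."""
    pieces, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))  # single-byte hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped special such as \, or \#
                i += 2
            continue
        if ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pieces.append("".join(buf))
    return pieces


def check_dn(dn):
    """Parse dn into (attr, value) pairs and list anything that looks wrong.

    Returns (rdns, issues). Empty or malformed components are kept as
    ('', '') so positions line up with the original string (1-based)."""
    rdns, issues = [], []
    for pos, piece in enumerate(split_rdns(dn), start=1):
        if piece == "":
            issues.append(f"empty RDN at position {pos}")
            rdns.append(("", ""))
            continue
        attr, sep, value = piece.partition("=")
        if not sep or not attr.strip():
            issues.append(f"RDN {pos} has no attribute type: {piece!r}")
            rdns.append(("", ""))
            continue
        if value == "":
            issues.append(f"RDN {pos} ({attr}) has an empty value")
        rdns.append((attr.strip(), value))
    return rdns, issues


def escape_value(value):
    """Re-escape a value for writing back into a DN (RFC 4514).

    Only a leading '#' or space needs a backslash; a '#' mid-value, as in the
    CN from the log line, is legal unescaped, so '\\#' there is merely allowed."""
    out = "".join("\\" + c if c in SPECIALS else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


if __name__ == "__main__":
    dn = extract_dn(LOG_LINE)
    rdns, issues = check_dn(dn)
    for attr, value in rdns:
        print(f"{attr or '<missing>'} = {escape_value(value)}")
    print("issues:", issues or "none")
```

Running it on the quoted line reports one issue, the empty RDN at position 9. If that `,,` is really in the object's distinguishedName rather than a copy-and-paste artefact in the mail, that is worth stating in the bug report alongside the debug line; if it is not, the DN parses cleanly and the escaped `#` is not the problem.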