On Tue, Dec 21, 2010 at 04:02:14PM +1000, GOLLSCHEWSKY, Tim wrote:
Hi all.
I'm running sssd on RHEL6 and seem to have a problem seeing secondary/auxiliary
groups for logged in users.
I'm using SASL/Kerberos/LDAP authentication to an AD backend. I'm using this
config:
[domain/KRB5DOMAIN]
enumerate = true
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_member = msSFU30PosixMember
ldap_uri = ldap://xxx.xxx.xxx/
ldap_search_base = dc=xxx,dc=xxx,dc=xxx
ldap_group_search_base = ou=Groups,dc=xxx,dc=xxx,dc=xxx
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/hostname.xxx.xxx.xxx(a)xxx.xxx.xxx
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_realm = xxx.xxx.xxx
Logging in works fine, and I can specify an "ldap_access_filter" to limit the
people who can log into the machine by the AD groups they are in and it works a treat.
The problem I have is: when I log in I cannot see the secondary groups that my userid
is in. When I run "id" or "groups", I only see my primary group:
[tim@rhel6 ~]$ groups
sysadm
If I run the "groups" command on a RHEL5 system (using ldap/krb5/pam_ldap), you
see many groups:
Can you send the sanitized ldap.conf you use for pam_ldap and the log
output of sssd during the 'groups' call with 'enumerate = false' (see
below)?
[tim@rhel5 ~]$ groups
sysadm unixdef edc0002 midrange midora cifrs cifru yyyyy cdirt pdiru jbsrt cdir cdird
edcrt cdiri voiru voirs estrt pc4rt middlemr pc4ru insrd insrt insrs fess dplrt dplru
sdsdev sdsrd gwrrt mmsrt cbsrt hudru jirru sybau aimru aimrs svnr fshru oggat rmbat aairu
aairs pdirs ecors ecoru frirt esvru nexru xyzrt xxxrt kkrt dumrt tabrs tabrt
I've been through the red hat bugzilla and sssd trac and I don't see a solution.
I have set my schema to "rfc2307bis" <https://bugzilla.redhat.com/show_bug.cgi?id=580402>
and I have enumerate = true <https://bugzilla.redhat.com/show_bug.cgi?id=626775>.
I'm wondering if sssd only grabs the first 1000 users and 1000 groups and then
stops:
[root@rhel6 /]# grep 1000 /var/log/sssd/sssd_KRB5DOMAIN.log
(Tue Dec 21 14:50:11 2010) [sssd[be[KRB5DOMAIN]]] [sdap_get_users_process] (6): Search
for users, returned 1000 results.
(Tue Dec 21 14:50:17 2010) [sssd[be[KRB5DOMAIN]]] [sdap_get_users_done] (9): Saving 1000
Users - Done
(Tue Dec 21 14:50:21 2010) [sssd[be[KRB5DOMAIN]]] [sdap_get_groups_process] (6): Search
for groups, returned 1000 results.
(Tue Dec 21 14:50:36 2010) [sssd[be[KRB5DOMAIN]]] [sdap_get_groups_done] (9): Saving 1000
Groups - Done
[root@rhel6 ~]# getent group | wc -l
1049
[root@rhel6 ~]# wc -l /etc/group
49 /etc/group
Could it be because our AD has many more than 1000 users and 1000 groups? If so, is
there any way to increase this limit?
AD only sends 1000 entries at a time. This is called paging and we plan
to support paging with sssd 1.6 (see trac ticket #658). With this large
number of users and groups I would recommend setting 'enumerate = false',
because for most of the typical use cases this should be sufficient.
bye,
Sumit
Alternatively, if there were a group search filter option that would also reduce the
number of groups to enumerate, but I see this feature has already been
requested <https://fedorahosted.org/sssd/ticket/647>.
I'm not convinced this 1000 record limit exists or is even the root cause of my
problem though. If there's anything you guys can suggest I'd be most
appreciative.
Many thanks,
Tim.
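An added illustration of the behaviour Sumit describes, not code from sssd or from anyone in the thread: the log check flags searches that returned exactly the server page size, and a constructed stand-in for AD shows how an unpaged search stops at 1000 entries while the RFC 2696 paged-results cookie loop retrieves all 1049. Names (FakeADServer, paged_search, the embedded log lines) are constructed for this example.

```python
"""Added example: why an sssd enumeration stops at exactly 1000 entries and
how RFC 2696 simple paged results fetches the rest. The log text, the directory
contents and FakeADServer are constructed stand-ins, not real AD or sssd code."""
import re

AD_MAX_PAGE_SIZE = 1000  # AD's default MaxPageSize policy value

# Constructed log lines, shaped like the sssd_KRB5DOMAIN.log excerpt above
SSSD_LOG = """\
(Tue Dec 21 14:50:11 2010) [sssd[be[KRB5DOMAIN]]] [sdap_get_users_process] (6): Search for users, returned 1000 results.
(Tue Dec 21 14:50:21 2010) [sssd[be[KRB5DOMAIN]]] [sdap_get_groups_process] (6): Search for groups, returned 1000 results.
"""

def truncated_searches(log_text, page_size=AD_MAX_PAGE_SIZE):
    """Return the object types whose result count equals the server page size.
    A count of exactly page_size is the telltale of an unpaged search."""
    pat = re.compile(r"Search for (\w+), returned (\d+) results")
    return [kind for kind, n in pat.findall(log_text) if int(n) == page_size]

class FakeADServer:
    """Returns at most max_page entries per request. With paging enabled it also
    returns an opaque cookie (here simply the next offset) while entries remain."""
    def __init__(self, entries, max_page=AD_MAX_PAGE_SIZE):
        self.entries, self.max_page = entries, max_page

    def search(self, cookie=b"", paged=False):
        start = int(cookie or b"0")
        page = self.entries[start:start + self.max_page]
        if not paged:
            return page, b""  # unpaged: the server stops at max_page entries
        nxt = start + len(page)
        return page, (str(nxt).encode() if nxt < len(self.entries) else b"")

def unpaged_search(server):
    """What a client without paging support sees: one truncated result set."""
    page, _ = server.search()
    return page

def paged_search(server):
    """Client side of the paging loop: resend with the cookie until it is empty."""
    results, cookie = [], b""
    while True:
        page, cookie = server.search(cookie, paged=True)
        results.extend(page)
        if not cookie:
            return results

if __name__ == "__main__":
    directory = [f"cn=group{i},ou=Groups,dc=example" for i in range(1049)]
    srv = FakeADServer(directory)
    print(truncated_searches(SSSD_LOG), len(unpaged_search(srv)), len(paged_search(srv)))
```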
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel