AD failover and Kerberos
by michael@hurts.ca
Hi,
I'm in an environment with several AD sites, each with a DC. When remote sites' DCs are unreachable because of a VPN outage, I'm not able to complete password authentication with sudo.
Does sssd_krb5_locator_plugin.so work with sssd-ad? Do I need to put anything in krb5.conf to activate it? I can see ldap_child is trying to connect on port 88 to all the wrong DCs when I enter a password in sudo. In the logs I see "[krb5_auth_done] (0x0100): Backend is marked offline, retry later!".
I'm using sss_ssh_authorizedkeys to log in, so password authentication isn't involved until I sudo. To get this far I had to set dns_resolver_timeout = 30 under [domain/mydomain] in sssd.conf. Before that, AD site discovery was failing; it would look up the DCs, time out after 6 seconds connecting to one of the remote DCs by LDAP, and mark the domain as offline.
I also had to set ad_gpo_access_control = disabled; gpo_child was trying to connect to the wrong DCs on port 88.
Thanks,
Mike
7 years, 1 month
SSSD does not show group members using "getent group"
by Douglas Duckworth
Hello
I am experiencing the issue described in this article
https://access.redhat.com/solutions/49876 though we already
have ldap_group_member = uniqueMember defined in sssd.conf.
User's primary group membership is shown by using getent user though getent
group does not show group members. I thought I was finished tuning
sssd.conf though this became an issue yesterday. Members of this listserv
have been extremely helpful and so I owe much of my progress to this great
community.
Anyway, I think the problem's with my schema.
In LDAP I see:
dn: ou=webgroups,base
objectClass: organizationalUnit
ou: webgroups
dn: cn=groups,ou=webgroups,base
objectClass: top
objectClass: groupOfUniqueNames
cn: blah
uniqueMember: uid=blah
This makes me think we're using rfc2307 though below this entry I see:
dn: cn=gaussrun,ou=Group,base
objectClass: posixGroup
objectClass: top
cn: blah
gidNumber: gid
memberUid: blah
How can SSSD work with both memberUid and uniqueMember as well as different
object classes for groups? I obviously inherited this LDAP server which we
are replacing soon.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
7 years, 1 month
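To make the schema question above concrete, here is an added example (my own code, not the poster's and not part of SSSD) that parses the two quoted group entries and reports which membership attribute each one actually carries, so a directory mixing posixGroup/memberUid with groupOfUniqueNames/uniqueMember can be spotted before tuning ldap_group_member. The LDIF sample is constructed from the placeholders in the post, not real data.

```python
from collections import defaultdict

# Constructed sample modelled on the two group entries quoted in the post (placeholder values).
SAMPLE_LDIF = """\
dn: cn=groups,ou=webgroups,base
objectClass: top
objectClass: groupOfUniqueNames
cn: blah
uniqueMember: uid=blah

dn: cn=gaussrun,ou=Group,base
objectClass: posixGroup
objectClass: top
cn: blah
gidNumber: gid
memberUid: blah
"""
# Membership attribute each group object class is expected to carry (class names lowercased).
MEMBER_ATTR_FOR_CLASS = {"groupofuniquenames": "uniqueMember",
                         "groupofnames": "member", "posixgroup": "memberUid"}

def parse_ldif(text):
    # Minimal LDIF reader: one dict (attr -> list of values) per blank-line-separated entry.
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries

def group_schemes(entries):
    # Map each group DN to the membership attributes it actually carries; non-group entries are skipped.
    result = {}
    for e in entries:
        lower = {k.lower(): v for k, v in e.items()}
        classes = {c.lower() for c in lower.get("objectclass", [])}
        expected = {MEMBER_ATTR_FOR_CLASS[c] for c in classes if c in MEMBER_ATTR_FOR_CLASS}
        if expected:
            result[lower["dn"][0]] = sorted(a for a in expected if a.lower() in lower)
    return result

def mixed_schema(entries):
    # True when groups use more than one membership attribute: a single ldap_group_member
    # value in sssd.conf matches only one of them, so the other groups show no members.
    return len({a for attrs in group_schemes(entries).values() for a in attrs}) > 1
```

Run it against an ldapsearch dump of the group subtree; any DN listed with an empty attribute list is a group whose object class promises a membership attribute it does not carry.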