Hi,
This is likely a newbie issue and I apologize in advance. I've only been
working with sssd for a matter of weeks and until I hardened Active
Directory (as a result of an internal penetration test) sssd had been
reliable and robust.
Over the past few days I've been hardening an Active Directory in a testing
environment. It seems as though removing "Authenticated Users" from
"Pre-Windows 2000 Compatible Access" (as is recommended best practice)
breaks sssd's ability to perform group enumeration.
With "Authenticated Users" in "Pre-Windows 2000 Compatible Access" group
# id firstname.lastname
uid=XXXXX01148(firstname.lastname) gid= XXXXX00513(domain users)
groups=XXXXX01605(redactedgroup1),XXXXX01267(redactedgroup2),XXXXX02621(redactedgroup3),XXXXX01230(redactedgroup4),XXXXX00513(domain users),XXXXX01154(redactedgroup5),XXXXX01257(redactedgroup6),XXXXXX01307(redactedgroup7),XXXXX01156(redactedgroup8),XXXXX01111(redactedgroup9)
With "Authenticated Users" removed from the "Pre-Windows 2000 Compatible
Access" group
# id firstname.lastname
uid=XXXXX01148(firstname.lastname) gid=XXXXX00513(domain users)
groups=XXXXX00513(domain users)
I've had a good rummage around the internet, but not found a solution, or
even anyone else reporting this issue before.
Any help gratefully received!
Active Directory is Windows Server 2022 based.
Test client machines
Debian 12 - sssd v2.8.2-4
Ubuntu 22 - sssd v2.6.3-1ubuntu3.3
# cat /etc/sssd/sssd.conf
[sssd]
domains = redacted.co.uk
config_file_version = 2
services = nss, pam
default_domain_suffix = redacted.co.uk
full_name_format = %1$s
[domain/redacted.co.uk]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = REDACTED.CO.UK
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
override_homedir = /home/%u
ad_domain = redacted.co.uk
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
# So that ssh public keys works when a users key is stored in
altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
# Removes requirement for host to communicate with DC's over port 445
ad_gpo_access_control = disabled
# Removes requirement for host to communicate with DC's over port 3268
ad_enable_gc = false
Kind Regards
Steve
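As an added example, not part of Steve's post and not code from the sssd project: a small Python script that parses the text `id` prints for a user, captured before and after an Active Directory change, and reports which supplementary groups the client can no longer resolve. That is the symptom shown in the two captures above (only the primary group left afterwards), and running such a comparison for a handful of users turns a hardening change into a concrete regression check. The sample outputs embedded in the script are constructed, with made-up numeric IDs; the helper that runs `id` live assumes the user name resolves on the host it runs on.

```python
"""Added example (not from the original post or the sssd project): compare
the output of `id` for an AD user captured before and after an Active
Directory change, and report which supplementary groups the client can no
longer resolve. Sample outputs below are constructed, with made-up IDs."""
import re
import subprocess
from typing import Dict, NamedTuple


class IdResult(NamedTuple):
    uid: int
    user: str
    gid: int
    primary: str
    groups: Dict[int, str]  # gid -> group name; includes the primary group


# One "NNN(name)" entry; names may contain spaces ("domain users").
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")
_ID_LINE = re.compile(
    r"uid=\s*(\d+)\(([^)]*)\)\s+gid=\s*(\d+)\(([^)]*)\)\s+groups=(.*)$"
)


def parse_id_output(text: str) -> IdResult:
    """Parse id(1) output. Mail clients wrap long lines, so whitespace is
    collapsed first: a group name split at a line break ("domain users")
    is parsed whole, and a stray space after "gid=" is tolerated."""
    flat = " ".join(text.split())
    m = _ID_LINE.search(flat)
    if not m:
        raise ValueError("unrecognised id output: %r" % text)
    uid, user, gid, primary, rest = m.groups()
    groups = {int(g): name for g, name in _ENTRY.findall(rest)}
    return IdResult(int(uid), user, int(gid), primary, groups)


def missing_groups(before: IdResult, after: IdResult) -> Dict[int, str]:
    """Groups present in the earlier capture but absent from the later one."""
    return {g: n for g, n in before.groups.items() if g not in after.groups}


def only_primary_group(result: IdResult) -> bool:
    """True when the client resolved nothing beyond the user's primary group,
    the state shown in the thread after the hardening change."""
    return set(result.groups) == {result.gid}


def report(before: IdResult, after: IdResult) -> str:
    """Human-readable summary of what was lost between the two captures."""
    lost = missing_groups(before, after)
    if not lost:
        return "%s: all %d groups still resolve" % (after.user, len(after.groups))
    lines = ["%s: %d of %d supplementary groups no longer resolve"
             % (after.user, len(lost), len(before.groups) - 1)]
    if only_primary_group(after):
        lines.append("  only the primary group %s remains" % after.primary)
    lines += ["  lost %d(%s)" % (g, n) for g, n in sorted(lost.items())]
    return "\n".join(lines)


def current_id(user: str) -> IdResult:
    """Run id(1) on this host for a live capture (assumes the name resolves)."""
    out = subprocess.run(["id", user], capture_output=True, text=True, check=True)
    return parse_id_output(out.stdout)


# Constructed samples in the shape of the two captures in the thread,
# including the mail-client line wrap inside "domain users".
BEFORE = """uid=1148(firstname.lastname) gid= 513(domain users)
groups=1605(redactedgroup1),1267(redactedgroup2),513(domain
users),1154(redactedgroup5)"""
AFTER = "uid=1148(firstname.lastname) gid=513(domain users) groups=513(domain users)"

if __name__ == "__main__":
    print(report(parse_id_output(BEFORE), parse_id_output(AFTER)))
```

To use it against a real client, save the `id` output for a set of users before changing the AD ACL, apply the change, invalidate sssd's cache so the second capture is not served from it (`sss_cache -E` on the client), and run `report()` on each pair; a user whose "after" result is only the primary group is the pattern from the thread.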