On 04/02/2015 04:49 PM, Orion Poplawski wrote:
On 03/31/2015 12:09 PM, Jakub Hrozek wrote:
On Tue, Mar 31, 2015 at 11:20:50AM -0600, Orion Poplawski wrote:
On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There's two gotchas, maybe they'll help: 1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
I see you disabled the full name format on the server. I think that's the right thing to do because IIRC some IPA code relies on the FQDN being default on the server. Did you clean the cache even on the server?
Server sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = europa.nwra.com chpass_provider = ipa ipa_server = europa.nwra.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa subdomain_homedir = /home/%u #full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
Not too important, but as long as boulder is an IPA automounter "location", I think you could just set: ipa_automount_location = boulder instead of the full search base.
debug_level = 10
[sssd] services = nss, pam, ssh, pac, autofs config_file_version = 2 domains = nwra.com #default_domain_suffix = ad.nwra.com debug_level = 10
[nss] default_shell = /bin/bash
ipa-server-4.1.0-18.sl7_1.3.x86_64 sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaclient.cora.nwra.com chpass_provider = ipa ipa_server = _srv_, europa.nwra.com dns_discovery_domain = nwra.com subdomain_homedir = /home/%u debug_level = 0xfff0 full_name_format = %1$s ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com use_fully_qualified_names = True
[sssd] services = nss, pam, autofs, pac config_file_version = 2 domains = nwra.com default_domain_suffix = ad.nwra.com
[nss] homedir_substring = /home default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending in your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting in on the client make "id orion" fail, even with the default_domain_suffix set.
If it's an AD user, then unfortunately we need to see the client and server logs..
This seems like the most relevant from the client:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ldb] (0x4000): Entry not found (name=domain admins,cn=groups,cn=nwra.com,cn=sysdb) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
and it appears to be looking in cn=nwra.com rather than cn=ad.nwra.com?
The server seems to be processing the groups in the AD domain:
Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x0400): Processing group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x4000): AD group [Domain Admins@ad.nwra.com] has type flags 0x80000002. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x1000): Mapping group [Domain Admins@ad.nwra.com] objectSID [S-1-5-21-89655523-1570529619-2103694531-512] to unix ID (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=Domain Admins,CN=Users,DC=ad,DC=nwra,DC=com] to attributes of [Domain Admins@ad.nwra.com]. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20140314191543.0Z] to attributes of [Domain Admins@ad.nwra.com]. (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_process_ghost_members] (0x0400): The group has 5 members (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_process_ghost_members] (0x0400): Group has 5 members
(Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_group] (0x0400): Storing info for group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_groups] (0x4000): Group 0 processed! (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_grpmem] (0x0400): Processing group Domain Admins@ad.nwra.com (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [Domain Admins@ad.nwra.com] (Tue Mar 31 13:55:11 2015) [sssd[be[nwra.com]]] [sdap_fill_memberships] (0x1000): member #3 (CN=Domain Admins,CN=Users,DC=ad,DC=nwra,DC=com): [name=Domain Admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb]
I guess this is when the server sees the group request, but it seems to be searching for a user not a group:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=domain admins] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [be_req_set_domain] (0x0400): Changing request domain from [nwra.com] to [ad.nwra.com] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=domain admins))]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000): Searching X.X.X.X (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=domain admins))][cn=Default Trust View,cn=views,cn=accounts,dc=nwra,dc=com]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 31 (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fe6dc7066b0], connected[1], ops[0x7fe6dc741810], ldap[0x7fe6dc700170] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=domain admins))]. (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=ad,dc=nwra,dc=com]
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=domain\20admins)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=ad,dc=nwra,dc=com].
here's the group search:
(Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=domain\20admins)) (Tue Mar 31 13:55:12 2015) [sssd[be[nwra.com]]] [sysdb_search_groups] (0x2000): No such entry
Is that improper quoting of the space character? \20? Not changing request domain to ad.nwra.com?
Finally getting back to this, and still having the same trouble.