On Wed, Oct 29, 2014 at 08:13:05PM +0000, Karich, Michael wrote:
> I have found the issue, and it seems that the LDAP ID mapping was
> truncating the remaining user IDs. After increasing the slice range to 1,000,000 I was
> able to get the newer IDs to map. Below is the config I used.

Glad it's working now!
>
> Thank you all for your help.
>
> ldap_idmap_default_domain = DOMAIN
> ldap_idmap_range_min = 100000
> ldap_idmap_range_max = 1000000000
> ldap_idmap_range_size = 1000000
>
>
> Mike Karich
> IT Manager
> Center for Vital Longevity
> 1600 Viceroy Rd
> Dallas, TX 75235
>
> mkarich@utdallas.edu
> P: 972-883-3745 C: 972-757-3299
>
> CVL IT Assistance: CVLTech(a)utdallas.edu
>
>
>
> On Oct 29, 2014, at 4:22 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
> On Tue, Oct 28, 2014 at 01:54:56PM +0000, Karich, Michael wrote:
> Some more information on my ongoing issue based on the ideas suggested by Jakub.
>
> I did use realmd to initiate the keytab and join the system to the domain.
>
> When first performing the ldapsearch, I received an error that the
> keytab was not initialized. I tried to initialize via the command you
> provided, but was given an error "kinit: Keytab contains no suitable keys
> for V-REPO-OP-02$@AD_DOMAIN"
>
> Ah, sorry, I pretty much only read your sssd logs, maybe the principal
> is different.
>
> Can you show what does "klist -k" say?
>
>
> I was able to initialize the keytab by using kinit -n UserID.
>
> kinit acquires a Kerberos ticket, it doesn't touch the keytab. Normally,
> the keytab is only accessible to the root user.
>
>
> Then I was able to perform an ldap search and pull all group membership as well as
> the user IDs that are members of that group.
>
> Yes, but SSSD uses the principal from the keytab to authenticate, not UserID.
>
>
> Getent group "NWgroupname" still does not work.
>
> Mike Karich
>
> -----Original Message-----
> From: Karich, Michael
> Sent: Friday, October 24, 2014 8:10 AM
> To: 'sssd-users(a)lists.fedorahosted.org'
> Subject: RE: [SSSD-users] Getent group not fully working
>
> Could you test with sssd-1.11.7?
> Here is a link to yum repo
>
> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/
>
> Same results after installing 1.11.7 and rebooting. Version was confirmed via
> sssd --version.
>
>
>
> Mike Karich
>
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of
sssd-users-request(a)lists.fedorahosted.org
> Sent: Friday, October 24, 2014 7:00 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: sssd-users Digest, Vol 30, Issue 16
>
>
> Message: 1
> Date: Thu, 23 Oct 2014 20:39:55 +0000
> From: "Karich, Michael" <mkarich(a)utdallas.edu>
> To: "sssd-users(a)lists.fedorahosted.org"
> <sssd-users(a)lists.fedorahosted.org>
> Subject: Re: [SSSD-users] sssd-users Digest, Vol 30, Issue 15
> Message-ID:
> <E8485E913DD2CB46BC9E4A14AA1E65C2376046BB(a)UTDEX32.campus.ad.utdallas.edu>
>
> Content-Type: text/plain; charset="utf-8"
>
> Yes I do have access to my sssd.conf
>
> I have replaced the domain with case equivalent domain
>
> [sssd]
> config_file_version = 2
> domains = domain
> services = nss, pam
> debug_level = 10
> default_domain_suffix = domain
>
> [nss]
>
> [pam]
>
> [domain/"domain"]
> ad_domain = domain
> krb5_realm = DOMAIN
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /dir/%u
> access_provider = ad
>
>
>
> I am using 1.11.2. Which repo will have the latest version for CentOS 7?
>
> When running groups as an AD user, the same groups are printed as when running id
> username. Both listings are incomplete and missing the same groups.
>
>
> Mike Karich
>
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of
sssd-users-request(a)lists.fedorahosted.org
> Sent: Thursday, October 23, 2014 3:11 PM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: sssd-users Digest, Vol 30, Issue 15
>
>
> Message: 1
> Date: Thu, 23 Oct 2014 18:36:27 +0000
> From: "Karich, Michael" <mkarich(a)utdallas.edu>
> To: "sssd-users(a)lists.fedorahosted.org"
> <sssd-users(a)lists.fedorahosted.org>
> Subject: [SSSD-users] Getent group not fully working
> Message-ID:
> <E8485E913DD2CB46BC9E4A14AA1E65C237603A8E(a)UTDEX32.campus.ad.utdallas.edu>
>
> Content-Type: text/plain; charset="utf-8"
>
> Good afternoon,
>
> I have run into an issue on CentOS 7 with sssd configured for AD auth. I am able to
> auth via AD usernames and passwords without issue and can "getent group
> MOSTGROUPS". But I have run into an issue where there are some groups that are not
> being seen / discovered / enumerated etc.
>
> id of a validated username will display most of the groups, but there are some groups
> that are not listed, which are also the ones that fail getent group. I
> cannot find a pattern in what groups fail to enumerate. At first I thought it was length,
> but there are group names over 20 characters that succeed.
>
> Ex. id of user1:
>
> Group1, group 2, group 5
>
> getent group group1
> Username list!
>
> getent group "Group 2"
> Username list!
>
> getent group group3 (user is a long time member of group in AD)
> Blank output
>
> strace reveals that the command exited with status 2. Nothing is logged in
> sssd_DOMAIN.log
>
> Please let me know where to look next, thank you.
>
>
> Mike Karich
>
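The fix that closed this thread (raising ldap_idmap_range_size from the SSSD default of 200000 to 1000000) only makes sense once you see the arithmetic behind ldap_id_mapping. The block below is an added example written for this page, not code from the thread or from SSSD: it reproduces the documented sss_idmap scheme, where the POSIX range [range_min, range_max) is cut into slices of range_size IDs, the domain SID is hashed with MurmurHash3 to pick a slice, and the object's RID is added to the slice base. A RID equal to or above range_size has no room in its slice and is left unmapped, which is exactly what "some groups resolve, some do not, no pattern in the names" looks like from the client. The hash seed 0xdeadbeef is an assumption about SSSD's implementation, and every SID in the block is constructed for the example.

```python
# Added example, not SSSD's code: the slice arithmetic behind ldap_id_mapping.
# Range [range_min, range_max) is cut into slices of range_size IDs; the domain
# SID is hashed (MurmurHash3 x86_32) to choose a slice; the RID is added to the
# slice base. A RID >= range_size has no room in its slice and stays unmapped.
# Assumed: hash seed 0xdeadbeef. SIDs used below are constructed.
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(key: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's algorithm); unsigned 32-bit result."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(key) // 4
    for i in range(nblocks):
        k1 = int.from_bytes(key[4 * i:4 * i + 4], "little")
        k1 = (_rotl32((k1 * c1) & MASK32, 15) * c2) & MASK32
        h1 = (_rotl32(h1 ^ k1, 13) * 5 + 0xE6546B64) & MASK32
    tail, k1 = key[4 * nblocks:], 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        h1 ^= (_rotl32((k1 * c1) & MASK32, 15) * c2) & MASK32
    h1 ^= len(key)                      # finalisation mix (fmix32)
    h1 = ((h1 ^ (h1 >> 16)) * 0x85EBCA6B) & MASK32
    h1 = ((h1 ^ (h1 >> 13)) * 0xC2B2AE35) & MASK32
    return h1 ^ (h1 >> 16)


@dataclass(frozen=True)
class IdmapConfig:
    """ldap_idmap_range_min / _range_max / _range_size; defaults are SSSD's."""
    range_min: int = 200000
    range_max: int = 2000200000
    range_size: int = 200000

    @property
    def slice_count(self) -> int:
        return (self.range_max - self.range_min) // self.range_size


def split_sid(sid: str):
    """'S-1-5-21-A-B-C-RID' -> ('S-1-5-21-A-B-C', RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def slice_for_domain(domain_sid: str, cfg: IdmapConfig, seed: int = 0xDEADBEEF) -> int:
    # Deterministic, so every host with the same config picks the same slice.
    return murmurhash3_x86_32(domain_sid.encode("ascii"), seed) % cfg.slice_count


def uid_for_rid(slice_index: int, rid: int, cfg: IdmapConfig) -> Optional[int]:
    """Pure slice arithmetic; None when the RID does not fit inside the slice."""
    if not 0 <= slice_index < cfg.slice_count:
        raise ValueError("slice index outside the configured range")
    if rid < 0 or rid >= cfg.range_size:
        return None
    return cfg.range_min + slice_index * cfg.range_size + rid


def map_sid(sid: str, cfg: IdmapConfig) -> Optional[int]:
    domain_sid, rid = split_sid(sid)
    return uid_for_rid(slice_for_domain(domain_sid, cfg), rid, cfg)


def check_config(cfg: IdmapConfig, highest_rid: int) -> list:
    """Pre-flight check before rolling a range out: every RID must fit a slice."""
    problems = []
    if cfg.slice_count < 1:
        problems.append("range holds no complete slice")
    if highest_rid >= cfg.range_size:
        problems.append(f"highest RID {highest_rid} >= range_size {cfg.range_size}: "
                        "objects with higher RIDs stay unmapped")
    return problems


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-250000"   # constructed SID
    for name, cfg in (("sssd defaults", IdmapConfig()),
                      ("thread config", IdmapConfig(100000, 1000000000, 1000000))):
        print(f"{name}: uid={map_sid(sid, cfg)} problems={check_config(cfg, 250000)}")
```

Two practical points follow from the arithmetic. First, the slice index depends on the hash of the domain SID and on slice_count, so range_min, range_max and range_size must be identical on every host that is expected to agree on UIDs; changing any of them after the fact renumbers every mapped user and group, which is why the thread's fix is a one-way change for existing file ownership. Second, check_config is the check worth running before choosing a range: look up the highest RID in the domain (the rid half of the largest objectSid) and make sure range_size exceeds it, rather than waiting for getent to return nothing for one group in three.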