Hi,
This is likely a newbie issue and I apologize in advance. I've only been working with sssd for a matter of weeks and until I hardened Active Directory (as a result of an internal penetration test) sssd had been reliable and robust.
Over the past few days I've been hardening an Active Directory in a testing environment. It seems as though removing "Authenticated Users" from "Pre-Windows 2000 Compatible Access" (as is recommended best practice) breaks sssd's ability to perform group enumeration.
With "Authenticated Users" in "Pre-Windows 2000 Compatible Access" group
# id firstname.lastname
uid=XXXXX01148(firstname.lastname) gid=XXXXX00513(domain users) groups=XXXXX01605(redactedgroup1),XXXXX01267(redactedgroup2),XXXXX02621(redactedgroup3),XXXXX01230(redactedgroup4),XXXXX00513(domain users),XXXXX01154(redactedgroup5),XXXXX01257(redactedgroup6),XXXXXX01307(redactedgroup7),XXXXX01156(redactedgroup8),XXXXX01111(redactedgroup9)
With "Authenticated Users" removed from the "Pre-Windows 2000 Compatible Access" group
# id firstname.lastname
uid=XXXXX01148(firstname.lastname) gid=XXXXX00513(domain users) groups=XXXXX00513(domain users)
I've had a good rummage around the internet, but not found a solution, or even anyone else reporting this issue before.
Any help gratefully received!
Active Directory is Windows Server 2022 based.
Test client machines:
Debian 12 - sssd v2.8.2-4
Ubuntu 22 - sssd v2.6.3-1ubuntu3.3
# cat /etc/sssd/sssd.conf
[sssd]
domains = redacted.co.uk
config_file_version = 2
services = nss, pam
default_domain_suffix = redacted.co.uk
full_name_format = %1$s

[domain/redacted.co.uk]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = REDACTED.CO.UK
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
override_homedir = /home/%u
ad_domain = redacted.co.uk
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
# So that ssh public keys work when a user's key is stored in altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
# Removes requirement for host to communicate with DCs over port 445
ad_gpo_access_control = disabled
# Removes requirement for host to communicate with DCs over port 3268
ad_enable_gc = false
Kind Regards
Steve
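As an added example that is not from the original post or from the sssd project: a small check that parses `id` output and flags the degraded state described above, where sssd returns only the primary group after the AD change. The sample lines are constructed from the post with made-up numeric IDs, and `check_user` is a hypothetical wrapper that runs `id` on a joined host so the check can be scheduled as a regression monitor after hardening.

```python
"""Flag the sssd symptom from the post: `id` lists only the primary group.
Hypothetical check script; sample lines are constructed, not real output."""
import re
import subprocess

# Constructed samples modelled on the post (numeric IDs are made up).
HEALTHY = ("uid=1200001148(firstname.lastname) gid=1200000513(domain users) "
           "groups=1200001605(redactedgroup1),1200001267(redactedgroup2),"
           "1200000513(domain users)")
DEGRADED = ("uid=1200001148(firstname.lastname) gid=1200000513(domain users) "
            "groups=1200000513(domain users)")

# One "name=value" field; group names may contain spaces, e.g. "domain users".
_FIELD = re.compile(r"\b(uid|gid|groups)=((?:\d+\([^)]*\),?)+)")
# One "12345(name)" entry inside a field.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Return (uid, gid, {group_id: group_name}) from one line of `id` output."""
    fields = dict(_FIELD.findall(line))
    uid = int(_ENTRY.match(fields["uid"]).group(1))
    gid = int(_ENTRY.match(fields["gid"]).group(1))
    groups = {int(g): name for g, name in _ENTRY.findall(fields["groups"])}
    return uid, gid, groups


def supplementary_groups(line):
    """Group IDs beyond the primary group; empty in the broken state."""
    _, gid, groups = parse_id(line)
    return set(groups) - {gid}


def group_enumeration_ok(line):
    """True when at least one supplementary AD group was resolved."""
    return bool(supplementary_groups(line))


def check_user(user):
    """Run `id` for a real account on the host (assumes sssd serves NSS)."""
    out = subprocess.run(["id", user], capture_output=True, text=True,
                         check=True).stdout
    return group_enumeration_ok(out.strip())
```

Run `check_user("firstname.lastname@redacted.co.uk")` on a test client before and after the AD change; a result of False for an account known to hold several groups reproduces the regression shown in the post.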