With sssd-ad 1.12.0 we have the problem that all additional group
memberships of a user are missing:
-------------
# id ga57joh
uid=3298478(ga57joh) gid=3000000(tu00000gv-0defprim)
groups=3000000(tu00000gv-0defprim)
-------------
Only the main group shows; all additional groups like
3394681(tueilntgv-0all),3393702(tueilntgv-0staff) are missing.
We have the following /etc/sssd/sssd.conf:
-------------
[sssd]
config_file_version = 2
services = nss,pam
domains = default
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/default]
id_provider = ad
auth_provider = ad
access_provider = simple
chpass_provider = ad
ad_domain = ads.mwn.de
#ad_enable_gc = False <-- even this does not help!
# Disable sssd-ad ID mapping, as we want to use posix data from AD
ldap_id_mapping = False
# Disable user enumeration for speed
enumerate = False
# Set base DNs and scope for faster search
ldap_search_base = DC=ads,DC=mwn,DC=de
ldap_user_search_base = ou=Users,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de
ldap_group_search_base = ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de
-------------
Using sssd-ad 1.9.6, we get all groups successfully with the identical
config!
We see the following message in /var/log/sssd/sssd_default.log:
-------------
[sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call
[sdap_get_initgr_user] (0x4000): Process user's groups
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing
membership SID [S-1-5-32-545]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found
for SID S-1-5-32-545
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing
membership SID [S-1-5-21-1499261727-55176102-3529509929-420311]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID
S-1-5-21-1499261727-55176102-3529509929-420311 will be downloaded
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing
membership SID [S-1-5-21-1499261727-55176102-3529509929-571]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID
S-1-5-21-1499261727-55176102-3529509929-571 will be downloaded
...
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for
[ne96soh]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectSID=S-1-5-21-1499261727-55176102-3529509929-420311)(objectclass=group)(name=*))][ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
[sdap_get_initgr_done] (0x4000): Initgroups done
-------------
It looks like all the missing user groups are mentioned in the "Missing
SID ... will be downloaded" messages, but are still missing in the end!
Any ideas?
Best regards,
Joschi
--
Dipl.-Ing. Joschi Brauchle, M.S.
Institute for Communications Engineering (LNT)
Technische Universitaet Muenchen (TUM)
80290 Munich, Germany
Tel (work): +49 89 289-23474
Fax (work): +49 89 289-23490
E-mail: joschi.brauchle(a)tum.de
Web: http://www.lnt.ei.tum.de/
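To see at a glance which token-group SIDs sssd marked for download and which of the follow-up group lookups under ldap_group_search_base came back empty, here is an added log-parsing example that is not part of the original post. The sample lines are constructed from the log excerpt above (unwrapped to one line each, as they appear in the real log file); the search result for the ...-571 SID is made up to show the resolved case.

```python
import re

# Patterns for the sssd_default.log lines quoted in the post (debug levels 0x0080/0x0400).
RE_NODOMAIN = re.compile(r"Domain not found for SID (S-[\d-]+)")
RE_MISSING = re.compile(r"Missing SID (S-[\d-]+) will be downloaded")
RE_SEARCH = re.compile(
    r"calling ldap_search_ext with \[\(&\(objectSID=(S-[\d-]+)\).*?\]\[([^\]]+)\]")
RE_RESULT = re.compile(r"Search for groups, returned (\d+) results")

# Constructed sample: the first six lines follow the post's excerpt, the last two are made up.
SAMPLE_LOG = """\
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing membership SID [S-1-5-32-545]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found for SID S-1-5-32-545
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-420311 will be downloaded
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0400): Missing SID S-1-5-21-1499261727-55176102-3529509929-571 will be downloaded
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1499261727-55176102-3529509929-420311)(objectclass=group)(name=*))][ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de].
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1499261727-55176102-3529509929-571)(objectclass=group)(name=*))][ou=Groups,OU=TU,OU=IAM,DC=ads,DC=mwn,DC=de].
[sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
"""


def classify_sids(log_text):
    """Map each SID seen in the token-groups processing to (status, search_base).

    status is 'unsupported-domain' (sssd knows no domain for the SID, e.g. BUILTIN),
    'pending' (marked for download, no search logged), 'resolved' (search returned
    >= 1 group) or 'unresolved' (search under ldap_group_search_base returned 0
    results, so the group is dropped from the user's initgroups).
    """
    status = {}
    current = None  # (sid, base) of the ldap_search_ext call awaiting its result line
    for line in log_text.splitlines():
        if m := RE_NODOMAIN.search(line):
            status[m.group(1)] = ("unsupported-domain", None)
        elif m := RE_MISSING.search(line):
            status.setdefault(m.group(1), ("pending", None))
        elif m := RE_SEARCH.search(line):
            current = (m.group(1), m.group(2))
        elif (m := RE_RESULT.search(line)) and current:
            sid, base = current
            status[sid] = ("resolved" if int(m.group(1)) > 0 else "unresolved", base)
            current = None
    return status


def unresolved_sids(log_text):
    """SIDs whose group object was not found under the configured search base."""
    return [sid for sid, (st, _) in classify_sids(log_text).items() if st == "unresolved"]
```

A SID listed by unresolved_sids is a group whose object sits outside ldap_group_search_base (or does not match the objectclass/name filter), which is the first thing to verify with a manual search against the DC.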