Jakub,
Thank you for answering so promptly.
We are currently testing this in a lab before full deployment, so I have
some degree of time before we deploy sssd in a bigger context. If you
would prefer for me to work with you directly off-line, please advise. As
an example, the attached sssd_amer.dell.com.log file was originally 40 MB
(I presume because of the debugging level). Out of respect for others on the
mailing list, I severely trimmed the log file to only the lines of interest
(I hope). But it's entirely possible I may have over-trimmed.
You asked:
Can you send logs for a single lookup of "id username" with tokengroups
enabled?
Attached are the logs. sssd_amer.dell.com.log and sssd_nss.log, for this
lookup:
[root@spikerealmd02 sssd]# id admpatrick_wheeler
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1010(amerunixusers)
This is with ldap_use_tokengroups = True, so the above lookup is incorrect.
What it should show is:
id admpatrick_wheeler
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
You asked:
Why do you disable the subdomains provider? Isn't it easier to just list
the domains you want to enable using the ad_enabled_domains option?
btw this can actually cause issues because the subdomains provider is
needed to fetch the joined domain SID at least, among other things.
When I ran with:
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
it broke cross-subdomain authentication. That is, I could resolve accounts
from the local domain (AMER), but not from any other domain (like apac).
When I reviewed the logs, I saw the sssd_nss.log would do a dispatch to the
apac.dell.com child, but the dispatch would always fail.
In sssd_apac.dell.com.log -- the dispatch was never picked up.
I also noticed that sssctl domain-list gave me this:
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
dell.com
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
I suspect that sssd_nss was attempting to dispatch into this apac.dell.com
"ghost" domain and failing. When I removed ad_enabled_domains (and commented
out dell.com as a domain), I noticed sssctl domain-list gave me the
expected:
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
And cross-subdomain authentication worked (modulo this tokengroups problem
where not all groups show up when tokengroups == True).
You stated:
ldap_schema = rfc2307bis
Please don't set ldap_schema to anything else than 'ad' (the default) with
id_provider=ad.
Unfortunately, our erstwhile AD administrators, when they extended our AD
schema years ago, did not use an rfc2307 schema extension. They used an
rfc2307bis schema extension instead.
I had fits with even basic sssd AD integration until I realized this. (I
thought I was going to have to manually set up ldap_filters for the few
quirky LDAP attributes associated with an account, but then I realized this
conformed 100% to rfc2307bis.) When I set ldap_schema to rfc2307bis, the
basic (same domain) authentication worked (without tokengroups).
Spike
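The comparison Spike did by hand above (diffing the groups= field of two `id` lookups, and spotting the duplicated entries in `sssctl domain-list`) is easy to script so it can be repeated against every test account before a wider rollout. The following is an added example written for this page, not code from the thread or from the SSSD project. The sample `id` and `sssctl domain-list` outputs are constructed from the values quoted in the thread; the `run_id` helper, which shells out to the real `id` command, is an assumption about how one would wire this into a live check.

```python
"""Compare the group memberships that `id` reports for one account under two
SSSD configurations (e.g. ldap_use_tokengroups = True vs False) and flag any
group one lookup returns that the other does not.  Also flag domains that
`sssctl domain-list` prints more than once.

Added example for this page; not part of the mailing-list thread.
"""
import re
import subprocess
from collections import Counter
from typing import Dict, List

# Constructed sample output, taken from the values quoted in the thread:
# the same account looked up with tokengroups enabled (incomplete) and
# with tokengroups disabled (complete).
ID_TOKENGROUPS_ON = (
    "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
    "groups=2604370(admpatrick_wheeler),1010(amerunixusers)"
)
ID_TOKENGROUPS_OFF = (
    "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
    "groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),"
    "1003(amerlinuxsup),1010(amerunixusers)"
)

# Constructed sample of the duplicated listing quoted in the thread.
DOMAIN_LIST = """amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
dell.com
amer.dell.com
apac.dell.com
emea.dell.com
japn.dell.com
"""

# Matches one "gid(name)" entry inside the groups= field.
_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output: str) -> Dict[int, str]:
    """Return {gid: name} for the groups= field of one line of `id` output.

    Only groups= is parsed; `id` repeats the primary gid there, so it is
    included once and the uid=/gid= fields are ignored.
    """
    match = re.search(r"groups=(\S+)", id_output)
    if not match:
        raise ValueError("no groups= field in id output")
    return {int(gid): name for gid, name in _GROUP_RE.findall(match.group(1))}


def missing_groups(reference: str, candidate: str) -> List[str]:
    """Groups present in `reference` but absent from `candidate`, as gid(name),
    sorted by gid.  Pass the tokengroups-disabled output as the reference."""
    ref = parse_id_groups(reference)
    cand = parse_id_groups(candidate)
    return [f"{gid}({ref[gid]})" for gid in sorted(ref) if gid not in cand]


def duplicate_domains(domain_list_output: str) -> List[str]:
    """Domains that `sssctl domain-list` printed more than once.

    The thread saw every subdomain listed twice when dell.com was configured
    as its own domain alongside ad_enabled_domains; a clean setup lists each
    domain exactly once.
    """
    counts = Counter(line.strip() for line in domain_list_output.splitlines()
                     if line.strip())
    return sorted(domain for domain, n in counts.items() if n > 1)


def run_id(user: str) -> str:
    """Assumed helper for live checks: run the real `id` command for a user.
    Not exercised by the sample data above."""
    proc = subprocess.run(["id", user], check=True, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    print("groups missing with tokengroups enabled:",
          missing_groups(ID_TOKENGROUPS_OFF, ID_TOKENGROUPS_ON))
    print("domains listed more than once:", duplicate_domains(DOMAIN_LIST))
```

In practice one would capture `id username` once per configuration (or once per host, if two hosts are configured differently), feed the two strings to `missing_groups`, and treat any non-empty result as a blocker for rollout, since a group that is missing from the tokengroups-based lookup is also missing from every access decision that depends on it (for instance `simple_allow_groups`).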
On Tue, Jul 10, 2018 at 9:59 AM Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote:
> > All,
> >
> > Below is a writeup of missing AD groups for accounts when using
> > tokengroups. When not using tokengroups, sssd is rock solid.
> >
> > Yes, most of the missing AD groups are universal or global groups -- but
> > not all! For some accounts, even domain-local AD groups are missed from
> > their group memberships. (when using tokengroups).
>
> [...]
>
> > tokengroups-disabled SSSD:
> >
> > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
> >
> > groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
> >
> >
> >
> > vas:
> >
> > uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
> > groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
> >
> >
> >
> > diff is:
> >
> > 1033(amer_server_mgmt)
> >
> > 1003(amerlinuxsup)
> >
> >
> >
> > amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd
> > not reporting this?!?
>
> Can you send logs for a single lookup of "id username" with tokengroups
> enabled?
>
> >
> > amerlinuxsup is an AMER universal group with GID 1003.
> >
> >
> >
> >
> >
> >
> >
> > Here is my /etc/sssd/sssd.conf file:
> >
> > [nss]
> > debug_level = 9
> > filter_groups = root
> > filter_users = root
> > #entry_cache_timeout = 300
> > entry_cache_nowait_percentage = 75
> >
> > [sssd]
> > debug_level = 6
> > #domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
> > domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
> > # Unnecessary. If missing, will search in order specified in "domains" lines above.
> > #domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com, dell.com
> > config_file_version = 2
> > services = nss,pam
> > reconnection_retries = 3
> > #ldap_user_member_of = member
> >
> > [pam]
> > pam_verbosity = 3
> > debug_level = 9
> >
> > [domain/amer.dell.com]
> > debug_level = 9
> > id_provider = ad
> > access_provider = simple
> > #access_provider = ad
> > auth_provider = ad
> > ad_domain = amer.dell.com
> > krb5_realm = AMER.DELL.COM
> > default_shell = /bin/bash
> > #use_fully_qualified_names = False
> > ldap_id_mapping = False
> > subdomains_provider = none
>
> Why do you disable the subdomains provider? Isn't it easier to just list
> the domains you want to enable using the ad_enabled_domains option?
>
> btw this can actually cause issues because the subdomains provider is
> needed to fetch the joined domain SID at least, among other things.
>
> I would change this to:
> ad_enabled_domains = amer.dell.com
>
> >
> > auto_private_groups = True
> > realmd_tags = joined-with-adcli
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > fallback_homedir = /home/%u
> > ldap_schema = rfc2307bis
>
> Please don't set ldap_schema to anything else than 'ad' (the default)
> with id_provider=ad. We should probably just disallow changing the
> schema in the code completely.
>
> > ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
> > #ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
> > #ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
> > dyndns_update = False
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = amerlinuxsup(a)AMER.DELL.COM,
> amerlinuxeng(a)AMER.DELL.COM,
> > emealinuxsup(a)EMEA.DELL.COM,
AMER.DELL.COM, emealinuxeng(a)EMEA.DELL.COM,
> > apaclinuxsup(a)EMEA.DELL.COM, apaclinuxeng(a)EMEA.DELL.COM
> >
> > # also look at https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648....
> >
> > [domain/apac.dell.com]
> > debug_level = 9
> > auto_private_groups = True
> > #use_fully_qualified_names = False
> > ad_domain = apac.dell.com
> > krb5_realm = APAC.DELL.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > fallback_homedir = /home/%u
> > access_provider = simple
> > ldap_schema = rfc2307bis
> > ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
> > #ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
> > #ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
> > dyndns_update = False
> > subdomains_provider = none
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = apaclinuxsup(a)APAC.DELL.COM, apaclinuxeng(a)APAC.DELL.COM
> >
> > [domain/emea.dell.com]
> > debug_level = 9
> > auto_private_groups = True
> > #use_fully_qualified_names = False
> > ad_domain = emea.dell.com
> > krb5_realm = EMEA.DELL.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > fallback_homedir = /home/%u
> > access_provider = simple
> > ldap_schema = rfc2307bis
> > ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
> > #ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
> > #ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
> > dyndns_update = False
> > subdomains_provider = none
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = emealinuxsup(a)EMEA.DELL.COM, emealinuxeng(a)EMEA.DELL.COM
> >
> > [domain/japn.dell.com]
> > debug_level = 9
> > auto_private_groups = True
> > #use_fully_qualified_names = False
> > ad_domain = japn.dell.com
> > krb5_realm = JAPN.DELL.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > fallback_homedir = /home/%u
> > access_provider = simple
> > ldap_schema = rfc2307bis
> > ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
> > #ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
> > #ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
> > #TEST REMOVAL. July 4 2018. SW
> > #ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
> > dyndns_update = False
> > subdomains_provider = none
> > # TEST -- commented out July 4 to not use tokengroups.
> > ldap_use_tokengroups = False
> > simple_allow_groups = japnlinuxsup(a)JAPN.DELL.COM, japnlinuxeng(a)JAPN.DELL.COM
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...