On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote:
> All,
>
> Below is a writeup of missing AD groups for accounts when using
> tokengroups. When not using tokengroups, sssd is rock solid.
>
> Yes, most of the missing AD groups are universal or global groups -- but
> not all! For some accounts, even domain-local AD groups are missed from
> their group memberships (when using tokengroups).
[...]
> tokengroups-disabled SSSD:
>
> uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
> groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
>
> vas:
>
> uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
> groups=2604370(admpatrick_wheeler),
> 1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
>
> diff is:
>
> 1033(amer_server_mgmt)
>
> 1003(amerlinuxsup)
>
> amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd
> not reporting this?!?
Can you send logs for a single lookup of "id username" with tokengroups
enabled?
>
> amerlinuxsup is an AMER universal group with GID 1003.
>
>
> Here is my /etc/sssd/sssd.conf file:
>
> [nss]
> debug_level = 9
> filter_groups = root
> filter_users = root
> #entry_cache_timeout = 300
> entry_cache_nowait_percentage = 75
>
> [sssd]
> debug_level = 6
> #domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
> domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
> # Unnecessary. If missing, will search in order specified in "domains"
> lines above.
> #domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com,
> japn.dell.com, dell.com
> config_file_version = 2
> services = nss,pam
> reconnection_retries = 3
> #ldap_user_member_of = member
>
> [pam]
> pam_verbosity = 3
> debug_level = 9
>
> [domain/amer.dell.com]
> debug_level = 9
> id_provider = ad
> access_provider = simple
> #access_provider = ad
> auth_provider = ad
> ad_domain = amer.dell.com
> krb5_realm = AMER.DELL.COM
> default_shell = /bin/bash
> #use_fully_qualified_names = False
> ldap_id_mapping = False
> subdomains_provider = none
Why do you disable the subdomains provider? Isn't it easier to just list
the domains you want to enable using the ad_enabled_domains option?
BTW, this can actually cause issues because the subdomains provider is
needed to fetch the joined domain SID at least, among other things.
I would change this to:
ad_enabled_domains = amer.dell.com
>
> auto_private_groups = True
> realmd_tags = joined-with-adcli
> cache_credentials = True
> krb5_store_password_if_offline = True
> fallback_homedir = /home/%u
> ldap_schema = rfc2307bis
Please don't set ldap_schema to anything else than 'ad' (the default)
with id_provider=ad. We should probably just disallow changing the
schema in the code completely.
> ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
> #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> #ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
> #TEST REMOVAL. July 4 2018. SW
> #ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,
> japn.dell.com,dell.com
> dyndns_update = False
> # TEST -- commented out July 4 to not use tokengroups.
> ldap_use_tokengroups = False
> simple_allow_groups = amerlinuxsup@AMER.DELL.COM, amerlinuxeng@AMER.DELL.COM,
> emealinuxsup@EMEA.DELL.COM, AMER.DELL.COM, emealinuxeng@EMEA.DELL.COM,
> apaclinuxsup@EMEA.DELL.COM, apaclinuxeng@EMEA.DELL.COM
>
> # also look at
> https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html
>
> [domain/apac.dell.com]
> debug_level = 9
> auto_private_groups = True
> #use_fully_qualified_names = False
> ad_domain = apac.dell.com
> krb5_realm = APAC.DELL.COM
> cache_credentials = True
> id_provider = ad
> auth_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> fallback_homedir = /home/%u
> access_provider = simple
> ldap_schema = rfc2307bis
> ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
> #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> #ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
> #TEST REMOVAL. July 4 2018. SW
> #ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com,
> japn.dell.com, dell.com
> dyndns_update = False
> subdomains_provider = none
> # TEST -- commented out July 4 to not use tokengroups.
> ldap_use_tokengroups = False
> simple_allow_groups = apaclinuxsup@APAC.DELL.COM, apaclinuxeng@APAC.DELL.COM
>
> [domain/emea.dell.com]
> debug_level = 9
> auto_private_groups = True
> #use_fully_qualified_names = False
> ad_domain = emea.dell.com
> krb5_realm = EMEA.DELL.COM
> cache_credentials = True
> id_provider = ad
> auth_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> fallback_homedir = /home/%u
> access_provider = simple
> ldap_schema = rfc2307bis
> ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
> #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> #ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
> #TEST REMOVAL. July 4 2018. SW
> #ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com,
> japn.dell.com, dell.com
> dyndns_update = False
> subdomains_provider = none
> # TEST -- commented out July 4 to not use tokengroups.
> ldap_use_tokengroups = False
> simple_allow_groups = emealinuxsup@EMEA.DELL.COM, emealinuxeng@EMEA.DELL.COM
>
> [domain/japn.dell.com]
> debug_level = 9
> auto_private_groups = True
> #use_fully_qualified_names = False
> ad_domain = japn.dell.com
> krb5_realm = JAPN.DELL.COM
> cache_credentials = True
> id_provider = ad
> auth_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> fallback_homedir = /home/%u
> access_provider = simple
> ldap_schema = rfc2307bis
> ldap_sasl_authid = host/spikerealmd02.us.dell.com@AMER.DELL.COM
> #ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
> #ldap_sasl_authid = spikerealmd02@AMER.DELL.COM
> #TEST REMOVAL. July 4 2018. SW
> #ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com,
> japn.dell.com, dell.com
> dyndns_update = False
> subdomains_provider = none
> # TEST -- commented out July 4 to not use tokengroups.
> ldap_use_tokengroups = False
> simple_allow_groups = japnlinuxsup@JAPN.DELL.COM, japnlinuxeng@JAPN.DELL.COM
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/VJFDAHDRDQPRW6WXT5MZA5KQHSW4KMEQ/
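The two configuration points raised in the reply (ldap_schema overridden with id_provider=ad, and subdomains_provider=none instead of ad_enabled_domains) can be checked mechanically. The script below is an added example, not code from the thread or from the SSSD project; it assumes sssd.conf parses with Python's configparser and that the SSSD defaults for ldap_schema and subdomains_provider under id_provider=ad are both "ad".

```python
"""Flag the two sssd.conf misconfigurations discussed in the reply above.
Added example code; not part of SSSD or of the mailing-list thread."""
import configparser
import io

# Constructed sample, reduced from the [domain/amer.dell.com] section quoted above.
SAMPLE_CONF = """
[sssd]
domains = amer.dell.com
services = nss,pam
config_file_version = 2

[domain/amer.dell.com]
id_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
ldap_schema = rfc2307bis
subdomains_provider = none
ldap_use_tokengroups = False
"""


def check_ad_domains(conf_text):
    """Return a list of (section, option, message) findings for every
    [domain/...] section that uses id_provider = ad."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip().lower() != "ad":
            continue
        # Assumed default: ldap_schema is 'ad' when id_provider is 'ad'.
        schema = cp.get(section, "ldap_schema", fallback="ad").strip().lower()
        if schema != "ad":
            findings.append((section, "ldap_schema",
                             f"ldap_schema={schema} with id_provider=ad; leave it at the default 'ad'"))
        # Assumed default: subdomains_provider follows id_provider ('ad') when unset.
        subdom = cp.get(section, "subdomains_provider", fallback="ad").strip().lower()
        if subdom == "none":
            domain = cp.get(section, "ad_domain", fallback=section.split("/", 1)[1])
            findings.append((section, "subdomains_provider",
                             "subdomains_provider=none stops SSSD fetching the joined domain SID; "
                             f"use ad_enabled_domains = {domain} instead"))
    return findings


if __name__ == "__main__":
    for section, option, msg in check_ad_domains(SAMPLE_CONF):
        print(f"[{section}] {option}: {msg}")
```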