On Mon, May 01, 2023 at 11:16:00AM -0000, David Serrano Amarelle wrote:
First, I would like to say that I appreciate all the help you could provide me. I have an issue with sssd and nss that I still don't understand quite well...
The point is that I have configured some servers with 2 active domains. The first domain is a freeipa managed environment and the second one is an AD domain.
But I recently noticed that if I try to obtain the uids and gids for several users, the groups have the right gid, but the group names are wrong. I mean, what I detected is that even though all gids and uids retrieved by the id command are right, the names of the groups shown are sometimes from the other domain. I think it always retrieves the name of the group from the first domain (domain1.com) if the gid exists there, but if it doesn't, it will look for it in the second domain (addomain2.com). It seems this is a problem with the NSS, not exactly with the SSSD, even though they are very linked. So, please, if this is not the best place to ask about this, I would appreciate help in finding another forum to ask in.
For instance:
[root@lab6 ~]# id user1
uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
where:
- user1 is a user from the AD domain (addomain2.com)
- gids are perfectly obtained
- group1, group2 and group3 are from the AD domain (addomain2.com)
- group5 and group6 are groups OR USERS from the FREEIPA domain (domain1.com)
I could understand that it is normal for this to happen if I use the short-name way "id user1", but I think that it should not happen with the fully qualified way: "id user1@addomain2.com". I mean, this also happens if I do:
[root@lab6 ~]# id user1@addomain2.com
uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
Hi,
if I understand it correctly there are groups in AD with GIDs 102242 and 100327 and there are objects (users or groups) in IPA which are using the same number as UID/GID.
This setup, collisions of GIDs, is not recommended and will cause the issue you see. The reason is that the commands which return the groups the user is a member of always only return the GIDs of the groups and since the GIDs have no domain components the first group found with the GID will be returned (since IPA uses autogenerated user private groups it looks like IPA users are returned as well).
HTH
bye, Sumit
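As an added illustration of the lookup order Sumit describes (this is a model written for this thread, not sssd code and not from either poster): a small Python script with constructed user and group tables, in the order the sssd.conf lists the domains, that resolves bare GIDs the way getgrgid() sees them and lists every UID/GID that exists in more than one domain.

```python
"""Model of the flat-GID resolution described above, with a collision check."""
from collections import defaultdict

# Constructed sample tables (not real directory data); the numbers mirror the
# id output in the thread and 102242/100327 deliberately exist in both domains.
# Dict order matches "domains = domain1.com,addomain2.com" in sssd.conf.
DOMAINS = {
    "domain1.com": {  # FreeIPA: a user private group reuses the user's UID
        "users":  {100327: "group6"},
        "groups": {102242: "group5", 100327: "group6"},
    },
    "addomain2.com": {  # AD with ldap_id_mapping = false (POSIX attrs from AD)
        "users":  {105806: "user1"},
        "groups": {106520: "group1", 104446: "group2", 104870: "group3",
                   102242: "ad-finance", 100327: "ad-ops"},
    },
}

def resolve_gid(gid, domains=DOMAINS):
    """Mimic getgrgid() through sssd_nss: walk the domains in configured order
    and return the first hit. The caller's own domain never enters into it,
    because a bare numeric GID carries no domain component."""
    for dom, tables in domains.items():
        if gid in tables["groups"]:
            return dom, tables["groups"][gid]
    return None, None

def render_groups(gids, domains=DOMAINS):
    """Build the 'groups=' field of id(1) from the GID list of a user."""
    return ",".join(f"{g}({resolve_gid(g, domains)[1] or ''})" for g in gids)

def find_id_collisions(domains=DOMAINS):
    """Return {id: [(domain, kind, name), ...]} for every UID/GID that exists in
    more than one domain; users count too, since IPA UPGs reuse the UID."""
    seen = defaultdict(list)
    for dom, tables in domains.items():
        for kind in ("users", "groups"):
            for num, name in tables[kind].items():
                seen[num].append((dom, kind, name))
    return {num: hits for num, hits in seen.items()
            if len({d for d, _, _ in hits}) > 1}

if __name__ == "__main__":
    # user1 is an AD user, yet 102242 and 100327 resolve to the IPA names
    print("groups=" + render_groups([106520, 104446, 104870, 102242, 100327]))
    for num, hits in sorted(find_id_collisions().items()):
        print(f"collision on {num}: {hits}")
```

Fed with real exports of both domains' POSIX IDs instead of the constructed tables, find_id_collisions() gives the list of IDs that have to move before id(1) output can be trusted.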
This is my sssd.conf:
[root@lab6 ~]# cat /etc/sssd/sssd.conf
[domain/domain1.com]
id_provider = ipa
ipa_server = _srv_, freeipa01.domain1.com
ipa_domain = domain1.com
ipa_hostname = lab6.domain1.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True

[domain/addomain2.com]
ad_domain = addomain2.com
krb5_realm = addomain2.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
krb5_keytab = /etc/krb5.keytab.ad
ldap_krb5_keytab = /etc/krb5.keytab.ad
ldap_id_mapping = false
ad_enabled_domains = addomain2.com
ad_gpo_access_control = disabled
dyndns_update = false
dns_resolver_timeout = 10
dns_resolver_op_timeout = 10
krb5_auth_timeout = 30
timeout = 30

[sssd]
services = nss, pam, ssh, sudo
domains = domain1.com,addomain2.com

[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
[root@lab6 ~]# realm list
domain1.com
  type: kerberos
  realm-name: domain1.com
  domain-name: domain1.com
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: ipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U
  login-policy: allow-realm-logins
addomain2.com
  type: kerberos
  realm-name: addomain2.com
  domain-name: addomain2.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
Does this make any sense to you? Did I miss something in my configuration? Is there any way to tell NSS which domain it should use in the SSSD configuration?
Thanks a lot for your help.
Regards, david