Hi, just following up again to see if these are known issues or if I need to open a new ticket for them.
Thanks

Sanjay Agrawal


On Tuesday, January 12, 2021, 08:38:22 PM EST, Sanjay Agrawal <sanjayagrawal@yahoo.com> wrote:


Following is our sssd.conf:
[sssd]
debug_level = 6
debug_microseconds = true
config_file_version = 2
domains = mydomain
services = nss, pam

[nss]
debug_level = 6
debug_microseconds = true
filter_groups = root
filter_users = root
timeout = 20

[domain/mydomain]
debug_level = 6
debug_microseconds = true
id_provider = ad
ldap_id_mapping = False
ad_domain = mydomain.com
ad_site = igm
ad_enable_gc = False
ldap_group_name = msSFU30Name
enumerate = True
krb5_use_kdcinfo = False
ldap_sasl_authid = %S$
timeout = 20
offline_timeout = 10

ldap_purge_cache_timeout = 604800
ldap_use_tokengroups = False


Sanjay Agrawal


On Tuesday, January 12, 2021, 11:48:54 AM EST, Spike White <spikewhitetx@gmail.com> wrote:


Sanjay,

We had the opposite problem. With ldap_use_tokengroups = True, we were getting incorrect group memberships. It's been a couple of years, but I seem to recall it was either universal group membership, or else memberships in non-local AD domains that weren't being shown (global groups).

Spike

On Tue, Jan 12, 2021 at 4:13 AM Sumit Bose <sbose@redhat.com> wrote:
On Fri, Jan 08, 2021 at 09:57:12PM +0000, Sanjay Agrawal wrote:
> We are noticing that ldap_use_tokengroups=False is not returning the same results as with tokengroups. We think it is due to the two issues shown below. Can you please confirm whether they are known issues.
>
> Thanks,
>
> Issue 1: It is not checking nested membership of the gidNumber group, so group "group1498" is missing from the list
> $ ldapsearch -Q -h ad_server -LLL -b 'CN=user3901,OU=Service Accounts,DC=mydomain,DC=com' -s base 'objectclass=*' | grep -E "primaryGroupID|gidNumber|memberOf"
> memberOf: CN=group548,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1414,OU=Groups,DC=mydomain,DC=com
> primaryGroupID: 513
> gidNumber: 32771
>  
> $ ldapsearch -Q -h ad_server -LLL -b 'OU=Groups,DC=mydomain,DC=com' '(msSFU30Name=group1191)' | grep -E "gidNumber|memberOf"
> memberOf: CN=group1498,CN=Builtin,DC=mydomain,DC=com
> gidNumber: 32771
>  
> testhost4:0# tail -1 /etc/sssd/sssd.conf
> ldap_use_tokengroups = False

Hi,

can you send your full sssd.conf so that I can better understand which
provider, schema etc. are used?

bye,
Sumit

>  
> testhost4:0# groups  user3901
> user3901 : group1191 group548 group1414
>
>
>
> Issue 2: without tokengroups, it's not considering primaryGroupID as a group of the user, so this one is missing from the group list
> All tokengroups for this user
>
> $ ldapsearch -Q -h ad_server -LLL -b 'CN=user5305,CN=Users,DC=mydomain,DC=com' -s base 'objectclass=*' tokenGroups
> dn: CN=user5305,CN=Users,DC=mydomain,DC=com
> tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
>
> All memberOf/primaryGroupID and gidNumber for the user
> ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=user5305)' | egrep "name|gidNumber|memberOf|primary|AccountName"
> memberOf: CN=group136,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group404,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group938,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group717,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group655,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group714,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1015,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group715,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group945,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group863,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1243,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group721,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group588,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group869,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1110,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group934,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1099,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group669,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1520,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group768,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group1375,OU=Groups,DC=mydomain,DC=com
> memberOf: CN=group226,OU=Groups,DC=mydomain,DC=com
> name: user5305
> primaryGroupID: 513
> sAMAccountName: user5305
> gidNumber: 33040
>
> check group with objectSid  AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
> $ ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=group1191)' objectSid name
> dn: CN=Domain Users,OU=Groups,DC=mydomain,DC=com
> name: Domain Users
> objectSid:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
> ldap_group: group1191
>
> base64 of this objectSid  AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
>     S-1-5-21-79843086-108998794-1039276024-513
>     - this is the primaryGroupID, which is missing from group list
>
>
> From the box using tokenGroup=False, see that group1191 (primaryGroupID) is missing from the group list
> testhost4:130# tail -1 /etc/sssd/sssd.conf
> ldap_use_tokengroups = False
> testhost4:0# groups user5305
> user5305 : group1520 group226 group1375 group768 group136 group1243 group669 group1099 group934 group1110 group869 group588 group721 group863 group945 group715 group1015 group714 group655 group717 group938 group404
>
> Sanjay Agrawal

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
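The base64 objectSid and tokenGroups values above are binary Windows SIDs. The following example (added here; it is not code from the thread or from SSSD) decodes them and builds the primary-group SID from the domain SID plus primaryGroupID, which is exactly the membership a memberOf-only walk never sees. The Domain Users objectSid and the Builtin Users tokenGroups entry are taken from the thread; the memberOf SID with RID 1105 is a constructed placeholder.

```python
import base64
import struct

# Binary SID layout (MS-DTYP): revision (1 byte), sub-authority count (1 byte),
# 48-bit big-endian identifier authority, then count x 32-bit little-endian sub-authorities.
def sid_bytes_to_str(raw: bytes) -> str:
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def decode_sid(b64: str) -> str:
    """Decode a base64 objectSid/tokenGroups value as ldapsearch prints it (the '::' form)."""
    return sid_bytes_to_str(base64.b64decode(b64))

def domain_sid_of(sid: str) -> str:
    """Strip the RID (last component) from an account or group SID to get the domain SID."""
    return sid.rsplit("-", 1)[0]

def primary_group_sid(domain_sid: str, primary_group_id: int) -> str:
    """AD stores the primary group only as a RID; the full SID is domain SID + primaryGroupID."""
    return "%s-%d" % (domain_sid, primary_group_id)

def groups_only_in_tokengroups(token_groups_b64, memberof_sids):
    """SIDs that tokenGroups reports but a memberOf walk would not (e.g. the primary group)."""
    return sorted({decode_sid(v) for v in token_groups_b64} - set(memberof_sids))

# Values quoted in the thread: objectSid of CN=Domain Users (RID 513) and the
# Builtin Users (S-1-5-32-545) entry from the user's tokenGroups.
DOMAIN_USERS_B64 = "AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA=="
BUILTIN_USERS_B64 = "AQIAAAAAAAUgAAAAIQIAAA=="

def demo():
    domain_users = decode_sid(DOMAIN_USERS_B64)
    domain = domain_sid_of(domain_users)
    primary = primary_group_sid(domain, 513)          # primaryGroupID: 513 from ldapsearch
    memberof = [primary_group_sid(domain, 1105)]      # constructed: one ordinary memberOf group
    missing = groups_only_in_tokengroups([DOMAIN_USERS_B64, BUILTIN_USERS_B64], memberof)
    return domain_users, primary, missing

if __name__ == "__main__":
    print(demo())
```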