On Tue, Mar 31, 2015 at 11:20:50AM -0600, Orion Poplawski wrote:
On 03/31/2015 08:16 AM, Jakub Hrozek wrote:
On Mon, Mar 30, 2015 at 03:47:01PM -0600, Orion Poplawski wrote:
Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"?
I just tried a similar setup and it worked OK for me. I only changed the settings on the client. There are two gotchas, maybe they'll help:
1) if you change the full_name_format, you need to purge the cache. We realize it's suboptimal and won't be required for 1.13, hopefully.
Yeah, I've gotten into the habit of doing:
systemctl stop sssd;rm -rf /var/lib/sss/db/* /var/log/sssd/*;systemctl start sssd
for each change. I'm still not having any luck though.
I see you disabled the full name format on the server. I think that's the right thing to do because IIRC some IPA code relies on the FQDN being default on the server. Did you clean the cache even on the server?
Server sssd.conf:
[domain/nwra.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nwra.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = europa.nwra.com
chpass_provider = ipa
ipa_server = europa.nwra.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
subdomain_homedir = /home/%u
#full_name_format = %1$s
ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
Not too important, but as long as boulder is an IPA automounter "location", I think you could just set: ipa_automount_location = boulder instead of the full search base.
debug_level = 10
[sssd]
services = nss, pam, ssh, pac, autofs
config_file_version = 2
domains = nwra.com
#default_domain_suffix = ad.nwra.com
debug_level = 10
[nss]
default_shell = /bin/bash

ipa-server-4.1.0-18.sl7_1.3.x86_64
sssd-1.12.2-58.el7.x86_64
Client sssd.conf:
[domain/nwra.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nwra.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipaclient.cora.nwra.com
chpass_provider = ipa
ipa_server = _srv_, europa.nwra.com
dns_discovery_domain = nwra.com
subdomain_homedir = /home/%u
debug_level = 0xfff0
full_name_format = %1$s
ldap_autofs_search_base = cn=boulder,cn=automount,dc=nwra,dc=com
use_fully_qualified_names = True

[sssd]
services = nss, pam, autofs, pac
config_file_version = 2
domains = nwra.com
default_domain_suffix = ad.nwra.com

[nss]
homedir_substring = /home
default_shell = /bin/bash
sssd-1.12.4-1.fc21.x86_64
2) Depending on your version, you might need to set use_fully_qualified_names=True in the domain section so that the IPA users work.
Thanks for the heads up. Although setting it on the client makes "id orion" fail, even with the default_domain_suffix set.
Is 'orion' an IPA user or an AD user? If it's an IPA user, then you need to call: id orion@nwra.com (Remember, fully qualified names.) If it's an AD user, then unfortunately we need to see the client and server logs.
btw there is a relatively new page https://fedorahosted.org/sssd/wiki/Troubleshooting that contains some tips on SSSD debugging.
Out of curiosity, why do you want to disable the fully qualified names?
Simplicity. We're going to have all of the users in AD anyway, so it's just annoyingly long to have @ad.nwra.com added to everything.
OK, this is exactly the reason we added default_domain_suffix. Please note https://fedorahosted.org/sssd/ticket/2609. There is a patch on the -devel list that was acked just today.
I'm also trying to see if I can get away with something that allows NFSv4 to treat our existing LDAP users and the new AD users (with the same names) as identical, but that may be folly.
I would guess you'd need the IDs to be identical and then it should just work, right?
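As an added example that is not part of this thread, the following script shows how to pick the symptom Orion quoted out of an sssd back end log automatically: a "Could not add member ... to group" error from sysdb_update_members_ex whose group DN sits under the wrong sysdb domain (cn=nwra.com instead of cn=ad.nwra.com). The log lines are constructed to match the format quoted above; the assumption that the domain is the cn= component directly before cn=sysdb is mine, not something the thread states.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample log, modelled on the sssd errors quoted in the thread.
# Line 2 puts an AD group under the IPA domain (the misrouting symptom);
# line 3 is a correctly routed group under the AD subdomain for contrast.
SAMPLE_LOG = """\
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
(Mon Mar 30 15:20:53 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain users,cn=groups,cn=ad.nwra.com,cn=sysdb]. Skipping.
"""


class MisroutedMember(NamedTuple):
    member: str
    group: str
    sysdb_domain: str


# Matches the sysdb_update_members_ex failure line; the bracketed member
# and group DN never contain ']' in sssd's output, so [^\]]+ is safe here.
MEMBER_ERR = re.compile(
    r"\[sysdb_update_members_ex\].*?Could not add member \[(?P<member>[^\]]+)\] "
    r"to group \[(?P<dn>[^\]]+)\]"
)


def parse_group_dn(dn: str) -> Tuple[str, str]:
    """Return (group name, sysdb domain) for a DN such as
    'name=domain admins,cn=groups,cn=nwra.com,cn=sysdb'.

    Assumption: the domain is the cn= component immediately before the
    trailing 'cn=sysdb'. Anything else is rejected rather than guessed.
    """
    parts = [p.split("=", 1) for p in dn.split(",")]
    if parts[-1] != ["cn", "sysdb"] or parts[-2][0] != "cn":
        raise ValueError(f"unexpected sysdb DN layout: {dn}")
    name = next(v for k, v in parts if k == "name")
    return name, parts[-2][1]


def find_misrouted_memberships(log_text: str, expected_domain: str) -> List[MisroutedMember]:
    """Scan back end log text and return every membership update that sssd
    tried to store under a sysdb domain other than expected_domain."""
    hits: List[MisroutedMember] = []
    for line in log_text.splitlines():
        m = MEMBER_ERR.search(line)
        if not m:
            continue
        group, domain = parse_group_dn(m["dn"])
        if domain.lower() != expected_domain.lower():
            hits.append(MisroutedMember(m["member"], group, domain))
    return hits


if __name__ == "__main__":
    # Users live in the AD trust domain, so their groups should be stored there.
    for hit in find_misrouted_memberships(SAMPLE_LOG, "ad.nwra.com"):
        print(f"member {hit.member!r} -> group {hit.group!r} stored under "
              f"{hit.sysdb_domain!r}, expected 'ad.nwra.com'")
```

Run it against a real /var/log/sssd/sssd_<domain>.log captured at debug_level 10 (the level used in the configs above); a non-empty result is a quick way to tell the "groups landed in the wrong sysdb domain" failure apart from an ordinary lookup miss before going through the whole log by hand.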