On (10/11/14 17:18), Sergey Urushkin wrote:
I have sssd (1.12.2 on archlinux, 1.11.5 on ubuntu 14.04, 1.11.7 on ubuntu 14.10, i386)
configured against samba4 (4.1.11, ubuntu 14.04, amd64) using AD provider:
I am not sure from the rest of your mail which version of sssd is
problematic.
sssd-1.11.5 has some known issues.
BTW: log files from sssd-1.11.7 would be the best for troubleshooting.
LS
[sssd]
config_file_version = 2
reconnection_retries = 2
services = nss, pam
domains = DOMAIN.COM
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 2
[pam]
reconnection_retries = 2
[domain/DOMAIN.COM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
ldap_user_gecos = displayName
ldap_tls_reqcert = allow
ldap_sasl_mech = gssapi
ldap_sasl_authid = nix$@DOMAIN.COM
krb5_use_enterprise_principal = false
krb5_keytab = /etc/sssd/sssd.keytab
ldap_id_mapping = false
dyndns_update = false
cache_credentials = true
enumerate = false
min_id = 1
I have sudo and sshd configured to use groups:
# grep group1 /etc/ssh/sshd_config
AllowGroups root group1
# grep group1 /etc/sudoers
%group1 ALL=(ALL) ALL
User 'user4' is a member of several non-nested domain posix groups, including
'group1'. No local group membership.
After starting sssd (with empty /var/lib/sss), authentication and local logon
work fine. 'getent group' shows correct group members:
# getent group group1
group1:*:1013:user1,user2,user3,user4,user5
... but 'id' shows primary group only:
# id user4
uid=1104(user4) gid=513(domain users) groups=513(domain users)
Now, trying to use sudo (local):
$ sudo -s
[sudo] password for user4:
user4 is not in the sudoers file. This incident will be reported.
... or login remotely via ssh (sshd log message):
User user4 from host.domain.com not allowed because none of user's groups are listed in AllowGroups
After this, 'id' output stays the same:
# id user4
uid=1104(user4) gid=513(domain users) groups=513(domain users)
But 'user4' disappears from 'getent group' output:
# getent group group1
group1:*:1013:user1,user2,user3,user5
Restarting sssd doesn't fix the issue. The user appears in the group list again only
after removing the 'db/cache_DOMAIN.COM.ldb' file and restarting sssd, but
disappears again after the same actions (ssh/sudo). The following options don't
help either:
ldap_id_mapping = true
enumerate = true
winbind 4.1 works absolutely fine against the same AD server. So, I think the
problem is about sssd...
Summary:
* sssd group membership ACL checks don't work. User disappears from 'getent
group' output after such check.
* 'id' shows primary group only
Should I file a bug report?
Thanks!
--
Best regards,
Sergey Urushkin
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
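The symptom above is a disagreement between the two NSS views that sshd's AllowGroups and the sudoers '%group1' rule depend on: the group's member list from 'getent group' and the user's supplementary groups from 'id'. The following script is an added diagnostic, not code from the thread or from the sssd project; it parses raw output lines of both commands (constructed samples copied from the report above) and classifies which view lists the user, so the state of a host can be checked before and after an ssh/sudo attempt.

```shell
#!/bin/sh
# Cross-check one user's membership in one group as seen by the two NSS views
# that sudo's '%group' rule and sshd's AllowGroups rely on:
#   - the group's member list ('getent group <group>')
#   - the user's supplementary groups ('id <user>')
# Takes the raw output lines, so it runs on captured output as well as live.
# Returns: 0 = both views list the user, 1 = only getent lists it,
#          2 = only id lists it, 3 = neither does.
membership_state() {
    user=$1 group_line=$2 id_line=$3
    group_name=${group_line%%:*}
    gid=$(printf '%s\n' "$group_line" | cut -d: -f3)
    members=$(printf '%s\n' "$group_line" | cut -d: -f4)

    # Member list is comma separated; pad with commas so 'user1' cannot
    # match inside 'user10'.
    in_getent=1
    case ",$members," in *",$user,"*) in_getent=0 ;; esac

    # 'groups=' section of id output, e.g. 513(domain users),1013(group1)
    groups_part=${id_line#*groups=}
    in_id=1
    case ",$groups_part," in *",$gid($group_name),"*) in_id=0 ;; esac

    if [ "$in_getent" -eq 0 ] && [ "$in_id" -eq 0 ]; then return 0; fi
    if [ "$in_getent" -eq 0 ]; then return 1; fi
    if [ "$in_id" -eq 0 ]; then return 2; fi
    return 3
}

# Constructed samples mirroring the report: getent lists user4 in group1 while
# id shows only the primary group; after the ssh/sudo attempt user4 vanishes
# from getent as well. ID_HEALTHY is what a consistent host would show.
GROUP_BEFORE='group1:*:1013:user1,user2,user3,user4,user5'
GROUP_AFTER='group1:*:1013:user1,user2,user3,user5'
ID_USER4='uid=1104(user4) gid=513(domain users) groups=513(domain users)'
ID_HEALTHY='uid=1104(user4) gid=513(domain users) groups=513(domain users),1013(group1)'

# Live use on a host (assumed invocation, not run here):
#   membership_state user4 "$(getent group group1)" "$(id user4)"; echo "state=$?"
```

A return of 1 is the first symptom in the report (group record knows the user, user record does not), and 3 after the ssh/sudo attempt is the second; 0 is the only state in which the AllowGroups and sudoers checks can succeed.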