gidNumber '182275' is the gidNumber in my LDAP entry only.
There is no actual group corresponding to this gidNumber. I have zero control over how our
AD is configured, so I couldn't change this if I wanted to.
And there is your problem, whilst you can add a gidNumber to a user's
object in AD, it is meaningless unless it is also the gidNumber of an
actual group in AD. I think you are trying to set up a personal
usergroup with the same name as your user; this is not allowed in AD.
Rowland
dn: CN=neilt,OU=People,DC=ad,DC=mydomain,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
givenName: Neil
distinguishedName: CN=neilt,OU=People,DC=ad,DC=mydomain,DC=edu
instanceType: 4
uidNumber: 182275
gidNumber: 182275
extensionAttribute2: O365
SAMAccountType: 805306368
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny
Sent: Monday, July 13, 2015 1:06 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] gidNumber resolution problem
On 13/07/15 18:42, Thackeray, Neil L wrote:
> I've upgraded to 1.12.5, but the result is still the same. I don't understand
> why sssd is treating my gidNumber as a group when it resides in the user's entry in
> objectclass user.
>
> This ldap search doesn't work: ldapsearch -LLL -x -H ldaps://ldaps.ad.mydomain.edu:636/ -b dc=ad,dc=mydomain,dc=edu -D bi-svc-ems@ad.mydomain.edu -W -s sub "(&(gidNumber=182275)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))"
>
> This ldap search does work: ldapsearch -LLL -x -H ldaps://ldaps.ad.mydomain.edu:636/ -b dc=ad,dc=mydomain,dc=edu -D bi-svc-ems@ad.mydomain.edu -W -s sub "(&(gidNumber=182275)(objectClass=user)(name=*)(&(gidNumber=*)(!(gidNumber=0))))"
Hi, does the gidNumber '182275' have a corresponding group to go with it?
Rowland
>
> This is part of what the debug for nss looks like. It seems that it's connecting:
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b210:2:182275@ad.mydomain.edu]
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.mydomain.edu][4098][1][idnumber=182275]
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x175ef80
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b210:2:182275@ad.mydomain.edu]
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [182275]
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x175ef80
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x175a650
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
> (Mon Jul 13 11:40:22 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline
>
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org
> [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas
> Slebodnik
> Sent: Friday, July 10, 2015 2:45 AM
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] gidNumber resolution problem
>
> On (09/07/15 22:36), Thackeray, Neil L wrote:
>> I'm new to sssd, so I'm not sure I have everything set up correctly, but from what I've seen setting up authentication against AD should be fairly easy.
>>
>> I'm able to authenticate, and group lookups seem to work during authentication. When I look through the sssd domain log I see it going through my groups and enumerating users.
>>
>> Unfortunately, it's not able to resolve my gidNumber which is in my personal LDAP entry in the user objectclass not in the group objectclass.
>>
>> This log entry happens when I ssh into the server or run 'groups' from the command line.
>> (Thu Jul 9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=182275)(objectclass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu].
>>
>> Output of running 'groups' while my account is logged in:
>> groups: cannot find name for group ID 182275
>> 182275
>>
>> I'm in a lot of groups, so I can only assume that it tries to resolve my gidNumber, can't and gives up.
>>
>> sssd version 1.11.5
> 1.11.5 may contain some bugs. So please test with latest 1.11 version
> or latest 1.12 version
>
>> sssd.conf
>> [sssd]
>> domains = ad.mydomain.edu
>> config_file_version = 2
>> services = nss, pam, pac
>>
>> [domain/ad.mydomain.edu]
>> debug_level = 9
>> ad_domain = ad.mydomain.edu
>>
>> id_provider = ad
>> auth_provider = ad
>> access_provider = ad
>> chpass_provider = ad
>>
>> realmd_tags = manages-system joined-with-samba
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> default_shell = /bin/bash
>> ldap_id_mapping = False
>> use_fully_qualified_names = False
>> fallback_homedir = /home/%u
>> ignore_group_members = False
>> ipa_hbac_support_srchost = True
> This option will be ignored because it is an ipa related option and you are using the ad provider.
>
>> ad_access_filter = memberOf=CN=MyOU IT FT,OU=Groups - DLs,OU=ITS,OU=MyOU,OU=City,DC=ad,DC=mydomain,DC=ed
> Does it work if you remove this line?
>
> BTW you can use simple access provider instead of such filter.
> @see man sssd-simple
>
> I would also recommend reading our wiki page
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> LS
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
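As an added example that is not part of the thread (and not SSSD's own code): the script below replays the getgrgid filter SSSD logs above over a small constructed LDIF directory and lists users whose primary gidNumber matches no group, which is exactly the situation that makes `groups` print the raw number. The entries, names and numbers in SAMPLE_LDIF are made up.

```python
# Added example (not code from the thread): emulate the group-by-GID lookup
# SSSD's AD provider performs, and flag users whose primary gidNumber matches
# no group. SAMPLE_LDIF is constructed; names and numbers are made up.

SAMPLE_LDIF = """\
dn: CN=neilt,OU=People,DC=ad,DC=example,DC=edu
objectClass: user
sAMAccountName: neilt
gidNumber: 182275

dn: CN=alice,OU=People,DC=ad,DC=example,DC=edu
objectClass: user
sAMAccountName: alice
gidNumber: 5000

dn: CN=linux-users,OU=Groups,DC=ad,DC=example,DC=edu
objectClass: group
name: linux-users
gidNumber: 5000
"""

def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, attribute names lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def matches_sssd_group_filter(entry, gid):
    """Same conditions as the filter SSSD logs for getgrgid:
    (&(gidNumber=GID)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))"""
    classes = {v.lower() for v in entry.get("objectclass", [])}
    gids = entry.get("gidnumber", [])
    return "group" in classes and "name" in entry and str(gid) in gids and "0" not in gids

def orphan_primary_gids(entries):
    """Map sAMAccountName -> gidNumber for users whose primary GID has no group entry."""
    orphans = {}
    for user in entries:
        if "user" not in {v.lower() for v in user.get("objectclass", [])}:
            continue
        for gid in user.get("gidnumber", []):
            if not any(matches_sssd_group_filter(e, gid) for e in entries):
                orphans[user["samaccountname"][0]] = gid
    return orphans
```

Feeding it the LDIF from an `ldapsearch -LLL` export of the user and group OUs gives a quick audit of which accounts would hit the same "cannot find name for group ID" error.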