First, I would like to thank you in advance for any help you can give me. I have an issue with sssd and nss that I still don't quite understand...
The point is that I have configured some servers with 2 active domains. The first domain is a freeipa managed environment and the second one is an AD domain.
But I recently noticed that if I try to obtain the uids and gids for several users, the groups have the right gid, but the group names are wrong. I mean, what I detected is that, even though all the gids and uids retrieved by the id command are right, the names of the groups shown are sometimes from the other domain. I think it always retrieves the name of the group from the first domain (domain1.com) if the gid exists there, but if it doesn't, it looks for it in the second domain (addomain2.com). It seems this is a problem with NSS, not exactly with SSSD, even though they are very closely linked. So, please, if this is not the best place to ask about this, I would appreciate help finding a more suitable forum.
For instance:
[root@lab6 ~]# id user1
uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
where:
* user1 is a user from the AD domain (addomain2.com)
* the gids are perfectly obtained
* group1, group2 and group3 are from the AD domain (addomain2.com)
* group5 and group6 are groups OR USERS from the FREEIPA domain (domain1.com)
I could understand that it is normal for this to happen if I use the short-name form "id user1", but I think it should not happen with the fully-qualified form "id user1@addomain2.com". I mean, this also happens if I do:
[root@lab6 ~]# id user1@addomain2.com
uid=105806(user1) gid=106520(group1) groups=106520(group1),104446(group2),104870(group3),102242(group5),100327(group6)
This is my sssd.conf:
[root@lab6 ~]# cat /etc/sssd/sssd.conf
[domain/domain1.com]
id_provider = ipa
ipa_server = _srv_, freeipa01.domain1.com
ipa_domain = domain1.com
ipa_hostname = lab6.domain1.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True

[domain/addomain2.com]
ad_domain = addomain2.com
krb5_realm = addomain2.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
krb5_keytab = /etc/krb5.keytab.ad
ldap_krb5_keytab = /etc/krb5.keytab.ad
ldap_id_mapping = false
ad_enabled_domains = addomain2.com
ad_gpo_access_control = disabled
dyndns_update = false
dns_resolver_timeout = 10
dns_resolver_op_timeout = 10
krb5_auth_timeout = 30
timeout = 30

[sssd]
services = nss, pam, ssh, sudo
domains = domain1.com,addomain2.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]
[root@lab6 ~]# realm list
domain1.com
  type: kerberos
  realm-name: domain1.com
  domain-name: domain1.com
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: ipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U
  login-policy: allow-realm-logins
addomain2.com
  type: kerberos
  realm-name: addomain2.com
  domain-name: addomain2.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
Does this make any sense to you? Did I miss something in my configuration? Is there any way to tell NSS which domain it should use in the SSSD configuration?
Thanks a lot for your help.
Regards, david
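Added example, not part of the original post and not SSSD's own code: an offline Python script that reproduces the name-collision the post describes and checks an sssd.conf for the two settings that prevent it. It assumes, as the post infers, that a bare numeric gid is searched across the domains listed in [sssd] domains= in that order and the first hit wins. POSTED_CONF is a constructed, trimmed copy of the posted configuration; HARDENED_CONF adds use_fully_qualified_names = True on both domains plus hypothetical, non-overlapping min_id/max_id ranges (the range values are made up); GROUP_TABLES is constructed sample data in which gid 102242 is deliberately defined in both domains to show the effect.

```python
import configparser

# Constructed: trimmed copy of the posted sssd.conf (same domain order).
POSTED_CONF = """
[sssd]
domains = domain1.com,addomain2.com

[domain/domain1.com]
id_provider = ipa

[domain/addomain2.com]
id_provider = ad
use_fully_qualified_names = False
ldap_id_mapping = false
"""

# Constructed: same layout, fully qualified names on both domains and
# hypothetical non-overlapping id ranges (the numbers are made up).
HARDENED_CONF = """
[sssd]
domains = domain1.com,addomain2.com

[domain/domain1.com]
id_provider = ipa
use_fully_qualified_names = True
min_id = 100000
max_id = 199999

[domain/addomain2.com]
id_provider = ad
use_fully_qualified_names = True
ldap_id_mapping = false
min_id = 200000
max_id = 299999
"""

# Constructed gid -> name tables standing in for each domain's directory;
# gid 102242 is defined in both on purpose.
GROUP_TABLES = {
    "domain1.com": {102242: "group5", 100327: "group6"},
    "addomain2.com": {106520: "group1", 104446: "group2",
                      104870: "group3", 102242: "ad-group5"},
}


def parse_conf(text):
    # interpolation=None: sssd values such as /home/%u@%d contain '%'
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def domain_order(cfg):
    """Lookup order is the order of the [sssd] domains= list."""
    return [d.strip() for d in cfg.get("sssd", "domains").split(",") if d.strip()]


def check_conf(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings, ranges = [], {}
    order = domain_order(cfg)
    for dom in order:
        sec = "domain/" + dom
        if len(order) > 1 and not cfg.getboolean(sec, "use_fully_qualified_names", fallback=False):
            findings.append(f"{dom}: use_fully_qualified_names is not True in a "
                            "multi-domain setup, so short names are ambiguous")
        lo = cfg.getint(sec, "min_id", fallback=None)
        hi = cfg.getint(sec, "max_id", fallback=None)
        if lo is None or hi is None:
            findings.append(f"{dom}: no min_id/max_id, so uid/gid overlap with "
                            "the other domain cannot be ruled out")
        else:
            ranges[dom] = (lo, hi)
    doms = list(ranges)
    for i, a in enumerate(doms):  # pairwise overlap of declared ranges
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a}/{b}: id ranges overlap ({alo}-{ahi} vs {blo}-{bhi})")
    return findings


def resolve_gid(gid, order, tables):
    """Assumed behaviour: first match for a bare gid across domains in order."""
    for dom in order:
        name = tables.get(dom, {}).get(gid)
        if name is not None:
            return name, dom
    return None


def render_groups(gids, order, tables, qualify=False):
    """Render gid(name) pairs like `id`; qualify=True appends @domain, which is
    what use_fully_qualified_names = True makes visible."""
    out = []
    for gid in gids:
        hit = resolve_gid(gid, order, tables)
        if hit is None:
            out.append(str(gid))
        else:
            name, dom = hit
            out.append(f"{gid}({name}@{dom})" if qualify else f"{gid}({name})")
    return ",".join(out)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for f in check_conf(parse_conf(text)) or ["no findings"]:
            print("  -", f)
    order = domain_order(parse_conf(POSTED_CONF))
    print(render_groups([106520, 104446, 104870, 102242, 100327], order, GROUP_TABLES))
```

Run against the posted layout it reports four findings (no fully qualified names, no id ranges on either domain) and renders gid 102242 as group5 from domain1.com even though the AD domain also has that gid; reversing the domain order flips the answer, which is the symptom in the post. Fully qualified names only make the source domain visible in the output; keeping the FreeIPA and AD POSIX id ranges disjoint (min_id/max_id, or the ranges assigned on the servers) is what actually removes the ambiguity.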