On Fri, Aug 09, 2013 at 12:31:01PM -0400, Chris Hartman wrote:
On Fri, Aug 9, 2013 at 11:47 AM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
> Could you try to do the same query with ldapsearch? (the first part is the filter
> and the second one is the search base.)
>
Sure can:
> root@smarty:/etc/puppet/modules/sssd/files# kinit -k -t /etc/krb5.keytab
> host/$(hostname -f)
> root@smarty:/etc/puppet/modules/sssd/files# ldapsearch -H ldap://milkdud.TESTDOMAIN.local/ -Y GSSAPI -N -b "dc=testdomain,dc=local"
> "(&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))"
> SASL/GSSAPI authentication started
> SASL username: host/smarty.testdomain.local@TESTDOMAIN.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=testdomain,dc=local> with scope subtree
> # filter: (&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))
> # requesting: ALL
> #
> # search reference
> ref: ldap://ForestDnsZones.testdomain.local/DC=ForestDnsZones,DC=testdomain,DC=local
> # search reference
> ref: ldap://DomainDnsZones.testdomain.local/DC=DomainDnsZones,DC=testdomain,DC=local
> # search reference
> ref: ldap://testdomain.local/CN=Configuration,DC=testdomain,DC=local
> # search result
> search: 4
> result: 0 Success
> # numResponses: 4
> # numReferences: 3
It's also interesting that some of the GIDs that are returned are not
actually groups but user objects in AD.
-Chris
Do you run the AD server in a trusted setup? Is it possible this group comes
from another AD domain?
Can you check if searching the SID in the Global Catalog works (just
search port 3268)?
# ldapsearch -H ldap://milkdud.TESTDOMAIN.local:3268 -Y GSSAPI -N -b "dc=testdomain,dc=local" \
"(&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))"
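As an added example (not part of the thread and not SSSD code), the two checks asked for above can be prepared in Python: split the SID into its domain part and RID, so the domain part can be compared with the local domain's SID to tell whether the group belongs to another domain of the forest, and build a filter on objectSid in the RFC 4515 escaped binary form that any LDAP server accepts (AD additionally accepts the "S-1-5-..." string form used in the ldapsearch above). It also decodes the base64 objectSid value that ldapsearch prints as "objectSid::" for returned entries, which is how you confirm which object a SID really belongs to. The SID and domain SID values are taken from the thread; the function names are my own.

```python
import base64
import struct

# SID from the ldapsearch in the thread; the domain part is everything before the last component.
SID_FROM_THREAD = "S-1-5-21-1779125721-235263668-3792523542-3663"


def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) for a textual revision-1 SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return authority, subs


def split_sid(sid):
    """Split a SID into (domain SID, RID); domain SIDs look like S-1-5-21-a-b-c."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID has no RID component: %r" % sid)
    domain = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def is_from_domain(sid, local_domain_sid):
    """True if the SID was issued by the given domain (same domain part)."""
    domain, _rid = split_sid(sid)
    return domain == local_domain_sid


def sid_to_bytes(sid):
    """Encode a SID in the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), authority (6 bytes big-endian),
    then each sub-authority as a 32-bit little-endian integer."""
    authority, subs = parse_sid(sid)
    out = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(raw):
    """Decode the binary objectSid form back into S-1-... text."""
    if len(raw) < 12 or raw[0] != 1:
        raise ValueError("not a revision-1 binary SID")
    count = raw[1]
    if count < 1 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def sid_from_ldif(value):
    """Decode the base64 text ldapsearch prints after 'objectSid::'."""
    return bytes_to_sid(base64.b64decode(value))


def ldap_escape(value):
    """RFC 4515 escaping of a binary assertion value: every byte becomes \\XX."""
    return "".join("\\%02x" % b for b in value)


def group_filter(sid):
    """Filter matching the group with this SID, in the portable escaped-binary form."""
    return "(&(objectSid=%s)(objectClass=group))" % ldap_escape(sid_to_bytes(sid))


if __name__ == "__main__":
    domain, rid = split_sid(SID_FROM_THREAD)
    print("domain SID:", domain, "RID:", rid)
    print("filter:", group_filter(SID_FROM_THREAD))
    # Round trip through the base64 form ldapsearch would print for this SID.
    ldif_value = base64.b64encode(sid_to_bytes(SID_FROM_THREAD)).decode()
    print("objectSid::", ldif_value, "->", sid_from_ldif(ldif_value))
```

If the domain part of the SID differs from the local domain's SID, the object lives in another domain and a domain controller on port 389 will not return it; the Global Catalog on port 3268 holds a partial replica of every domain in the forest, which is why the reply asks for that search.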