Re: [SSSD-users] Problem with user group enumeration

Ok, I know the answer of the 2nd question. I had subdomains_provider set to “none”. Still wandering about the first one, though… O. From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 16 September 2015 14:49 To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org&gt; Subject: Re: [SSSD-users] Problem with user group enumeration Hmmmmm, Seems like (from the source code): 1. the 1st machine is using old-fashioned rfc2307bis calls to obtain user group membership. Slow, but works 2. the second machine is using tokenGroups. It gets the SID’s fine from tokengroups attribute, but can not convert those to group names & GIDs. Error is “Domain not found for SID….” The only obvious difference is that 1st machine is connected to the Windows 2012 server whereas the 2nd one to server running Windows 2008. Both are in the same domain, functional level Windows server 2003. Tokengroups attribute is present on both – just checked. So my question is: - how does sssd decide whether to use tokenGroups or not? I was unable to figure out from the C sources. - Why is group SID lookup failing when using tokenGroups? Does anyone know? I would be interested… Thanks, Ondrej From: sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org> [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 16 September 2015 10:11 To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>> Subject: [SSSD-users] Problem with user group enumeration Hi List, I have a strange problem. I have 2 machines on different locations, but running a same sssd version and configuration. First one works fine, enumerates (via “id –a” command) all groups user belongs to. Second does not enumerate groups for the same user, only shows the primary group. Comparing the logs (same debug level): 1st machine (working one): [sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Process user's groups [sssd[be[default]]] [sdap_initgr_rfc2307bis_next_base] (0x0400): Searching for parent groups for user [CN=Jan Kovalsky…. [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with …(ldap search filter here) 2nd machine (not working): [sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Process user's groups [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Jan Kovalsky….. [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups] Both machines starts with clear cache – seems like there must be some difference in AD servers they connect to? Could you clarify? Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com<mailto:communications@s3group.com>. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com<mailto:communications@s3group.com>. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.