Ok, I know the answer of the 2nd question. I had subdomains_provider set to “none”.
Still wondering about the first one, though…
O.
From: sssd-users-bounces@lists.fedorahosted.org On Behalf Of Ondrej Valousek
Sent: 16 September 2015 14:49
To: End-user discussions about the System Security Services Daemon
<sssd-users@lists.fedorahosted.org>
Subject: Re: [SSSD-users] Problem with user group enumeration
Hmmmmm,
Seems like (from the source code):
1. the 1st machine is using old-fashioned rfc2307bis calls to obtain user group
membership. Slow, but works
2. the second machine is using tokenGroups. It gets the SIDs fine from the tokenGroups
attribute, but cannot convert those to group names & GIDs. Error is “Domain not found
for SID….”
The only obvious difference is that 1st machine is connected to the Windows 2012 server
whereas the 2nd one to server running Windows 2008. Both are in the same domain,
functional level Windows server 2003.
Tokengroups attribute is present on both – just checked.
So my question is:
- how does sssd decide whether to use tokenGroups or not? I was unable to figure
it out from the C sources.
- Why is group SID lookup failing when using tokenGroups?
Does anyone know?
I would be interested…
Thanks,
Ondrej
From: sssd-users-bounces@lists.fedorahosted.org On Behalf Of Ondrej Valousek
Sent: 16 September 2015 10:11
To: End-user discussions about the System Security Services Daemon
<sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Problem with user group enumeration
Hi List,
I have a strange problem. I have 2 machines in different locations, but running the same
sssd version and configuration.
First one works fine, enumerates (via the “id -a” command) all groups the user belongs to.
Second does not enumerate groups for the same user, only shows the primary group.
Comparing the logs (same debug level):
1st machine (working one):
[sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Process user's groups
[sssd[be[default]]] [sdap_initgr_rfc2307bis_next_base] (0x0400): Searching for parent
groups for user [CN=Jan Kovalsky….
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
…(ldap search filter here)
2nd machine (not working):
[sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Process user's groups
[sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][CN=Jan Kovalsky…..
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[tokenGroups]
Both machines start with a clear cache – seems like there must be some difference in the AD
servers they connect to?
Could you clarify?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to:
communications@s3group.com. Thank You. Silicon
and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered
Office: South County Business Park, Leopardstown, Dublin 18.
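The failure on the second machine comes down to mapping each SID returned by tokenGroups back to a known domain before the group name and GID can be looked up. The following added example (not sssd's code) decodes the binary SID values that tokenGroups returns and classifies them against a table of known domain SIDs; the domain SIDs and names are constructed, and with only the local domain known (the equivalent of subdomains_provider = none) the SIDs from a trusted domain end up unresolvable.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (as stored in objectSid / tokenGroups) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit identifier authority
    subs = struct.unpack("<%dI" % sub_count, raw[8:])    # sub-authorities, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def str_to_sid(sid: str) -> bytes:
    """Encode S-1-... text into the binary form AD returns (used to build sample data)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def domain_sid(sid: str) -> str:
    """Domain part of an account/group SID: everything except the trailing RID."""
    return sid.rsplit("-", 1)[0]

def resolve_token_groups(token_groups, known_domains):
    """Split tokenGroups SIDs into (domain name, SID) pairs and SIDs with no known domain."""
    resolved, unresolved = [], []
    for raw in token_groups:
        sid = sid_to_str(raw)
        dom = domain_sid(sid)
        if dom in known_domains:
            resolved.append((known_domains[dom], sid))
        else:
            unresolved.append(sid)       # sssd reports these as "Domain not found for SID"
    return resolved, unresolved

# Constructed sample data: two group SIDs from the local domain, one from a trusted domain.
LOCAL_DOMAIN = "S-1-5-21-1111-2222-3333"     # hypothetical local domain SID
TRUSTED_DOMAIN = "S-1-5-21-4444-5555-6666"   # hypothetical trusted domain SID
TOKEN_GROUPS = [str_to_sid(LOCAL_DOMAIN + "-513"), str_to_sid(LOCAL_DOMAIN + "-1105"),
                str_to_sid(TRUSTED_DOMAIN + "-1200")]

if __name__ == "__main__":
    # Only the local domain known: the trusted-domain group cannot be mapped.
    print(resolve_token_groups(TOKEN_GROUPS, {LOCAL_DOMAIN: "example.com"}))
    # Trusted domain also known (subdomains discovered): every SID maps to a domain.
    print(resolve_token_groups(TOKEN_GROUPS, {LOCAL_DOMAIN: "example.com",
                                              TRUSTED_DOMAIN: "trusted.example.net"}))
```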