On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote:
All,
Below is a writeup of missing AD groups for accounts when using
tokengroups. When not using tokengroups, sssd is rock solid.
Yes, most of the missing AD groups are universal or global groups -- but
not all! For some accounts, even domain-local AD groups are missed from
their group memberships. (when using tokengroups).
[...]
tokengroups-disabled SSSD:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),2283577(delta_bd_create_emea),2283643(gebs_read_prd),2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),2283869(cowcprodsupport)
vas:
uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler)
groups=2604370(admpatrick_wheeler),
1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)
diff is:
1033(amer_server_mgmt)
1003(amerlinuxsup)
amer_server_mgmt is an AMER global group with GID 1033. <--- why is sssd not reporting this?!?
Can you send logs for a single lookup of "id username" with tokengroups
enabled?
amerlinuxsup is an AMER universal group with GID 1003.
Here is my /etc/sssd/sssd.conf file:
[nss]
debug_level = 9
filter_groups = root
filter_users = root
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[sssd]
debug_level = 6
#domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
# Unnecessary. If missing, will search in order specified in "domains" lines above.
#domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com, dell.com
config_file_version = 2
services = nss,pam
reconnection_retries = 3
#ldap_user_member_of = member
[pam]
pam_verbosity = 3
debug_level = 9
[domain/amer.dell.com]
debug_level = 9
id_provider = ad
access_provider = simple
#access_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
default_shell = /bin/bash
#use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
Why do you disable the subdomains provider? Isn't it easier to just list
the domains you want to enable using the ad_enabled_domains option?
btw this can actually cause issues because the subdomains provider is
needed to fetch the joined domain SID at least, among other things.
I would change this to:
ad_enabled_domains = amer.dell.com
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_schema = rfc2307bis
Please don't set ldap_schema to anything else than 'ad' (the default)
with id_provider=ad. We should probably just disallow changing the
schema in the code completely.
ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
dyndns_update = False
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = amerlinuxsup(a)AMER.DELL.COM, amerlinuxeng(a)AMER.DELL.COM, emealinuxsup(a)EMEA.DELL.COM, AMER.DELL.COM, emealinuxeng(a)EMEA.DELL.COM, apaclinuxsup(a)EMEA.DELL.COM, apaclinuxeng(a)EMEA.DELL.COM
# also look at
https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648....
[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = apaclinuxsup(a)APAC.DELL.COM, apaclinuxeng(a)APAC.DELL.COM
[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = emealinuxsup(a)EMEA.DELL.COM, emealinuxeng(a)EMEA.DELL.COM
[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
#use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell.com(a)AMER.DELL.COM
#ldap_sasl_authid = SPIKEREALMD02$(a)AMER.DELL.COM
#ldap_sasl_authid = spikerealmd02(a)AMER.DELL.COM
#TEST REMOVAL. July 4 2018. SW
#ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
# TEST -- commented out July 4 to not use tokengroups.
ldap_use_tokengroups = False
simple_allow_groups = japnlinuxsup(a)JAPN.DELL.COM, japnlinuxeng(a)JAPN.DELL.COM
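The thread compares two `id` listings for the same account by hand and writes down the "diff". The script below is an added example (not code from the thread, from SSSD or from VAS) that does that comparison mechanically: it parses `id`-style output from two resolvers, keys the groups on GID so a renamed group is not mistaken for a missing one, and reports what each side omits. The two sample strings are constructed from the listings quoted above; the function and variable names are this example's own.

```python
"""Compare the group memberships two resolvers report for one account.

Added example, not part of the original thread. Input is the text format of
`id`: "uid=N(name) gid=N(name) groups=N(name),N(name),...".
"""
import re

# Sample inputs constructed from the two listings quoted in the thread:
# SSSD with ldap_use_tokengroups = False, and VAS, for the same account.
SSSD_OUTPUT = (
    "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
    "groups=2604370(admpatrick_wheeler),1033(amer_server_mgmt),"
    "1010(amerunixusers),1003(amerlinuxsup),1156(gbl_server_support),"
    "2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),"
    "2283577(delta_bd_create_emea),2283643(gebs_read_prd),"
    "2283611(xxgl0370_prod),2283578(delta_bd_create),2283256(infa_developer),"
    "2283623(xxgl0363_prod),2283615(xxgl0503_prod),2283607(xxpa2891_prod),"
    "2283869(cowcprodsupport)"
)
VAS_OUTPUT = (
    "uid=2604370(admpatrick_wheeler) gid=2604370(admpatrick_wheeler) "
    "groups=2604370(admpatrick_wheeler),"
    "1033(amer_server_mgmt),1003(amerlinuxsup),1010(amerunixusers)"
)

# One "N(name)" entry; names may contain spaces (AD groups often do), so the
# groups field is matched as a whole and then scanned entry by entry.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")
_LINE = re.compile(
    r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)$"
)


def parse_id_output(text):
    """Return (uid, user, gid, primary_group, {gid: name}) from `id` output."""
    m = _LINE.search(text.strip())
    if not m:
        raise ValueError("not id(1) output: %r" % text[:60])
    uid, user, gid, primary, groups = m.groups()
    members = {int(g): name for g, name in _ENTRY.findall(groups)}
    return int(uid), user, int(gid), primary, members


def compare_memberships(left, right):
    """Return (only_in_left, only_in_right), each a {gid: name} dict.

    Raises ValueError if the two listings are not for the same uid, so two
    different accounts are never diffed against each other by mistake.
    """
    luid, _, _, _, lgroups = parse_id_output(left)
    ruid, _, _, _, rgroups = parse_id_output(right)
    if luid != ruid:
        raise ValueError("listings are for different uids: %d vs %d" % (luid, ruid))
    only_left = {g: n for g, n in lgroups.items() if g not in rgroups}
    only_right = {g: n for g, n in rgroups.items() if g not in lgroups}
    return only_left, only_right


def format_report(left_label, right_label, only_left, only_right):
    """Render the diff in the same "GID(name)" style the thread uses."""
    lines = ["groups only in %s:" % left_label]
    lines += ["  %d(%s)" % (g, n) for g, n in sorted(only_left.items())] or ["  (none)"]
    lines.append("groups only in %s:" % right_label)
    lines += ["  %d(%s)" % (g, n) for g, n in sorted(only_right.items())] or ["  (none)"]
    return "\n".join(lines)


if __name__ == "__main__":
    missing_in_vas, missing_in_sssd = compare_memberships(SSSD_OUTPUT, VAS_OUTPUT)
    print(format_report("sssd (tokengroups off)", "vas", missing_in_vas, missing_in_sssd))
```

Run the script against the output of `id <user>` captured with tokengroups enabled and disabled (or against a second resolver, as the thread does) and it lists exactly which GIDs each side drops; that list, together with the group type (global, universal, domain-local) of each entry, is what the reply asks to correlate with the debug log of a single lookup.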
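The reply makes two concrete recommendations for an `id_provider = ad` domain section: do not set `subdomains_provider = none` (restrict domains with `ad_enabled_domains` instead, since the subdomains provider is needed to fetch the joined domain SID) and leave `ldap_schema` at its default `ad`. The checker below is an added example, not part of the thread or of SSSD, that reads an sssd.conf and flags both settings per domain section; the sample configuration is a constructed, trimmed version of the one quoted above, and `lint_sssd_conf` is this example's own name.

```python
"""Flag the sssd.conf settings the reply warns about in AD domain sections.

Added example, not part of the original thread or of SSSD. Checks, for each
[domain/...] section with id_provider = ad:
  * subdomains_provider = none   (breaks fetching the joined domain SID)
  * ldap_schema other than 'ad'  (must stay at the default with the AD provider)
"""
import configparser

# Constructed sample modelled on the thread's configuration; the first domain
# carries both problematic settings, the second is written the way the reply
# suggests (ad_enabled_domains instead of disabling the subdomains provider).
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = amer.dell.com,apac.dell.com

[domain/amer.dell.com]
id_provider = ad
auth_provider = ad
ad_domain = amer.dell.com
fallback_homedir = /home/%u
subdomains_provider = none
ldap_schema = rfc2307bis
ldap_use_tokengroups = False

[domain/apac.dell.com]
id_provider = ad
auth_provider = ad
ad_domain = apac.dell.com
ad_enabled_domains = apac.dell.com
fallback_homedir = /home/%u
"""


def lint_sssd_conf(text):
    """Return a list of (section, option, message) findings for the config text."""
    # interpolation=None: sssd values such as fallback_homedir = /home/%u contain
    # '%' and must not be treated as configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if sec.get("id_provider", "").strip().lower() != "ad":
            continue  # the two checks below only apply to the AD provider
        if sec.get("subdomains_provider", "").strip().lower() == "none":
            findings.append((section, "subdomains_provider",
                             "is 'none': the subdomains provider is needed to fetch the "
                             "joined domain SID; limit domains with ad_enabled_domains instead"))
        schema = sec.get("ldap_schema", "ad").strip().lower()
        if schema != "ad":
            findings.append((section, "ldap_schema",
                             "is '%s': leave ldap_schema at the default 'ad' with "
                             "id_provider = ad" % schema))
    return findings


def lint_file(path):
    """Convenience wrapper: lint an sssd.conf on disk (e.g. /etc/sssd/sssd.conf)."""
    with open(path, encoding="utf-8") as fh:
        return lint_sssd_conf(fh.read())


if __name__ == "__main__":
    for section, option, message in lint_sssd_conf(SAMPLE_CONF):
        print("[%s] %s %s" % (section, option, message))
```

`lint_file("/etc/sssd/sssd.conf")` applies the same checks to a live configuration (the file is normally root-readable only, since it can hold credentials). Exit status and output format are left to the caller; the point is that every finding names the section, so a multi-domain file like the one in the thread can be corrected section by section.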
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...